IP Address Management (IPAM) is an IT discipline covering the centralized management, monitoring, and auditing of IP address space and of the infrastructure servers (DNS, DHCP) that serve it on a network. Small organizations with only a few IP networks rarely see the difficulty large organizations face in tracking, assigning, planning, and changing IP addresses. For a distributed organization with hundreds of networks and just as many DNS and DHCP servers involved in delivering IT services, IPAM is a necessity, not a luxury.
Even organizations without a formal IPAM application track their IP address information somehow, most often in spreadsheets. IPAM gives you a database view of address availability and configuration, so you can use your address space more efficiently, and IPAM features such as IP reconciliation and automation remove the need to track addresses in spreadsheets.
On a Microsoft network, IPAM is an installable Windows Server 2012 feature that you run on a domain member server to centrally watch and manage the servers that actually do the work. IPAM manages the following Windows server roles:
- DHCP Service
- DNS Server
- Network Policy Server (NPS)
- Active Directory Domain Controller (DC)
After you deploy IPAM, you choose which services on which servers are managed or unmanaged. A managed server must be configured with the access settings (shares, security groups, firewall rules, event log permissions) that let IPAM remotely manage, monitor, and audit it. You can configure these settings manually on each server, or let IPAM provision managed servers automatically through Group Policy Objects (GPOs). Once IPAM is deployed, make changes through IPAM, because the IPAM database becomes your central authority on IP addresses.
Steps to Deploy IPAM on Windows Server 2012
#1 Install the IPAM Server Role
In Windows Server 2012 Server Manager, run Manage | Add Roles and Features and install the IP Address Management (IPAM) Server feature (or run Install-WindowsFeature IPAM -IncludeManagementTools). The server must be a domain member; you cannot install IPAM on a domain controller.
#2 Provision the IPAM Server
After installing the IPAM feature, navigate in Windows Server 2012 Server Manager to IPAM | Overview and click step 2, “Provision the IPAM server”. Select either the Manual or the Group Policy Based provisioning method. Choose carefully: once the IPAM server is provisioned, the provisioning method cannot be changed without removing and reinstalling the feature.
- The manual provisioning method requires you to configure the required network shares, security groups, and firewall rules yourself on each managed server.
- The Group Policy based provisioning method requires Group Policy Objects (GPOs) to be created in each domain that the IPAM server manages. IPAM then configures settings on managed servers automatically by adding each server’s computer account to the security filtering of the appropriate GPO. Figure A shows the confirmation dialog for this step.
Provisioning IPAM using the GPO-based method.
- When using the GPO provisioning method (recommended), next run the Invoke-IpamGpoProvisioning PowerShell cmdlet on the IPAM server, as shown in Figure B, with an account that can create and link GPOs in the domain (replace “IPAM” with the GPO prefix you entered in the provisioning wizard):
This PowerShell command creates and links the IPAM GPOs (one each for DHCP, DNS, and DC/NPS servers, named with your prefix).
#3 Configure Server Discovery (button 3): This takes just two clicks to add your domain(s) to the list of domains that IPAM will scan and manage.
#4 Start Server Discovery (button 4): After launching this task, you will see one or more IPAM tasks running in the Task Scheduler. Wait for them to complete; the status then changes to “Please refresh to update the view.”
#5 Set Manageability Status (button 5): Now you must explicitly permit each discovered server to be managed by IPAM. After you select Managed status as shown in Figure C, an IPAM Audit task and an IPAM ServiceMonitoring task are launched.
Change the discovered DC, DNS, DHCP, or NPS server status to Managed status.
If you ran Invoke-IpamGpoProvisioning correctly and domain Group Policy has refreshed on the managed server, the server appears as Unblocked with a “green” status in the IPAM server list. If the GPOs have not been applied, or the managed server’s computer account has not been added to the security filtering of the IPAM GPOs, you will see a Blocked, “red” status in Server Manager.
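The five steps above, done from PowerShell instead of the Server Manager wizard, with a check of what Invoke-IpamGpoProvisioning actually created. This is an added example, not code from the article or from Microsoft; the domain corp.example, the IPAM server ipam1, the managed DHCP server dhcp1 and the GPO prefix IPAM are assumed names.

```powershell
# Added example (not from the article). Install and provision IPAM with the
# GPO-based method, then verify the GPOs before marking servers as Managed.
# Assumptions: domain corp.example, IPAM server ipam1 (a member server, not a DC),
# GPO prefix "IPAM" (must match the prefix entered in the provisioning wizard),
# dhcp1 is a server you intend to manage. Run elevated, as a domain admin, on ipam1.

$Domain     = 'corp.example'          # assumed
$GpoPrefix  = 'IPAM'                  # assumed; must equal the wizard's prefix
$IpamServer = 'ipam1.corp.example'    # assumed
$Managed    = 'dhcp1.corp.example'    # assumed managed DHCP server

# Step 1: install the feature. This fails by design on a domain controller.
Install-WindowsFeature IPAM -IncludeManagementTools

# Step 2 (GPO-based): create and link the IPAM GPOs in the domain.
# -Force suppresses the confirmation prompt; omit it to review what will be created.
Invoke-IpamGpoProvisioning -Domain $Domain -GpoPrefixName $GpoPrefix -IpamServerFqdn $IpamServer -Force

# Verify: the cmdlet names its GPOs <prefix>_DHCP, <prefix>_DNS and <prefix>_DC_NPS.
Import-Module GroupPolicy
$expected = "${GpoPrefix}_DHCP", "${GpoPrefix}_DNS", "${GpoPrefix}_DC_NPS"
foreach ($name in $expected) {
    $gpo = Get-GPO -Name $name -Domain $Domain -ErrorAction SilentlyContinue
    if (-not $gpo) {
        Write-Warning "GPO $name is missing; re-run Invoke-IpamGpoProvisioning"
        continue
    }
    # Security filtering: before any server is marked Managed the Apply list is
    # effectively empty; IPAM adds each managed server's computer account later.
    $applyTo = Get-GPPermission -Guid $gpo.Id -Domain $Domain -All |
        Where-Object { $_.Permission -eq 'GpoApply' }
    '{0}: status={1}; applies to: {2}' -f $name, $gpo.GpoStatus, (($applyTo.Trustee.Name) -join ', ')
}

# Steps 3-5 (discovery and manageability) are done in the IPAM console on
# Windows Server 2012. After you set dhcp1 to Managed, force a policy refresh on it
# so the IPAM_DHCP GPO applies and the server turns from Blocked to Unblocked.
Invoke-GPUpdate -Computer $Managed -Force -RandomDelayInMinutes 0

# Confirm the managed server's computer account is now in the GPO's Apply list.
Get-GPPermission -Name "${GpoPrefix}_DHCP" -Domain $Domain -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```

If the last query does not list the managed server’s computer account, that is the usual cause of the Blocked status described above; re-check the manageability setting in the console rather than editing the GPO filter by hand, since IPAM maintains that filter itself.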
Tips on IPAM setup and permissions
IPAM performs service status monitoring for DNS and DHCP servers. For this to work, the computer account of the IPAM server must be granted read access to the DHCP Server service (for DHCP service monitoring) and to the DNS Server service (for DNS service monitoring). Here are some configuration tips:
- The universal security group IPAMUG is created in the IPAM server’s Active Directory domain when IPAM is provisioned. The permissions IPAM needs on DNS and DHCP are keyed to this group. Make sure the group exists and that the computer account of your IPAM server is a member of it.
- After refreshing Group Policy, modifying the registry on your managed DNS servers, and/or granting the IPAM server access to the DHCP and DNS services, run the Refresh Server Access Status task in Server Manager; otherwise the IPAM console will not show the change.
- The Windows Event Collector service (Wecsvc) must be running on the managed DC/DNS/DHCP computers, because IPAM collects their event logs for auditing.
- One cause of Blocked status is that the IPAM server’s computer account has not been granted read access in the ACL stored in the following registry value on the DNS server: HKLM\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD. The value is an SDDL string; the IPAM server’s SID must appear in an allow ACE.
- DHCP data is not imported into the IPAM database automatically. You need to run a Windows PowerShell script to import DHCP leases and reservations into the IPAM database. Find the script at http://gallery.technet.microsoft.com/scriptcenter/Windows-Server-2012-f44cefce
- DNS A records also need to be imported manually to get started; use this script for DNS record import: http://gallery.technet.microsoft.com/scriptcenter/Import-DNS-A-records-into-afb9ddd1 (This script, like the DHCP script, can be scheduled to run automatically on a recurring basis.)
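A check script for the permission tips above, to run from the IPAM server before pressing Refresh Server Access Status. It is an added example, not part of the article or of Microsoft’s IPAM tooling; the computer name IPAM1 and the managed server names dc1, dns1 and dhcp1 in corp.example are assumed, and it needs the Active Directory RSAT module plus PowerShell remoting to the managed servers.

```powershell
# Added example (not from the article). Verifies the three access prerequisites
# the tips describe: IPAMUG membership, the Windows Event Collector service, and
# the IPAM server's SID in the DNS Server event log CustomSD on DNS servers.
# Assumptions: IPAM server computer account IPAM1$, managed servers as listed.

Import-Module ActiveDirectory
$IpamComputer   = 'IPAM1'                                                        # assumed
$ManagedServers = 'dc1.corp.example', 'dns1.corp.example', 'dhcp1.corp.example'  # assumed

$ipamSid = (Get-ADComputer -Identity $IpamComputer).SID.Value

# 1. IPAMUG must exist (it is created at provisioning) and contain IPAM1$.
$members = Get-ADGroupMember -Identity 'IPAMUG' -Recursive -ErrorAction Stop
if (@($members.SID.Value) -notcontains $ipamSid) {
    Write-Warning "$IpamComputer`$ is not a member of IPAMUG; adding it. Refresh Group Policy on the managed servers afterwards."
    Add-ADGroupMember -Identity 'IPAMUG' -Members "$IpamComputer`$"
} else {
    "IPAMUG contains $IpamComputer`$"
}

foreach ($server in $ManagedServers) {
    # 2. Windows Event Collector must be running on every managed server.
    $wec = Get-Service -ComputerName $server -Name Wecsvc -ErrorAction SilentlyContinue
    if ($null -eq $wec) {
        Write-Warning "${server}: cannot query services (RPC blocked or host down)"
        continue
    }
    if ($wec.Status -ne 'Running') {
        Write-Warning "${server}: Wecsvc is $($wec.Status); IPAM audit collection will fail"
    }

    # 3. On DNS servers, CustomSD on the DNS Server event log must reference the
    #    IPAM server's SID. The value is read remotely and searched for the SID.
    $sddl = Invoke-Command -ComputerName $server -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server'
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
        }
    }
    if ([string]::IsNullOrEmpty($sddl)) {
        "${server}: no DNS Server event log CustomSD (not a DNS server, or value not set); skipping"
        continue
    }
    if ($sddl -notmatch [regex]::Escape($ipamSid)) {
        Write-Warning "${server}: CustomSD does not grant $ipamSid; expect Blocked status for DNS event access"
    } else {
        "${server}: CustomSD references $IpamComputer`$ ($ipamSid)"
    }
}
```

The script only reports on CustomSD rather than rewriting it: with GPO-based provisioning the IPAM_DNS GPO manages that value, so a missing ACE normally means the GPO has not applied to that server yet, and a manual edit would be overwritten at the next policy refresh.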
Using the IPAM feature
Once you commit to using IPAM to manage your DNS and DHCP services, you first populate the IPAM database by importing data manually or with one of the scripts from the Tips section above. From then on, use IPAM exclusively to manage your IP addresses rather than the native DNS and DHCP consoles. With the proper permissions and settings, you can create and delete DNS records and modify DHCP leases from the IPAM console, as shown in Figure D.
Using IPAM to convert a DHCP lease to a reservation or make other IP address changes.
IPAM pushes changes it makes to the DNS and DHCP servers involved; however, this is a one-way connector into the IPAM database. If you change DNS or DHCP client information outside IPAM, those changes are not reflected in IPAM until you run one of the import scripts again, so schedule the imports or you will be acting on stale data.
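A drift check for the one-way connector just described: it exports IPAM’s IPv4 address inventory and compares it with the reservations and leases the managed DHCP servers actually hold, listing anything created outside IPAM that the import script has not yet picked up. This is an added example, not the article’s or Microsoft’s import script; the DHCP server names dhcp1 and dhcp2 are assumed, and the name of the address column in the export CSV (“IP Address”) is an assumption you should confirm against the header of your own Export-IpamAddress output.

```powershell
# Added example (not from the article). Reports DHCP reservations and leases that
# are missing from the IPAM database, i.e. changes made outside IPAM.
# Assumptions: dhcp1/dhcp2 are managed DHCP servers; the IpamServer and DhcpServer
# modules are available on this host; the export CSV has an "IP Address" column.

Import-Module IpamServer
Import-Module DhcpServer
$DhcpServers = 'dhcp1.corp.example', 'dhcp2.corp.example'   # assumed
$ExportPath  = Join-Path $env:TEMP 'ipam-addresses.csv'

# 1. What IPAM believes: export the IPv4 address inventory and index it by address.
Export-IpamAddress -Path $ExportPath -AddressFamily IPv4 -Force
$rows = @(Import-Csv -Path $ExportPath)
if ($rows.Count -eq 0) { throw "IPAM export is empty; run the DHCP import script first" }
$headers  = $rows[0].PSObject.Properties.Name
$ipColumn = $headers | Where-Object { $_ -match '^IP\s*Address$' } | Select-Object -First 1   # assumed header
if (-not $ipColumn) { throw "No IP address column found; headers are: $($headers -join ', ')" }
$inIpam = @{}
foreach ($r in $rows) { $inIpam[$r.$ipColumn] = $true }

# 2. What the DHCP servers actually hold, scope by scope.
$drift = foreach ($server in $DhcpServers) {
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $server) {
        $reservations = Get-DhcpServerv4Reservation -ComputerName $server -ScopeId $scope.ScopeId
        foreach ($x in $reservations) {
            if (-not $inIpam.ContainsKey($x.IPAddress.IPAddressToString)) {
                [pscustomobject]@{ Server = $server; Scope = $scope.ScopeId; IP = $x.IPAddress
                                   Kind = 'Reservation'; Client = $x.ClientId }
            }
        }
        $leases = Get-DhcpServerv4Lease -ComputerName $server -ScopeId $scope.ScopeId
        foreach ($x in $leases) {
            if (-not $inIpam.ContainsKey($x.IPAddress.IPAddressToString)) {
                [pscustomobject]@{ Server = $server; Scope = $scope.ScopeId; IP = $x.IPAddress
                                   Kind = 'Lease'; Client = $x.ClientId }
            }
        }
    }
}

# 3. Report. Anything listed here exists on a DHCP server but not in IPAM.
$drift | Sort-Object Server, Scope, IP | Format-Table -AutoSize
if ($drift) {
    Write-Warning "$(@($drift).Count) DHCP entries are not in IPAM; re-run the DHCP import script or schedule it"
} else {
    'IPAM is in sync with the DHCP servers checked'
}
```

Run it as a scheduled task alongside the import script and treat a non-empty report as a signal that someone is still using the DHCP console directly; it is also a cheap way to spot rogue reservations that were never entered through IPAM.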
Other IPAM products
Given that the first release of Microsoft’s IPAM solution requires some scripting and manual work to make a complete solution, you may want to investigate other products on the market. Some quick research found these two; neither is free.
- SolarWinds IP Address Manager. Automated DHCP, DNS, and IP space management. Starts at $1995. http://www.solarwinds.com/solutions/ipam-dns-dhcp-ddi.aspx
- BlueCat Address Manager for Windows DNS/DHCP. http://www.bluecatnetworks.com/products/bluecat-address-manager-windows
For more details:
Consult the Step-by-Step: Configure IPAM to Manage Your IP Address Space guide at Microsoft: http://technet.microsoft.com/en-us/library/hh831622.aspx