To us Windows systems administrators, the term “TCP/IP network infrastructure” typically brings the following technologies to mind:
- IP addressing strategy (IPv4 and IPv6)
- Dynamic Host Configuration Protocol (DHCP)
- Domain Name Service (DNS)
- Active Directory Domain Services (AD DS)
- (Optionally) Network Policy Server (NPS)
Historically, Microsoft hasn’t had a great deal of integration among the various Microsoft network infrastructure tools. Sure, Microsoft DHCP has the ability to automatically update DNS records. However, how can we, for instance, monitor IP address utilization at a glance? How can we maintain compliance with industry or internal regulations by auditing IP addressing and configuration changes?
Microsoft has given us an excellent suite of TCP/IP infrastructure administration tools in Internet Protocol Address Management (IPAM). IPAM is a new feature of Windows Server 2012 (currently known as Windows Server 8 Beta) that makes network infrastructure maintenance spreadsheets (!) or expensive enterprise solutions like Microsoft System Center irrelevant, at least with regard to IP address management.
In this blog post we will dive right into the IPAM setup workflow. After that we will examine some of the business use cases of this technology.
We install IPAM on our management server by using either Windows PowerShell or the Add Roles and Features Wizard from Server Manager. As you can see in the following figure, IPAM is officially classified as a feature.
Installing IP Address Management (IPAM)
In order to link our network infrastructure servers with our centralized IPAM solution, we must either configure settings manually on each server, or use Group Policy Object (GPO)-based provisioning. Obviously, the latter technique is preferred because it is largely automated.
NOTE: Trust me, you do NOT want to configure the IPAM provisioning steps manually. Talk about tedious!
The Provision IPAM Wizard deploys separate GPOs for provisioning IPAM on your DHCP servers, DNS servers, domain controllers, and NPS servers. In addition, the Provision IPAM Wizard creates the required network shares and security groups as well as creates the necessary Windows Firewall network traffic exceptions.
The Provision IPAM Wizard
NOTE: You cannot configure IPAM on a domain controller. I promise you that IPAM provisioning will fail if you try to do so.
Configuring and starting Server Discovery
During the IPAM server discovery step, we instruct IPAM to scour our Active Directory domain in search of network infrastructure servers.
As you can see in the following screen shot, we can simply select the domain(s) to discover and then click OK to continue.
Configuring IPAM Server Discovery
To actually start server discovery, we click Start server discovery in the IPAM Server Tasks pane in Server Manager. Once discovery completes successfully, we can proceed.
Performing Server Discovery
Adding servers to manage
From Server Manager, we can click Select or add servers to manage and verify IPAM access to continue our journey of IPAM initial configuration.
We need to grant our IPAM server permission to manage our network infrastructure server(s) by using GPOs. To do that, we can run the Invoke-IpamGpoProvisioning Windows PowerShell cmdlet. In the following example, we specify dc01 as our network infrastructure server, ipamgpo as our GPO prefix, and nuggetlab.com as our AD DS domain.
Invoke-IpamGpoProvisioning -Domain nuggetlab.com -GpoPrefixName ipamgpo -IpamServerFqdn dc01.nuggetlab.com
In addition to the IPAM access status displaying as Unblocked for your infrastructure servers, you will also want to open the Group Policy Management Console and verify that the GPOs have been created for your managed TCP/IP network services.
Verifying IPAM GPOs in Group Policy Management Console
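The same verification can be scripted instead of checked by eye in the console. The following is an added example, not part of the original post: it looks for the three GPOs that provisioning creates for the prefix used above, flags any that exist but contain no settings, and lists which accounts each GPO applies to. It assumes the GroupPolicy module is installed and that the GPOs are linked at the domain root.

```powershell
# Added example: verify the GPOs that Invoke-IpamGpoProvisioning should have created.
# Needs the GroupPolicy module (GPMC/RSAT) and an account that can read GPOs.
Import-Module GroupPolicy

$Domain   = 'nuggetlab.com'              # values taken from the command in the post
$Prefix   = 'ipamgpo'
$Suffixes = '_DHCP', '_DNS', '_DC_NPS'   # one GPO per managed server role
$DomainDn = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','

# GPO links at the domain root (assumption: provisioning links the GPOs there).
$links = (Get-GPInheritance -Target $DomainDn -Domain $Domain).GpoLinks

$report = foreach ($suffix in $Suffixes) {
    $name = "$Prefix$suffix"
    $gpo  = Get-GPO -Name $name -Domain $Domain -ErrorAction SilentlyContinue

    if (-not $gpo) {
        # Provisioning did not create this GPO at all.
        [pscustomobject]@{ Gpo = $name; Exists = $false; HasSettings = $false
                           Linked = $false; AppliesTo = '' }
        continue
    }

    # Security filtering: which trustees actually receive this policy.
    # These GPOs open firewall rules and grant the IPAM server access,
    # so the list should contain only the servers you intend to manage.
    $apply = Get-GPPermission -Guid $gpo.Id -All -DomainName $Domain |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    [pscustomobject]@{
        Gpo         = $name
        Exists      = $true
        # A computer-side version of 0 means no settings were ever written,
        # which is what a GPO created by hand as an empty shell looks like.
        HasSettings = ($gpo.Computer.DSVersion -gt 0)
        Linked      = [bool]($links | Where-Object { $_.DisplayName -eq $name -and $_.Enabled })
        AppliesTo   = ($apply -join ', ')
    }
}

$report | Format-Table -AutoSize
```

A row with Exists set to True but HasSettings set to False indicates a GPO that was created manually rather than by provisioning; a broad group in AppliesTo means the firewall and access settings reach more machines than the managed servers.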
Retrieving data from managed servers
In the IPAM Server Inventory list, we can right-click an infrastructure server and select Retrieve All Server Data to query the system and, well, retrieve all server data that is related to the network service(s) that it hosts.
As you see in the following screenshot, a properly configured IPAM server offers the administrator a wide variety of centralized management and monitoring information, all within easy reach.
IPAM admin tasks
So there you have it! IP Address Management is intended to make TCP/IP network service management easier for us busy Windows systems administrators. I hope that you now have a clear picture of what IPAM is and how to configure the service in Windows Server 2012. Please feel free to leave any questions or remarks in the comments portion of this post.
How does IPAM handle statically assigned IP addresses that aren’t in DHCP? Is there an option for manual entries?
Hey Caleb. If I understood your question, then you could account for static IPs under IPAM the same way we do without them. In other words, we can create exclusions or reservations in DHCP. -Tim
I expected a bit more depth in this article… How about some screenshots of actual results and management instead of some example screenies that are so abstract in nature…
Show some of the actual lists and possibilities hands-on. Finding out what it does, is also available on the Technet and Microsoft sites.
We have IP ranges that are not in DHCP at all, how does it handle those?
Hi Memento. I feel your pain, and I apologize for the relative shallowness of the article. To be perfectly honest, I had a heck of a time getting IPAM up and running in my test environment. Remember that we are dealing with pre-release bits; the setup process is also clunky as all get-out. Perhaps I will revisit this topic once Windows Server 2012 RTM happens. Thanks, Tim
Alright, Tx Tim. We’ll await more stable bits. I feel your pain getting beta bits to work 🙂
Any reason or speculation why “You cannot configure IPAM on a domain controller”? The first time I tried IPAM (outside of a guided lab) was on a DC, and the error message was not very helpful, nor did any ‘bingle’ search clue me in until I found this write-up.
Thanks again for all your great work at 4sysops!
Hi Bryan–thanks for your kind words. I’ve researched the IPAM/domain controller issue and found no justification from Microsoft whatsoever. All I do know is that it isn’t just a “we don’t support this configuration” thing. You get a hard stop and the tech does not work if you try to install IPAM on a DC. Later, Tim
Tim, I have done everything that I can to get IPAM working but I cannot unblock the servers. It says Status: IPAM BLOCKED! I already had these firewall rules enabled since I have been using WinRM; however, I have enabled IPAM on my server2012DHCP server. Is this a problem? Does the IPAM server have to not be a DHCP or DNS server? I also am going to try restarting the server, but when I ran the PowerShell command Invoke-IpamGpoProvisioning, the GPOs were not created. I had to go back and manually add them, so they have no settings in them. This is turning out to be another 6 day problem in Server2012. These are becoming common, Tim.
Sad that it isn’t able to scan subnets and show devices using an IP address but non-domain joined hosts like printers, DRAC’s, etc.
I just began to learn this tool and can’t find how to scan a subnet with static IP addressing to obtain a table like: hostname – ip – MAC
A condition – no DHCP or DNS must be used for scanning.
Also, it would be great to remotely change all found addresses on hosts, or change them from static to dynamic (using posh or WMI or something else) from the IPAM console, then force hosts to reinitialize NICs to apply changes. Is it possible from IPAM?