In essence, IPAM is a “one-stop shop” that provides us Windows systems administrators with a centralized interface for managing all aspects of our forest’s TCP/IP infrastructure.

To us Windows systems administrators, the term “TCP/IP network infrastructure” typically brings the following technologies to mind:

  • IP addressing strategy (IPv4 and IPv6)
  • Dynamic Host Configuration Protocol (DHCP)
  • Domain Name Service (DNS)
  • Active Directory Domain Services (AD DS)
  • (Optionally) Network Policy Server (NPS)

Historically, Microsoft hasn’t had a great deal of integration among the various Microsoft network infrastructure tools. Sure, Microsoft DHCP has the ability to automatically update DNS records. However, how can we, for instance, monitor IP address utilization at a glance? How can we maintain compliance with industry or internal regulations by auditing IP addressing and configuration changes?

Microsoft has given us an excellent suite of TCP/IP infrastructure administration tools in Internet Protocol Address Management (IPAM). IPAM is a new feature of Windows Server 2012 (currently known as Windows Server 8 Beta) that makes network infrastructure maintenance spreadsheets (!) or expensive enterprise solutions like Microsoft System Center irrelevant, at least with regard to IP address management.

In this blog post we will dive right into the IPAM setup workflow. After that we will examine some of the business use cases of this technology.

Installing IPAM

We install IPAM on our management server by using either Windows PowerShell or the Add Roles and Features Wizard from Server Manager. As you can see in the following figure, IPAM is officially classified as a feature.

Installing IP Address Management (IPAM)

Provisioning IPAM

In order to link our network infrastructure servers with our centralized IPAM solution, we must either configure settings manually on each server, or use Group Policy Object (GPO)-based provisioning. Obviously, the latter technique is preferred because it is largely automated.

NOTE: Trust me, you do NOT want to configure the IPAM provisioning steps manually. Talk about tedious!

The Provision IPAM Wizard deploys separate GPOs for provisioning IPAM on your DHCP servers, DNS servers, domain controllers, and NPS servers. In addition, the wizard creates the required network shares and security groups and adds the necessary Windows Firewall network traffic exceptions.

The Provision IPAM Wizard

NOTE: You cannot configure IPAM on a domain controller. I promise you that IPAM provisioning will fail if you try to do so.

Configuring and starting Server Discovery

During the IPAM server discovery step, we instruct IPAM to scour our Active Directory domain in search of network infrastructure servers.

As you can see in the following screen shot, we can simply select the domain(s) to discover and then click OK to continue.

Configuring IPAM Server Discovery

To actually start server discovery, we click Start server discovery in the IPAM Server Tasks pane in Server Manager. Once discovery completes successfully, we can proceed.

Performing Server Discovery

Adding servers to manage

From Server Manager, we can click Select or add servers to manage and verify IPAM access to continue our journey of IPAM initial configuration.

We need to grant our IPAM server permission to manage our network infrastructure server(s) by using GPOs. To do that, we can run the Invoke-IpamGpoProvisioning Windows PowerShell cmdlet. In the following example, we specify dc01 as our network infrastructure server, ipamgpo as our GPO prefix, and nuggetlab.com as our AD DS domain.

Invoke-IpamGpoProvisioning -Domain nuggetlab.com -GpoPrefixName ipamgpo -IpamServerFqdn dc01.nuggetlab.com

In addition to the IPAM access status displaying as Unblocked for your infrastructure servers, you will also want to open the Group Policy Management Console and verify that the GPOs have been created for your managed TCP/IP network services.

Verifying IPAM GPOs in Group Policy Management Console
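
One way to script the GPO check described above (an added example, not part of the original post). It assumes the GroupPolicy module is installed, reuses the post's ipamgpo prefix and nuggetlab.com domain, and assumes the provisioning cmdlet names its GPOs <prefix>_DHCP, <prefix>_DNS and <prefix>_DC_NPS; Test-IpamGpo is a hypothetical helper name.

```powershell
# Added example: audit the GPOs that IPAM provisioning is expected to create.
# Assumptions: GroupPolicy module (GPMC/RSAT) is installed; GPO names follow
# the <prefix>_DHCP / _DNS / _DC_NPS pattern; prefix and domain are the post's.
Import-Module GroupPolicy

function Test-IpamGpo {
    param(
        [string]$Domain    = 'nuggetlab.com',
        [string]$GpoPrefix = 'ipamgpo'
    )
    foreach ($role in 'DHCP', 'DNS', 'DC_NPS') {
        $name = "${GpoPrefix}_$role"
        $gpo  = Get-GPO -Name $name -Domain $Domain -ErrorAction SilentlyContinue
        if (-not $gpo) {
            # Provisioning did not create this GPO (or used another prefix).
            [pscustomobject]@{ Gpo = $name; Exists = $false; HasSettings = $false
                               Status = $null; AppliesTo = @() }
            continue
        }
        # Security filtering: only trustees with GpoApply receive the firewall
        # exceptions and access settings this GPO carries.
        $applyTo = @(Get-GPPermission -Guid $gpo.Id -DomainName $Domain -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name })
        [pscustomobject]@{
            Gpo         = $name
            Exists      = $true
            # Version 0 means the computer half was never written: an empty shell.
            HasSettings = ($gpo.Computer.DSVersion -gt 0)
            Status      = $gpo.GpoStatus
            AppliesTo   = $applyTo
        }
    }
}

Test-IpamGpo | Format-Table -AutoSize
```

A row with Exists or HasSettings set to False means provisioning did not complete for that role. An AppliesTo list that contains a broad group rather than the specific managed servers means the IPAM firewall exceptions reach more machines than intended.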

Retrieving data from managed servers

In the IPAM Server Inventory list, we can right-click an infrastructure server and select Retrieve All Server Data to query the system and, well, retrieve all server data that is related to the network service(s) that it hosts.

As you see in the following screenshot, a properly configured IPAM server offers the administrator a wide variety of centralized management and monitoring information, all within easy reach.

IPAM admin tasks

Conclusion

So there you have it! IP Address Management is intended to make TCP/IP network service management easier for us busy Windows systems administrators. I hope that you now have a clear picture of what IPAM is and how to configure the service in Windows Server 2012. Please feel free to leave any questions or remarks in the comments portion of this post.


11 Comments
  1. Caleb 10 years ago

    How does IPAM handle statically assigned IP addresses that aren’t in DHCP? Is there an option for manual entries?

  2. Tim Warner 10 years ago

    Hey Caleb. If I understood your question, then you could account for static IPs under IPAM the same way we do without them. In other words, we can create exclusions or reservations in DHCP. -Tim

  3. Memento 10 years ago

    I expected a bit more depth in this article… How about some screenshots of actual results and management instead of some example screenies that are so abstract in nature…

    Show some of the actual lists and possibilities hands-on. Finding out what it does, is also available on the Technet and Microsoft sites.

  4. Caleb 10 years ago

    We have IP ranges that are not in DHCP at all, how does it handle those?

  5. Tim Warner 10 years ago

    Hi Memento. I feel your pain, and I apologize for the relative shallowness of the article. To be perfectly honest, I had a heck of a time getting IPAM up and running in my test environment. Remember that we are dealing with pre-release bits; the setup process is also clunky as all get-out. Perhaps I will revisit this topic once Windows Server 2012 RTM happens. Thanks, Tim

  6. Memento 10 years ago

    Alright, Tx Tim. We’ll await more stable bits. I feel your pain getting beta bits to work 🙂

  7. Bryan 10 years ago

    Any reason or speculation why “You cannot configure IPAM on a domain controller”? The first time I tried IPAM (outside of a guided lab) was on a DC, and the error message was not very helpful, nor did any ‘bingle’ search clue me in until I found this write-up.

    Thanks again for all your great work at 4sysops!

  8. Tim Warner 10 years ago

    Hi Bryan–thanks for your kind words. I’ve researched the IPAM/domain controller issue and found no justification from Microsoft whatsoever. All I do know is that it isn’t just a “we don’t support this configuration” thing. You get a hard stop and the tech does not work if you try to install IPAM on a DC. Later, Tim

  9. James G 9 years ago

    Tim, I have done everything that I can to get IPAM working but I cannot unblock the servers. It says Status: IPAM BLOCKED! I already had these firewall rules enabled since I have been using WinRM; however, I have enabled IPAM on my Server 2012 DHCP server. Is this a problem? Does the IPAM server have to not be a DHCP or DNS server? I also am going to try restarting the server, but when I ran the PowerShell command Invoke-IpamGpoProvisioning, the GPOs were not created. I had to go back and manually add them, so they have no settings in them. This is turning out to be another 6 day problem in Server 2012. These are becoming common, Tim.

  10. Justin G 7 years ago

    Sad that it isn’t able to scan subnets and show devices using an IP address but non-domain joined hosts like printers, DRAC’s, etc.

  11. Hi,
    I just began to learn this tool and can’t find how to scan a subnet with static IP addressing to obtain a table like: hostname – IP – MAC
    A condition: no DHCP or DNS must be used for scanning.
    Also, it would be great to remotely change all found addresses on hosts, or change them from static to dynamic (using posh or WMI or something else) from the IPAM console, then force hosts to reinitialize NICs to apply changes. Is it possible from IPAM?


© 4sysops 2006 - 2022
