IPAM Microsoft Documentation

Understand and Troubleshoot IP Address Management (IPAM) in Windows Server "8" Beta

Microsoft Corporation

Published: February 2012

Abstract

This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality,

and troubleshooting methods for IP Address Management (IPAM) in Windows Server “8” Beta. This UTG

provides you with:

A technical overview and functional description of this feature.

Technical concepts to help you successfully install, configure, and manage this feature.

User Interface options and settings for configuration and management.

Relevant architecture of this feature, with dependencies, and technical implementation.

Primary troubleshooting tools and methods for this feature.

Copyright information

This document is provided “as-is”. Information and views expressed in this document, including URL and other

Internet Web site references, may change without notice.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or

connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product.

You may copy and use this document for your internal, reference purposes.

© 2012 Microsoft. All rights reserved.

Active Directory, Hyper-V, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

Table of Contents

Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM ............................................. 1

About The Understanding and Troubleshooting Guide ........................................................................................ 1

Introducing IPAM....................................................................................................................................................... 1

What Is IPAM? ....................................................................................................................................................... 1

Purpose/Benefits ................................................................................................................................................... 2

Functional Overview.............................................................................................................................................. 3

Technical Overview ............................................................................................................................................. 23

Installing and Provisioning IPAM ............................................................................................................................. 30

Deployment Considerations ................................................................................................................................ 30

Installation Process – IPAM Server ...................................................................................................................... 31

Installation Process – IPAM Client ....................................................................................................................... 35

IPAM Provisioning ............................................................................................................................................... 36

Configuring and Managing IPAM ............................................................................................................................. 43

IPAM Initial Setup ................................................................................................................................................ 43

Address Space Management ............................................................................................................................... 51

Troubleshooting IPAM ............................................................................................................................................. 81

Troubleshooting tools ......................................................................................................................................... 81

Common IPAM problems .................................................................................................................................... 81

Appendix.................................................................................................................................................................. 82

Manual IPAM Provisioning – Configuring Access Settings .................................................................................. 82

GPO Based IPAM Provisioning – GPO Setting Details.......................................................................................... 90

DRAFT V5.0 Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

1

Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

About The Understanding and Troubleshooting Guide

Understanding and Troubleshooting Guides enable you to learn about technical concepts,

functionality, and general troubleshooting methods for new Windows features and

enhancements. The Understanding and Troubleshooting Guide supports you in developing

understanding of key technical concepts, architecture, functionality, and troubleshooting

tools and techniques. This understanding will enable more successful testing and early

adoption experiences during the pre-release product evaluation phase, and will support early

ramp-up of help desk and technical support roles.

Introducing IPAM Internet Protocol (IP) Address Management, which is a critical part of network

administration, has become increasingly challenging, as networks grow more dynamic and

complex. The need for centralized administration of addresses is increasing dramatically over

time as mobile computing, virtualization, and IP devices continue to consume more IP

addresses. The need for management tools has also increased with deployment and adoption

of new Internet Protocol version 6 (IPv6) networks, which have much larger address pools,

and a more complex 128-bit hexadecimal notation as compared with 32-bit dotted decimal

Internet Protocol version 4 (IPv4) addresses. The length and complexity of IPv6 addresses

makes continued tracking of them in a spreadsheet impractical.

Currently, third party vendors offer various software-based or appliance-bundled

management solution options in this space. However, the upfront overhead of procurement,

deployment and integration of such solutions remains a deterrent in their adoption. Most IT

administrators still typically track IP address allocation and utilization manually, using

spreadsheets or custom database applications. This can be very time consuming and resource

intensive, and is inherently prone to user error. Windows Server "8" Beta introduces a new

feature to meet the IP addressing and naming infrastructure management needs of network

and server administrators.

What Is IPAM?

Internet Protocol Address Management (IPAM) is a framework for discovering, utilization

monitoring, auditing, and managing the Internet Protocol (IP) address space in a network.

IPAM encompasses the administration and monitoring of Dynamic Host Configuration

Protocol (DHCP) and monitoring of Domain Name Service (DNS), which are the services that

assign and resolve IP addresses to devices in a TCP/IP network. IPAM in Windows Server "8"

Beta provides components for planning and allocating IP address space, static IP inventory

management, audit of configuration changes, monitoring and management of Microsoft DHCP

Understanding and Troubleshooting Guide DRAFT V5.0 Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

2 © 2012 Microsoft Corporation. All rights reserved.

servers, monitoring of Microsoft DNS servers and DNS zones, and IP address usage tracking

and customized visualization.

Purpose/Benefits

The Windows Server "8" Beta IPAM feature provides a unified framework meet the following

administrative requirements of addressing and naming infrastructure for network and server

administration from a central console. IPAM provides the following benefits:

IPv4 and IPv6 address space planning and allocation

IP address space utilization statistics and trend monitoring

Static IP inventory management, lifetime management and DHCP and DNS record creation

and deletion

Flexible support for import of address space from spreadsheets and management tools

Periodic update support of address space from systems such as System Center Virtual

Machine Manager (SCVMM) and third party DHCP servers

Multi entity management and monitoring of DHCP services and DHCP scopes

Configuration change event auditing for DHCP and IPAM services

Service and zone monitoring of DNS services

IP address lease and logon event tracking

Automatic server role discovery, through Active Directory integration

Automatic server configuration data collection and dynamic address space discovery

Granular distribution of data collection tasks with configurable periodicity

Agentless management of roles with Group Policy Object (GPO) based automated

deployment

Extensive support for user-defined and built-in custom fields or tags

Organizing and visualizing of data into user-defined hierarchical logical groups

Advanced search and filter support

Reporting support through UI view and Windows PowerShell export functionality

Role based access control

Remote administration support through Server Manager RSAT from both Windows Server

"8" Beta and Windows 8 Consumer Preview client builds

Support for concurrent client sessions

Built-in relational database support leveraging Windows Internal Database (WID)

Support for backup, restore, and migration scenarios



3

Functional Overview

Prerequisites

Windows Server "8" Beta IPAM is an integrated suite of IP addressing and naming solutions

aimed at helping network and system administrators to manage IP infrastructures across the

enterprise. IPAM scope selection across the managed server nodes is limited to a single

Active Directory (AD) forest, with appropriate trust relationship between the domains.

The IPAM server must be domain joined, and is reliant on a prerequisite functional network

infrastructure environment, including IPv4 and IPv6 network connectivity, in order to

integrate with existing DHCP, DNS, DC, and NPS installations across the AD forest.

Install the IPAM feature on an Active Directory domain member server intended as a single-

purpose server, and do not attempt to collocate other network infrastructure roles such as

DNS or DHCP on the same server. IPAM installation and provisioning is not supported on a

domain controller.

IPAM users must be logged in using a domain account with appropriate privileges.

The following are requirements for successful IPAM deployment.

• Ensure that the IPAM server is domain-joined.

• Ensure that you have network connectivity. Enabling both IPv4 and IPv6 is

recommended. Discovering IPv6 address space and infrastructure will not be supported

unless IPv6 connectivity is enabled.

• Ensure that you log on to the IPAM server using a domain account. Do not log on to the

IPAM server using the local Administrator or a local user account.

• Ensure that you are a member of appropriate IPAM local security group (See the IPAM

Local Security Groups section of this guide) or if you are running as a member of the local

Administrators group then you must run elevated.

• If you are accessing the IPAM server remotely using Server Manager IPAM client RSAT,

then you must be a member of the WinRMRemoteWMIUsers group on the IPAM server, in

addition to being a member of the appropriate IPAM security group (or local

Administrators group).

• Configure network settings on the IPAM server so that it has access to at least one

authoritative domain controller for server discovery. Ensure that you have network

connectivity to all the server roles (DHCP, DNS, DC and NPS) that you intend to manage

through this IPAM instance.

• For best performance, do not install any other server roles on the IPAM server.

• IPAM installation and provisioning on a DC is not supported

• IPAM installation on a DHCP server is not recommended. The IPAM server discovery

feature will not be able to discover DHCP roles if IPAM is running on a DHCP server.



• Ensure that logging of account logon events is enabled on DC and NPS servers for the IP

Address Tracking feature of IPAM

• Recommended server system requirements are as follows:

o CPU - Dual Core Processor, 2.0 GHz or higher speed

o OS – Windows Server "8" Beta

o RAM – 4 GB or more

o Hard Drive – 80 GB or more

• Ensure that network firewall ports and access settings are provisioned to enable IPAM’s

access to workloads (DC, DNS, DHCP and NPS) across the managed roles in the AD forest.

For more information on IPAM provisioning and provisioning methods refer to the

Deployment Considerations section of this guide.

• If using Group Policy based provisioning, ensure that the users marking servers as

managed/unmanaged in IPAM server inventory console either have domain administrator

privileges or have delegated rights to edit GPO security filter lists. For more information on

GPO delegation, refer to the Group Policy Based Provisioning section of this guide.

• Ensure that data replication to all AD global catalog servers is functioning properly at

regular intervals. Stale global catalog data can cause problems with discovery of servers.

Functional Description

Windows Server "8" Beta IPAM consists of five primary modules, which provide the

management functionality. These modules include the following:

Server inventory management

IP address space management

Management and Monitoring of DHCP and DNS

Event Catalog

IP address tracking

Server Inventory Management

IPAM leverages Active Directory deployment to define the scope of the IP infrastructure

elements to be centrally managed via the IPAM console. IPAM auto-discovers the configured

server roles from the configured domains and allows you to centrally manage and configure

the servers. Discovery of DHCP prepares the environment to perform management and

utilization tracking of dynamic address space, multi-entity management for DHCP servers

and scopes, service monitoring of DHCP servers, audit of configuration changes to DHCP

servers and IP address usage tracking by collecting lease events from DHCP. Discovery of DNS

roles enables DNS zone monitoring and DNS service monitoring. Discovery of DC and NPS

servers is done to support the auditing of IP address usage with associated user logon events.



5

The server discovery component in Windows Server "8" Beta IPAM leverages your Active

Directory (AD) deployment to discover network infrastructure servers. IPAM facilitates

configuring the scope of server discovery by allowing you to select domains in the AD forest

through its ‘Configure Server Discovery’ dialog. Discovery allows you to enumerate Microsoft

Windows DNS, DHCP and DC server role types that are available in either the entire AD forest

or a specified subset of domains within the forest. You can also manually add or delete

specific servers (Microsoft Windows DNS, DHCP, DC and NPS servers) to define a custom

scope of administrative control.

The IPAM server discovery and inventory feature also allows you to track granular IPAM

access status on servers. IPAM server inventory management also plays an important role in

managing the security filter list of IPAM GPOs, which are updated according to the

manageability status of the infrastructure servers in server inventory. The GPO updating

functionality is valid only if the Group Policy Based provisioning method has been selected

for IPAM. IPAM also tracks the status of data retrieval on managed servers.

Note: IPAM can be used to discover and manage servers running Windows Server 2008 and above.

An overview of the IPAM server inventory functions is provided below:

• Configure scope of Server Discovery by selecting domains and server roles within each

domain to be discovered within Active Directory forest.

• IPAM uses the following rules during server discovery on configured domains for selected

roles:

o All domain controllers registered for the configured domains are discovered

o All DNS servers registered as name servers for the domain zone and DNS suffixes

registered for the configured domains are discovered

o All DHCP servers authorized for the configured domains that respond to the DHCP

server INFORM message are discovered. This feature allows IPAM to intelligently

discard any inactive DHCP servers that are listed as authorized in AD.

• Add-Remove-Edit servers (and server roles) manually outside of the auto-discovery

process

• Automated discovery of infrastructure servers and their configuration such as server roles,

OS version, IPv4 and IPv6 interface address, domain name, DNS suffix, GUID, active roles

• Periodic and on-demand refresh of server information across configured scope of

discovery

• Disjointed name space support. Separate fields showing the server’s DNS suffix and domain

name are maintained by IPAM.

• Classify server manageability status as:



o Managed – IPAM periodic tasks will collect data from the active (checked) roles on

these servers. Inactive (unchecked) roles on these servers are ignored.

o Unmanaged - IPAM periodic tasks will not collect data from these servers. IPAM

deletes all existing information pertaining to these servers from its database.

o Unspecified - IPAM periodic tasks will not collect data from these servers. However,

IPAM retains all existing information pertaining to these servers in its database. Set

a server status as Unspecified in scenarios where the server is offline temporarily,

during temporary maintenance cycles for example.

• Granular control to configure individual server roles as active or inactive on a server

• Automatic organization of server inventory view into hierarchical view based on interface

address and manageability status of the server:

o Level 1 – IPv4 and IPv6 (based on interface address)

o Level 2 - Managed and Unmanaged

o Level 3 – IP Subnet (/16 for IPv4 and /48 for IPv6 based on primary interface

address)

• Edit owner and description for servers, and add user-defined or built-in custom fields/tags

to servers

• Built-in tracking of server data retrieval status such as In progress, Complete, Not started

• Automatic IPAM access status tracking on servers. IPAM collects granular access status

from the servers listed in the server inventory as Allowed or Blocked. IPAM rolls up these

sub-statuses into overall IPAM access status. The recommended action field indicates the

required action for managed, unmanaged, unspecified servers as appropriate.

• Integrated group policy provisioning mode support with automatic synchronization of the

IPAM GPO security filter list with the server inventory configuration. IPAM expects the user

to have appropriate GPO edit privileges while performing these operations for the

automatic GPO synchronization to be successful.

Note: Auto-discovery of the NPS server role is not supported. These servers can be added using the Add Server functionality

Note: Removing a configured domain from Server Discovery scope does not automatically delete the servers that are already discovered from that domain. If required, the corresponding servers belonging to this domain can be manually deleted from the server inventory view.

IP Address Space Management

IP address space management provides administrators with the ability to manage, track,

audit, and report on the IPv4 and IPv6 address space of the enterprise or datacenter. A

primary consumer of public Internet-routable IPv4 addresses is cloud-based hosted service



7

providers. These public IPv4 addresses are allocated and assigned by Regional Internet

Registries (RIR) in response to requests from the organization, and are in critically short

supply. Monitoring the utilization and trends for these RIR blocks is of prime importance.

Hosted service providers need to associate specific IP address subnets or blocks of addresses

to specific customers, development communities, or business divisions by customized logical

grouping.

Enterprises with public-facing datacenter entry points need to manage multiple statically

assigned public IP addresses and subnets. Administrators of these networks require

utilization data to perform actions around address space management. These actions include

finding free IP addresses, tracking address state, tracking the address lifetime, synchronizing

DNS and DHCP records/reservations, balancing the address usage for optimal utilization of

the available subnets, preparing the subnets for new or changing network requirements, and

reclaiming addresses previously assigned but no longer deployed in the production

environment.

The IP address space console of IPAM provides administrators with IP address utilization

statistics and historical trend data to make informed planning decisions for dynamic, static

and virtual address spaces. IPAM periodic tasks automatically discover the dynamic address

space and utilization data as configured on the DHCP servers managed in IPAM. Leverage the

powerful import functionality of IPAM IP address space management to bring static and

virtual address spaces under IPAM central management.

The IPAM Address Space Management (ASM) console provides the ability to efficiently

monitor various dimensions of the managed IP address space, including method of

assignment (static or dynamic), address scope (public or private), and IP version (IPv4 or

IPv6). Using IPAM ASM, you can track IP address utilization, receive threshold-crossing status

from the console and events, or zoom in and out to display utilization trends. The IPAM ASM

tools address the end-to-end IP lifecycle management problem for the static IP address space

in a growing distributed environment by ensuring better planning, accountability, and

control. It further facilitates centralized management and monitoring of address space using

periodic import and update functionality to bring in virtual address spaces managed through

systems like System Center Virtual Machine Manager (SCVMM) or any third party DHCP

servers and virtual machine (VM) managers.

For efficient network resource planning, administrators need to be able to visualize IP

address attributes in logical groupings. The utilization monitoring views in IPAM allow you to

view the enterprise address space in more meaningful logical correlation based on specific

needs. Some examples of logical group views are delineation by divisions of the organization,

geographical regions, Regional Internet Registries, offices located across geographical

regions, and categories assigned to customers based on business profiles. Grouping of

addresses by attributes provides meaningful perspective to utilization monitoring.

Address Space Entities

The various entities recognized by IPAM address space function are defined below:



• IP addresses: are the leaf level entity under IP address ranges. IPAM enables end-to-

end life cycle management of IPv4 and IPv6 addresses, including record synchronization

with DHCP and DNS servers. IPAM automatically maps an address to the appropriate

range based on the start and end address of the range. An IP address is uniquely

identifiable by the value of mandatory Managed By Service and Service Instance

fields, that help IPAM to manage and maintain duplicate IP addresses from the same

console. These two fields are also used (and should identically match) while mapping

the IP address to the IP address range.

• IP address ranges: are the next hierarchical level of IP address space entities after IP

address blocks. An IP range is conceptually an IP subnet marked by a start and end IP

address, and is typically a DHCP scope or a static IPv4 or IPv6 address range or address

pool used to assign addresses to hosts. IPAM enables you to centralize address ranges

that may span across many heterogeneous systems, such as across multiple DHCP

servers, VM managers, or legacy spreadsheets using IPAM import functionality through

UI or Windows PowerShell. An IP address range is uniquely identifiable by the value of

the mandatory Managed By Service and Service Instance fields, which help IPAM to

manage and maintain overlapping or duplicate IP address ranges from the same

console. Only one of multiple overlapping IP address ranges get mapped to the IP

address block. IPAM allows you to map any unmapped overlapping range to the

corresponding IP address block using the Map to Block action. The currently mapped

range will be unmapped because of this action.

• IP address blocks: are the highest-level entities of IP address space organization. An IP

block is conceptually an IP subnet marked by a start and end IP address, and is typically

assigned by various Regional Internet Registries (RIRs) to an organization. Network

administrators maintain the IP address block to carve out and allocate IP address

ranges to address allocation systems like DHCP. IPAM automatically arranges IPv4

address blocks into public and private address space and IPv6 addresses into unicast

global addresses. IP address blocks can be added, imported, edited, and deleted. If the

start and end IP address of a block lies within the start and end IP address of another

block, it is automatically arranged as a nested sub-block. IPAM automatically maps IP

address ranges to the appropriate IP address block based on the boundaries of the

range. This enables a hierarchically organized view of the IP address ranges and a multi-

level hierarchy of IP address blocks. IPAM rolls up utilization statistics and trends at the

IP address block or IP address sub-block level based on the ranges that are contained in

the block.



9

Figure 1 IP Address, Block, and Range Entities

Custom Fields and Logical Groups

IPAM supports user defined extensible metadata that can be associated to IP address ranges,

IP addresses, and servers. You can create metadata with multiple value types such as

Country/Region or single value types, such as Building. IPAM supports multiple built-in

custom fields with built-in values, which you can further enhance to add new user-defined

values. Similarly, you can add new user-defined custom fields that can either be free-format

or enumerations (multi-value fields). User-defined, multi-value custom fields allow you to

defined associated value tags against them.

While you can delete or edit user-defined custom fields and values, you cannot edit or delete

built-in custom fields and values. You cannot delete any particular custom field or value while

it is assigned to any entity within the IPAM database.

IPAM allows you to define the logical grouping of entities, and visualize utilization of address

space based on these groups. Custom field and value tagging is supported for the following

entities in IPAM:

IP Address

IP Address Range

Server

You can use custom field tagging for multi-valued custom fields for defining logical groups.

Logical groups enable you to visualize IP address ranges in a real-life business perspective

rather than a conventional hierarchy of IP subnets. You can customize these logical groups

and they can be hierarchical. Logical groups are defined by selecting the grouping criteria

from built-in or user-defined custom fields. IPAM supports multi-level hierarchy when

defining a logical group for IP address ranges. Similar custom logical groups can be created to

group IP addresses and managed servers. Entities that do not map to the first level criteria

defined for the logical group are displayed under the unmapped space in the group.

IPAM also rolls up utilization statistics and trends at the logical group level for IP address

ranges. Logical groups defined for IP address ranges are known as IP range groups. IPAM

supports simultaneous creation of multiple IP range groups based on different criteria. By



default, IPAM creates the built-in IP range group called Managed By, which groups IP

address range by the two-tier hierarchy of Managed by Service field followed by Service

Instance field. Built-in logical groups cannot be deleted, but the grouping criteria can be

edited.

IPAM supports only one logical group for IP addresses known as IP address inventory, which

is created by default. This built-in IP address logical group groups IP addresses by a single

hierarchy of device type field. Built-in logical groups cannot be deleted, but the grouping

criteria can be edited.

Utilization Monitoring

• Utilization data maintained for IP address ranges, IP address blocks and IP range groups

within IPAM

• User-configurable thresholds for percentage utilized field, used to mark entities as over-

utilized (above the configured threshold), under-utilized (below the configured threshold)

and optimally utilized (between over and under the utilization thresholds).

• Visualization of utilization state of IP address range, IP address block and IP range group

from the console:

o Over - Percentage utilized falls above configured over-utilized threshold

o Under - Percentage utilized falls below configured under-utilized threshold

o Optimal - Percentage utilized falls within configured over-utilized and under-

utilized threshold

• Utilization threshold crossing events are logged by IPAM whenever an IP address range

changes its utilization state.

• Utilization trend building and reporting for IPv4 address ranges, IPv4 address blocks and

IPv4 range groups.

• Capability to zoom in and out of utilization trend window. While you may select from

standard trend periods of 1 day, 7 days, 1 month, 3 months, 6 months, 1 year, 2 years and 5

years, Custom start and end date configuration for viewing the utilization trend is also

supported.

• Auto-discovery of dynamic IP address ranges and utilization data from DHCP scopes

configured on the managed Microsoft DHCP servers.

• The utilization calculation for utilized addresses be set to –

o Automatic – Auto-calculation based on the IP addresses within IPAM database that

map to the IP range

o User defined – Configured by the user agnostic of the IP addresses that map/do-

not-map to the IP range.

• Utilization statistics for an IP address range is available as following counters:



11

o Assigned addresses – The number of addresses between start IP address and end IP

Address of the block

o Utilized addresses – The summation of assigned addresses counter of IP address

ranges that map to this block

o Percentage utilized – Utilized addresses as a percentage of assigned addresses

• Two additional utilization counters are supported for dynamic IPv6 address ranges

discovered from Microsoft DHCP servers. Together these counters add up to the total

number of utilized addresses for this range:

o DHCP stateless addresses – Number of stateless address leases serviced by the

Microsoft DHCP range

o DHCP stateful addresses – Number of stateful address leases serviced by the

Microsoft DHCP range

• Utilization trend for an IPv4 address range is plotted for following line graphs:

o Percentage assigned (always 100%)

o Percentage utilized

• Utilization statistics for an IP address block is available as following counters:

o Total addresses – The number of addresses between start IP address and end IP

address of the block

o Assigned addresses – The summation of assigned addresses counters of IP address


o Utilized addresses – The summation of ‘Utilized addresses’ counters of IP address


o Percentage assigned – Assigned addresses as a percentage of total addresses

o Percentage utilized – Utilized addresses as a percentage of total addresses

• Utilization trend for an IPv4 address block is plotted for following line graphs:

o Percentage total (always 100%)

o Percentage assigned


• Utilization statistics for an IP range group is available as following counters:

o Assigned addresses – The summation of assigned addresses counters of IP address

ranges that map to this group

o Utilized addresses – The summation of utilized addresses counters of IP address

ranges that map to this group

o Percentage utilized – Utilized addresses as a percentage of assigned addresses



• Utilization trend for an IPv4 range group is plotted for following line graphs:

o Percentage assigned (always 100%)


IP address management features

• Multiple consoles/views for organizing and visualizing address space to facilitate address

space monitoring, reporting and utilization data roll up.

• Auto-discovery of DHCP scopes and scope utilization information. Auto-discovered DHCP

scopes appear as IP address ranges with Managed by Service set as MS DHCP and Service

Instance set as the name of DHCP server

• Support for identifying and managing overlapping address spaces from a single console.

Overlaps and duplicates are identified and displayed in the UI

• IPAM allows you to uniquely identify IP address ranges and IP addresses using the

Managed By Service and Service Instance fields that augment the key fields for these

entities. For example, all ranges discovered from managed DHCP servers are marked to be

Managed By Service set as MS DHCP and Service Instance set as the name of the DHCP

server.

o IP address blocks allow easy Auto discovery of DHCP scope and utilization

information from managed MS DHCP servers and visualizing them as IP address

ranges

• Plan and allocate address space by carving out multi-level hierarchy of IP address blocks.

Visualize rolled up utilization trends and statistics for IP address blocks

• Arrange address space into multi-level hierarchy of real-world custom group view.

Visualize rolled up utilization trends and statistics for group nodes.

• Customizable inventory view for IP addresses

• Support for detecting and visualizing stateless IPv6 address utilization information

• Add/Edit/Delete IP Addresses, IP address range and IP address blocks

• Detect and manage conflicts, overlaps, duplicates in address space across systems. Map

desired overlapping IP address range to the IP address block.

• Use intuitive interface for import of address, range and block from spreadsheets and

databases

• Find and allocate an available IP Address from a dynamic or static IP address range:

o For Microsoft DHCP ranges, IPAM queries the corresponding DHCP server in real-

time to finding an available IP address. The logged in user must have at least DHCP

Users privileges on the DHCP server to complete this action. If the IP address found

is already reserved/allocated in the IPAM database, IPAM discards it and goes on to

find another available IP address.



13

o For any other range, IPAM queries the local IPAM database to find an available IP

address.

• Further validation of free IP address using ping – expect no reply, and DNS lookup – expect

no record found. Anomalies to the expected result are called out so that appropriate action

can be taken to synchronize the IPAM IP address inventory with the DNS records and

servers active on the network.

• Allocate the free IP Address and maintain its state as active/inactive/reserved or any other

custom state value. Tag the assignment type of IP address as static/dynamic/VIP/auto.

• Configure appropriate assignment date for the IP address

• Assign and track IP address lifetime by assigning an expiry date to the IP address. By

default, the expiry date is not set and the address is assumed to be valid indefinitely.

• Visualize addresses as – not expired, expiry due, expired based on the configured expiry

date for the address and the system-wide configurable threshold for expiry log settings.

The IP address transitions to expiry due state ‘x’ days before the configured expiry date,

where ‘x’ is the expiry alert threshold.

• Receive alerts on changing the expiry status of address is a configurable setting to receive

expiry alerts periodic or only on state changes.

• Manage all DHCP reservations from a central console. Create/delete DHCP reservations for

IP addresses

• Manage all DNS records from a central console. Create/delete DNS A/AAAA records for IP

addresses. Create/delete DNS PTR records for IP addresses

• Build upon import and update functionality of IPAM to populate the IP Address inventory

view leveraging IPAM Windows PowerShell

o Periodically import and update the IP address inventory from third party systems

like SCVMM or other virtual address management systems

o Periodically import and update the IP address inventory from DHCP reservations

on Microsoft DHCP or third party DHCP servers

o Periodically import and update the IP address inventory from DNS records on

Microsoft DHCP or third party DNS servers

• Detect duplicate IP addresses. IPAM allows creation and management of duplicate IP

addresses (assuming your internal network has valid scenarios around maintaining

duplicate IPs)

• Automatically map IP addresses to the corresponding IP range

• Tag basic and custom configuration fields against IP addresses

• Reclaim IP addresses from selected IP address ranges using the reclaim wizard



Address Space Data Import

IPAM supports flexible schema for importing IP address, IP address range and IP address

block entries from a comma separated value (csv) file. The field names list in the header of

the csv file should match the IPAM field names corresponding to the entity being imported.

You can add new fields into IPAM using the custom field support. Column names can be

ordered in any way in the csv file.

IPAM supports the following two types of import –

Regular import operation for IP addresses, IP address ranges and IP address blocks –

new records are added and existing records are edited during this operation. This

Windows PowerShell cmdlet imports IP address range objects from the specified csv

file into the IPAM server. IPAM does not support import of IP address ranges whose

Managed By Service value is MS DHCP since this is reserved for DHCP scopes

automatically discovered by IPAM from the managed Microsoft DHCP servers.

Import and update operation for IP addresses belonging to the specified IP range –

Along with adding new addresses and editing existing addresses as in the case of

regular IP address import, this operation deletes those addresses from IPAM which

map to the specified IP address range, but are not present in the csv being imported. A

typical scenario for this operation can be to periodically import and synchronize DHCP

lease or DNS record information from servers into IPAM.

Import and update operation for IP address ranges belonging to the specified Managed

By Service and Service Instance values – Along with adding new ranges and editing

existing ranges as in the case of regular IP address range import, this operation deletes

those ranges from IPAM which have the same value of Managed By Service and

Service Instance fields but are not present in the csv being imported. IPAM provides

you the option of deleting the IP addresses mapping to the IP address ranges that are

deleted during this import operation. A typical scenario for this operation can be to

periodically import and synchronize IP pool or DHCP scope information from systems

like SCVMM and third party DHCP servers.

The UI import-export supports localized format while the Windows PowerShell import-

export supports fixed English format for the csv field names and values. Interoperability

between both formats is supported. The general rules for Windows PowerShell import-

export fixed schema is as follows:

1. Field names will be the same as English localized resource names of the corresponding

entries in IPAM. However, blank spaces in the field name will be omitted to comply with

the Windows PowerShell object header name convention. IP address import in fixed format

is identified by the presence of the mandatory field IPAddress in the csv file. Similarly, IP

address range import in fixed format is identified by the presence of the mandatory field

NetworkId in the csv file. The corresponding field names for localized English schema

import are IPAddress and Network respectively.



15

2. Enum value names will be same as English localized resource names of the corresponding

values in IPAM. Enum value in this context refers to built-in custom field values and built-in

enumeration field values such as utilization, expiry status, etc. Fixed format names for

values of built-in custom field Country is not supported and the input-output for this field

will always be localized.

IPAM generates an error csv file with details about records that failed to import along with

the reason for failure. By default, this error file is generated in the Documents folder of the

user’s profile.

Windows PowerShell support for IP range import

IPAM supports the following Windows PowerShell cmdlets for range import:

Import-NamsRange [-Path] <string> [-AddressFamily] <string> [-ErrorPath <string>] [-Force] Import-NamsRange [-Path] <string> [-AddressFamily] <string> [-ManagedByService] <string> [-ServiceInstance] <string> [-AddManagedByService] [-AddServiceInstance] [-DeleteMappedAddresses] [-ErrorPath <string>] [-Force]

The AddressFamily parameter specifies if the csv contains IPv4 or IPv6 records. Only one

address family can be specified at a time with this cmdlet, and the records in the csv should

match the specified AddressFamily. The Path parameter is used to specify the csv file

containing IP address range objects that need to be imported. The Force switch can be used

with the cmdlet to suppress the default confirmation text. The ErrorPath parameter

specifies the literal path (and not name) of the error csv file which will be created if one or

more records fail to import. The file name is generated automatically by IPAM for the error

csv file. The default value of ErrorPath is the Documents folder of the user.

The cmdlet supports two parameter sets. The default invocation of the cmdlet adds new IP

address range objects from the csv into IPAM and edits the existing address ranges with

updated information specified in the csv. The second parameter set can be used to

periodically import and update all IP address range objects that belong to the specified

unique combination of ManagedByService and ServiceInstance parameters. This

parameter set provides the option of deleting the IP addresses mapping to the IP address

ranges that are deleted during import by using the DeleteMappedAddresses switch.

Import and update of IP address ranges for the specified ManagedByService and

ServiceInstance will succeed if these values are present in IPAM at the time of import. The

parameters AddManagedByService and AddServiceInstance can be used to create the

specified ManagedByService and ServiceInstance values within IPAM at run time before

the import operation, if not already present in IPAM.

Management and Monitoring of DHCP and DNS

IPAM enables administrators to monitor hundreds of DNS and DHCP servers spread across

various regions from a centralized console. Administrative tasks are frequently repetitive,

such as altering a scope option setting on multiple DHCP scopes. The ability to execute such



tasks uniformly across servers reduces both the effort involved as well as the probability of

error. Administrators can use the IPAM multi server management (MSM) view to easily edit

and configure key properties of multiple DHCP servers across the organization,

simultaneously. This functionality does not require installation of additional agents or

software on the target servers.

IPAM uses DHCP and DNS RPC for monitoring and management functionality. The logged in

user must have appropriate administrative privileges on the target server in order to perform

any configuration change on the target server using IPAM UI or by launching the MMC from

IPAM. The data collection and monitoring functions do not require any special privileges on

the target server for the logged in user.

DHCP Server Management

IPAM allows managing multiple DHCP servers from a central console. The following actions

are available for DHCP servers:

Edit DHCP Server Properties - This allows setting a number of server properties of the

DHCP server

Edit DHCP Server Options - Allows addition, deletion or editing of options at the

servers level. Action can be performed on multiple DHCP servers simultaneously to

update multiple options across servers.

Create DHCP scope - Create a scope on a DHCP server, and set numerous scope

properties.

Configure predefined options and values - Create predefined options and set option

values. Select one or more servers and launch the action to configure predefined options

on multiple servers simultaneously

Configure User Class - Multi-select servers and launch the action to configure user

classes on multiple servers simultaneously.

Create and edit new and existing user classes - Multi-select servers and launch the

action to configure user classes on multiple servers simultaneously.

Configure Vendor Class - Multi-select servers and launch the action to configure user


Launch MMC - Launch the MMC for the selected DHCP server

Retrieve server data - Multi-select servers and launch the action to retrieve server

data from the selected set of servers.

DNS Server Management

IPAM allows launching MMC for DNS servers from a central console. The actions that can be

performed on DNS servers are as below:

Launch MMC - Launch the MMC for the selected DNS server



17

Retrieve server data - Multi-select servers and launch the action to retrieve server

data from the selected set of servers.

Multi-Entity Management

A primary benefit of IPAM functionality is its ability to simultaneously manage multiple DHCP

servers or DHCP scopes spread across one or more DHCP servers. This significantly reduces

the administrative effort needed by eliminating repetitive steps and reducing the possibility

of error during these operations. Some of the advanced multi-edit constructs are explained

below:

Create/Overwrite/Delete User Class on multiple DHCP servers simultaneously

Create/Overwrite/Delete Vendor Class on multiple DHCP servers simultaneously

Add/Edit/Delete Predefined Options and Values on multiple DHCP servers

simultaneously

Edit DHCP server properties like DNS update settings and DNS credentials on multiple

DHCP servers simultaneously

Add/Overwrite/Delete/FindAndReplace multiple DHCP options across multiple DHCP

servers simultaneously

Edit DHCP scope properties such as DNS updates, lease duration, and advanced

properties on multiple DHCP scopes spread across multiple DHCP servers

simultaneously

Add/Overwrite/Delete/FindAndReplace multiple DHCP options on multiple DHCP

scopes spread across multiple DHCP servers simultaneously

Activate/Deactivate multiple DHCP scopes spread across multiple DHCP servers

simultaneously

Server Monitoring

The IPAM monitoring view provides the ability to view from a single console the status and

health of selected sets of Microsoft DNS and DHCP servers. The monitoring view of IPAM

displays the basic health of servers along with recent configuration events that occurred on

these servers. The monitoring view also provides the ability to organize the managed servers

into logical sever groups.

Note: The custom field tagging can only be done for DHCP servers from the Monitor and Manage console by invoking the Edit DHCP Server Properties dialog. Both DHCP and DNS servers can be configured with custom field values from the Server Inventory view using Edit Server dialog.

Basic configuration settings are displayed in the view and in the preview panes in the server

monitoring view. For DHCP servers, the server view enables tracking of various server

settings, server options, number of scopes, and number of active leases, that are configured

on the server. For DNS servers, the view enables tracking of all zones configured on the



server along with details of the zone type. The view also allows you to see the total number of

zones configured on the server, as well as overall zone health status as derived from the zone

status of individual zones on the server.

IPAM also facilitates periodic service monitoring of DHCP and DNS service status from a

central console. The service status is appropriately displayed as Running, Stopped, or

Paused for each managed server in the DHCP and DNS Servers view.

If the server role is running and IPAM still shows the availability state as Not Reachable,

ensure that –

The service is running on the managed server as expected

There is proper network connectivity to the managed server

Remote service management firewall ports are open

IPAM machine SID (or IPAMUG SID for GPO provisioning) is added to the service ACL

DNS zone monitoring

IPAM enables DNS zone monitoring for DNS forward and reverse lookup zones. The zone

status is derived by IPAM based on zone events.

Forward Lookup node –

o IPAM displays a list of all forward lookup zones that are hosted by managed DNS

servers with their overall status based on status from all the servers hosting that

zone, as well as duration that the zone has been in that state. The zone status for

all servers is shown as OK if the zone is being serviced by each of the

Authoritative servers. The zone status for all servers is shown as Warning, if

one or more authoritative servers is not servicing the zone. The zone status for

all servers of the zone is shown as Error if none of the authoritative servers are

servicing the zone. An authoritative server is considered to be servicing the zone

if the zone status of the zone on that server and the server availability state of

the server are not in red state.

o IPAM also displays a list of all authoritative servers for that zone in the preview

pane along with the zone type and zone health status information.

DNS zone node –

o IPAM enables automatic hierarchical navigation of forward lookup zones. For

the zone selected on the navigation tree, all DNS servers hosting the zone are

displayed. IPAM displays the zone status on that server and the status duration.

Other details such as zone type, server availability, and IP address are displayed.

IPAM also provides a catalog of all zone events from the server to assist with

troubleshooting.



19

IPv4 Reverse Lookup node - IPAM enables the user to visualize all IPv4 reverse lookup

zones configured on the managed DNS server. A list of all authoritative servers hosting

the selected reverse lookup zone is presented in the preview pane.

IPv6 Reverse Lookup node - IPAM enables the user to visualize all IPv6 reverse lookup

zones configured on the managed DNS server. A list of all authoritative servers hosting

the selected reverse lookup zone is presented in the preview pane.

Note: IPAM does not support reverse lookup zone health monitoring.

Event Catalog

In a distributed network with multiple DHCP servers, the task of monitoring configuration

changes across the infrastructure can be challenging. Individual servers log configuration

events in their log channel which roll over periodically and are difficult to query and track

centrally.

IPAM event catalog provides a centralized repository to audit all configuration changes

performed on DHCP servers managed from a single IPAM management console. Another

console in event catalog gathers all of the configuration events from the IPAM configuration

event channel.

These configuration event catalogs provide the ability to view, query and generate reports of

the consolidated configuration changes, along with details specific to each record. IPAM audit

tools enable monitoring for any potential misconfiguration of the IP infrastructure by

leveraging network audit logs for tracking and reporting of any administrative actions

required. The advanced query and filtering support from IPAM enables tracking of Service

Level Agreements (SLAs) based on time, administrator identity, server name and additional

detail from a single console.

The IP address management audit specifically provides for:

Periodic and on-demand configuration event data collection from DHCP and IPAM

servers.

Enterprise wide view of all configuration changes on DHCP servers made by

administrators with the following details –

o Event ID

o Time of event

o DHCP server name (from where the event is collected)

o User name (who made the change)

o Domain name of the user

o Description of the event



In addition to the event parameters listed above, IPAM provides advanced query

constructs within the event Description field for filtering DHCP configuration events

such as scope id, scope name, option id, option name, and reservation address.

Enterprise wide view of all configuration changes on IPAM servers made by

administrators with the following details –

o Event ID

o Time of event

o User name (who made the change)

o Domain name of the user

o Description of the event

o Task category (server discovery, address space management, etc.)

o Keywords (server, IPv4-range, etc.)

o Opcode (add, delete, etc.)

In addition to the event parameters listed above, IPAM provides advanced query

constructs within the event Description field for filtering IPAM configuration events

such as network id, IP address, group name, and custom field name.

Data purge facility for event catalog database tables to clean up disk space (after backup

if intended). You can select the time window before which data must be purged and the

data type (IPAM configuration, DHCP configuration, IP address tracking). It is advisable

to schedule the data purge operation in the night or at the time when IPAM activity is

low.

IP Address Tracking

In certain network forensics scenarios, it is useful to establish a trail of the computers or

devices used by a user within a specific time. In an environment where IP addresses are

dynamically assigned using DHCP, the IP addresses assigned to devices on a network are

temporary and can change over time. IP addresses do not necessarily uniquely identify a

computer or device. A host name assigned to a computer or device can also change, and

cannot be relied upon for unique device or computer identification. Establishing a

comprehensive record or trail of the computers or devices used by a user within a specific

period, complete with IP address, host name, and MAC (Media Access Control)/DUID (DHCP

Unique Identifier) address of a computer or device may be difficult or impossible if based

solely on IP lease events.

A DC or NPS server logs events for user and machine authentication, which also identify the

IP address from which an authentication request was received. An intelligent audit system

that collects and maintains a historical trail of IP address lease events from the DHCP server

and authentication events from DC and NPS servers can help administrators to track and

associate IP addresses with the users and devices in their environment.



21

The IP address tracking feature of IPAM enables you to select a search criteria, such as IP

address, client ID (MAC/DUID), host name or user name, and specify a query time interval in

terms of start and end date and time. IPAM intelligently correlates results from the repository

of DHCP leases and DC/NPS logon events based on advanced algorithms to provide the

results. This enables you to search events for a given time frame and obtain results mapping a

user account to particular devices identified by the IP address, MAC address, and/or host

name.

The IP address tracking feature collects the following events to build the search database:

DHCP lease events: new lease, renew lease and lease expiry events from the DHCP audit

log of the managed DHCP servers

Windows security event ID ‘4768- Kerberos authentication ticket (TGT) was requested’

from domain controllers

Windows security event ID ‘672 - An authentication service (AS) ticket was successfully

issued and validated’ from NPS servers

The IP address tracking feature enables two query modes over the specified time:

Exclude co-related logon and lease events - All direct matches to the search criteria

between the specified search start time and end time from the DHCP lease logs collected

in the IPAM database are returned. This mode is supported for all search pivots except

User Name.

Include co-related logon and lease events - All the co-related lease and logon logs

based on intelligent processing are returned along with the direct search matches on

the specified search criteria are returned. This mode is supported for all searches.

Note: The events displayed in the query result are +/- 5 minutes from the search period specified. This is done to accommodate server time lags or discrepancies between IPAM and managed servers. The timestamp of events collected from managed DHCP, DC and NPS servers is stored in UTC in the IPAM database. The timestamp on the events mined as the result of the search operation is displayed in the context of the time and time zone configured on the IPAM client.

The advanced co-relation logic used by IPAM is comprised of three main steps briefly

explained below:

Step 1: Finding all DHCP lease events based on direct match –

For user name based search, IPAM finds the co-related host names based on logon events and

then uses the host name to determine the valid DHCP lease events to be used for further co-

relation.

Step 2: Deriving DHCP lease chunks for the specified search interval –

Using the various new lease, release, and/or expire lease events determined for the specific

IP address, different distinct lease period start and end values can be ascertained. Such

different lease periods are referred to as lease chunks. Each ascertained lease chunk will



have an IP address, MAC address and host name associated with it, picked up from the DHCP

lease event logs.

Step 3: Obtain co-related events for each of the derived lease chunks -

For each of the ascertained lease chunks, a query is then made of the authentication events

collected in the data store to find events that match common elements, which could be one or

more of the IP address, MAC address, or host name within the specified lease chunk. Using

multiple different common elements for the search returns additional correlated information.

Advanced UI features

• Group navigation control - Divides the data into major functional areas followed by

entities/views. The lower navigation tree further arranges the entities into appropriate

pivots such as subnets or logical groups.

• View switcher on management list – To toggle the view between associated entities, for

example Servers and Scopes or Address Range and Blocks.

• Customize the default view - Add or remove columns of your choice in the default view

displayed. All built-in and user-defined basic and custom fields are available for selection in

the view.

• Group by functionality – Select to group the view using the selected criteria

• Ordering – Order the displayed rows based on any field.

• Support for free format query on all fields – Start typing any value in the search pane to

return the matching string search results filtered from the displayed rows

• Advanced query/filtering support – Use multiple criteria to create advanced queries. Select

between advanced comparison constructs for each query criteria. Save the query along

with customized view and reload it later.

• Export filtered records into csv reports

• Dedicated event catalog monitoring for each address space entity, servers, scopes and zone,

in the preview pane for each row selected

Limitations

The Windows Server "8" Beta IPAM implementation does not provide a global solution for

every possible management scenario. Notable limitations are listed below.

• Supports only Microsoft DHCP, DNS, DC, and NPS servers running Windows Server 2008

and above

• IPAM supports only domain joined DHCP, DNS and NPS servers.

• Supports management of DHCP and DNS servers in a single AD forest

• Supports only Windows Internal Database, and no external database is supported

• IP address utilization trend is provided only for IPv4



23

• IP address reclaim support is provided only for IPv4

• The IPAM provisioning method cannot be modified after completion of the provisioning

wizard

• The only management features supported for DNS are DNS A/AAAA and PTR record

creation and deletion.

• Limited support for Windows PowerShell - only a subset of functionality is enabled

through the Windows PowerShell interface.

• Advanced DHCP management features such as failover management, Policy Based

Assignment (PBA) management, and backup and restore are not supported. You can launch

the DHCP MMC from within the IPAM console to initiate these operations.

• DNS management features beyond creation and deletion of A/AAAA and PTR records are

not supported. You can launch the DNS MMC from within the IPAM console to initiate these

operations.

• Automatic DHCP lease enumeration is not supported by the IPAM data collection tasks.

• Automatic DNS record enumeration is not supported. You can enable this scenario by

building upon IPAM periodic address import features available from IPAM Windows

PowerShell cmdlets.

• Granular delegated administration is not supported by IPAM.

Technical Overview

IPAM Architecture

IPAM is comprised of two main modules, which are available as two Server Manager features:

IPAM Server – This feature provides the IPAM backend, which implements periodic data

collection tasks to gather configuration and event information from managed servers. It

also manages the relational database hosted in the Windows Internal Database (WID)

and the Windows Communication Foundation (WCF) server endpoint, which enables

remote management of the IPAM server, provides the IPAM Windows PowerShell

module, and implements role based access control.

IPAM Client – This feature includes the IPAM client UI component that interacts with the

IPAM server to perform remote management using the WCF. The IPAM client also

directly invokes the relevant Windows PowerShell interfaces to interact with DHCP

server for configuration tasks, with DNS server for record management, and with group

policy for security filter list synchronization.

The IPAM client UI communicates with the IPAM server to perform remote management. This

is done using the WCF with TCP as the transport. Specifically, the NetTcpBinding is used. See

WCFBinding-MSDN for more detail on the various bindings and their capabilities. The TCP

binding is performed on port 48885 on the IPAM server. This port number falls into the

“Registered Ports” range of IANA but is not currently assigned. The default port choice is not

http://msdn.microsoft.com/en-us/library/ms733027.aspx



made from the ephemeral port range, as this server-side functionality that the socket is

listening for traffic at all times once the server feature is enabled.

When there is a port conflict or there is a need to reconfigure the server port, the port

number on the server can be configured. Prior to connecting to the IPAM server, the client UI

queries the configured server port by using a Windows PowerShell cmdlet provided by IPAM.

This leverages Windows PowerShell remoting. Windows PowerShell remoting is built on the

WinRM layer, which is enabled by default. IPAM Windows PowerShell cmdlets get-

ipamconfiguration and set-ipamconfiguration can be leveraged to get and set the WCF

communication port respectively.

The figure below illustrates high level IPAM architecture.

Figure 2 IPAM High Level Architecture

IPAM also allows you to specify the group policy objects to manage the DHCP/DNS/NPS/DC

server configuration for use with IPAM during setup. These group policy objects must be

created in advance for each server role (DHCP, DNS, DC/NPS). The security filtering lists for

these group policy objects will be updated when the servers are enabled or disabled for

management through the IPAM console.

The IPAM server communicates with all the managed DHCP servers to get the DHCP scope

utilization for both IPv4 and IPv6 (stateless as well as stateful), server configuration and

scope configuration using DHCP Windows PowerShell commands. The DHCP Windows

PowerShell commands use Microsoft Dynamic Host Configuration Protocol (DHCP) Server

Management Protocol Specification [MS-DHCPM] to communicate with the DHCP server.

http://msdn.microsoft.com/en-us/library/cc402664(v=PROT.10).aspx



25

The DHCP address lease information is available in an audit log file on the DHCP server. The

IPAM server retrieves the address audit text file (for both IPv4 as well as IPv6) using the SMB

protocol. This text file is parsed to get the address assignment information. The address audit

text file for IPv6 clients (stateful and stateless) is available only in Windows Server "8" Beta

DHCP servers. The DHCP server generates events for auditing the configuration changes. The

IPAM server reads the configuration changes from the DHCP server event log and EventLog

Remoting Protocol Version 6.0 Specification [MS-EVEN6] is used for reading these events.

The IPAM server also retrieves the service status of the DHCP/DNS servers using the Service

Control Manager Remote Protocol Specification [MS-SCMR] protocol.

The IPAM server communicates with DNS servers to get the server configuration and DNS

zone settings. The DNS Windows PowerShell commands use Domain Name Service (DNS)

Server Management Protocol Specification [MS-DNSP] to communicate with the DNS server.

The IPAM server communicates with DCs to get the logon events. Whenever a user

authenticates with DC, a logon event is generated and the IPAM server collects these events

for audit trail analysis. The remote event collection uses [MS-EVEN6]. In order to discover the

DHCP servers, the IPAM server reads the DHCP server list stored in the DHCPServers group

contained in the NetServices container

(CN=NetServices,CN=Services,CN=Configuration,DC=domain,DC=com) in AD. The IPAM

server reads the DHCPServers group using the LDAP protocol. LDAP is also used to query the

list of domains. This list of domains is used for discovering the DNS servers.

The IPAM server communicates with NPS server to get the authentication events. Whenever

NPS authenticates a user, it generates an authentication event. The IPAM server collects these

events for audit trail analysis. The remote event collection uses [MS-EVEN6].

The following table lists the different interactions between the IPAM system and other

servers.

Managed Role From IPAM component

Protocol Comments

DHCP IPAM Server MS-DHCPM/MS-EVEN6 /MS-SMB /MS-SCMR

IPAM server interacts with DHCP server to perform IP address utilization, DHCP server configuration retrieval, DHCP server monitoring and IP address audit trail data.

DHCP IPAM Client MS-DHCPM IPAM Client uses MS-DHCPM (used by Windows PowerShell provider) to remotely manage the DHCP servers.








DHCP address audit file (IPv4/IPv6)

IPAM Server MSSMB DHCP address lease information is stored in a file and IPAM retrieves this file. This qualifies as a new file format protocol.

DNS IPAM Server MS-DNSP/[MS-EVEN6]

IPAM server interacts with DNS server to perform DNS server configuration retrieval, DNS server monitoring.

DNS IPAM Client MS-DNSP IPAM client uses MS-DNSP (used by Windows PowerShell provider) to remotely manage DNS servers.

AD IPAM Server RFC2251/MS-EVEN6

IPAM server interacts with AD server to perform discovery of DHCP and DNS server and IP address audit trail data.

NPS IPAM Server MS-EVEN6 IPAM server interacts with NPS server to perform IP address audit trail data.

DC IPAM Client MS-GPOL IPAM client uses the MS-GPOL to configure the administrator specified group policy object with the list of servers that are enabled for management through IPAM.

DC IPAM Client RFC2251/LDAP Used to retrieve server information from the machine object in AD (such as machine GUID, OS installed etc.)

IPAM Server IPAM Client [MS-PSRP] Used to query the server-port configuration from the IPAM server using the Windows PowerShell cmdlet for the same.



27

IPAM Local Security Groups

IPAM setup creates appropriate security groups to isolate and restrict the permissions

available to different sets of IPAM administrators and users. The installation process creates

local security groups on the IPAM server, which provide permissions required for

administering and using the multiple services employed by IPAM. For example, IP lease audit

collection could be restricted to a specific set of administrators only. It is possible to display

MSM configuration data to all DHCP Users, while MSM configuration rollout itself may be

restricted to only a relevant subset of administrative accounts.

IPAM installation automatically creates the following local user groups:

Group Name Description

IPAM Users

Members of this group can view all information in server

inventory, IP address space, and server management consoles

of IPAM. They can view IPAM and DHCP server operational

events, but cannot view IP address tracking information.

IPAM MSM Administrators

Members of this group have all the privileges of IPAM User group and can perform IPAM common management tasks as well as server management tasks.

IPAM ASM Administrators

Members of this group have all the privileges of IPAM User group and can perform IPAM common management tasks as well as server management tasks.

IPAM IP Audit Administrators

Members of this group have all the privileges of IPAM User group and can view IP address tracking information.

IPAM Administrators

Members of this group have privileges to view all IPAM information and perform all IPAM tasks.

Note: In order to perform the Find Available IP task of IPAM address space management on a DHCP range, the user must additionally have DHCP Users privileges on the relevant DHCP server. Only IPAM Administrators can perform the Purge Event Catalog Data task. IPAM IP Audit Administrators do not have this privilege. IPAM MSM Administrators can edit IP address range information for MS DHCP ranges in the IP Address Space console.

IPAM Tasks and Service Account

IPAM schedules the following tasks to retrieve data from managed servers:



ServerDiscovery - Automatically discovers domain controllers, DHCP servers and DNS

servers in the domains you select.

ServerConfiguration - Collects configuration information from DHCP and DNS servers

for display in IP address space and server management functions.

AddressUtilization - Collects IP address space usage data from DHCP servers for display

of current and historical utilization.

Audit - Collects DHCP and IPAM server operational events. Also collects events from

domain controllers, NPS, and DHCP servers for IP address tracking.

ServerAvailability - Collects service status information from DHCP and DNS servers.

ServiceMonitoring – Collects DNS zone status events from DNS servers.

AddressExpiry – Tracks IP address expiry state and logs notifications.

All Windows tasks required for IPAM services need to present credentials to the managed

node for authentication before accessing protected data and logs from server roles. For

example, accessing event logs on the managed server nodes requires that the IPAM tasks

authenticate under the context of a member of the Event Log Reader security group on the

target node. All IPAM tasks launch under the Network Service account, which presents the

local computer’s credentials to remote servers.

During installation, IPAM tasks are added with the following default frequency of execution,

which can be modified from the Task Scheduler from the path – Task Scheduler Library ->

Microsoft -> Windows -> IPAM

Task Name Frequency For Duration

ServerDiscovery 1 Day Indefinitely

AddressUtilization 2 Hours Indefinitely

Audit 1 Day Indefinitely

ServerConfiguration 6 Hours Indefinitely

ServerAvailability 15 Minutes Indefinitely

ServiceMonitoring 30 Minutes Indefinitely

AddressExpiry 1 Day Indefinitely

Apart from periodic data gathering IPAM also supports on-demand data refresh from all the

servers in its scope or only from a subset of servers in context of the selected entity for which

data retrieval has been triggered. IPAM further supports on demand data refresh for specific

functional areas such as address space or event catalog. The following on-demand data

retrieval actions are supported by IPAM:



29

Action Name Type Scope Launch Point Periodic Tasks Run

Start Discovery

Non-Contextual

Across all configured domains

‘Manage’ Menu ServerDiscovery

Retrieve All Server Data

Non-Contextual

All servers (and server roles) managed by IPAM

‘Manage’ Menu OR ‘Tasks’ Menu in ‘Server Inventory’ view

All tasks except Discovery

Refresh Server Access Status

Contextual Selected server(s) Right click menu on (multi)selecting servers in the ‘Server Inventory’ view

Discovery task for access status(es) check

Retrieve All Server Data

Contextual Selected server(s) Right click menu on (multi)selecting managed servers in the ‘Server Inventory’ view

All tasks except Discovery

Retrieve Address Space Data

Non-Contextual

All DHCP servers managed by IPAM

‘Tasks’ Menu in ‘IP Address Space’ view

ServerConfiguration, AddressUtilization, AddressExpiry, Audit

Retrieve Address Space Data

Contextual (Multi)Selected IPAM ranges (and associated DHCP servers)

Right click menu on (multi)selecting ranges in the ‘IP Address Space’ view

ServerConfiguration, AddressUtilization, AddressExpiry, Audit

Retrieve Server Data

Non-Contextual

All DHCP and DNS servers managed by IPAM

‘Tasks’ Menu in ‘Monitor and Manage’ view

ServerConfiguration, ServerAvailability, ServiceMonitoring, Audit

Retrieve Server Data

Contextual (Multi)Selected servers (or servers associated with (multi) selected scopes or zones)

Right click menu on (multi)selecting servers, scopes or zones in the ‘Monitor and Manage’ view

ServerConfiguration, ServerAvailability, ServiceMonitoring, Audit

Retrieve Audit Data

Non-Contextual

All DHCP, DC and NPS servers managed by IPAM

‘Tasks’ Menu in ‘Event Catalog’ view

Audit



Installing and Provisioning IPAM

Deployment Considerations

IPAM is an agentless multi-server, multi-service management feature and leverages standard

Windows remote management protocols to manage, monitor and collect data from the

distributed servers in the enterprise. IPAM must be installed on a domain member computer.

IPAM relies on a host of remote management technologies to provide full functionality.

Various IPAM modules need to communicate with multiple network elements throughout the

enterprise for data gathering and configuration management. Depending on the scope of

managed elements, this communication may need to traverse multiple security boundaries or

domains.

Important: IPAM does not support multi-forest topology. All domains in a single Active Directory forest can be managed.

IPAM supports the following topologies for deployment in an enterprise:

Distributed: An IPAM server deployed at every site in an enterprise

Centralized: One IPAM server in an enterprise

Hybrid: Central IPAM server deployed alongside dedicated IPAM servers per site

There is no automatic built-in communication or database sharing between different IPAM

servers in the enterprise. If multiple IPAM servers are deployed, you can customize the scope

of discovery for each IPAM server, or filter the list of managed servers.

Note: If required, you can leverage the IPAM Windows PowerShell based export-import mechanism to periodically update IPAM range and address information between multiple IPAM instances running across the enterprise.

You can choose to limit the IPAM scope, depending on the deployment. A single IPAM server

may be implemented to manage IP addressing for the entire enterprise. Alternately, an IPAM

server may be deployed at every geographical site in the enterprise, or in each child domain

in the AD forest. If multiple IPAM servers are used, you can limit the server discovery and

management scope of each to include only infrastructure servers managed by the individual

IPAM installations.

The IPAM server manages and monitors the DHCP and DNS servers within the site or child

domain, and collects the forensics information from DHCP, DC and NPS servers. IPAM

correlates and stores the collected information in the IPAM server’s local database using

Windows Internal Database (WID).



31

Figure 3 IPAM Multi-Site Hybrid Deployment Model

Installation Process – IPAM Server

The Windows Server "8" Beta IPAM feature integrates with the Server Manager console for

installation and uninstallation. The Server Manager console eases the task of managing and

securing multiple server roles through the Add Roles and Features Wizard.

Note: You cannot install the IPAM server feature on an Active Directory domain controller.

Installing IPAM on a physical server with co-located DHCP server role is not

recommended. This negatively impacts the DHCP server discovery function of IPAM.

Installation UI/Wizard

In Server Manager, Dashboard, click Add roles and features.



Figure 4 Server Manager Dashboard

Click through the Add roles and features wizard screens to select Role or Feature Based

Install and the target server. On the Select Features screen, select IP Address Management

(IPAM) Server. Click Add Features when prompted.

Figure 5 Add Roles and Features Wizard – IPAM Server Selection

IPAM installation ensures that all IPAM dependencies are also installed at the time of

installation. IPAM Installation is not successful unless all the dependent modules are first

installed. Installation dependencies include the following:

Feature or Tool Description

Remote Server Administration Tools

DHCP and DNS Server Tools provides for remotely managing DHCP and DNS servers.

Windows Internal Database Windows Internal Database is a relational data store that can be used only by Windows roles and features.



33

Feature or Tool Description

Windows Process Activation Service

Windows Process Activation Service generalizes the IIS process model, removing the dependency on HTTP.

Group Policy Management Group Policy Management is a scriptable Microsoft Management Console (MMC), providing a single administrative tool for managing Group Policy.

.NET Framework 4.5 Features .NET Framework 4.5 provides a programming model for building and running applications designed for several different platforms.

IPAM Client (optional) For managing any local or remote IPAM server.

The IPAM dependency list dialog allows you to select the installation of IPAM client along

with installation of the IPAM server feature using the checkbox Include management tools

(if applicable). By default, IPAM client is pre-selected for installation along with IPAM

server.

After selecting Install in the wizard, installation progress is shown until the feature is

installed successfully.

Figure 6 Installation Progress



Verifying Installation

When the Add Features wizard completes, it will display a message indicating that the

installation succeeded. IPAM server can now be managed using local or remote instance of

IPAM client UI.

Figure 7 Successful Installation Confirmation

Uninstalling/Disabling

The Windows Server "8" Beta IPAM feature integrates with the Server Manager console for

installation and uninstallation. The console eases the task of managing and securing multiple

server roles through the Remove Roles and Features Wizard. The IPAM uninstallation

process ensures that all IPAM dependencies are removed, and that all IPAM local security

groups and scheduled tasks are deleted. Uninstallation also ensures that the IPAM database is

detached from WID and all the database data and schema files are deleted.



35

Figure 8 Remove Roles and Features Wizard

Installation Process – IPAM Client

Although the IPAM client feature is automatically installed on a Windows Server "8" Beta

server, along with installation of the IPAM Server feature, this component can also be

installed or uninstalled on its own. Click through the Add roles and features wizard screens to

select Role or Feature Based Install and the target server. On the Select Features screen,

select Remote Server Administration Tools -> Feature Administration Tools -> IP

Address Management (IPAM) Client. Click Add Features when prompted.



Figure 9 Add Roles and Features Wizard – IPAM Client Selection

In order for the IPAM client to connect to an IPAM server, you must ensure that the target

IPAM server is added to the Server Manager purview using the Add Servers wizard launched

from the Manage menu. If both IPAM client and IPAM server are running on the same server,

then by default the IPAM UI connects to the local IPAM server instance.

Note: A domain user connecting to the IPAM server from a remote IPAM client must be a member of the ‘WinRMRemoteWMIUsers__’ group on the IPAM server, in addition to being a member of the appropriate IPAM security group. IPAM client is an integrated component with the Server Manager RSAT. Server Manager RSAT is also available for download and installation on a Windows 8 Consumer Preview client machine. The IPAM node will appear in the Server Manager navigation tree by default on the Windows 8 Consumer Preview client RSAT.

IPAM Provisioning

IPAM installation sets up various periodic data collection tasks to collect relevant data from

managed DNS, DHCP, DC and NPS servers to enable address space management, multi-server

management and monitoring and event catalog scenarios. All IPAM tasks launch under the

Network Service account, which presents the local computer’s credentials to remote servers.

To accomplish this, administrators must enable read access and security permissions for the

required resources over managed servers for the IPAM server’s computer account. Further

the relevant firewall ports need to be configured on these managed servers.

Note: The term IPAM scope in this context and throughout this document refers to the IP network elements (DHCP/DNS/NPS/DC servers within the forest) which are discovered or added, and activated for various IPAM services. In other words these are the ‘Managed’ server roles



37

within IPAM.

IPAM Access Settings

The following table provides a mapping of the IPAM functionality and managed server role

type to access setting and FW rule required by IPAM periodic tasks:

Role Type Access Setting FW Rule Associated IPAM functionality

DHCP

Membership of ‘DHCP Users’ security group

DHCP Server (RPC-In)

DHCP Server (RPCSS-In)

DHCP address space, settings and utilization data collection

Read access in the ‘DHCP Server’ service ACL

Remote Service Management (RPC)

Remote Service Management (RPC-EPMAP)

DHCP Service monitoring

Membership of ‘Event Log Readers’ security group

Remote Event Log Management (RPC)

Remote Event Log Management (RPC-EPMAP)

DHCP configuration event monitoring

Creation of Network share ‘dhcpaudit’ of the DHCP audit file location (default location for logs is %windir%\system32\dhcp) and read access on the same

File and Printer Sharing (NB-Session-In)

File and Printer Sharing (SMB-In)

DHCP lease event collection for IP address tracking

DNS

Read access in the domain wide DNS ACL* (for DC co-located DNS servers)

OR

Membership of local Administrators group on DNS server (for DNS servers not co-located with DC)

DNS Service RPC

DNS Service RPC Endpoint Mapper

DNS zone configuration collection


Read access in the ACL stored in the DNS CustomSD registry key



DNS zone event collection for DNS zone monitoring



Role Type Access Setting FW Rule Associated IPAM functionality

Read access in the ‘DNS Server’ service ACL

Remote Service Management (RPC)

Remote Service Management (RPC-EPMAP)

DNS service monitoring

DC/NPS




Logon event collection for IP address tracking

IPAM (local server)


N/A IPAM configuration event monitoring

Note: For DNS servers co-located with a DC, the RPC read access can be enabled by adding the IPAM machine account to the domain wide DNS ACL. This setting needs to be propagated only once for the entire domain and not for every individual DNS server.

Note: For access to local event logs on the IPAM server to enable the ‘IPAM Configuration Events’ cataloguing, the Network Service account is automatically added to the IPAM server’s ‘Event Log Readers’ group at the time of IPAM installation and provisioning.

IPAM Access Monitoring

IPAM access monitoring tracks the provisioning state of the following statuses on the server

roles, which are displayed in the details pane of the IPAM server inventory view:

Role Type Access Setting Tracked by Server Discovery

Access tracking field’s name in Server Inventory view

DHCP

Membership of ‘DHCP Users’ security group and corresponding remote management firewall rules enablement

DHCP RPC Access Status

Membership of ‘Event Log Readers’ security group and corresponding remote management firewall rules enablement

Event Log Access Status

Creation and read access of Network share ‘dhcpaudit’ of the folder where DHCP audit files are located and remote file transfer firewall rules enablement

DHCP Audit Share Access Status



39

Role Type Access Setting Tracked by Server Discovery

Access tracking field’s name in Server Inventory view

DNS

Read access in the domain wide DNS ACL and corresponding remote management firewall rules enablement

DNS RPC Access Status



DC/NPS



The following recommended actions are tracked by IPAM server inventory view related to access

settings:

Recommended Action Scenario Action Required

IPAM access Unblocked Server manageability status is Managed and overall IPAM access status is Allowed

No action required

IPAM access Blocked Server manageability status is Unmanaged and overall IPAM access status is Blocked

No action required

Unblock IPAM access

Server manageability status is Managed but overall IPAM access status is Blocked

Refer to sub-access status listed in the Details pane and provision the required access setting

Block IPAM access

Server manageability status is Unmanaged but overall IPAM access status is Allowed

Refer to sub-access status listed in the Details pane and un-provision the read access for IPAM

Set manageability status Server manageability status is Unspecified

Set server manageability status to Managed or Unmanaged

Note: The following access sub-statuses are not tracked by IPAM server inventory view in Windows Server "8"Beta.

- DNS zone event access

- DHCP server service access

- DNS server service



Additional Considerations

The IPAM server must collect DHCP lease events and DC/NPS logon events to enable IP

address tracking functionality. This section explains some of the deployment related details

to consider on the target DHCP, DC and NPS servers from which IPAM collects this

information.

DHCP audit file is generated by default in the %windir%\system32\dhcp folder, but the path

can be changed by editing IPv4 and IPv6 properties (Properties -> Advanced -> Audit log file

path setting). For IP addressing to work, the IPv4 and IPv6 audit log file path should both be

set to a common folder location. Ensure that the DHCP audit log file size is appropriately

configured to hold audit events for the entire day on the DHCP server.

Similarly, for DC and NPS servers, enable the required events for logging. The security log

settings determine enabling/disabling of these events. The relevant setting to enable logging

of these events is available under group policy (Computer Configuration -> Windows Settings

-> Security Settings -> Local Policies -> Audit Policy -> Audit Account Logon Events). For a

heavily loaded DC, ensure that the periodicity of IPAM AuditTask is less than the time

window in which the security logs on DC and NPS servers roll over.

Provisioning Methods

IPAM allows users to choose between manual or GPO based configuration of these access

settings on managed servers. Given the fair amount of administrative complexity in

configuring these settings, IPAM recommends using GPO based mechanism to automatically

provision IPAM access settings. Using GPOs for IPAM access provisioning also enables

ongoing automatic maintenance of these settings and adjustments to the changing needs and

alterations made to the IPAM scope.

Group Policy Based Provisioning

IPAM allows automated discovery of the required server roles across domains within the

forest. The IPAM setup process automatically defines and sets required remote management

permissions to enable administrative actions performed by IPAM tasks by applying relevant

pre-staged Group Policy Objects. After the initial configuration is completed, IPAM setup

processes regular updates so that the environment remains current across any incremental

scope changes.

For DHCP and DNS servers, IPAM GPOs are configured using a combination of standard GPO

settings and custom script that is maintained in the SYSVOL share. There were multiple

reasons to use the custom script for propagating some of the settings versus using the

standard GPO settings. These reasons are provided below:

To append and not replace any custom setting on the DNS and DHCP service ACL

To append and not replace any custom setting on the DNS event log CustomSD registry

entry



41

To configure the dhcpaudit network share on any non-default location configured on

the DHCP server

To ensure that the read access for the dhcpaudit share is enabled only for IPAM and not

for Everyone

To ensure that any localized string name for the DHCP Users group would be

automatically taken care of while adding the IPAM account

More Information: For details of GPO settings created by IPAM, refer to the GPO settings detail section of the Appendix to this guide:

GPO Based IPAM Provisioning - GPO Setting Details

Note: The IPAM GPO based access provisioning is done by creating a universal group in the domain and adding the IPAM machine account to this universal group. All the access propagation by the GPO is done for the group and not for the specific IPAM machine account.

Creating Group Policy Objects

IPAM provides a Windows PowerShell cmdlet, - Invoke-IpamGpoProvisioning, to automate the

creation of IPAM GPOs.

Invoke-IpamGpoProvisioning [-Domain] <string> [-GpoPrefixName] <string> [-

IpamServerFqdn <string>] [-User <string[]>][-Group <string[]>] [-PassThru] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

The Invoke-IpamGpoProvisioning cmdlet creates and links three group policies in the

specified domain for provisioning required access the server roles managed by IPAM.

GpoPrefixName provided here should be the same as the prefix configured in the IPAM

provisioning wizard. The three GPOs are created with the suffix '_DHCP', '_DNS' and '_DC_NPS'

appended to the GpoPrefixName. These suffixes signify the three different types of access

settings that are propagated depending on the type of server role managed by IPAM.

For example, if the group policy name prefix is ‘IPAMGPO’, then the cmdlet will create the

following three GPOs in the specified domain.

IPAMGPO_DHCP

IPAMGPO_DNS

IPAMGPO_DC_NPS

The access settings propagated by these GPOs are required by the periodic IPAM data

collection tasks that run under the Network Service account. Access settings are propagated

for the IPAM server machine account, since that is the credential presented by Network

Service to access remote resources. By default, IPAM uses the IPAM server FQDN of the local

machine from where the cmdlet is run. If required, you can explicitly specify the FQDN name

of the IPAM server using the IpamServerFqdn parameter.



The cmdlet creates a universal group named IPAMUG in the specified domain (if not already

present), and adds the computer account of specified IpamServerFqdn to it. Access setting

propagation by IPAM GPOs are done for the universal group IPAMUG. The cmdlet also

modifies the domain wide DNS ACL to enable DNS RPC access for IPAM.

IPAM auto-detects the available DC in order to invoke the GPO related operations. The GPO

objects created by this cmdlet can be returned using the PassThru switch.

Delegate IPAM GPOs

After creation of IPAM GPOs, it is feasible to delegate subsequent GPO edit privileges to the

appropriate IPAM administrators (who are not domain or enterprise administrators) by

using the parameters User or Group available with the Invoke-IpamGpoProvisioning

cmdlet. This delegation will be required when you select the servers to be managed within

the IPAM console, and IPAM automatically attempts to add them in the appropriate GPOs

using the logged in user credentials. IPAM recommends creating a domain level group

IPAMGPOAdmins and delegating the GPO edit privileges to that group using the Group

parameter, as opposed to adding an individual user list for delegation.

Adding Managed Servers to GPO

At the time of creation of GPOs, the security filter list of IPAM GPOs is empty. When the

manageability status of a server is edited in IPAM server inventory view, IPAM automatically

adds or removes the server in the appropriate GPO security filter list. Managed servers are

added to the GPO security filtering and unmanaged servers are deleted. IPAM GPO editing

privileges can be delegated to IPAM administrators who are not domain or enterprise

administrators, using User and Group parameters in Invoke-IpamGpoProvisioning cmdlet.

IPAM follows the logic below to update the GPO security filter list:

• When a server role is marked as managed IPAM automatically adds it to the appropriate

IPAM GPOs based on the active roles on this server.

• When a server is marked as unmanaged IPAM automatically deletes it from the

appropriate IPAM GPOs based on the active roles on this server.

• When a server role is marked as active (checked) on a managed server, IPAM

automatically adds it to the appropriate IPAM GPO.

• When a server role is marked as inactive (unchecked) from a managed server, IPAM

automatically deletes it from the appropriate IPAM GPO.

Note: IPAM considers GPO update failures during server edit operation due to GPO not existing, insufficient privileges, or any other issue, as non-blocking. In other words, server edit operation will continue irrespective of any failures encountered during GPO update. A detailed report of the failures will be presented, and can be used to manually edit the IPAM GPOs. Newly discovered IPAM roles on managed servers (in periodic server discovery cycle) are marked as Managed. However, since the IPAM task does not have GPO editing privileges, these roles will not be automatically added in the relevant IPAM GPO. You must add such roles manually to the relevant IPAM GPO. A critical event is logged in IPAM administrative



43

channel to allow you to easily track this scenario if it occurs.

Manual Provisioning

It is possible to bypass the wizard-based automated deployment and set a custom scope for

IPAM management. To deploy a limited pilot implementation of IPAM, you can manually add

administrators and server computer accounts to appropriate predefined AD security groups,

and configure firewall rules to allow communication to a set of manually selected and

configured network nodes.

More Information: For details of enabling IPAM access settings on managed roles manually, refer to the Manual IPAM Provisioning section of the Appendix to this guide:

Manual IPAM Provisioning - Configuring Access Settings

Configuring and Managing IPAM

IPAM Initial Setup

The IPAM overview page on IPAM Client UI navigates the user across six basic steps required

to complete initial setup for an IPAM Server:

1. Connect to an IPAM server

2. Provision the IPAM server

3. Configure server discovery

4. Start server discovery

5. Select or add servers to manage and verify IPAM access

6. Retrieve data from managed servers

Connect to IPAM Server

IPAM enables connecting to a remote or local IPAM server using the first step listed in

sequence on the IPAM Overview page. By default, the IPAM Client UI automatically connects

to the local instance of IPAM server (if running). The Connect to IPAM Server dialog allows

the user to select from the local and remote IPAM server instances detected by Server

Manager from the pool of servers being managed.



Figure 10 Select IPAM server to connect IPAM client

Note: Remote IPAM servers must be added to the Server Manager purview using the Add Servers dialog available in the Manage menu, before they are listed in the Connect dialog.

IPAM Provisioning Wizard

The IPAM provisioning wizard needs to be completed one time on every IPAM server. The

IPAM provisioning stage sets up IPAM security groups and IPAM database.

Note: The logged in user must have Administrator privileges (running elevated) in order to complete IPAM provisioning.

The IPAM provisioning wizard prompts you to select between manual and group policy based

provisioning methods. Once the provisioning wizard is complete, this setting cannot be

changed. For more information on IPAM provisioning methods refer to the corresponding

section in this guide.



45

Figure 11 Provision IPAM Wizard – Select Provisioning Method

If Manual deployment is selected, the IPAM wizard does not take any action to deploy

settings, and the administrator can consult the help files and IPAM deployment guide to

determine necessary settings to apply manually.

If Group Policy Based deployment is selected, supply the unique GPO prefix name for this

IPAM instance. The IPAM wizard does not take any action to actually create the group policies,

and you can use the IPAM Windows PowerShell cmdlet Invoke-IpamGpoProvisioning to

create the group policies. The GPO prefix name selected in this step must be as the one

specified as GpoPrefixName parameter with the GPO creation cmdlet.

Important: The provisioning method selected is simply committed in the IPAM database in this step. The IPAM provisioning wizard does not perform any corresponding action such as creating the group policy objects or provisioning the servers.

Once the IPAM provisioning wizard successfully completes, the IPAM database and security

groups are in place. You can add the required users to the IPAM security groups based on

their roles. For more information on IPAM security groups, refer to the relevant section in

this guide.

Configure Discovery

Next, click configure server discovery to launch the Configure Discovery settings wizard. Use

the discovery settings wizard to add all domains in the forest on which you intend to run

discovery. You must add each domain to the list explicitly, even if the forest root domain has

been selected. For each domain added to the scope of discovery, you can select which type of



servers to discover. By default, domain controller, DHCP server, and DNS server check boxes are

all selected.

Figure 12 Configure Server Discovery

Create IPAM GPOs

Although there is no strict ordering in terms of when IPAM group policies should be created,

IPAM recommends that at the time of adding any domain into the server discovery

configuration, the corresponding group policies objects should also be created using the

Windows PowerShell cmdlet Invoke-IpamGpoProvisioning. Domain administrator

privileges are required to create IPAM GPOs and the IPAM GPO edit privileges should be

delegated to appropriate IPAM administrators who do not have domain or enterprise

administrator privileges.

Start server discovery

The Discovery task runs periodically and uses these settings to discovery the specified server

roles running on the selected domains. The default periodicity of the discovery task is set as

one day and is user configurable from the task scheduler. User can also start server discovery

on demand by clicking on Start Server Discovery from the Overview page or by clicking

Start Discovery from the global action Manage from any other page.



47

Figure 13 Start Server Discovery

Select or add servers to manage and verify IPAM access

Once the discovery process completes, the discovered servers are listed in the Server

Inventory view of the IPAM management console. The action column initially displays each

discovered server manageability status as Unspecified until an administrator classifies the

server as managed or unmanaged.

Figure 14 Discovered Servers View

Servers are arranged under IPv4 or IPv6 nodes based on their network interface address. It is

possible that the same server may appear in both IPv4 and IPv6 node, if it has two types of IP

addresses.

Add Server

Use the Add or Edit Server dialog to set the manageability status to Managed for servers

that you intend to manage via IPAM. Servers (and their corresponding roles) can also be

added manually into the IPAM management span. This is especially useful for adding NPS



servers (required for IP Address tracking feature), which cannot be auto-discovered by IPAM.

In order to add a server manually, right click on IPv4/IPv6/Managed servers/Unmanaged

servers on the left navigation tree to trigger the Add server… dialog.

Figure 15 Add or Edit Server Dialog

Set Server as Managed

You can select one or more servers to be marked as managed from the discovered set of

servers. Right-click on the server to display the server menu and select Edit server action.

Figure 16 Edit Server Task



49

Verify IPAM Access

Discovered or added servers are shown along with their Server Type and IPAM Access

Status. Server type refers to the workloads (DHCP/DC/DNS) running on the server and IPAM

access status refers of the status of IPAM specific management settings which are required to

be configured on these servers.

GPO based provisioning

As the servers are set to be managed in IPAM, the server is added to the security filtering for

relevant GPOs based on the roles that are active on the server. Ensure that the GPOs are

created on the domain in advance, and the logged in user has the permissions to edit the GPO

at the time of marking server as managed. If for some reason the server fails to get added to

the GPO, the edit operation is not aborted and you must manually add the server to the

required GPO. IPAM recommends multi-editing all the relevant servers simultaneously to

mark their status as managed, in order to optimize the number of GPO updates done by IPAM.

Once the server is added the appropriate GPOs either wait for automatic periodic policy

update to take place or run GPUpdate /Force on the target managed servers. This should

enable the required access settings propagated by the standard GPO settings. For DHCP and

DNS servers, IPAM installs a scheduled task to execute a custom Windows PowerShell script

in order to propagate the access settings. Ensure that the task is successfully completed on

the target server.

Manual provisioning

For manual provisioning, ensure that the required access settings are appropriately

configured on the target server manually.

Refresh Access Status

The typical refresh period of the server access status as checked by the ServerDiscovery

task is one day. For the initial setup, IPAM recommends to multi-select all managed servers,

right click and select Refresh Server Access Status task to trigger on-demand refresh.

Running server discovery again will also update the IPAM access status.

Figure 17 Refresh Server Access Status



Verify Access

Verify that IPAM access status is listed as unblocked indicating that manual or GPO based

provisioning is successfully complete.

Figure 18 IPAM Access Unblocked

For the IPAM access status value to be allowed, all of the access sub-states shown in the details pane should be marked as allowed. These access states are:

DNS RPC access status

DHCP RPC access status

Event log access status

DHCP audit share access status

Troubleshooting Access Issues

If any of the access sub-states for managed server roles is showing in the Blocked state, check

that the corresponding setting is enabled on the target server. For details of access setting to

sub-state mapping refer to the IPAM Access Monitoring section in this guide. For GPO based

provisioning, the GPResult command line tool can be used to troubleshoot group policy update

issues. The provisioning task setup by IPAM DHCP and DNS GPOs creates a troubleshooting log

in the location %windir%\temp named IpamDhcpLog.txt and IpamDnsLog.txt respectively.

Retrieve data from managed servers

Multiple IPAM tasks run periodically to collect data from the set of servers marked as Managed. The default period of collection depends upon the data being collected and varies from 15 minutes to 6 hours. This interval of collection is configurable from the task scheduler. Data can also be retrieved on demand. In order to retrieve data from all managed server, the Retrieve All Server Data action can be invoked from the global management menu.

This completes the initial setup of IPAM for DHCP, DNS, DC and NPS server management and monitoring across various consoles on the UI.

Server Inventory Management

From the Server Inventory view, right click on one or more servers to take an action on only

the selected servers.



51

Figure 19 Server Inventory Management

The available actions are:

Edit Server: Edit manageability status of the server and roles on the servers.

Retrieve All Server Data: Retrieve data for all selected roles on the selected server.

Refresh Server Access Status: Refresh Server Access Status for the selected servers

only

Delete: Remove a server from the inventory view, along with all its data.

Address Space Management

The IPAM address space management (ASM) feature provides the ability to efficiently view,

monitor, and manage IP address space on the network. ASM supports IPv4 public and private

addresses and IPv6 global and unicast addresses. Searching and sorting of IP addresses, IP

address ranges and IP address blocks can be based on built-in fields or user defined custom

fields, such as region, Regional Internet Registries (RIR), device type, or customer name. You

can track IP address utilization and threshold-crossing status, or display utilization trends.

IPAM ASM feature address the IP address space management problem in a growing

distributed environment by ensuring better planning, accountability, and control. IPAM also

enables you to detect overlapping IP address ranges defined on different DHCP servers, find

free IP addresses within a range, create DHCP reservations, and create DNS records.

IP Address Blocks

A user can view the IP address blocks, IP address ranges or IP addresses in this view by

selecting the appropriate view in the current view combo box. This view allows you to

visualize the address space by automatically segregating the IP address ranges, IP address

blocks and IP addresses into private address and public address categories for IPv4 address

and global and unicast categories for IPv6 addresses.



Figure 20 IP Address Blocks

Adding an IP Address Block

To create an IPv4 IP address block, right click the IPv4 node and select Add IP Address

Block. Similarly, to add an IPv6 IP address block, right click on the IPv6 node and select Add

IP Address Block. Based on the network ID, IPAM can automatically group smaller sub-

blocks under larger IP Address blocks, forming a hierarchy of blocks. This hierarchy is

presented in the navigation pane in a tree view, and clicking on each IP address block or sub-

block allows you to view IP address ranges or IP addresses mapped to that block.



53

Figure 21 Add IP Address Block

Adding an IP Address Range

To add an IPv4 IP address range, right click on the IPv4 node and select Add IP Address

Range. Similarly, add a new IPv6 IP address range by right clicking on the IPv6 node and

selecting Add IP Address Range. To view the ranges, select IP address ranges from the

current view combo box. IPAM can also automatically enumerate scopes from managed DHCP

servers and these scopes will appear as dynamic ranges in ASM views. However, these

dynamic ranges are not editable. For dynamic ranges, you must edit the corresponding

scopes through MSM views.

Adding an IP Address

To Add an IPv4 IP address, right click on the IPv4 node and select Add IP Address. Similarly,

to add an IPv6 address, right click on the IPv6 node and select Add IP Address. To view the

IP addresses, switch to IP address view by selecting IP Addresses from the current view

combo box.

Viewing the utilization statistics and utilization trend

You can view the utilization statistics, such as percent utilization and total number of

addresses of an IP address block or IP address range in the Configuration Details panel. To

view the utilization statistics of an IP address range, you must first switch to IP address range



view by clicking on the current view combo box and then clicking on the range in which you

are interested. Similarly, you can view the utilization statistics of an IP block. IPAM

automatically calculates the utilization statistics of an IP address block by rolling up the

utilization statistics of the IP address ranges mapped to it.

You can view the utilization trend of an IP address range by first clicking on the IP address

range, clicking on the utilization trend tab, and then selecting the appropriate time window

for generating the trend graph. You can view the utilization trend graph of an IP address

block by clicking on the block, and then clicking on the utilization trend tab.

Figure 22 Utilization Statistics and Trend

Configuring utilization threshold

You can configure the over- and under-utilized threshold values by selecting IPAM Settings -

> Configure Utilization Threshold from the Manage menu. The threshold determines the

value of utilization state of IP address ranges, IP adddress blocks and IP range groups.



55

Figure 23 Configure Utilization Threshold

IP Address Inventory

In this view, you can see a list of all IP addresses available in the system, along with their

device names, device types, etc. You can choose to selectively view IP address with a

particular device type by clicking on the appropriate device type node in the navigation pane.

For example, to view IP addresses belonging to firewalls, you can click on the firewall node

and the view will be populated with IP addresses with device type set as firewall. You can

create a DNS record or DHCP reservation for an IP address by right clicking on the IP address

and selecting Create DHCP Reservation or Create DNS Host Record.



Figure 24 IP Address Inventory

Finding a Free IP Address

To find a free IP address from an IP address range, right click on the range and select Find

and Allocate Available IP Address. This will launch the Find and Allocate Available IP

Address dialog. IPAM will automatically select an available IP address from the selected

range, ping it, and check whether a DNS record exists for the IP address. You can chose to

allocate the IP address or click Find Next to find the next available IP address. Once you have

found an available IP address, fill in the parameters such as Expiry Date, Device type, Device

Name, and then click OK to create an IP address record in IPAM.

Provide the DNS server and DHCP server information for the IP address by clicking on DHCP

reservation and DNS record tabs in the dialog. Clicking OK merely creates a record in IPAM,

and a DHCP reservation or DNS record is not automatically created.



57

Figure 25 Find an Available Address

Configure expiry alert threshold

User may change the system-wide expiry alert threshold by selecting IP Address Expiry Log

Settings dialog from the Tasks menu.

Figure 26 Expiry Alert Threshold



Synchronizing DHCP and DNS records

IPAM allows you to fill optional DHCP reservation parameters and DNS record information

for the IP address on the Add/Edit IP address dialog by clicking on DHCP reservation and

DNS record tabs respectively.

IPAM auto-populates the relevant DHCP servers against the reservation server name based

on the discovered scopes to which the IP address can map. A reservation can only be created

or deleted against the DHCP server being managed by this instance of IPAM.

Figure 27 Reservation Synchronization

IPAM auto-populates the discovered DNS zones and the corresponding primary DNS servers

in the IP address dialog. All the relevant reverse lookup zones to which the address can map

along with the corresponding primary DNS servers are also made available for easy selection

and configuration. A DNS record can only be created or deleted against the DNS server being

managed by this instance of IPAM.



59

Figure 28 DNS Record

Clicking OK merely creates a record in IPAM, and a DHCP reservation or DNS record is not

automatically created during the IP address add or edit operation. You must explicitly invoke

the create or delete operation as intended after providing all the values. You may select

multiple IP addresses at a time to simultaneously synchronize add/delete of any of these

records. The success/failure of this operation can be tracked by status fields maintained for

the IP address.



Figure 29 Create or Delete DHCP and DNS Records

IP Address Range Groups

In this view, you can visualize and organize IP address range by logical groups based on user

defined business logic. For example, you can choose to visualize and organize IP address

range based on what geographical location or business unit they are serving. You can create a

logical group based on country and business unit and apply the appropriate custom field

value to IP address ranges for country and business unit custom fields. You will then be able

to view the IP address ranges serving a particular business unit in a particular country by

clicking on appropriate logical group node in navigation pane.

Creating a Custom field

To create a custom field, click on Manage menu and select IPAM Settings. Click the

Configure Custom Fields link to open Configure Custom Fields dialog. Specify a name for

the new custom field and type of the custom field. In case of a multi-valued custom field you

can specify the various values that the custom field can take.



61

Figure 30 Configure Custom Fields

Applying a Custom Field to an IP Address Range

To apply a custom field to an IP address range, right click on an IP address range and select

Edit IP Address Range. You can apply a custom field to more than once IP address range

simultaneously by selecting multiple IP address ranges and right clicking followed by

selecting Edit IP Address Range. You can then click on custom configuration pane in the

dialog to apply custom fields to the IP address ranges.



Figure 31 Multiple IP Address Selection



63

Figure 32 Edit IP Address Range



Creating an IP Address Range Logical Group

To Create an IP address range group, right click on the IPv4 node and select Add IP Address

Range Group. Specify what custom fields should be used to group the IP address ranges

together. Specify several groups by criteria, which will be applied one after another when

IPAM organizes the IP address ranges into IP address range groups. For example, you may

choose to first group the IP address ranges by country and then by business unit. Once the IP

address range group is created, it will appear in the navigation pane. You can then click on

any node of the group to select the IP address ranges that fulfill the grouping criteria.

Figure 33 Add IP Address Range Group



65

Figure 34 View Address Range Groups



Import Data

IPAM allows you to export out the IP address block, IP address range, and IP address records

in comma separated value (csv) format. You can import the IP address block, IP address

range, and IP address records from csv files. The names of column in the csv file from which

data is being imported must be same as the name of columns on IPAM views. For example, if

the csv file contains IP address block records, then the column names in the csv file must be

the same as column names in IP address blocks view of IPAM.

To import data, click the tasks menu and select Import IP Address Block, Import IP

Address Range, or Import IP Addresses based on the type of data contained in csv file. Once

the file is selected, the import process begins and displays a progress bar.

Figure 35 Import Data

IPAM supports periodic import and update operations for IP address ranges belonging to the

specified Managed By Service and Service Instance values. Along with adding new ranges

and editing existing ranges as in the case of regular IP address range import, this operation

also deletes those ranges from IPAM which have the same value of Managed By Service and

Service Instance fields but are not present in the csv being imported. IPAM provides the

option of deleting the IP addresses mapping to the IP address ranges that are deleted during

this import operation. The dialog can be launched from the tasks menu in the IP address

space console.



67

Figure 36 Periodic Address Range Import Settings

IPAM also supports periodic import and update operations for IP addresses belonging to the

specified IP address range. Along with adding new addresses and editing existing addresses

as in the case of regular IP address import, this operation deletes those addresses from IPAM

that map to the specified IP address range, but are not present in the csv being imported.

Launch the dialog by right clicking on the relevant IP address range in the UI.

Figure 37 Import IP Address Inventory

Export Data

To export out data from IPAM views, navigate to the appropriate view, clicks the Tasks menu

and select Export. You may filter out the required subset of records to be imported by

running basic or advanced queries before export.



Figure 38 Export Data



69

Monitor and Manage DNS and DHCP Servers

From the DNS and DHCP Servers view, you can view and monitor the health and

configurations of all the DNS and DHCP server roles being managed by IPAM.

Service Health Monitoring

The Server Availability state, Duration in current state and Last Refreshed fields

together show the state of the server at time of last poll and the duration it has been

continuously in that state.

From this view you can use the Server Type drop box to view only DNS or DHCP server roles

or use the navigation pane to view servers with network interfaces in the same /16 subnet

for IPv4 and /48 subnet for IPv6.

Figure 39 DNS and DHCP Servers

Configuration Monitoring

The details view shows the server properties of the server selected. In case of DHCP servers,

server options and DHCP events are shown. In case of DNS servers, the zones on the server

and the DNS zone events are shown.

DHCP Server Management

Right clicking on a server from this view shows the list of actions that can be performed on

the server. The list of actions available is specific to the server role selected. The actions that

can be performed on DHCP servers are as follows:



Edit DHCP Server Properties - This allows setting a number of server properties of the

DHCP server

Figure 40 Edit DHCP Server Properties

Edit DHCP Server Options - Allows addition, deletion or editing of options at the

servers level. Action can be performed on multiple DHCP servers simultaneously to

update multiple options across servers.

Figure 41 Edit DHCP Server Options

Create DHCP scope - Create a scope on a DHCP server, and set numerous scope

properties.



71

Figure 42 Create DHCP Scope

Configure predefined option and values - Create predefined options and set option

value. Select one or more servers and launch the action to configure predefined options

on multiple servers simultaneously

Figure 43 Configure Predefined Options

Configure User Class - Multi-select servers and launch the action to configure user




Figure 44 Configure User Classes

Create and edit new and existing user classes - Multi-select servers and launch the

action to configure user classes on multiple servers simultaneously.

Configure Vendor Class - Multi-select servers and launch the action to configure user


Launch MMC - Launch the MMC for the selected DHCP server

Retrieve server data - Multi-select servers and launch the action to retrieve server data

from the selected set of servers.

DNS Server Management

The actions that can be performed on DNS servers are the following:

Launch MMC - Launch the MMC for the selected DNS server

Retrieve server data - Multi-select servers and launch the action to retrieve server data

from the selected set of servers.

DHCP Scopes

In this view you can see all the DHCP scopes configured on all the DHCP servers being

managed by IPAM. The utilization of each scope is shown in this view along with key

properties and options configured on the scope. You can view all IPv4 or all IPv6 scopes or

only scopes that lie within a specific IP address block.



73

Figure 45 DHCP Scopes View

The actions that can be performed on DHCP scopes are as follows:

Edit a DHCP scope - This allows setting a number of scope properties of the DHCP

server. Action can be performed on multiple DHCP scopes across servers

simultaneously.



Figure 46 Edit DHCP Scope Options

Duplicate DHCP scope - Allows using a scope as a template to create another scope with

an identical set of properties. These properties can also be selectively edited before the

new scope is created. This is performed as a single operation.

Activate / Deactivate DHCP scope - Activate or deactivate a scope. Action can be

performed on multiple DHCP scopes across servers simultaneously.

Delete - Delete the selected scope(s).

DNS Zone Monitoring

This view shows all the forward lookup and reverse lookup zones on all the DNS servers

being managed by IPAM.

For the forward lookup zones, IPAM also displays all the servers hosting the zone and the

aggregate health of the zone across all these servers and the zone properties.



75

Figure 47 DNS Zone Monitoring

To navigate to any zone, use the navigation pane to view the health status of the zone on each

of the authoritative servers. In case of an error in the zone, the event catalog displays the

specific event that is causing the error. Right-click on the authoritative server to launch the

MMC and investigate further to fix the cause of the problem. The server properties and the

other zones hosted by the server are shown in the details pane.

Figure 48 Launch MMC

Server Groups

IPAM allows servers to be tagged with custom fields. Servers so tagged can be auto-arranged

in hierarchical logical groups. Creation of custom fields is described in section titled Creating



a Custom field. Servers can be tagged with custom fields from the Custom Configurations

page or the Add or Edit Server dialog described in the section Server Inventory

Management.

Figure 49 Assigning Custom Fields to Servers

A logical group for servers can be created by right-clicking the IPv4 or IPv6 node and

selecting Add Server Group



77

Figure 50 Add Server Group

Event Catalog Management

IPAM allows you to keep a track of the configuration changes at managed DHCP servers as

well as the IPAM server itself. In addition, IPAM allows you to track IP address and user

activity on the network through the IP address tracking feature.

IPAM Configuration

To track the configuration changes at the IPAM server, click on IPAM Configuration Events.

View all the configuration changes that have occurred on the IPAM server along with the user

name of the person who changed the configuration. You can choose to filter out the events

based on user name or other filter criteria like time of the event, or operational code.



Figure 51 IPAM Configuration Events

DHCP Configuration Events

View the configuration changes at managed DHCP servers by clicking on the DHCP

Configuration Events node.



79

Figure 52 DHCP Configuration Events

IP Address Tracking

IP address tracking feature of IPAM enables you to track the IP address and user activity on

the network. Begin the trail by selecting a time window and using an IP address, client ID

(MAC), hostname or username as query criteria. For example, to start tracking an IP address,

click By IP Address, select a time window, and enter the IP address.

The query will return all the DHCP lease events gathered from managed DHCP servers that

match the given IP address. You can include or exclude the correlated user and computer

logon events collected from managed DCs and NPS servers. For detail on how IPAM

correlates the DHCP lease events with user and computer logon events, refer to IP Address

Tracking in the Functional Description section of this guide.



Figure 53 IP Address Tracking

Database Purging

IPAM supports on-demand purging of configuration event log and IP address tracking related

records. You can select the time window before which data must be purged and the data type

(IPAM configuration, DHCP configuration, IP address tracking). It is advisable that data purge

operation should be initiated during the night or at a time when IPAM activity is low. IPAM

recommends a moving window of historical event log data for only last 6 months for best

performance and disk space utilization.

Figure 54 Purge Audit Data



81

Troubleshooting IPAM

Troubleshooting tools

Event Logging

IPAM logs events under multiple channels in Event Viewer under the path Application and

Services Logs > Microsoft > Windows > IPAM. The channels are as follows:

Admin channel:

Unexpected errors arising from either from a user action or a periodic task are logged

here.

ConfigurationChange channel:

This captures events related to configuration changes made to the IPAM server

Operational channel:

This channel captures informational events and can give greater insight to the health

and operations of the various IPAM tasks. Logging on this channel is Disabled by

default.

Analytic channel and the Debug channel

These channels are Disabled and hidden by default. To view these logs, right click on

the IPAM node in Event Viewer and select View > Show Analytic and debug logs.

Events in these channels are targeted for debugging purposes only.

Events in IPAM’s admin channel and the operational channel can also be viewed from the

IPAM server within Server Manager’s Dashboard view.

Common IPAM problems

Connection issues

Unable to connect to IPAM server

Ensure the WID service is running on the IPAM server.

Ensure the Windows Process Activation service is running.

Provisioning issues

IPAM Access status shows as blocked for a server or unable to fetch data

In the server inventory view details pane, check that the access status is unblocked or Not

applicable for each of the following fields:

o DHCP RPC Access Status

o DNS RPC Access Status

o DHCP Audit Share Access Status



o Event Log Access Status

If any access status is listed as Blocked, check that the firewall rules for the target server

have been set as per IPAM Access Settings.

Check that the servers have been correctly provisioned. Refer to the section Manual IPAM

Provisioning – Configuring Access Settings.

Discovery issues

A DNS server not co-located with a DC, is not being discovered

Ensure that the DNS server is registered as a name server for the domain zone and the DNS

suffix is registered for the configured domain.

A DHCP server is not being discovered

Ensure that the DHCP server is authorized for the configured domains and responds to the

DHCP server INFORM message and the message is reaching IPAM

Monitoring and Management Issues

Server Availability state is showing Not Reachable

Ensure that there is no network connectivity issue between the IPAM server and the target

server

Open DNS MMC / DHCP MMC to the target DNS / DHCP server and ensure that the service is

running.

Check that the service read access status has been provisioned. Refer to the section Manual

IPAM Provisioning – Configuring Access Settings on how to do this.

Appendix

Manual IPAM Provisioning – Configuring Access Settings

Configuration required at DHCP servers

Steps described below should be repeated at each DHCP server expected to be managed

through IPAM

More Information: For more information on configuring firewall rules, see:

Windows Firewall and IPsec Policy Deployment Step-by-Step Guide

1. Create a Network file share to the directory ‘%windir%\System32\dhcp’ by the share

name DHCPAudit and allow read-only access to the IPAM server computer account on

this share.

http://technet.microsoft.com/en-us/library/deploy-ipsec-firewall-policies-step-by-step(WS.10).aspx



83

2. Add the IPAM server computer account to the DHCP Users local security group on the

DHCP servers.

3. Update DHCP service access settings.

a. Get the IPAM computer account SID - From the domain controller, launch

Windows PowerShell and type Get-ADComputer <IPAM server name>. In

the example below the name of the IPAM server is S4-IPAM

a. Add the IPAM SID to the DHCP service read access status



i. Find the string corresponding to the current permissions using sc

sdshow dhcpserver

ii. Create the string corresponding to the new permissions to be added by

typing (A;;CCLCSWLOCRRC;;; followed by the IPAM SID followed by a

closed parenthesis. In the example above (A;;CCLCSWLOCRRC;;;S-1-5-

21-1793763811-3486041751-3179139019-1609) is the string

corresponding to the additional permissions that needs to be set.

iii. Update permissions by adding the new permission string to the current

permissions using sc sdset dhcpserver

New permissions added are show highlighted in yellow above. Note that the permissions are

added to the DACL (starting from ‘D:’ ) and not the SACL (starting from ‘S:’)

4. Unblock the inbound traffic on DHCP RPC Firewall ports by enabling following inbound

firewall rules

a. DHCP Server (RPC-In)

b. DHCP Server (RPCSS-In)

5. Unblock the inbound traffic on Remote Service Management Firewall ports by enabling

following inbound firewall rules

a. Remote Service Management (RPC)

b. Remote Service Management (RPC-EPMAP)

6. Unblocking the inbound File and Printer Sharing Firewall ports to enable sharing of

DHCP audit logs by enabling following inbound firewall rules:-



85

a. File and Printer Sharing (SMB-In)

b. File and Printer Sharing (NB-Session-In)

7. Enable Remote Event Log Management RPC access by enabling the following inbound

firewall rules

a. Remote Event Log Management (RPC)

b. Remote Event Log (RPC-EPMAP)

8. Add the IPAM server computer account to the Event Log Readers local security group

on the DHCP servers.

Configuration required at DNS servers

1. Enable DNS RPC access by enabling the following inbound firewall rules

a. DNS Service (RPC)

b. DNS Service (RPC Endpoint Mapper)

2. Enable remote management access by enabling following inbound firewall rules

a. Remote Service Management (RPC)

b. Remote Service Management (RPC-EPMAP)

3. Configure the Discretionary Access Control List (DACL) – This setting is required once

per domain and not per DNS server for DC co-located DNS servers. For non-DC-co-

located DNS servers, alternately add the IPAM computer account to the local

Administrators group on each standalone DNS server.

a. On the domain controller, from the Start screen, type dnsmgmt.msc, and press

ENTER. The DNS Manager console will open.

b. Right-click on the server and then click Properties.

c. Click the Security tab, click Add, click Object Types, and select Computers.



d. Click OK, type the name of the IPAM server (IPAM01 in this example), and click

OK.

e. Verify that the IPAM server is configured with Allow for Read access. See below.



87

4. Get the IPAM computer account SID - From the domain controller, launch Windows

PowerShell and type Get-ADComputer <IPAM server name>. In the example below,

the name of the IPAM server is S4-IPAM

5. Add the IPAM SID to the appropriate registry entry to get access to DNS zone event

logs.

a. Open regedit and navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\D

NS Server.

b. Click CustomSD and then modify the setting. See below.

c. Add the IPAM SID at the end of this registry entry. Type (A;;0x1;;; and then

paste the IPAM SID (obtained through Windows PowerShell in step 4 above -

the text string that you copied from the Windows PowerShell prompt). Enter

closed parentheses to complete the value data. In the example above (A;;0x1;;;

S-1-5-21-1793763811-3486041751-3179139019-1609) will be added to the



registry. Note that the permissions are added to the DACL (starting from ‘D:’ )

and not the SACL (staring from ‘S:’)

6. Add the IPAM SID to the DNS service read access status

a. Find the string corresponding to the current permissions using sc sdshow dns

b. Create the string corresponding to the new permissions to be added by typing

(A;;CCLCSWLOCRRC;;; followed by the IPAM SID (obtained through Windows

PowerShell in step 4 above - the text string that you copied from the Windows

PowerShell prompt) followed by a closed parenthesis. In the example above

(A;;CCLCSWLOCRRC;;;S-1-5-21-1793763811-3486041751-3179139019-1609)

is the string corresponding to the additional permissions that needs to be set.

c. Update permissions by adding the new permission string to the current

permissions using sc sdset dns

New permissions added are show highlighted in yellow above. Note that the

permissions are added to the DACL (starting from ‘D:’ ) and not the SACL

(staring from ‘S:’)



89

Configuration required at DC/NPS servers

Steps described below should be repeated at each Domain Controller expected to be managed

through IPAM

1. Enable Remote Event Log Management RPC access by enabling following inbound Firewall

rules

a. Remote Event Log Management (RPC)

b. Remote Event Log Management (RPC-EPMAP)

2. Add the IPAM Server computer account to the Event Log Readers domain security group on

the domain controller and NPS servers.



GPO Based IPAM Provisioning – GPO Setting Details

IPAM DHCP GPO Settings

Standard GPO Settings Provisioning PS Script Settings



91


Add the IPAMUG account SID to the Event Log Readers security group

Enable DHCP RPC access by unblocking the following inbound DHCP Management Windows Firewall ports

DHCP Server Management RPC-In and RPCSS-In

Enable Remote Management RPC access by unblocking the following inbound Remote Service Management Windows Firewall ports

Remote Service Management RPC and RPC-EPMAP

Enable Audit File access by unblocking the following inbound File and Printer Sharing Windows Firewall ports

File and Printer Sharing SMB-In and NB-Session-In

Enable Remote Event Log Management RPC access by unblocking the following inbound Windows Firewall ports

Remote Event Log Management RPC and RPC-EPMAP

Setup an advanced scheduled task IpamDhcpProvisioning under the path ‘Task Scheduler Library -> Microsoft’. The task will get trigged upon gpupdate –– to execute the Ipam provisioning script – IpamProvisioning.ps1 - from the GPO startup script location in the SYSVOL folder.

Use item-level targeting setup a basic scheduled task IpamDhcpProvisioning for Windows 2008 servers under the path ‘Task Scheduler Library -> Microsoft’.. The task will tigger every 60 minute to execute the bat file IpamProvisioning.bat from the GPO startup script location in the SYSVOL folder. The bat file does the following:

copies the IpamProvisioning.ps1 to the %windir%\temp folder on the target server,

installs Windows PowerShell,

saves executionpolicy on the target servers and sets executionpolicy to unrestricted,

executes the PS script for provisioning and

restores the original executionpolicy.

Read the localized name of the ‘DHCP Users’ group and add IPAMUG account SID to this localized group name.

Read the configured location of the DHCP audit log file generation and create a network file share to this directory by the name of dhcpaudit and enable read access for IPAMUG SID on the network share

Read the current service ACL settings for dhcpserver service and add read access for IPAMUG account SID in the DACL

Generate trace logs in the file %windir%\temp\ipamdhcplog.txt on the target server



IPAM DNS GPO Settings


Add the IPAMUG account SID to the Event Log Readers

security group

Enable DNS RPC access by unblocking the following inbound DHCP Management Windows Firewall ports

DNS RPC and DNS RPC EPMAP





Setup an advanced scheduled task IpamDnsProvisioning under the path ‘Task Scheduler Library -> Microsoft’. The task will get trigged upon gpupdate –– to execute the Ipam provisioning script – IpamProvisioning.ps1 - from the GPO startup script location in the SYSVOL folder.

Use item-level targeting setup a basic scheduled task IpamDnsProvisioning for Windows 2008 servers under the path ‘Task Scheduler Library -> Microsoft’. The task will tigger every 60 minute to execute the bat file IpamProvisioning.bat from the GPO startup script location in the SYSVOL folder. The bat file does the following:

copies the IpamProvisioning.ps1 to the %windir%\temp folder on the target server,

installs Windows PowerShell,

saves executionpolicy on the target servers and sets executionpolicy to unrestricted,

executes the PS script for provisioning and

restores the original executionpolicy.

Read the current ACL setting in the CustomSD item in the registry key “HKLM:\System\CurrentControlSet\Services\EventLog\DNS Server” and add read access for IPAMUG account SID in the DACL

Read the current service ACL settings for dnsserver service and add read access for IPAMUG account SID in the DACL

Generate trace logs in the file %windir%\temp\ipamdnslog.txt on the target server



93

IPAM DC/NPS GPO Settings


Add the IPAMUG account SID to the Event Log Readers security group





N/A

IPAM Microsoft Documentation

Documents

Transcript of IPAM Microsoft Documentation