With the growth of IPv6 and the number of devices that require IP addresses, networks have become much more complex and difficult to manage.
Maintaining an updated list of static IP addresses that have been issued has often been a manual task, which can lead to errors. To help organizations manage IP addresses, Windows Server 2012 R2 provides the IP Address Management (IPAM) tool.
IP address management is a difficult task in large networks, because tracking IP address usage is largely a manual operation. Windows Server 2012 introduces IPAM, which is a framework for discovering, auditing, monitoring utilization, and managing the IP address space in a network.
IPAM enables the administration and monitoring of DHCP and DNS, and provides a comprehensive view of where IP addresses are used.
IPAM collects information from domain controllers and Network Policy Servers (NPSs), and then stores that information in the Windows Internal Database.
Benefits of IPAM:
- IPv4 and IPv6 address space planning and allocation.
- IP address space utilization statistics and trend monitoring.
- Static IP inventory management, lifetime management, and DHCP and DNS record creation and deletion.
- Service and zone monitoring of DNS services.
- IP address lease and logon event tracking.
- Role-based access control (RBAC).
- Remote administration support through RSAT.
- Reporting in the IPAM management console.
If you want to learn how to implement and configure IPAM, prepare a complete lab environment first; you can set up the whole infrastructure in Hyper-V. Make sure that you have 1 domain server and at least 1 member server. In this demo, we use the Adatum domain with 1 domain controller and 2 member servers, SVR1 and SVR2.
There are some 40-odd steps just to complete a basic IPAM implementation and configuration, so please spend some time reading them to understand how IPAM works in Windows Server 2012 R2.
Installing IPAM in Member Server
Log in to your member server (SVR2), open Server Manager, click Add roles and features, proceed to the Select features interface, select the IP Address Management (IPAM) Server check box, and proceed with Next…
On the Confirm installation selections interface, click Install:
Close the Installation progress interface when installation is complete:
Provisioning IPAM through a Group Policy Object (GPO)
On the member server, in Server Manager, click IPAM:
In the IPAM Overview interface, click Connect to IPAM server:
On the Connect to an IPAM Server interface, click LON-SVR2.Adatum.com (your server name), and then click OK:
Next, click Provision the IPAM server:
In the Provision IPAM Wizard interface, on the Before you begin page, click Next:
On the Configure database interface, click Next:
On the Select provisioning method interface, ensure that Group Policy Based is selected, then in the GPO name prefix box, type IPAM, and then click Next:
On the Confirm the Settings interface, click Apply. Provisioning will take a few minutes to complete.
Click Close once provisioning is complete.
Configure IP Management Server Discovery
On the IPAM Overview interface, click Configure server discovery:
In the Configure Server Discovery settings box, click Add (verify that you add the correct domain):
On the Configure Server Discovery box, confirm that Domain Controller, DHCP Server and DNS Server are selected and then click OK:
In the IPAM Overview interface, click Start server discovery. Discovery may take around 5 to 10 minutes to run:
After a few minutes, the yellow bar will indicate that discovery is complete:
Configure managed servers
In the IPAM Overview interface, click Select or add servers to manage and verify IPAM access.
Notice that the IPAM Access Status is blocked. This indicates that the IPAM server has not yet been granted permission to manage the domain server via Group Policy.
We will use Windows PowerShell to provision the IPAM GPO:
In Windows PowerShell, type:
Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com -DelegatedGpoUser Administrator
When you are prompted to confirm the action, type Y, and then press Enter. The command will take a few minutes to complete.
Next, in the SERVER INVENTORY > IPv4 pane, right-click LON-DC1, and then click Edit Server:
In the Add or Edit Server box, set the Manageability status to Managed, and then click OK:
Switch to the domain server and run the gpupdate /boot /force command to update the IPAM GPO. Next, in the IPAM console, right-click LON-DC1, and then click Refresh Server Access Status.
It may take up to 10 minutes for the status to change.
Refresh tasks as needed until a green check mark displays next to LON-DC1 and the IPAM Access Status shows Unblocked for the server. Next, right-click LON-DC1 and then click Retrieve ALL Server Data.
This action will also take a few minutes to complete.
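The result of the GPO provisioning step can be audited from PowerShell while waiting for the console status to change. The following is an added example, not part of the original walkthrough: it assumes the GroupPolicy module (RSAT) is available, uses the lab names from this demo, and relies on provisioning with the prefix IPAM having created the three GPOs IPAM_DHCP, IPAM_DNS and IPAM_DC_NPS.

```powershell
# Added example: audit the GPOs created by Invoke-IpamGpoProvisioning.
# Assumes the lab values from this walkthrough (Adatum.com, prefix "IPAM").
Import-Module GroupPolicy

$domain   = 'Adatum.com'
$prefix   = 'IPAM'
# Provisioning creates one GPO per managed role, named <prefix>_<role>.
$expected = "${prefix}_DHCP", "${prefix}_DNS", "${prefix}_DC_NPS"

$report = foreach ($name in $expected) {
    $gpo = Get-GPO -Name $name -Domain $domain -ErrorAction SilentlyContinue
    if (-not $gpo) {
        [pscustomobject]@{ Gpo = $name; Status = 'MISSING'; AppliesTo = ''; CanEdit = '' }
        continue
    }
    $perms = Get-GPPermission -Name $name -Domain $domain -All
    # Trustees with GpoApply form the security filtering: these are the
    # computers that actually receive the IPAM access settings.
    $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' }
    # Trustees with edit rights can change what the GPO pushes to those computers.
    $edit  = $perms | Where-Object { $_.Permission -like 'GpoEdit*' }
    [pscustomobject]@{
        Gpo       = $name
        Status    = $gpo.GpoStatus
        AppliesTo = ($apply.Trustee.Name -join ', ')
        CanEdit   = ($edit.Trustee.Name -join ', ')
    }
}
$report | Format-Table -AutoSize -Wrap
```

A GPO reported as MISSING means provisioning did not complete for that role; an unexpected name under CanEdit is worth reviewing, because these GPOs control what access the IPAM server is granted on managed servers.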
Configure and verify a new DHCP scope with IPAM
In the IPAM navigation interface, under MONITOR AND MANAGE, click DNS and DHCP Servers. Then right-click the instance of LON-DC1.Adatum.com that contains the DHCP server role, and then click Create DHCP Scope.
In the Create DHCP Scope box, in the Scope Name box, type Branch Scope:
- In the Start IP address box, type 10.0.0.50.
- In the End IP address box, type 10.0.0.100.
- Subnet mask is 255.0.0.0.
In the Create scope pane, click Options:
- On the DHCP Scope Options interface, click New.
- In the Configure options interface, in the Option select 003 Router.
- Under Values, in the IP Address box, type 10.0.0.1, click Add Configuration, and then click OK.
Verify the configuration, then click OK:
In the navigation interface, click DHCP Scopes, then right-click Branch Scope, and then click Configure DHCP Failover:
In the Configure DHCP Failover Relationship interface, for the Partner server field, click lon-svr1.adatum.com…
- In the Relationship Name field, type AdatumDHCPFailover.
- In the Enable Message Authentication Secret field, type Pa$$w0rd.
- In the Maximum Client Lead Time field, set the minutes to 10.
- Ensure the Mode field is set to Load balance.
Verify that the Load Balance Percentage is set to 50%. Select the Enable state switchover check box. Leave the default value of 60 minutes and then click OK.
Switch to the domain server and open the DHCP console. Expand lon-dc1.adatum.com, expand IPv4, and confirm that Branch Scope exists.
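As an alternative to the console steps, the same scope and failover relationship can be created and verified with the DhcpServer PowerShell module, which talks to the DHCP servers directly rather than through IPAM. This is an added example, not part of the original walkthrough; it reuses the lab values above and prompts for the message authentication secret instead of storing it in the script.

```powershell
# Added example: the Branch Scope and failover settings from this demo,
# created with the DhcpServer module instead of the IPAM console.
Import-Module DhcpServer

$primary = 'lon-dc1.adatum.com'
$partner = 'lon-svr1.adatum.com'
$scopeId = '10.0.0.0'   # network ID of 10.0.0.50-10.0.0.100 with mask 255.0.0.0

Add-DhcpServerv4Scope -ComputerName $primary -Name 'Branch Scope' `
    -StartRange 10.0.0.50 -EndRange 10.0.0.100 -SubnetMask 255.0.0.0
Set-DhcpServerv4OptionValue -ComputerName $primary -ScopeId $scopeId -Router 10.0.0.1

# Prompt for the shared secret so it is not saved in the script or command history.
$secure = Read-Host -Prompt 'Failover shared secret' -AsSecureString
$secret = (New-Object System.Net.NetworkCredential('', $secure)).Password

Add-DhcpServerv4Failover -ComputerName $primary -PartnerServer $partner `
    -Name 'AdatumDHCPFailover' -ScopeId $scopeId `
    -LoadBalancePercent 50 -MaxClientLeadTime 00:10:00 `
    -AutoStateTransition $true -StateSwitchInterval 01:00:00 `
    -SharedSecret $secret
Remove-Variable secret

# Verify that both partners hold the relationship and the scope,
# and that message authentication (EnableAuth) is turned on.
foreach ($server in $primary, $partner) {
    Get-DhcpServerv4Failover -ComputerName $server -Name 'AdatumDHCPFailover' |
        Select-Object @{n='Server';e={$server}}, Mode, LoadBalancePercent,
                      MaxClientLeadTime, AutoStateTransition, StateSwitchInterval,
                      EnableAuth, State |
        Format-List
    Get-DhcpServerv4Scope -ComputerName $server -ScopeId $scopeId |
        Select-Object @{n='Server';e={$server}}, ScopeId, Name, StartRange, EndRange, State |
        Format-List
}
```

EnableAuth should read True on both servers; a relationship created without a shared secret exchanges failover messages unauthenticated.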
Configure IP address blocks, record IP addresses, and create DHCP reservations and DNS records
Still on the IPAM server, click IP Address Blocks. In the right pane, click the Tasks drop-down arrow, and then click Add IP Address Block.
In the Add or Edit IPv4 Address Block box, provide the following values, and then click OK: (please refer to picture)
Next, click IP Address Inventory, in the right pane, click the Tasks drop-down arrow, and then click Add IP Address:
In the Add IP Address box, under Basic Configurations, provide the following values:
Click the Tasks drop-down arrow again, and then click Add IP Address:
In the Add IP Address box, under Basic Configuration, provide the following values: (Please refer to the picture)
In the Add IPv4 Address pane, click DHCP Reservation, and then enter the following values: (Please refer to the picture)
In the Add IPv4 Address pane, click DNS Record, enter the following values: (Please refer to the picture)
On the Summary interface, verify that the task completed without failures:
Switch to the domain server and open the DHCP console, expand IPv4, expand Scope (172.16.0.0) Adatum, and then click Reservations.
Verify that the reservation for 172.16.0.10 is displayed.
Lastly, open the DNS console, expand Forward Lookup Zones, and then click Adatum.com.
Verify that a host record displays for Webserver.
We have now installed IPAM and configured it with the IPAM-related GPOs, IP management server discovery, managed servers, a new DHCP scope, IP address blocks, IP addresses, DHCP reservations, and DNS records.