Module 2 - IP Address Management Student Manual


Published: 4th September 2012

Windows Server 2012: Networking

Module 2: IP Address Management

Module Manual Author: James Hamilton-Adams, Content Master

Microsoft Virtual Academy Student Manual

Information in this document, including URLs and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2012 Microsoft Corporation. All rights reserved. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Contents .......... iii
Module 2: IP Address Management .......... 4
    Module Overview .......... 4
The Need for IP Address Management .......... 5
What Is IPAM? .......... 7
Deploying IPAM in Windows Server 2012 .......... 8
Automatic Tasks in IPAM .......... 11
Delegating Control in IPAM .......... 12
Further Reading and Resources .......... 13

Module 2: IP Address Management

Module Overview

This module introduces the IP address management (IPAM) feature in Windows Server 2012. You will see why IPAM is important for network infrastructures in modern organizations, followed by the installation process and requirements for the new IPAM feature. You will also see some of the IPAM server options and how to delegate access to IPAM and related tasks.

The Need for IP Address Management

In current TCP/IP networking infrastructures, for all but the smallest networks, you need to have a method for managing IP address requirements. Administrators should have a plan that describes what address ranges are in use, how many subnets there are, and which subnets correspond to which locations.

Your IPAM method should also detail any dynamic address assignment configurations, such as Dynamic Host Configuration Protocol (DHCP), and any corresponding reservation requirements. You should also be able to clearly identify any IP address ranges used for static address assignment for server or network device requirements.

Finally, based on these records, you should be able to identify how much of your designated address pool is in use and how many addresses are free to assist with network expansion and new device requirements.

Typically, there have been three approaches to managing your IP address estate:

• Spreadsheets. Network administrators often capture all of this information in spreadsheets. The initial cost is virtually zero, and when the network is small, this method seems efficient. However, updating the information is labor-intensive, and as the network grows, or urgent changes are requested, administrators often do not apply the time that is required to keep the information up to date, and the result becomes difficult to manage.

• Custom in-house tools. Some organizations have the resources to build in-house solutions, such as custom software or database applications that hold the relevant information and may even provide some workflow or automation functions to identify free addresses or display address pool usage. However, such tools may be expensive to develop, maintain, or further extend in terms of developer resources. Support of these tools can only be dependent on the in-house support model and expertise.

• Commercial software or appliances. Commercial tools typically offer the most feature-rich options, often providing automation and integration with existing infrastructure components, such as Windows DNS and DHCP servers. However, commercial tools are typically the most expensive option, often having ongoing licensing or support costs in addition to the initial cost of the tools and their deployment.

What Is IPAM?

Windows Server 2012 provides IPAM as a feature. IPAM is a framework that enables discovery, management, and monitoring of an IP address space within the network of an organization.

IPAM includes the following components:

• Automatically discover your IP address infrastructure, such as DHCP servers, DNS servers, and domain controllers. After discovery, you can use the IPAM tools to manage these services.

• Display, manage, and report your address space. The IPAM console gives you the capability to find a specific range of IP addresses by associated information. You can find and replace specific information, or update several scopes at the same time. You can manage both IPv4 and IPv6 address ranges with IPAM.

• Monitor the state of your DHCP and DNS servers. You can display information relating to DHCP scope usage and DNS zone health.

• Audit configuration changes and track your IP address usage. Configuration changes to DNS or DHCP servers are captured by IPAM, and you can also track DHCP lease events.

Deploying IPAM in Windows Server 2012

You can deploy IPAM in Windows Server 2012 as a single-server, centralized deployment, or a distributed deployment where each site may have an IPAM server.

In a distributed deployment, there is no communication or database sharing between different IPAM servers in the organization. Each IPAM server will manage a part of the organization address space only, such as a specific office or location. If required, you can use export functions in IPAM to consolidate reporting data from across a distributed deployment.

Requirements for deploying IPAM in Windows Server 2012:

• Windows Server 2012 full installation (IPAM is available on any edition of Windows Server 2012 except server core installations).

• The IPAM server must be a member of an Active Directory Domain Services (AD DS) domain.

• You cannot install the IPAM feature on a domain controller.

• IPAM automatically installs the Windows Internal Database on the IPAM server. IPAM does not support external databases.

• IPAM only supports integration with Microsoft domain controllers, DHCP, DNS, and Network Policy Server (NPS) servers running Windows Server 2008 and later.

• IPAM communicates with managed servers using remote procedure call (RPC) or Windows Management Instrumentation (WMI) interfaces. Ensure that firewalls do not block IPAM communication ports.

The process of configuring an IPAM server consists of the following steps:

1. Install the IPAM feature on the server. The IPAM feature requires the following Windows Server 2012 components:

   o The DNS, DHCP, and IPAM client components of the Remote Server Administration Tools (RSAT).
   o Windows Internal Database.
   o Windows Process Activation Service.
   o Group Policy Management.
   o Microsoft .NET Framework 4.5.

2. Provision the IPAM server. This step involves choosing whether to manually provision managed servers or to use Group Policy to automate provisioning.

3. Configure server discovery. This step involves specifying which domains to retrieve domain controller, DHCP server, and DNS server information for.

4. Run server discovery. This is an automated task created in the task scheduler after you provision the IPAM server, but you can also manually start the discovery task.

5. Add servers to manage. This step involves choosing discovered servers to be managed by IPAM and possibly adding servers manually to IPAM. You can also verify that IPAM can access the required servers at this step.

6. Retrieve data. This step retrieves DNS, DHCP, and other data from the servers specified as managed in the previous step. This enables IPAM to start displaying and managing blocks of IP addresses.

Manual Versus Group Policy-Based Provisioning

If you choose the manual provisioning option, you must manually configure each server that you want IPAM to manage. The following table shows the requirements for each type of managed server:

Managed server type: DHCP server
Configuration requirements:
  • The computer account of the IPAM server must be a member of the Event Log Readers local security group.
  • The computer account of the IPAM server must be a member of the DHCP Users local security group.
  • The following firewall rules must be enabled:
      o DHCP Server (RPC-In)
      o DHCP Server (RPCSS-In)
      o Remote Service Management (RPC)
      o Remote Service Management (RPC-EPMAP)
  • For DHCP auditing, the following additional requirements exist:
      o A network file share named Dhcpaudit must be created using the DHCP audit file folder, with read access enabled for the IPAM server computer account.
      o The following firewall rules must be enabled: File and Printer Sharing (NB-Session-In), File and Printer Sharing (SMB-In)

Managed server type: DNS server
Configuration requirements:
  • The computer account of the IPAM server must be a member of the Event Log Readers local security group.
  • You must add read access for the IPAM server computer account to the DNS discretionary access control list (DACL).
  • The IPAM server computer account must be granted read access in the ACL that is maintained by the following registry key on the DNS server: MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD
  • The following firewall rules must be enabled:
      o DNS Service RPC
      o DNS Service RPC Endpoint Mapper
      o Remote Service Management (RPC)
      o Remote Service Management (RPC-EPMAP)

Managed server type: Domain controller
Configuration requirements:
  • The computer account of the IPAM server must be a member of the Event Log Readers domain security group.
  • The following firewall rules must be enabled:
      o Remote Event Log Management (RPC)
      o Remote Event Log Management (RPC-EPMAP)

Managed server type: NPS server
Configuration requirements:
  • The computer account of the IPAM server must be a member of the Event Log Readers local security group.
  • The following firewall rules must be enabled:
      o DNS Service RPC
      o DNS Service RPC Endpoint Mapper
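The following script is an added example, not code from the manual: saved as a .ps1 and run elevated on a managed DHCP or DNS server, it audits the manual-provisioning requirements from the table above (local group membership, firewall rules, the Dhcpaudit share, and the DNS Server event log CustomSD). The IPAM computer account CONTOSO\IPAM01$ is a placeholder; the DNS DACL requirement is not checked here.

```powershell
# Added example (not from the manual). Assumed placeholder: IPAM server account CONTOSO\IPAM01$.
param([ValidateSet('DHCP', 'DNS')] [string]$Role = 'DHCP')
$IpamAccount = 'CONTOSO\IPAM01$'
$samName     = ($IpamAccount -split '\\')[-1]          # IPAM01$
$results     = New-Object System.Collections.Generic.List[object]
function Add-Result($check, $passed) { $results.Add([pscustomobject]@{ Check = $check; Passed = [bool]$passed }) }

# Local group membership via the ADSI WinNT provider (Windows Server 2012 has no Get-LocalGroupMember)
function Test-LocalGroupMember($group) {
    $members = ([ADSI]"WinNT://./$group,group").Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    return ($members -contains $samName)
}
# A rule counts only if at least one rule with that display name is enabled
function Test-FirewallRule($displayName) {
    $rule = Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' }
    return [bool]$rule
}

Add-Result 'Member of Event Log Readers' (Test-LocalGroupMember 'Event Log Readers')
$rules = 'Remote Service Management (RPC)', 'Remote Service Management (RPC-EPMAP)'
if ($Role -eq 'DHCP') {
    Add-Result 'Member of DHCP Users' (Test-LocalGroupMember 'DHCP Users')
    $rules += 'DHCP Server (RPC-In)', 'DHCP Server (RPCSS-In)',
              'File and Printer Sharing (NB-Session-In)', 'File and Printer Sharing (SMB-In)'
    # DHCP auditing: the Dhcpaudit share must exist and allow the IPAM computer account to read it
    $access = Get-SmbShareAccess -Name 'Dhcpaudit' -ErrorAction SilentlyContinue |
        Where-Object { $_.AccountName -eq $IpamAccount -and $_.AccessControlType -eq 'Allow' }
    Add-Result "Dhcpaudit share readable by $IpamAccount" $access
} else {
    $rules += 'DNS Service RPC', 'DNS Service RPC Endpoint Mapper'
    # CustomSD holds the DNS Server event log ACL as an SDDL string; the IPAM account's SID must appear in it
    $sid  = (New-Object System.Security.Principal.NTAccount($IpamAccount)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
    $sddl = (Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\Eventlog\DNS Server' `
                -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    Add-Result "DNS Server event log CustomSD grants $IpamAccount" ($sddl -like "*$sid*")
}
foreach ($r in $rules) { Add-Result "Firewall rule '$r' enabled" (Test-FirewallRule $r) }
$results | Format-Table -AutoSize
```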

Alternatively, you can use Group Policy to assist in provisioning managed servers. To use Group Policy for IPAM provisioning, you must run the Invoke-IpamGpoProvisioning Windows PowerShell cmdlet using a domain administrator account to create the necessary Group Policy Objects (GPOs). The following GPOs are created:

• DC_NPS. This Group Policy applies to domain controllers and NPS servers.

• DHCP. This Group Policy applies to DHCP servers.

• DNS. This Group Policy applies to DNS servers.

The GPOs are created at the domain level and use security group filtering to ensure that the Group Policies are only applied to managed servers. When creating the GPOs using Invoke-IpamGpoProvisioning, you can specify the prefix that is added to all the GPO names.
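As an added example (not code from the manual), the script below carries out deployment steps 1 and 2 with the Group Policy provisioning option described above, then checks who each generated GPO is security-filtered to and kicks off the discovery task from step 4. The domain contoso.com, the server ipam01.contoso.com, the prefix IPAM and the scheduled-task path are assumptions; run it elevated on the IPAM server as a domain administrator.

```powershell
# Added example (not from the manual). Placeholders: contoso.com, ipam01.contoso.com, prefix IPAM.
$Domain    = 'contoso.com'
$IpamFqdn  = 'ipam01.contoso.com'
$GpoPrefix = 'IPAM'

# Step 1: install the IPAM feature; -IncludeManagementTools adds the RSAT IPAM client.
Install-WindowsFeature -Name IPAM -IncludeManagementTools

# Step 2 (Group Policy option): create the <prefix>_DC_NPS, <prefix>_DHCP and <prefix>_DNS GPOs
# at the domain level. IPAM fills the filtering groups itself when a server is marked as managed.
Invoke-IpamGpoProvisioning -Domain $Domain -GpoPrefixName $GpoPrefix -IpamServerFqdn $IpamFqdn

# Defender's check: each GPO should apply only to its filtering group, never to Authenticated
# Users, otherwise the firewall and group changes would reach every computer in the domain.
Import-Module GroupPolicy
foreach ($suffix in 'DC_NPS', 'DHCP', 'DNS') {
    $gpoName = "${GpoPrefix}_$suffix"
    Get-GPPermission -Name $gpoName -All -DomainName $Domain |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo       = $gpoName
                AppliesTo = $_.Trustee.Name
                Broad     = ($_.Trustee.Name -eq 'Authenticated Users')
            }
        }
}

# Step 4: discovery runs on its own schedule; start it now instead of waiting.
# Task path is assumed to be the one IPAM registers; confirm with Get-ScheduledTask if it differs.
Start-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'DiscoveryTask'
```

Steps 3 and 5 (choosing discovery domains and marking discovered servers as managed) are performed in the IPAM console in this module.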

Automatic Tasks in IPAM

When installing the IPAM feature on a server, the installation process creates a number of automated tasks that IPAM uses to gather data from managed servers.

IPAM installation creates the following automated tasks:

Task name: DiscoveryTask
  Description: Discovers domain controllers, DNS servers, and DHCP servers across selected domains.
  Default frequency: 1 day

Task name: AddressUtilizationCollectionTask
  Description: Collects address space utilization information from DHCP servers.
  Default frequency: 2 hours

Task name: AuditTask
  Description: Collects audit information from DHCP and IPAM servers, and collects IP lease audit logs from NPS servers and domain controllers.
  Default frequency: 1 day

Task name: ConfigurationTask
  Description: Collects configuration information from DHCP and DNS servers.
  Default frequency: 6 hours

Task name: ServerAvailabilityTask
  Description: Collects service availability status for DHCP and DNS servers.
  Default frequency: 15 minutes
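The following added example (not code from the manual) reads the five IPAM scheduled tasks on the IPAM server, compares each task's repetition interval with the default frequency in the table above, and flags tasks that are disabled, failed on their last run, or have not run within two intervals, since a stalled AuditTask or ServerAvailabilityTask silently stops the audit and monitoring data. The task path \Microsoft\Windows\IPAM\ is an assumption; confirm it with Get-ScheduledTask.

```powershell
# Added example (not from the manual). Assumes the IPAM tasks live under \Microsoft\Windows\IPAM\.
$expected = [ordered]@{
    'DiscoveryTask'                    = New-TimeSpan -Days 1
    'AddressUtilizationCollectionTask' = New-TimeSpan -Hours 2
    'AuditTask'                        = New-TimeSpan -Days 1
    'ConfigurationTask'                = New-TimeSpan -Hours 6
    'ServerAvailabilityTask'           = New-TimeSpan -Minutes 15
}

$report = foreach ($name in $expected.Keys) {
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName $name -ErrorAction SilentlyContinue
    if (-not $task) {
        [pscustomobject]@{ Task = $name; State = 'MISSING'; Interval = $null; LastRun = $null; LastResult = $null; Issue = 'task not found' }
        continue
    }
    $info = $task | Get-ScheduledTaskInfo
    # Repetition.Interval is an ISO 8601 duration such as PT15M, PT2H or P1D
    $raw      = $task.Triggers[0].Repetition.Interval
    $interval = if ($raw) { [System.Xml.XmlConvert]::ToTimeSpan($raw) } else { $null }
    # TimeSpan has no multiply operator in Windows PowerShell, so scale it via ticks
    $twice    = [timespan]::FromTicks(2 * $expected[$name].Ticks)

    $issues = @()
    if ($task.State -eq 'Disabled')               { $issues += 'disabled' }
    if ($info.LastTaskResult -ne 0)               { $issues += ('last result 0x{0:X}' -f $info.LastTaskResult) }
    if ($interval -and $interval -ne $expected[$name]) { $issues += "interval differs from default $($expected[$name])" }
    if ($info.LastRunTime -lt ((Get-Date) - $twice)) { $issues += 'overdue' }

    [pscustomobject]@{
        Task       = $name
        State      = $task.State
        Interval   = $interval
        LastRun    = $info.LastRunTime
        LastResult = $info.LastTaskResult
        Issue      = ($issues -join '; ')
    }
}
$report | Format-Table -AutoSize
```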

Delegating Control in IPAM

During the installation of IPAM on a server, the installation process creates several local security groups. You can use these groups to grant different levels of access to IPAM and allow delegation of some IPAM management tasks.

The following security groups are created on the IPAM server:

• IPAM Users. Users who are members of this group can view server discovery, IP address space, and server management information. Group members can also view IPAM and DHCP server operational events, but they cannot view IP address tracking information.

• IPAM MSM Administrators. Members of this group have IPAM Users privileges and can perform common IPAM multi-server management (MSM) tasks and server management tasks.

• IPAM ASM Administrators. Members of this group have IPAM Users privileges and can perform common IPAM address space management (ASM) tasks and IP address space tasks.

• IPAM IP Audit Administrators. Members of this group have IPAM Users privileges and can perform common IPAM management tasks and can view IP address tracking information.

• IPAM Administrators. Members of this group have the privileges to view all IPAM data and perform all IPAM tasks.
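As an added example (not code from the manual), this script enumerates the members of the five IPAM local groups listed above on the IPAM server so that delegated access can be reviewed against least privilege; the set of "broad" principals it flags is this example's own assumption.

```powershell
# Added example (not from the manual). Run on the IPAM server.
$groups = 'IPAM Users', 'IPAM MSM Administrators', 'IPAM ASM Administrators',
          'IPAM IP Audit Administrators', 'IPAM Administrators'
$broad  = 'Everyone', 'Authenticated Users', 'Domain Users', 'Users'   # assumed review list

function Get-LocalGroupMemberName {
    param([string]$GroupName)
    # The ADSI WinNT provider works on Windows Server 2012, which lacks Get-LocalGroupMember
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $group.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://CONTOSO/alice; turn it into CONTOSO\alice
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$report = foreach ($g in $groups) {
    try {
        foreach ($member in Get-LocalGroupMemberName -GroupName $g) {
            $leaf = ($member -split '\\')[-1]
            [pscustomobject]@{
                Group  = $g
                Member = $member
                # IPAM IP Audit Administrators and IPAM Administrators can see IP address
                # tracking data, so broad principals in those two groups deserve the closest look
                Flag   = if ($broad -contains $leaf) { 'BROAD PRINCIPAL - review' } else { '' }
            }
        }
    } catch {
        Write-Warning "Could not read group '$g': $_"
    }
}
$report | Sort-Object Group, Member | Format-Table -AutoSize
```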

Further Reading and Resources

• IP Address Management (IPAM) Overview.

• Step-by-Step: Configure IPAM to Manage Your IP Address Space.