Published: 4th September 2012
Windows Server 2012: Networking
Module 2: IP Address Management.
Module Manual Author: James Hamilton-Adams, Content Master
Microsoft Virtual Academy Student Manual ii
Information in this document, including URLs and other Internet Web site references, are subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2012 Microsoft Corporation. All rights reserved. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Module 2: IP Address Management (page 4)
  Module Overview (page 4)
The Need for IP Address Management (page 5)
What Is IPAM? (page 7)
Deploying IPAM in Windows Server 2012 (page 8)
Automatic Tasks in IPAM (page 11)
Delegating Control in IPAM (page 12)
Further Reading and Resources (page 13)
Module 2: IP Address Management.
Module Overview
This module introduces the IP address management (IPAM) feature in Windows Server 2012. You
will see why IPAM is important for network infrastructures in modern organizations, followed by the
installation process and requirements for the new IPAM feature. You will also see some of the IPAM
server options and how to delegate access to IPAM and related tasks.
The Need for IP Address Management
In current TCP/IP networking infrastructures, for all but the smallest networks, you need to have a
method for managing IP address requirements. Administrators should have a plan that describes
what address ranges are in use, how many subnets there are, and which subnets correspond to
which locations.
Your IPAM method should also detail any dynamic address assignment configurations, such as
Dynamic Host Configuration Protocol (DHCP), and any corresponding reservation requirements. You
should also be able to clearly identify any IP address ranges used for static address assignment for
server or network device requirements.
Finally, based on these records, you should be able to identify how much of your designated address
pool is in use and how many addresses are free to assist with network expansion and new device
requirements.
Typically, there have been three approaches to managing your IP address estate:
- Spreadsheets. Network administrators often capture all of this information in spreadsheets. The initial cost is virtually zero, and when the network is small, this method seems efficient. However, updating the information is labor-intensive, and as the network grows, or urgent changes are requested, administrators often do not apply the time that is required to keep the information up to date, and the result becomes difficult to manage.
- Custom in-house tools. Some organizations have the resources to build in-house solutions, such as custom software or database applications that hold the relevant information and may even provide some workflow or automation functions to identify free addresses or display address pool usage. However, such tools may be expensive to develop, maintain, or further extend in terms of developer resources, and support for them depends entirely on the in-house support model and expertise.
- Commercial software or appliances. Commercial tools typically offer the most feature-rich options, often providing automation and integration with existing infrastructure components, such as Windows DNS and DHCP servers. However, commercial tools are typically the most expensive option, often having ongoing licensing or support costs in addition to the initial cost of the tools and their deployment.
What Is IPAM?
Windows Server 2012 provides IPAM as a feature. IPAM is a framework that enables discovery,
management, and monitoring of an IP address space within the network of an organization.
IPAM provides the following capabilities:
- Automatic discovery of your IP address infrastructure, such as DHCP servers, DNS servers, and domain controllers. After discovery, you can use the IPAM tools to manage these services.
- Display, management, and reporting of your address space. The IPAM console gives you the capability to find a specific range of IP addresses by associated information. You can find and replace specific information, or update several scopes at the same time. You can manage both IPv4 and IPv6 address ranges with IPAM.
- Monitoring of the state of your DHCP and DNS servers. You can display information relating to DHCP scope usage and DNS zone health.
- Auditing of configuration changes and tracking of IP address usage. IPAM captures configuration changes to DNS or DHCP servers, and you can also track DHCP lease events.
Deploying IPAM in Windows Server 2012
You can deploy IPAM in Windows Server 2012 as a single-server, centralized deployment, or a
distributed deployment where each site may have an IPAM server.
In a distributed deployment, there is no communication or database sharing between different IPAM
servers in the organization. Each IPAM server will manage a part of the organization address space
only, such as a specific office or location. If required, you can use export functions in IPAM to
consolidate reporting data from across a distributed deployment.
Requirements for deploying IPAM in Windows Server 2012:
- Windows Server 2012 full installation (IPAM is available on any edition of Windows Server 2012, but not on Server Core installations).
- The IPAM server must be a member of an Active Directory Domain Services (AD DS) domain.
- You cannot install the IPAM feature on a domain controller.
- IPAM automatically installs the Windows Internal Database on the IPAM server. IPAM does not support external databases.
- IPAM only supports integration with Microsoft domain controllers, DHCP, DNS, and Network Policy Server (NPS) servers running Windows Server 2008 and later.
- IPAM communicates with managed servers using remote procedure call (RPC) or Windows Management Instrumentation (WMI) interfaces. Ensure that firewalls do not block IPAM communication ports.
The process of configuring an IPAM server consists of the following steps:
1. Install the IPAM feature on the server. The IPAM feature requires the following Windows Server 2012 components:
   - The DNS, DHCP, and IPAM client components of the Remote Server Administration Tools (RSAT).
   - Windows Internal Database.
   - Windows Process Activation Service.
   - Group Policy Management.
   - Microsoft .NET Framework 4.5.
2. Provision the IPAM server. This step involves choosing whether to manually provision managed servers or to use Group Policy to automate provisioning.
3. Configure server discovery. This step involves specifying the domains for which to retrieve domain controller, DHCP server, and DNS server information.
4. Run server discovery. This is an automated task created in Task Scheduler after you provision the IPAM server, but you can also start the discovery task manually.
5. Add servers to manage. This step involves choosing discovered servers to be managed by IPAM, and possibly adding servers to IPAM manually. You can also verify at this step that IPAM can access the required servers.
6. Retrieve data. This step retrieves DNS, DHCP, and other data from the servers marked as managed in the previous step, which enables IPAM to start displaying and managing blocks of IP addresses.
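The deployment requirements and the scriptable parts of steps 1, 2 and 4, as an added Windows PowerShell example that is not part of the student manual. The domain contoso.com, the server name ipam01 and the GPO prefix IPAM are placeholders, and the Task Scheduler folder \Microsoft\Windows\IPAM\ is an assumption not named in the manual.

```powershell
# Added example (not from the manual): pre-flight checks for the deployment requirements,
# then the scripted parts of the configuration steps. Placeholders: contoso.com, ipam01,
# GPO prefix "IPAM". Run in an elevated session using a domain administrator account.

# Requirements: domain member, not a domain controller, full (non-Core) installation.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'The IPAM server must be a member of an AD DS domain.' }
# DomainRole 4 = backup domain controller, 5 = primary domain controller.
if ($cs.DomainRole -ge 4) { throw 'IPAM cannot be installed on a domain controller.' }
if (-not (Get-WindowsFeature -Name Server-Gui-Shell).Installed) {
    throw 'IPAM is not supported on Server Core; a full installation is required.'
}

# Step 1: install the IPAM feature. -IncludeManagementTools adds the RSAT client components;
# Windows Internal Database and the other required components are installed as dependencies.
Install-WindowsFeature -Name IPAM -IncludeManagementTools

# Step 2, Group Policy based provisioning: create the DC_NPS, DHCP and DNS GPOs in the domain
# with the prefix "IPAM" (IPAM_DC_NPS, IPAM_DHCP, IPAM_DNS). The GPOs are filtered by
# security group so they apply only to servers that IPAM marks as managed.
Invoke-IpamGpoProvisioning -Domain 'contoso.com' -GpoPrefixName 'IPAM' `
    -IpamServerFqdn 'ipam01.contoso.com' -Force

# Step 4: once the discovery domains are configured in the IPAM console (step 3), discovery
# can be started on demand instead of waiting for the daily scheduled run.
# Task folder is an assumption: \Microsoft\Windows\IPAM\
Start-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'DiscoveryTask'
```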
Manual Versus Group Policy-Based Provisioning
If you choose the manual provisioning option, you must manually configure each server that you
want IPAM to manage. The following table shows the requirements for each type of managed server:

Managed server type: DHCP server
Configuration requirements:
- The computer account of the IPAM server must be a member of the Event Log Readers local security group.
- The computer account of the IPAM server must be a member of the DHCP Users local security group.
- The following firewall rules must be enabled:
  o DHCP Server (RPC-In)
  o DHCP Server (RPCSS-In)
  o Remote Service Management (RPC)
  o Remote Service Management (RPC-EPMAP)
- For DHCP auditing, the following additional requirements exist:
  o A network file share named Dhcpaudit must be created using the DHCP audit file folder, with read access enabled for the IPAM server computer account.
  o The following firewall rules must be enabled: File and Printer Sharing (NB-Session-In); File and Printer Sharing (SMB-In)

Managed server type: DNS server
Configuration requirements:
- The computer account of the IPAM server must be a member of the Event Log Readers local security group.
- You must add read access for the IPAM server computer account to the DNS discretionary access control list (DACL).
- The IPAM server computer account must be granted read access in the ACL that is maintained by the following registry key on the DNS server: MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD
- The following firewall rules must be enabled:
  o DNS Service RPC
  o DNS Service RPC Endpoint Mapper
  o Remote Service Management (RPC)
  o Remote Service Management (RPC-EPMAP)

Managed server type: Domain controller
Configuration requirements:
- The computer account of the IPAM server must be a member of the Event Log Readers domain security group.
- The following firewall rules must be enabled:
  o Remote Event Log Management (RPC)
  o Remote Event Log Management (RPC-EPMAP)

Managed server type: NPS server
Configuration requirements:
- The computer account of the IPAM server must be a member of the Event Log Readers local security group.
- The following firewall rules must be enabled:
  o DNS Service RPC
  o DNS Service RPC Endpoint Mapper
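A check script for the manual-provisioning requirements above, as an added Windows PowerShell example that is not part of the student manual. It runs on a managed DHCP or DNS server; the IPAM server computer account CONTOSO\IPAM01$ is a placeholder, and the group, firewall rule and registry names are taken from the table.

```powershell
# Added example (not from the manual): verify the manual-provisioning requirements on a
# managed DHCP or DNS server. Run it locally on that server. Assumed placeholder:
# IPAM server computer account CONTOSO\IPAM01$. Group and rule names come from the table.
$ipamAccount = 'CONTOSO\IPAM01$'

$requirements = @{
    DHCP = @{ Groups = @('Event Log Readers', 'DHCP Users')
              Rules  = @('DHCP Server (RPC-In)', 'DHCP Server (RPCSS-In)',
                         'Remote Service Management (RPC)', 'Remote Service Management (RPC-EPMAP)') }
    DNS  = @{ Groups = @('Event Log Readers')
              Rules  = @('DNS Service RPC', 'DNS Service RPC Endpoint Mapper',
                         'Remote Service Management (RPC)', 'Remote Service Management (RPC-EPMAP)') }
}

# Members of a local group as DOMAIN\name, via the WinNT ADSI provider (present on Server 2012).
function Get-LocalGroupMemberName([string]$Group) {
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    foreach ($m in $grp.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'   # WinNT://CONTOSO/IPAM01$ -> CONTOSO\IPAM01$
    }
}

# One status line per requirement; anything other than OK stops IPAM from collecting data.
function Test-IpamProvisioning([ValidateSet('DHCP', 'DNS')][string]$Role) {
    $req = $requirements[$Role]
    foreach ($g in $req.Groups) {
        $ok = @(Get-LocalGroupMemberName $g) -contains $ipamAccount
        '{0} group    {1,-42} {2}' -f $Role, $g, $(if ($ok) { 'OK' } else { 'MISSING' })
    }
    foreach ($r in $req.Rules) {
        $rule = Get-NetFirewallRule -DisplayName $r -ErrorAction SilentlyContinue
        $ok = ($rule -ne $null) -and ($rule.Enabled -eq 'True')
        '{0} firewall {1,-42} {2}' -f $Role, $r, $(if ($ok) { 'OK' } else { 'DISABLED OR ABSENT' })
    }
    if ($Role -eq 'DNS') {
        # The IPAM computer account needs an access-allowed ACE in the DNS Server event log
        # security descriptor, stored as an SDDL string in the CustomSD value named in the table.
        $sid  = (New-Object Security.Principal.NTAccount($ipamAccount)).Translate([Security.Principal.SecurityIdentifier]).Value
        $key  = 'HKLM:\System\CurrentControlSet\Services\Eventlog\DNS Server'
        $sddl = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
        $ok   = [bool]($sddl -and $sddl -match ('\(A;[^)]*;' + [regex]::Escape($sid) + '\)'))
        '{0} registry {1,-42} {2}' -f $Role, 'CustomSD read ACE for IPAM account', $(if ($ok) { 'OK' } else { 'MISSING' })
    }
}

Test-IpamProvisioning -Role DHCP
```

Run `Test-IpamProvisioning -Role DNS` on a DNS server; the DHCP auditing share and the domain controller and NPS rows are not covered by this script.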
Alternatively, you can use Group Policy to assist in provisioning managed servers. To use Group
Policy for IPAM provisioning, you must run the Invoke-IpamGpoProvisioning Windows PowerShell
cmdlet using a domain administrator account to create the necessary Group Policy Objects (GPOs).
The following GPOs are created:
DC_NPS. This Group Policy applies to domain controllers and NPS servers.
DHCP. This Group Policy applies to DHCP servers.
DNS. This Group Policy applies to DNS servers.
The GPOs are created at the domain level and use security group filtering to ensure that the Group
Policies are only applied to managed servers. When creating the GPOs using
Invoke-IpamGpoProvisioning, you can specify the prefix that is added to all the GPO names.
Automatic Tasks in IPAM
When installing the IPAM feature on a server, the installation process creates a number of automated
tasks that IPAM uses to gather data from managed servers.
IPAM installation creates the following automated tasks (task name, description, default frequency):
- DiscoveryTask: discovers domain controllers, DNS servers, and DHCP servers across selected domains. Default frequency: 1 day.
- AddressUtilizationCollectionTask: collects address space utilization information from DHCP servers. Default frequency: 2 hours.
- AuditTask: collects audit information from DHCP and IPAM servers, and collects IP lease audit logs from NPS servers and domain controllers. Default frequency: 1 day.
- ConfigurationTask: collects configuration information from DHCP and DNS servers. Default frequency: 6 hours.
- ServerAvailabilityTask: collects service availability status for DHCP and DNS servers. Default frequency: 15 minutes.
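A health check for these tasks, as an added Windows PowerShell example that is not part of the student manual: it compares each task's last run against its default frequency so that stale or failing collection is noticed before IPAM's data goes quietly out of date. The Task Scheduler folder \Microsoft\Windows\IPAM\ is an assumption not named in the manual.

```powershell
# Added example (not from the manual): check that the IPAM collection tasks are running on
# their default schedules. Run on the IPAM server. Task names and default frequencies are
# from the table above; the Task Scheduler folder \Microsoft\Windows\IPAM\ is assumed.
$expected = @{
    DiscoveryTask                    = New-TimeSpan -Days 1
    AddressUtilizationCollectionTask = New-TimeSpan -Hours 2
    AuditTask                        = New-TimeSpan -Days 1
    ConfigurationTask                = New-TimeSpan -Hours 6
    ServerAvailabilityTask           = New-TimeSpan -Minutes 15
}

function Get-IpamTaskHealth {
    $now = Get-Date
    foreach ($name in $expected.Keys) {
        $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName $name -ErrorAction SilentlyContinue
        if (-not $task) {
            [PSCustomObject]@{ Task = $name; State = 'NOT FOUND'; LastRun = $null; AgeMinutes = $null; Result = $null; Verdict = 'ALERT' }
            continue
        }
        $info = $task | Get-ScheduledTaskInfo
        $age  = $now - $info.LastRunTime
        # Tolerate one missed interval (two intervals without a run) before alerting. Stale
        # collection means IPAM's view of leases, utilization and audit events is out of date.
        $limit  = [TimeSpan]::FromTicks(2 * $expected[$name].Ticks)
        $stale  = $age -gt $limit
        # LastTaskResult 0 = succeeded; 0x41301 (267009) = currently running. Anything else failed.
        $failed = $info.LastTaskResult -notin 0, 267009
        $verdict = if ($task.State -eq 'Disabled' -or $stale -or $failed) { 'ALERT' } else { 'OK' }
        [PSCustomObject]@{
            Task = $name; State = $task.State; LastRun = $info.LastRunTime
            AgeMinutes = [math]::Round($age.TotalMinutes); Result = $info.LastTaskResult; Verdict = $verdict
        }
    }
}

Get-IpamTaskHealth | Format-Table Task, State, LastRun, AgeMinutes, Result, Verdict -AutoSize
```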
Delegating Control in IPAM
During the installation of IPAM on a server, the installation process creates several local security
groups. You can use these groups to grant different levels of access to IPAM and allow delegation of
some IPAM management tasks.
The following security groups are created on the IPAM server:
- IPAM Users. Users who are members of this group can view server discovery, IP address space, and server management information. Group members can also view IPAM and DHCP server operational events, but they cannot view IP address tracking information.
- IPAM MSM Administrators. Members of this group have IPAM Users privileges and can perform common IPAM multi-server management (MSM) tasks and server management tasks.
- IPAM ASM Administrators. Members of this group have IPAM Users privileges and can perform common IPAM address space management (ASM) tasks and IP address space tasks.
- IPAM IP Audit Administrators. Members of this group have IPAM Users privileges and can perform common IPAM management tasks and can view IP address tracking information.
- IPAM Administrators. Members of this group have the privileges to view all IPAM data and perform all IPAM tasks.
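A membership review of these five groups, as an added Windows PowerShell example that is not part of the student manual. It runs locally on the IPAM server and flags the two groups whose members can read IP address tracking data, which is where delegation should be tightest.

```powershell
# Added example (not from the manual): list who holds each IPAM delegation level on the
# IPAM server, flagging the two groups that can read IP address tracking data. Run locally
# on the IPAM server; the five group names are those created by the IPAM installer.
$ipamGroups = 'IPAM Users', 'IPAM MSM Administrators', 'IPAM ASM Administrators',
              'IPAM IP Audit Administrators', 'IPAM Administrators'

function Get-IpamGroupMembership {
    # Win32_GroupUser links each local group to its members (local users, domain users,
    # domain groups and computer accounts), as WMI reference strings.
    $links = Get-WmiObject -Class Win32_GroupUser
    foreach ($g in $ipamGroups) {
        $members = $links |
            Where-Object { $_.GroupComponent -match ('Name="' + [regex]::Escape($g) + '"$') } |
            ForEach-Object {
                # PartComponent looks like \\HOST\root\cimv2:Win32_UserAccount.Domain="CONTOSO",Name="alice"
                if ($_.PartComponent -match 'Domain="([^"]+)",Name="([^"]+)"') { '{0}\{1}' -f $Matches[1], $Matches[2] }
            }
        # IPAM Users cannot see IP address tracking data; these two groups can, so their
        # membership deserves the closest review.
        $tracking = $g -in @('IPAM IP Audit Administrators', 'IPAM Administrators')
        [PSCustomObject]@{
            Group    = $g
            Tracking = $tracking
            Members  = $(if ($members) { $members -join ', ' } else { '(none)' })
        }
    }
}

Get-IpamGroupMembership | Format-Table Group, Tracking, Members -AutoSize
```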
Further Reading and Resources
IP Address Management (IPAM) Overview.
Step-by-Step: Configure IPAM to Manage Your IP Address Space.