Microsoft IPAM (IP Address Management)
February 4, 2014
Microsoft IPAM (IP Address Management) is a feature that was released in Windows Server 2012 to help administrators manage decentralized DHCP and DNS servers. Previously, administrators may have needed spreadsheets to keep track of DHCP scopes, IP addresses, DNS names, etc. With IPAM installed, a single server can refresh all of this data and keep it in a single, always up-to-date place.
Deployment Guidelines
There are a few things you should know before installing IPAM.
DO: Install on a Server that is joined to the domain.
DO: Install on a Server that has network connectivity to your DNS, DHCP and Domain Controllers. The IPAM Server needs to be able to directly communicate with the services that they provide.
DON’T: Install on a Domain Controller. This is not supported.
DON’T: Install on a DHCP Server. This will prevent IPAM from discovering other DHCP Servers and is not supported.
Install IPAM Role
The IPAM Server role is added like all the server roles in Server 2012. From the Server Manager go through the Add Roles and Features wizard. Make sure to select the IPAM Server under features.
Setup IPAM
Once IPAM has been installed, use Server Manager and go through the steps, which are neatly ordered 1-6. Step 1 is to connect Server Manager to the IPAM server you just installed.
Step 2 is to provision IPAM. A wizard will pop up and give you some instructions. On the second page of the wizard, you need to make a decision about whether you will manually configure all of your security groups, firewall rules, etc. on each of your DHCP Servers, DNS Servers and Domain Controllers. I chose to forgo this method and chose the default option of using Group Policy. Notice that you’ll be required to put in a GPO Prefix.
Review the Summary and note that three new GPOs will be configured, each starting with your GPO Prefix (in my case hollow_).
Now we move on to Step 3, which is configuring server discovery. Which servers do you plan on managing with this IPAM Server? I’ve chosen all of the server types.
Step 4 will attempt to discover the server types that you’ve selected. The Server Inventory will list your servers, but will show an alarm about the server manageability status. Before you can set the manageability status, the GPOs have to be deployed. The GPOs that you defined in the wizard earlier haven’t been deployed yet and need to be invoked from PowerShell.
Note: I’m not sure exactly why this is a separate step, and furthermore not sure why this couldn’t have been done from the same Server Manager window you’ve been running through all along. RANT OVER.
In order to deploy the GPOs, the “Invoke-IpamGpoProvisioning” cmdlet needs to be run from PowerShell.
Run from a PowerShell prompt.
Invoke-IpamGpoProvisioning -Domain DOMAINNAME -GpoPrefixName GPOPREFIX -IpamServerFQDN IPAMSERVERNAME.DOMAINNAME
When finished you should see your GPOs listed in Group Policy Management.
Go back to Server Manager and look at your inventory again. Click Edit Server.
Choose the server types you plan to manage and choose “Managed” as the manageability status.
Once this is complete you may see a red X indicating an error. This is likely due to the GPO not being applied yet. If this happens, you can log in to the server in question and run the “GPupdate /Force” command to get the server to re-read the GPOs assigned to it.
When finished your Server inventory should look something like this.
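With Group Policy provisioning, a managed server picks up the IPAM access settings when the matching GPO applies to it, so it is worth checking which GPOs exist, who they apply to, and who can edit them. The following is an added example, not part of the original post: DOMAINNAME and GPOPREFIX are the same placeholders used in the command above, the function name is hypothetical, and the GPO name suffixes are an assumption to confirm against Group Policy Management.

```powershell
# Added example (not from the original post): audit the GPOs created by
# Invoke-IpamGpoProvisioning. Requires the GroupPolicy module (GPMC / RSAT).
Import-Module GroupPolicy

# Placeholders, as in the post's command line.
$Domain    = 'DOMAINNAME'
$GpoPrefix = 'GPOPREFIX'

# Assumption: the three GPOs are named <prefix>_DHCP, <prefix>_DNS, <prefix>_DC_NPS.
$Expected = 'DHCP', 'DNS', 'DC_NPS' | ForEach-Object { "${GpoPrefix}_$_" }

# Hypothetical helper name; returns one row per expected GPO.
function Get-IpamGpoAudit {
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [string[]] $GpoNames
    )
    foreach ($name in $GpoNames) {
        try {
            $gpo = Get-GPO -Name $name -Domain $Domain -ErrorAction Stop
        } catch {
            # GPO not found: provisioning has not run, or a different prefix was used.
            [pscustomobject]@{ Gpo = $name; Exists = $false; Status = $null
                               AppliesTo = $null; CanEdit = $null }
            continue
        }
        # All trustees on the GPO, including the security filter (GpoApply).
        $perms = Get-GPPermission -Guid $gpo.Id -Domain $Domain -All
        [pscustomobject]@{
            Gpo       = $name
            Exists    = $true
            Status    = $gpo.GpoStatus   # e.g. AllSettingsEnabled
            AppliesTo = ($perms | Where-Object { $_.Permission -eq 'GpoApply' }).Trustee.Name -join ', '
            CanEdit   = ($perms | Where-Object { $_.Permission -like 'GpoEdit*' }).Trustee.Name -join ', '
        }
    }
}

Get-IpamGpoAudit -Domain $Domain -GpoNames $Expected | Format-Table -AutoSize -Wrap
```

Review AppliesTo for anything other than the servers you set to Managed, and CanEdit for accounts that should not be able to change settings pushed to your DHCP servers, DNS servers and Domain Controllers.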
IPAM Usage
When you’ve finished your setup, you can use IPAM to do things like manage your IP Addresses, manage DNS Zones and review auditing and logs.
I am currently working on my MCSE and struggled a little on the 70-412 exam and was wondering if you had any info that better explained the IPAM admin roles and permissions. To me that whole feature is a little confusing with Local admins and security groups, I have not seen anywhere that really explains the ASM and MSM Admin groups where I understand exactly what they do. Unfortunately for me my 412 had a lot of IPAM questions. Thanks
[…] First, you should deploy Microsoft IPAM on a Server 2012 R2 Server. (YES, this must be Server 2012 R2, or higher. Server 2012 is missing the required powershell commands, it’s not my fault). If you’re looking for setup instructions for IPAM check out this previous post. […]
Hi JAmieT;
I’m an MCT and if your question hasn’t been answered here’s a possible explanation. There are 8 (eight) Role-Based Access Control (RBAC) administrative roles implemented in IPAM. In order of importance, the roles and functions are as follows:
1. IPAM Administrator – can view all IPAM data and perform all IPAM tasks.
2. IPAM ASM Admin – Address Space Management (ASM) administrators have IPAM Users privileges and can perform IPAM common management tasks and IP address space tasks.
3. IPAM MSM Admin – Multi-Server Management (MSM) administrators have IPAM Users privileges and can perform IPAM common management tasks and server management tasks.
4. IPAM IP Audit Admin – Members of this group have IPAM Users privileges and can perform IPAM common management tasks and can view IP address tracking information.
5. IPAM DHCP Admin – Completely manages DHCP servers (DHCP Admins are automatically added to this group)
6. IPAM Address Record Admin – Manages IP addresses but not IP address spaces, ranges, blocks, or subnets.
7. IPAM DNS Records Admins – Manages DNS resource records
8. IPAM User Admin – Members of this group can view all information in server discovery, IP address space, and server management. They can view IPAM and DHCP server operational events, but cannot view IP address tracking information.
Hope this helps.
PESK
Awesome thanks for the info.