Understand and Troubleshoot IP Address Management (IPAM) in Windows Server 8 Beta
Abstract
This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality,
and troubleshooting methods for IP Address Management (IPAM) in Windows Server 8 Beta. This UTG
provides you with:
Technical concepts to help you successfully install, configure, and manage this feature.
Copyright information
This document is provided as-is. Information and views expressed in this document,
including URL and other Internet Web site references, may change without notice.
Some examples depicted herein are provided for illustration only and are fictitious. No real
association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference
purposes.
© 2012 Microsoft. All rights reserved.
Active Directory, Hyper-V, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, Windows
Server, and Windows Vista are trademarks of the Microsoft group of companies.
Table of Contents
Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM
About The Understanding and Troubleshooting Guide
Introducing IPAM
What Is IPAM?
Purpose/Benefits
Functional Overview
Technical Overview
Installing and Provisioning IPAM
Deployment Considerations
Installation Process - IPAM Server
Installation Process - IPAM Client
IPAM Provisioning
Configuring and Managing IPAM
IPAM Initial Setup
Address Space Management
Troubleshooting IPAM
Troubleshooting tools
Common IPAM problems
Appendix
Manual IPAM Provisioning - Configuring Access Settings
GPO Based IPAM Provisioning - GPO Setting Details
DRAFT V5.0
Introducing IPAM
Internet Protocol (IP) Address Management, which is a critical part of network
administration, has become increasingly challenging, as networks grow more
dynamic and complex. The need for centralized administration of addresses is
increasing dramatically over time as mobile computing, virtualization, and IP
devices continue to consume more IP addresses. The need for management
tools has also increased with deployment and adoption of new Internet
Protocol version 6 (IPv6) networks, which have much larger address pools, and
a more complex 128-bit hexadecimal notation as compared with 32-bit dotted
decimal Internet Protocol version 4 (IPv4) addresses. The length and
complexity of IPv6 addresses makes continued tracking of them in a
spreadsheet impractical.
Currently, third-party vendors offer various software-based or appliance-bundled
management solutions in this space. However, the upfront overhead of procuring,
deploying, and integrating such solutions remains a deterrent to their adoption.
Most IT administrators still track IP address allocation and utilization manually,
using spreadsheets or custom database applications. This is time consuming and
resource intensive, and is inherently prone to user error. Windows Server "8" Beta
introduces a new feature to meet the IP addressing and naming infrastructure
management needs of network and server administrators.
What Is IPAM?
Internet Protocol Address Management (IPAM) is a framework for discovering,
monitoring the utilization of, auditing, and managing the Internet Protocol (IP)
address space in a network. IPAM encompasses the administration and monitoring
of Dynamic Host Configuration Protocol (DHCP) and the monitoring of Domain Name
System (DNS), the services that assign and resolve IP addresses for devices in a
TCP/IP network. IPAM in Windows Server "8" Beta provides components for planning
and allocating IP address space, static IP inventory management, auditing of
configuration changes, monitoring and management of Microsoft DHCP servers,
monitoring of Microsoft DNS servers and DNS zones, and IP address usage tracking
with customized visualization.
Purpose/Benefits
The Windows Server "8" Beta IPAM feature provides a unified framework to meet the
following administrative requirements of the addressing and naming infrastructure,
for network and server administration from a central console. IPAM provides the
following benefits:
Multi-entity management and monitoring of DHCP services and DHCP scopes
Functional Overview
Prerequisites
Windows Server "8" Beta IPAM is an integrated suite of IP addressing and
naming solutions aimed at helping network and system administrators to
manage IP infrastructures across the enterprise. IPAM scope selection across
the managed server nodes is limited to a single Active Directory (AD) forest,
with appropriate trust relationships between the domains.
The IPAM server must be domain joined, and is reliant on a prerequisite
functional network infrastructure environment, including IPv4 and IPv6 network
connectivity, in order to integrate with existing DHCP, DNS, DC, and NPS
installations across the AD forest.
Install the IPAM feature on an Active Directory domain member server intended
as a single-purpose server, and do not attempt to collocate other network
infrastructure roles such as DNS or DHCP on the same server. IPAM installation
and provisioning is not supported on a domain controller.
IPAM users must be logged in using a domain account with appropriate
privileges.
The following are requirements for successful IPAM deployment.
Ensure that you have network connectivity. Enabling both IPv4 and IPv6 is
recommended. Discovering IPv6 address space and infrastructure will not be
supported unless IPv6 connectivity is enabled.
Ensure that you log on to the IPAM server using a domain account. Do not log
on to the IPAM server using the local Administrator or a local user account.
Ensure that you are a member of appropriate IPAM local security group (See
the IPAM Local Security Groups section of this guide) or if you are running as
a member of the local Administrators group then you must run elevated.
If you are accessing the IPAM server remotely using Server Manager IPAM
client RSAT, then you must be a member of the WinRMRemoteWMIUsers
group on the IPAM server, in addition to being a member of the appropriate
IPAM security group (or local Administrators group).
For best performance, do not install any other server roles on the IPAM
server.
Ensure that network firewall ports and access settings are provisioned to
enable IPAM's access to workloads (DC, DNS, DHCP and NPS) across the
managed roles in the AD forest. For more information on IPAM provisioning
and provisioning methods, refer to the Deployment Considerations section of
this guide.
If using Group Policy based provisioning, ensure that the users marking
servers as managed/unmanaged in IPAM server inventory console either
have domain administrator privileges or have delegated rights to edit GPO
security filter lists. For more information on GPO delegation, refer to the
Group Policy Based Provisioning section of this guide.
Functional Description
Windows Server "8" Beta IPAM consists of five primary modules, which provide
the management functionality. These modules include the following:
Event Catalog
IP address tracking
IPAM uses the following rules during server discovery on configured domains
for selected roles:
o All DNS servers registered as name servers for the domain zone and
DNS suffixes registered for the configured domains are discovered.
o All DHCP servers authorized for the configured domains that respond
to the DHCP server INFORM message are discovered. This allows IPAM to
discard inactive DHCP servers that are still listed as authorized in AD.
Add, remove, and edit servers (and server roles) manually, outside of the
auto-discovery process.
Disjoint name space support. IPAM maintains separate fields showing the
server's DNS suffix and domain name.
Managed - IPAM periodic tasks will collect data from the active (checked)
roles on these servers. Inactive (unchecked) roles on these servers are
ignored.
Unmanaged - IPAM periodic tasks will not collect data from these servers.
IPAM deletes all existing information pertaining to these servers from its
database.
Unspecified - IPAM periodic tasks will not collect data from these servers.
However, IPAM retains all existing information pertaining to these servers
in its database. Set a server's status to Unspecified in scenarios where the
server is offline temporarily, for example during a maintenance cycle.
Level 3 IP Subnet (/16 for IPv4 and /48 for IPv6 based on primary
interface address)
Edit owner and description for servers, and add user-defined or built-in
custom fields/tags to servers
IP addresses are the leaf-level entity under IP address ranges. IPAM
enables end-to-end life cycle management of IPv4 and IPv6 addresses,
IP Address
IP Address Range
Server
You can use custom field tagging for multi-valued custom fields for defining
logical groups. Logical groups enable you to visualize IP address ranges in a
real-life business perspective rather than a conventional hierarchy of IP
subnets. You can customize these logical groups and they can be hierarchical.
Logical groups are defined by selecting the grouping criteria from built-in or
user-defined custom fields. IPAM supports multi-level hierarchy when defining a
logical group for IP address ranges. Similar custom logical groups can be
created to group IP addresses and managed servers. Entities that do not map
to the first level criteria defined for the logical group are displayed under the
unmapped space in the group.
IPAM also rolls up utilization statistics and trends at the logical group level for
IP address ranges. Logical groups defined for IP address ranges are known as
IP range groups. IPAM supports simultaneous creation of multiple IP range
groups based on different criteria. By default, IPAM creates the built-in IP range
group called Managed By, which groups IP address range by the two-tier
hierarchy of Managed by Service field followed by Service Instance field.
Built-in logical groups cannot be deleted, but the grouping criteria can be
edited.
IPAM supports only one logical group for IP addresses known as IP address
inventory, which is created by default. This built-in IP address logical group
groups IP addresses by a single hierarchy of device type field. Built-in logical
groups cannot be deleted, but the grouping criteria can be edited.
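Worked example (added here; it is not code from this guide or from IPAM itself): the logical-group behaviour described above, in Python. It builds a hierarchical group from an ordered list of field names, places entities that have no value for the first-level field under the unmapped space, and rolls the utilization counters up to every group level, as IPAM does for IP range groups such as the built-in Managed By group (and, with a single-level criterion like device type, for the IP address inventory). The ranges, field values and counters are constructed sample data. Two details are assumptions rather than documented behaviour: an entity with no value for a deeper-level field is attached at the last level it mapped to, and the percentage is rounded to one decimal.

```python
# Added example: hierarchical logical groups with utilization roll-up.
# Sample data is constructed; it is not an IPAM export.
RANGES = [
    {"range": "10.1.0.0/24", "Managed by Service": "MS DHCP", "Service Instance": "dhcp01",
     "Site": "Redmond", "total": 254, "utilized": 200},
    {"range": "10.1.1.0/24", "Managed by Service": "MS DHCP", "Service Instance": "dhcp01",
     "Site": "Redmond", "total": 254, "utilized": 50},
    {"range": "10.2.0.0/24", "Managed by Service": "MS DHCP", "Service Instance": "dhcp02",
     "Site": "Dublin", "total": 254, "utilized": 100},
    {"range": "192.168.5.0/24", "Managed by Service": "IPAM", "Service Instance": "Localhost",
     "Site": None, "total": 254, "utilized": 10},
    # No Managed by Service value: lands in the unmapped space of the Managed By group.
    {"range": "172.16.0.0/24", "Managed by Service": None, "Service Instance": None,
     "Site": "Dublin", "total": 254, "utilized": 254},
]

UNMAPPED = "Unmapped"


def new_node():
    return {"children": {}, "members": [], "total": 0, "utilized": 0}


def build_group(entities, criteria):
    """Build a logical group tree from an ordered list of field names (the grouping criteria).

    An entity with no value for the first-level field goes under UNMAPPED at the top level.
    Assumption: an entity with no value for a deeper field is attached at the last level it
    mapped to rather than being dropped.
    """
    root = new_node()
    for entity in entities:
        node = root
        for depth, field in enumerate(criteria):
            value = entity.get(field)
            if value is None:
                if depth == 0:
                    node = node["children"].setdefault(UNMAPPED, new_node())
                break
            node = node["children"].setdefault(value, new_node())
        node["members"].append(entity)
    roll_up(root)
    return root


def roll_up(node):
    """Sum the counters of direct members and of every child group into this group."""
    node["total"] = sum(m["total"] for m in node["members"])
    node["utilized"] = sum(m["utilized"] for m in node["members"])
    for child in node["children"].values():
        roll_up(child)
        node["total"] += child["total"]
        node["utilized"] += child["utilized"]
    return node


def percent_utilized(node):
    """Percentage utilized for a range or a group; rounding to one decimal is an assumption."""
    return 0.0 if node["total"] == 0 else round(100.0 * node["utilized"] / node["total"], 1)


def subgroup(root, *keys):
    """Walk down the tree by group values, e.g. subgroup(g, "MS DHCP", "dhcp01")."""
    for key in keys:
        root = root["children"][key]
    return root


if __name__ == "__main__":
    managed_by = build_group(RANGES, ["Managed by Service", "Service Instance"])
    for service, node in managed_by["children"].items():
        print(f"{service}: {percent_utilized(node)}% utilized")
        for instance, sub in node["children"].items():
            print(f"  {instance}: {percent_utilized(sub)}%")
```

The same `build_group` call with `["Site"]` produces a second, independent range group from the custom field, which is what "simultaneous creation of multiple IP range groups based on different criteria" amounts to: the groups are views over the same ranges, so an address range counts towards the roll-up of every group it maps into.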
Utilization Monitoring
Utilization trend building and reporting for IPv4 address ranges, IPv4 address
blocks and IPv4 range groups.
Capability to zoom in and out of the utilization trend window. You can select
from standard trend periods of 1 day, 7 days, 1 month, 3 months, 6 months,
1 year, 2 years and 5 years; custom start and end dates for viewing the
utilization trend are also supported.
Two additional utilization counters are supported for dynamic IPv6 address
ranges discovered from Microsoft DHCP servers. Together these counters add
up to the total number of utilized addresses for this range:
Utilization trend for an IPv4 address range is plotted for the following line graph:
o Percentage utilized
Utilization trend for an IPv4 address block is plotted for the following line graphs:
o Percentage assigned
o Percentage utilized
Utilization trend for an IPv4 range group is plotted for the following line graph:
o Percentage utilized
Auto-discovery of DHCP scopes and scope utilization information. Auto-discovered
DHCP scopes appear as IP address ranges with Managed by Service set as MS DHCP
and Service Instance set as the name of the DHCP server.
Use an intuitive interface for importing addresses, ranges and blocks from
spreadsheets and databases.
For any other range, IPAM queries the local IPAM database to find an
available IP address.
A free IP address is further validated by a ping (expecting no reply) and a
DNS lookup (expecting no record found). Any deviation from the expected result
is called out, so that appropriate action can be taken to synchronize the IPAM
IP address inventory with the DNS records and the hosts active on the network.
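Worked example (added here; not code from this guide or from IPAM): the free-address search and validation described above, in Python. It walks a range's start-to-end span, skips addresses already recorded in the local inventory, and then applies the two checks, ping expecting no reply and DNS lookup expecting no record, reporting each anomaly instead of silently handing out an address that something on the network already claims. The range, inventory and probe results are constructed so the code runs offline; the `ping` and `resolve` callables are assumed interfaces that a real deployment would back with an ICMP probe and a PTR lookup.

```python
# Added example: free-address search with ping/DNS validation and anomaly reporting.
import ipaddress

# Constructed sample range and the addresses IPAM already records for it.
RANGE = {"start": "10.1.0.10", "end": "10.1.0.20"}
INVENTORY = {"10.1.0.10", "10.1.0.11", "10.1.0.13"}

# Constructed probe results standing in for live network checks.
PING_REPLIES = {"10.1.0.12"}                     # answers ping but is not in the inventory
DNS_PTR = {"10.1.0.14": "ghost.corp.example"}   # stale PTR record for an address IPAM thinks is free


def candidate_addresses(rng, inventory):
    """Yield every address from start to end (inclusive) that is not in the inventory."""
    start = ipaddress.ip_address(rng["start"])
    end = ipaddress.ip_address(rng["end"])
    if start.version != end.version or start > end:
        raise ValueError("range start/end must be the same IP version and ordered")
    for n in range(int(start), int(end) + 1):
        ip = str(type(start)(n))        # keeps IPv6 ranges IPv6 even for small integers
        if ip not in inventory:
            yield ip


def validate_free(ip, ping, resolve):
    """Apply the two checks to a supposedly free address and return the anomalies found.

    ping(ip) -> bool and resolve(ip) -> str | None are hypothetical probe interfaces.
    """
    anomalies = []
    if ping(ip):
        anomalies.append("responds to ping: in use on the network but absent from the inventory")
    name = resolve(ip)
    if name:
        anomalies.append(f"has DNS record {name}: stale DNS or inventory out of date")
    return anomalies


def find_free(rng, inventory, ping, resolve, count=1):
    """Return (free, flagged): validated free addresses, and {ip: [anomalies]} to reconcile."""
    free, flagged = [], {}
    for ip in candidate_addresses(rng, inventory):
        anomalies = validate_free(ip, ping, resolve)
        if anomalies:
            flagged[ip] = anomalies
            continue
        free.append(ip)
        if len(free) == count:
            break
    return free, flagged


if __name__ == "__main__":
    free, flagged = find_free(RANGE, INVENTORY, PING_REPLIES.__contains__, DNS_PTR.get, count=2)
    print("free:", free)
    for ip, reasons in flagged.items():
        print("anomaly:", ip, "-", "; ".join(reasons))
```

The flagged dictionary is the useful output for an administrator: an address that answers ping but is missing from the inventory points to an untracked host, while an address with a lingering DNS record but no host behind it points to a stale record that should be removed before the address is reissued.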
Manage DNS records for IP addresses from a central console: create/delete DNS
A/AAAA records for IP addresses, and create/delete DNS PTR records for IP addresses.
monitoring functions do not require any special privileges on the target server
for the logged-in user.
Create and edit new and existing user classes - Multi-select servers
and launch the action to configure user classes on multiple servers
simultaneously.
Launch MMC - Launch the MMC for the selected DHCP server
Launch MMC - Launch the MMC for the selected DNS server
Multi-Entity Management
A primary benefit of IPAM functionality is its ability to simultaneously manage
multiple DHCP servers or DHCP scopes spread across one or more DHCP
servers. This significantly reduces the administrative effort needed by
eliminating repetitive steps and reducing the possibility of error during these
operations. Some of the advanced multi-edit constructs are explained below:
Edit DHCP server properties like DNS update settings and DNS credentials
on multiple DHCP servers simultaneously
Edit DHCP scope properties such as DNS updates, lease duration, and
advanced properties on multiple DHCP scopes spread across multiple
DHCP servers simultaneously
Server Monitoring
The IPAM monitoring view provides the ability to view from a single console the
status and health of selected sets of Microsoft DNS and DHCP servers. The
monitoring view of IPAM displays the basic health of servers along with recent
configuration events that occurred on these servers. The monitoring view also
provides the ability to organize the managed servers into logical server groups.
Note:
The custom field tagging can only be done for DHCP servers from the
Monitor and Manage console by invoking the Edit DHCP Server
Properties dialog. Both DHCP and DNS servers can be configured with
custom field values from the Server Inventory view using Edit Server
dialog.
Basic configuration settings are displayed in the view and in the preview panes
in the server monitoring view. For DHCP servers, the server view enables
tracking of various server settings, server options, number of scopes, and
number of active leases, that are configured on the server. For DNS servers,
the view enables tracking of all zones configured on the server along with
details of the zone type. The view also allows you to see the total number of
zones configured on the server, as well as overall zone health status as
derived from the zone status of individual zones on the server.
IPAM also facilitates periodic monitoring of DHCP and DNS service status from
a central console. The service status is displayed as Running, Stopped, or
Paused for each managed server in the DHCP and DNS Servers view.
If the server role is running but IPAM still shows the availability state as
Not Reachable, ensure that the IPAM machine account SID (or the IPAMUG group
SID, for GPO-based provisioning) has been added to the service ACL on the
managed server; without that entry the service status query is denied and the
server appears unreachable even though the service is up.
IPAM displays a list of all forward lookup zones that are hosted by
managed DNS servers with their overall status based on status from
all the servers hosting that zone, as well as duration that the zone
has been in that state. The zone status for all servers is shown as
OK if the zone is being serviced by each of the Authoritative
servers. The zone status for all servers is shown as Warning, if
one or more authoritative servers is not servicing the zone. The
zone status for all servers of the zone is shown as Error if none of
the authoritative servers are servicing the zone. An authoritative
server is considered to be servicing the zone if the zone status of
the zone on that server and the server availability state of the
server are not in red state.
IPAM also displays a list of all authoritative servers for that zone in
the preview pane along with the zone type and zone health status
information.
IPv4 Reverse Lookup node - IPAM enables the user to visualize all IPv4
reverse lookup zones configured on the managed DNS server. A list of all
authoritative servers hosting the selected reverse lookup zone is
presented in the preview pane.
IPv6 Reverse Lookup node - IPAM enables the user to visualize all IPv6
reverse lookup zones configured on the managed DNS server. A list of all
authoritative servers hosting the selected reverse lookup zone is
presented in the preview pane.
Note:
IPAM does not support reverse lookup zone health monitoring.
Event Catalog
In a distributed network with multiple DHCP servers, the task of monitoring
configuration changes across the infrastructure can be challenging. Individual
servers log configuration events in their log channel which roll over periodically
and are difficult to query and track centrally.
IPAM event catalog provides a centralized repository to audit all configuration
changes performed on DHCP servers managed from a single IPAM
management console. Another console in event catalog gathers all of the
configuration events from the IPAM configuration event channel.
These configuration event catalogs provide the ability to view, query and
generate reports of the consolidated configuration changes, along with details
specific to each record. IPAM audit tools enable monitoring for any potential
misconfiguration of the IP infrastructure by leveraging network audit logs for
tracking and reporting of any administrative actions required. The advanced
query and filtering support from IPAM enables tracking of Service Level
Agreements (SLAs) based on time, administrator identity, server name and
additional detail from a single console.
The IP address management audit specifically provides for:
Event ID
Time of event
Data purge facility for event catalog database tables to free disk space
(after a backup, if intended). You can select the time window before which
data must be purged and the data type (IPAM configuration, DHCP
configuration, IP address tracking). It is advisable to schedule the purge
at night or at a time when IPAM activity is low.
IP Address Tracking
In certain network forensics scenarios, it is useful to establish a trail of the
computers or devices used by a user within a specific time. In an environment
where IP addresses are dynamically assigned using DHCP, the IP addresses
assigned to devices on a network are temporary and can change over time. IP
addresses do not necessarily uniquely identify a computer or device. A host
name assigned to a computer or device can also change, and cannot be relied
upon for unique device or computer identification. Establishing a
comprehensive record or trail of the computers or devices used by a user
within a specific period, complete with IP address, host name, and MAC (Media
Access Control)/DUID (DHCP Unique Identifier) address of a computer or device
may be difficult or impossible if based solely on IP lease events.
A DC or NPS server logs events for user and machine authentication, which
also identify the IP address from which an authentication request was received.
An intelligent audit system that collects and maintains a historical trail of IP
address lease events from the DHCP server and authentication events from DC
and NPS servers can help administrators to track and associate IP addresses
with the users and devices in their environment.
The IP address tracking feature of IPAM enables you to select a search criteria,
such as IP address, client ID (MAC/DUID), host name or user name, and specify
a query time interval in terms of start and end date and time. IPAM intelligently
correlates results from the repository of DHCP leases and DC/NPS logon events
based on advanced algorithms to provide the results. This enables you to
search events for a given time frame and obtain results mapping a user
account to particular devices identified by the IP address, MAC address, and/or
host name.
The IP address tracking feature collects the following events to build the
search database:
DHCP lease events: new lease, renew lease and lease expiry events from
the DHCP audit log of the managed DHCP servers
The IP address tracking feature enables two query modes over the specified
time:
Exclude correlated logon and lease events - All direct matches to the
search criteria between the specified search start time and end time, from
the DHCP lease logs collected in the IPAM database, are returned. This
mode is supported for all search pivots except User Name.
Include correlated logon and lease events - All correlated lease and logon
events found by the correlation logic are returned, along with the direct
matches on the specified search criteria. This mode is supported for all
searches.
Note:
The events displayed in the query result are +/- 5 minutes from the
search period specified. This is done to accommodate server time lags
or discrepancies between IPAM and managed servers. The timestamp
of events collected from managed DHCP, DC and NPS servers is stored
in UTC in the IPAM database. The timestamp on the events mined as
the result of the search operation is displayed in the context of the time
and time zone configured on the IPAM client.
The correlation logic used by IPAM comprises three main steps, briefly
explained below:
Step 1: Finding all DHCP lease events based on direct match
For an IP address, client ID, or host name search, IPAM selects the DHCP
lease events that directly match the search value. For a user name based
search, IPAM first finds the correlated host names from the logon events and
then uses those host names to determine the DHCP lease events to be used for
further correlation.
Step 2: Deriving DHCP lease chunks for the specified search interval
Using the new lease, renew, release, and/or expire lease events found for a
specific IP address, distinct lease period start and end values can be
ascertained. Each such lease period is referred to as a lease chunk. Each
lease chunk has an IP address, MAC address and host name associated with it,
taken from the DHCP lease event log.
Step 3: Obtain correlated events for each of the derived lease chunks
For each lease chunk, the authentication events collected in the data store
are queried for events that share one or more common elements (the IP
address, MAC address, or host name) within the time span of that lease chunk.
Matching on multiple common elements returns additional correlated
information.
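Worked example (added here; not code from this guide or from IPAM): the three correlation steps above carried through in Python on constructed data. The DHCP audit rows are a simplified `id,date,time,ip,host,mac` form of the DHCP audit log with event IDs 10/11/12/17 taken as new/renew/release/expire (an assumption; the real file has more columns), the DC/NPS logon events are constructed, all timestamps are treated as already normalized to UTC as the note above says the database stores them, and an NPS event is modelled as carrying the client MAC but no IP. The example applies the ±5 minute slack to each lease chunk's window, which is what lets an NPS authentication four minutes before a lease was issued be attributed to that lease, while an event that falls between two leases matches neither.

```python
# Added example: DHCP lease chunks and DC/NPS logon correlation for IP address tracking.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
SLACK = timedelta(minutes=5)                  # the +/- 5 minute tolerance for clock skew
NEW, RENEW, RELEASE, EXPIRE = 10, 11, 12, 17   # assumed DHCP audit-log event IDs

# Constructed DHCP audit-log rows, simplified to id,date,time,ip,host,mac.
# Timestamps are taken to be UTC already, as stored in the IPAM database.
DHCP_AUDIT = """\
10,03/14/12,08:00:00,10.1.0.20,LAPTOP-A.corp.example,00-11-22-33-44-55
11,03/14/12,09:00:00,10.1.0.20,LAPTOP-A.corp.example,00-11-22-33-44-55
12,03/14/12,11:30:00,10.1.0.20,LAPTOP-A.corp.example,00-11-22-33-44-55
10,03/14/12,11:45:00,10.1.0.20,DESK-B.corp.example,66-77-88-99-AA-BB
10,03/14/12,08:10:00,10.1.0.21,PRINTER-C.corp.example,CC-DD-EE-FF-00-11
"""


def ts(iso):
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


# Constructed DC/NPS authentication events (UTC). An NPS event carries the client MAC
# but no IP; a DC logon event carries the source IP.
LOGONS = [
    {"time": ts("2012-03-14T08:02:10Z"), "user": "alice", "ip": "10.1.0.20",
     "host": "LAPTOP-A.corp.example", "mac": None, "source": "DC"},
    {"time": ts("2012-03-14T11:47:00Z"), "user": "bob", "ip": "10.1.0.20",
     "host": "DESK-B.corp.example", "mac": None, "source": "DC"},
    {"time": ts("2012-03-14T11:41:00Z"), "user": "carol", "ip": None,          # 4 min before the
     "host": None, "mac": "66-77-88-99-AA-BB", "source": "NPS"},               # lease: inside slack
    {"time": ts("2012-03-14T11:38:00Z"), "user": "dave", "ip": "10.1.0.20",    # between leases:
     "host": None, "mac": None, "source": "DC"},                               # outside both windows
]


def parse_dhcp_audit(text):
    rows = []
    for line in text.splitlines():
        eid, date, time, ip, host, mac = line.split(",")
        when = datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S").replace(tzinfo=UTC)
        rows.append({"id": int(eid), "time": when, "ip": ip, "host": host, "mac": mac})
    return rows


def lease_chunks(events):
    """Step 2: split one IP address's lease events into distinct lease periods (chunks)."""
    chunks, current = [], None
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] in (RELEASE, EXPIRE):
            if current:
                chunks.append({**current, "end": ev["time"]})
                current = None
        elif ev["id"] == NEW or current is None or ev["mac"] != current["mac"]:
            # A new lease (or a renew by a client never seen assigned) opens a chunk and closes
            # any chunk still open for another client; a renew by the same client is a no-op.
            if current:
                chunks.append({**current, "end": ev["time"]})
            current = {"ip": ev["ip"], "mac": ev["mac"], "host": ev["host"], "start": ev["time"]}
    if current:
        chunks.append({**current, "end": None})   # still leased at the end of the data
    return chunks


def correlate(chunks, logons, slack=SLACK):
    """Step 3: attach DC/NPS events sharing an IP, MAC or host with a chunk inside its window."""
    hits = []
    for chunk in chunks:
        low = chunk["start"] - slack
        high = None if chunk["end"] is None else chunk["end"] + slack
        for ev in logons:
            if ev["time"] < low or (high is not None and ev["time"] > high):
                continue
            matched = [k for k in ("ip", "mac", "host") if ev.get(k) and ev[k] == chunk[k]]
            if matched:
                hits.append({"user": ev["user"], "source": ev["source"], "logon_time": ev["time"],
                             "matched_on": matched, "ip": chunk["ip"], "mac": chunk["mac"],
                             "host": chunk["host"], "lease_start": chunk["start"],
                             "lease_end": chunk["end"]})
    return hits


def search(pivot, value, start, end, audit_rows, logons, include_correlated=True):
    """pivot is 'ip', 'mac', 'host' or 'user'. Returns direct lease matches or correlated records."""
    if pivot == "user":
        if not include_correlated:
            raise ValueError("user-name search is only supported with correlated results")
        hosts = {e["host"] for e in logons if e["user"] == value and e["host"]}
        rows = [r for r in audit_rows if r["host"] in hosts]      # Step 1 via logon host names
    else:
        rows = [r for r in audit_rows if r[pivot] == value]       # Step 1: direct match
    rows = [r for r in rows if start - SLACK <= r["time"] <= end + SLACK]
    if not include_correlated:
        return rows
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    chunks = [c for evs in by_ip.values() for c in lease_chunks(evs)]
    return correlate(chunks, logons)


if __name__ == "__main__":
    rows = parse_dhcp_audit(DHCP_AUDIT)
    window = (ts("2012-03-14T07:00:00Z"), ts("2012-03-14T12:00:00Z"))
    for hit in search("ip", "10.1.0.20", *window, rows, LOGONS):
        print(hit["user"], hit["host"], hit["mac"], hit["matched_on"], hit["lease_start"].isoformat())
```

The forensic value lies in the chunk boundaries: because 10.1.0.20 was released by LAPTOP-A and reissued to DESK-B within the search window, an IP-only search still attributes alice's logon to the first device and bob's and carol's to the second, rather than lumping everyone who ever used that address together.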
Advanced UI features
Group navigation control - Divides the data into major functional areas
followed by entities/views. The lower navigation tree further arranges the
entities into appropriate pivots such as subnets or logical groups.
Customize the default view - Add or remove columns of your choice in the
default view displayed. All built-in and user-defined basic and custom fields
are available for selection in the view.
Group by functionality - Select to group the view using the selected criteria.
Support for free-format query on all fields - Start typing any value in the
search pane to return the matching string search results filtered from the
displayed rows.
Dedicated event catalog monitoring for each address space entity, servers,
scopes and zone, in the preview pane for each row selected
Limitations
The Windows Server "8" Beta IPAM implementation does not provide a global
solution for every possible management scenario. Notable limitations are listed
below.
Supports only Microsoft DHCP, DNS, DC, and NPS servers running Windows
Server 2008 and above.
IPAM supports only domain-joined DHCP, DNS and NPS servers.
The only DNS management features supported are creation and deletion of DNS
A/AAAA and PTR records. For any other DNS management operation, launch the
DNS MMC from within the IPAM console.
Automatic DNS record enumeration is not supported. You can enable this
scenario by building upon the IPAM periodic address import features available
from the IPAM Windows PowerShell cmdlets.
Technical Overview
IPAM Architecture
IPAM comprises two main modules, which are available as two Server Manager
features:
IPAM Server - This feature provides the IPAM backend, which implements the
periodic data collection tasks that gather configuration and event
information from managed servers. It also manages the relational database
hosted in the Windows Internal Database (WID) and the Windows Communication
Foundation (WCF) server endpoint that enables remote management of the IPAM
server, provides the IPAM Windows PowerShell module, and implements
role-based access control.
IPAM Client - This feature includes the IPAM client UI component, which
interacts with the IPAM server over WCF to perform remote management. The
IPAM client also directly invokes the relevant Windows PowerShell interfaces
to interact with DHCP servers for configuration tasks, with DNS servers for
record management, and with group policy for security filter list
synchronization.
The IPAM client UI communicates with the IPAM server to perform remote
management over WCF with TCP as the transport; specifically, the
NetTcpBinding is used. See WCFBinding-MSDN for more detail on the various
bindings and their capabilities. The WCF endpoint listens on TCP port 48885
on the IPAM server. This port number falls in the IANA Registered Ports
range but is not currently assigned to any service. The default port is
deliberately not taken from the ephemeral port range, because this is
server-side functionality: the socket listens for traffic at all times once
the server feature is enabled, so any host firewall on the IPAM server must
allow inbound connections to this port from the IPAM clients. When there is a
port conflict, or a need to reconfigure the server port for any other reason,
the port number on the server can be changed. Before connecting to the IPAM
server, the client UI queries the configured server port by using a Windows
PowerShell cmdlet provided by IPAM. This uses Windows PowerShell remoting,
which is built on the WinRM layer and is enabled by default; the client
therefore needs WinRM access to the IPAM server (hence the
WinRMRemoteWMIUsers membership requirement noted under Prerequisites) in
addition to the WCF port. The IPAM Windows PowerShell cmdlets
Get-IpamConfiguration and Set-IpamConfiguration can be used to get and set
the WCF communication port respectively.
The figure below illustrates high level IPAM architecture.
IPAM also allows you to specify the group policy objects to manage the
DHCP/DNS/NPS/DC server configuration for use with IPAM during setup. These
group policy objects must be created in advance for each server role (DHCP,
DNS, DC/NPS). The security filtering lists for these group policy objects will be
updated when the servers are enabled or disabled for management through
the IPAM console.
The IPAM server communicates with all the managed DHCP servers to get the
DHCP scope utilization for both IPv4 and IPv6 (stateless as well as stateful),
server configuration and scope configuration using DHCP Windows PowerShell
commands. The DHCP Windows PowerShell commands use Microsoft Dynamic
Host Configuration Protocol (DHCP) Server Management Protocol Specification
[MS-DHCPM] to communicate with the DHCP server.
The DHCP address lease information is available in an audit log file on the
DHCP server. The IPAM server retrieves the address audit text file (for both
IPv4 and IPv6) using the SMB protocol and parses it to obtain the address
assignment information. The address audit text file for IPv6 clients
(stateful and stateless) is available only on Windows Server "8" Beta DHCP
servers. The DHCP server also generates events for auditing configuration
changes. The IPAM server reads these configuration changes from the DHCP
server event log using the EventLog Remoting Protocol Version 6.0
Specification [MS-EVEN6]. The IPAM server also retrieves
the service status of the DHCP/DNS servers using the Service Control Manager
Remote Protocol Specification [MS-SCMR] protocol.
The IPAM server communicates with DNS servers to get the server
configuration and DNS zone settings. The DNS Windows PowerShell commands
use Domain Name Service (DNS) Server Management Protocol Specification
[MS-DNSP] to communicate with the DNS server.
The IPAM server communicates with DCs to collect logon events. Whenever a
user authenticates with a DC, a logon event is generated, and the IPAM
server collects these events for audit trail analysis. The remote event
collection uses [MS-EVEN6]. To discover DHCP servers, the IPAM server reads
the DHCP server list stored in the DHCPServers group in the NetServices
container
(CN=NetServices,CN=Services,CN=Configuration,DC=domain,DC=com) in AD.
The IPAM server reads the DHCPServers group using the LDAP protocol. LDAP is
also used to query the list of domains, which is used for discovering the
DNS servers.
The IPAM server communicates with NPS servers to collect authentication
events. Whenever NPS authenticates a user, it generates an authentication
event; the IPAM server collects these events for audit trail analysis. The
remote event collection uses [MS-EVEN6].
The following table lists the different interactions between the IPAM system
and other servers.

Managed Role                         From IPAM component   Protocol
DHCP                                 IPAM Server           MS-DHCPM (via DHCP Windows PowerShell), MS-EVEN6, MS-SCMR
DHCP                                 IPAM Client           MS-DHCPM
DHCP address audit file (IPv4/IPv6)  IPAM Server           MS-SMB
DNS                                  IPAM Server           MS-DNSP / MS-EVEN6
DNS                                  IPAM Client           MS-DNSP
AD                                   IPAM Server           RFC 2251 (LDAP) / MS-EVEN6
NPS                                  IPAM Server           MS-EVEN6
DC                                   IPAM Client           MS-GPOL
DC                                   IPAM Client           RFC 2251 (LDAP)
IPAM Server                          IPAM Client           MS-PSRP
provide permissions required for administering and using the multiple services
employed by IPAM. For example, IP lease audit collection could be restricted to
a specific set of administrators only. It is possible to display MSM configuration
data to all DHCP Users, while MSM configuration rollout itself may be restricted
to only a relevant subset of administrative accounts.
IPAM installation automatically creates the following local user groups:

Group Name                   | Description
-----------------------------|------------
IPAM Users                   |
IPAM IP Audit Administrators |
IPAM Administrators          |
Audit - Collects DHCP and IPAM server operational events. Also collects
events from domain controllers, NPS, and DHCP servers for IP address
tracking.
All Windows tasks required for IPAM services need to present credentials to
the managed node for authentication before accessing protected data and logs
from server roles. For example, accessing event logs on the managed server
nodes requires that the IPAM tasks authenticate as a member of the Event Log
Readers security group on the target node. All IPAM tasks launch under the
Network Service account, which presents the local computer's credentials (its
domain computer account) to remote servers.
During installation, IPAM tasks are added with the following default
frequency of execution, which can be modified from the Task Scheduler at the
path Task Scheduler Library -> Microsoft -> Windows -> IPAM:

Task Name           | Frequency  | For Duration
--------------------|------------|-------------
ServerDiscovery     | 1 Day      | Indefinitely
AddressUtilization  | 2 Hours    | Indefinitely
Audit               | 1 Day      | Indefinitely
ServerConfiguration | 6 Hours    | Indefinitely
ServerAvailability  | 15 Minutes | Indefinitely
ServiceMonitoring   | 30 Minutes | Indefinitely
AddressExpiry       | 1 Day      | Indefinitely
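The task schedule above, as an added example that is not from the original guide: it lists the IPAM tasks with their triggers, principal and last result, changes one task's repetition interval, and starts a task on demand. It uses the ScheduledTasks module of Windows Server 2012 and the task path the guide gives; run it elevated on the IPAM server.

```powershell
# Added example, not from the original guide: list the IPAM tasks with their
# triggers and last result, change one task's repetition interval, and run a
# task on demand. Uses the ScheduledTasks module of Windows Server 2012 and
# the task path given in the guide; run elevated on the IPAM server.
$ipamTaskPath = '\Microsoft\Windows\IPAM\'

function Get-IpamTaskSchedule {
    Get-ScheduledTask -TaskPath $ipamTaskPath | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($trigger in $task.Triggers) {
            [pscustomobject]@{
                Task       = $task.TaskName
                State      = $task.State
                RunAs      = $task.Principal.UserId        # expected: Network Service (S-1-5-20)
                Interval   = $trigger.Repetition.Interval  # ISO 8601, e.g. PT2H, P1D
                Duration   = $trigger.Repetition.Duration  # empty: repeats indefinitely
                LastRun    = $info.LastRunTime
                LastResult = $info.LastTaskResult          # 0 = success
                NextRun    = $info.NextRunTime
            }
        }
    }
}

function Set-IpamTaskInterval {
    # Replace the task's trigger with one repeating every $Interval, indefinitely.
    # Example: Set-IpamTaskInterval -TaskName Audit -Interval (New-TimeSpan -Hours 6)
    # A shorter Audit interval is what keeps collection ahead of the security
    # log roll-over on busy DCs and NPS servers.
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [Parameter(Mandatory)][timespan]$Interval
    )
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
        -RepetitionInterval $Interval -RepetitionDuration ([TimeSpan]::MaxValue)
    Set-ScheduledTask -TaskPath $ipamTaskPath -TaskName $TaskName -Trigger $trigger | Out-Null
    Get-IpamTaskSchedule | Where-Object Task -eq $TaskName
}

function Start-IpamTask {
    # Equivalent of the on-demand refresh actions in the console, e.g. a manual
    # ServerDiscovery run after authorizing a new DHCP server.
    param([Parameter(Mandatory)][string]$TaskName)
    Start-ScheduledTask -TaskPath $ipamTaskPath -TaskName $TaskName
}

Get-IpamTaskSchedule | Format-Table -AutoSize
```

Check the RunAs column before changing anything: the access settings described later in this guide are granted to the IPAM server's computer account, so a task that has been re-targeted to a user account will fail authentication at the managed servers even though its schedule looks correct.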
Apart from periodic data gathering, IPAM also supports on-demand data refresh
from all the servers in its scope, or only from the subset of servers in the
context of the selected entity for which data retrieval has been triggered.
IPAM further supports on-demand data refresh for specific functional areas
such as address space or event catalog. The following on-demand data
retrieval actions are supported by IPAM:
Action Name | Type | Scope | Launch Point | Periodic Tasks Run
------------|------|-------|--------------|-------------------
Start Discovery | Non-contextual | Across all configured domains | Manage menu | ServerDiscovery
Retrieve All Server Data | Non-contextual | All servers in IPAM scope | Manage menu, or Tasks menu in Server Inventory view | All tasks except Discovery
Refresh Server Access Status | Contextual | Selected server(s) | Right-click menu on (multi)selected servers in the Server Inventory view | Discovery task, for the access status(es) check
Retrieve All Server Data | Contextual | Selected server(s) | Right-click menu on (multi)selected managed servers in the Server Inventory view | All tasks except Discovery
Retrieve Address Space Data | Non-contextual | All servers in IPAM scope | Tasks menu in IP Address Space view | ServerConfiguration, AddressUtilization, AddressExpiry, Audit
Retrieve Address Space Data | Contextual | (Multi)selected IPAM ranges (and associated DHCP servers) | Right-click menu on (multi)selected ranges in the IP Address Space view | ServerConfiguration, AddressUtilization, AddressExpiry, Audit
Retrieve Server Data | Non-contextual | All servers in IPAM scope | Tasks menu in Monitor and Manage view | ServerConfiguration, ServerAvailability, ServiceMonitoring, Audit
Retrieve Server Data | Contextual | (Multi)selected servers (or servers associated with (multi)selected scopes or zones) | Right-click menu on (multi)selected servers, scopes or zones in the Monitor and Manage view | ServerConfiguration, ServerAvailability, ServiceMonitoring, Audit
Retrieve Audit Data | Non-contextual | All servers in IPAM scope | Tasks menu in Event Catalog view | Audit
Important:
You can choose to limit the IPAM scope, depending on the deployment. A single
IPAM server may be implemented to manage IP addressing for the entire
enterprise. Alternatively, an IPAM server may be deployed at every
geographical site in the enterprise, or in each child domain in the AD
forest. If multiple IPAM servers are used, you can limit the server discovery
and management scope of each to include only the infrastructure servers
managed by that IPAM installation.
The IPAM server manages and monitors the DHCP and DNS servers within the
site or child domain, and collects forensic information from DHCP, DC and
NPS servers. IPAM correlates and stores the collected information in the IPAM
server's local database using Windows Internal Database (WID).
Installation UI/Wizard
In Server Manager, Dashboard, click Add roles and features.
Click through the Add roles and features wizard screens to select Role or
Feature Based Install and the target server. On the Select Features screen,
select IP Address Management (IPAM) Server. Click Add Features when
prompted.
IPAM installation ensures that all IPAM dependencies are also installed at the
time of installation. IPAM installation is not successful unless all the
dependent modules are first installed. Installation dependencies include the
following:

Feature or Tool                    | Description
-----------------------------------|------------
Remote Server Administration Tools |
Windows Internal Database          |
Windows Process Activation Service |
Group Policy Management            |
The IPAM dependency list dialog allows you to select the installation of IPAM
client along with installation of the IPAM server feature using the checkbox
Include management tools (if applicable). By default, IPAM client is preselected for installation along with IPAM server.
After selecting Install in the wizard, installation progress is shown until the
feature is installed successfully.
Verifying Installation
When the Add Features wizard completes, it displays a message indicating
that the installation succeeded. The IPAM server can now be managed using a
local or remote instance of the IPAM client UI.
Uninstalling/Disabling
The Windows Server "8" Beta IPAM feature integrates with the Server Manager
console for installation and uninstallation. The console eases the task of
managing and securing multiple server roles through the Remove Roles and
Features Wizard. The IPAM uninstallation process ensures that all IPAM
dependencies are removed, and that all IPAM local security groups and
scheduled tasks are deleted. Uninstallation also detaches the IPAM database
from WID and deletes all the database data and schema files.
In order for the IPAM client to connect to an IPAM server, you must ensure that
the target IPAM server is added to the Server Manager purview using the Add
Servers wizard launched from the Manage menu. If both IPAM client and IPAM
server are running on the same server, then by default the IPAM UI connects to
the local IPAM server instance.
Note:
A domain user connecting to the IPAM server from a remote IPAM client must be a member
of the WinRMRemoteWMIUsers__ group on the IPAM server, in addition to being a member
of the appropriate IPAM security group. IPAM client is an integrated component with the
Server Manager RSAT. Server Manager RSAT is also available for download and installation
on a Windows 8 Consumer Preview client machine. The IPAM node will appear in the Server
Manager navigation tree by default on the Windows 8 Consumer Preview client RSAT.
IPAM Provisioning
IPAM installation sets up various periodic data collection tasks to collect
relevant data from managed DNS, DHCP, DC and NPS servers to enable the
address space management, multi-server management and monitoring, and event
catalog scenarios. All IPAM tasks launch under the Network Service account,
which presents the local computer's credentials (its domain computer account)
to remote servers. To accomplish this, administrators must enable read access
and security permissions for the required resources on managed servers for the IPAM
The term IPAM scope in this context and throughout this document refers
to the IP network elements (DHCP/DNS/NPS/DC servers within the forest)
which are discovered or added, and activated for various IPAM services.
In other words these are the Managed server roles within IPAM.
Managed role | Access Setting | FW Rule | Associated IPAM functionality
-------------|----------------|---------|------------------------------
DHCP | Membership of DHCP Users security group | DHCP Server (RPC-In); DHCP Server (RPCSS-In) |
DHCP | Read access in the DHCP Server service ACL | Remote Service Management (RPC); Remote Service Management (RPC-EPMAP) | DHCP service monitoring
DHCP | Membership of Event Log Readers security group | Remote Event Log Management (RPC); Remote Event Log Management (RPC-EPMAP) | DHCP configuration event monitoring
DHCP | Creation of network share dhcpaudit of the DHCP audit file location (default location for logs is %windir%\system32\dhcp) and read access on the same | File and Printer Sharing (NB-Session-In) | DHCP lease event collection for IP address tracking
DNS | Read access in the domain wide DNS ACL* (for DC co-located DNS servers) OR membership of local Administrators group on the DNS server (for DNS servers not co-located with a DC) | |
DNS | Membership of Event Log Readers security group; read access in the ACL stored in the DNS CustomSD registry key | Remote Event Log Management (RPC); Remote Event Log Management (RPC-EPMAP) |
DNS | Read access in the DNS Server service ACL | Remote Service Management (RPC); Remote Service Management (RPC-EPMAP) |
DC/NPS | Membership of Event Log Readers security group | Remote Event Log Management (RPC); Remote Event Log Management (RPC-EPMAP) | Logon event collection for IP address tracking
IPAM (local server) | Membership of Event Log Readers security group** | N/A | IPAM configuration event monitoring

* For DNS servers co-located with a DC, the RPC read access can be enabled
by adding the IPAM machine account to the domain wide DNS ACL. This setting
needs to be propagated only once for the entire domain and not for every
individual DNS server.
** For access to local event logs on the IPAM server to enable the IPAM
Configuration Events cataloguing, the Network Service account is
automatically added to the IPAM server's Event Log Readers group at the time
of IPAM installation and provisioning.
The following recommended actions are tracked by the IPAM server inventory
view in relation to access settings:

Recommended Action | Scenario | Action Required
-------------------|----------|----------------
IPAM access Unblocked | Server manageability status is Managed and overall IPAM access status is Allowed | No action required
IPAM access Blocked | Server manageability status is Unmanaged and overall IPAM access status is Blocked | No action required
Unblock IPAM access | Server manageability status is Managed but overall IPAM access status is Blocked | Refer to the sub-access status listed in the Details pane and provision the required access setting
 | Server manageability status is Unmanaged but overall IPAM access status is Allowed | Refer to the sub-access status listed in the Details pane and unprovision the read access for IPAM
Set manageability status | | Set server manageability status to Managed or Unmanaged
Additional Considerations
The IPAM server must collect DHCP lease events and DC/NPS logon events to
enable the IP address tracking functionality. This section explains some of
the deployment-related details to consider on the target DHCP, DC and NPS
servers from which IPAM collects this information.
The DHCP audit file is generated by default in the %windir%\system32\dhcp
folder, but the path can be changed by editing the IPv4 and IPv6 properties
(Properties -> Advanced -> Audit log file path). For IP address tracking to
work, the IPv4 and IPv6 audit log file paths should both be set to the same
folder, the one exposed through the dhcpaudit share.
Ensure that the DHCP audit log file size is configured large enough to hold
the audit events for an entire day on the DHCP server, since the Audit task
runs once a day by default.
Similarly, for DC and NPS servers, enable logging of the required events.
The security log audit settings determine whether these events are generated.
The relevant setting is available under group policy (Computer Configuration
-> Windows Settings -> Security Settings -> Local Policies -> Audit Policy ->
Audit account logon events). For a heavily loaded DC, ensure that the
interval of the IPAM Audit task is shorter than the time in which the
security logs on the DC and NPS servers roll over; otherwise logon events are
overwritten before IPAM collects them.
Provisioning Methods
IPAM allows you to choose between manual or GPO based configuration of these
access settings on managed servers. Given the administrative complexity of
configuring these settings by hand, IPAM recommends the GPO based mechanism
to provision IPAM access settings automatically. Using GPOs for IPAM access
provisioning also enables ongoing automatic maintenance of these settings and
adjusts them as the IPAM scope changes.
The GPO based mechanism is designed:
- To append, and not replace, any custom setting on the DNS and DHCP service
ACL
- To append, and not replace, any custom setting on the DNS event log
CustomSD registry entry
- To ensure that read access to the dhcpaudit share is enabled only for IPAM
and not for Everyone
- To ensure that any localized name of the DHCP Users group is handled
automatically when adding the IPAM account
Three GPOs, named with the GPO prefix chosen during provisioning (here
IPAMGPO), carry the access settings for the managed roles:
- IPAMGPO_DHCP
- IPAMGPO_DNS
- IPAMGPO_DC_NPS
The access settings propagated by these GPOs are required by the periodic
IPAM data collection tasks that run under the Network Service account.
Access settings are propagated for the IPAM server machine account, since
that is the credential Network Service presents when accessing remote
resources. By default, IPAM uses the FQDN of the local machine from which the
cmdlet is run as the IPAM server name. If required, you can explicitly
specify the FQDN of the IPAM server using the IpamServerFqdn parameter.
The cmdlet creates a universal group named IPAMUG in the specified domain (if
not already present) and adds the computer account of the specified
IpamServerFqdn to it. The access settings propagated by the IPAM GPOs are
granted to the universal group IPAMUG. The cmdlet also modifies the domain
wide DNS ACL to enable DNS RPC access for IPAM.
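The GPO based provisioning described above, as an added example that is not the guide's own script: it runs Invoke-IpamGpoProvisioning for one domain and then checks what the cmdlet produced (the three GPOs, the IPAMUG membership of the IPAM computer account, and which principals the GPOs are security-filtered to). Domain, prefix and server names are placeholders; the GroupPolicy and ActiveDirectory modules and the cmdlet's -Force switch (present in the released Windows Server 2012 version) are assumed.

```powershell
# Added example, not from the original guide: provision the IPAM access GPOs
# for one domain and verify the result. Requires the IPAM server feature (for
# Invoke-IpamGpoProvisioning), the GroupPolicy and ActiveDirectory modules,
# and an account allowed to create GPOs and groups in the domain. All names
# below are placeholders; -Force (skips the confirmation prompt) is assumed
# from the released Windows Server 2012 cmdlet.
Import-Module ActiveDirectory, GroupPolicy

$domain         = 'corp.example.com'          # placeholder
$gpoPrefix      = 'IPAMGPO'                   # must match the prefix entered in the provisioning wizard
$ipamServerFqdn = 'ipam01.corp.example.com'   # placeholder; defaults to the local machine if omitted

# Creates <prefix>_DHCP, <prefix>_DNS and <prefix>_DC_NPS, the IPAMUG universal
# group containing the IPAM computer account, and grants IPAM read access in
# the domain-wide DNS ACL.
Invoke-IpamGpoProvisioning -Domain $domain -GpoPrefixName $gpoPrefix `
    -IpamServerFqdn $ipamServerFqdn -Force

function Test-IpamGpoProvisioning {
    param([string]$Domain, [string]$Prefix, [string]$IpamServerFqdn)
    $result = [ordered]@{}
    $suffixes = 'DHCP', 'DNS', 'DC_NPS'

    # 1. The three GPOs exist.
    foreach ($suffix in $suffixes) {
        $name = "${Prefix}_$suffix"
        $gpo  = Get-GPO -Name $name -Domain $Domain -ErrorAction SilentlyContinue
        $result["GPO $name"] = if ($gpo) { "present (id $($gpo.Id))" } else { 'MISSING' }
    }

    # 2. IPAMUG contains the IPAM server's computer account, the identity that
    #    Network Service presents to the managed servers.
    $computer = Get-ADComputer -Filter "DNSHostName -eq '$IpamServerFqdn'" -Server $Domain
    $members  = Get-ADGroupMember -Identity 'IPAMUG' -Server $Domain -ErrorAction SilentlyContinue
    $result['IPAMUG has IPAM computer'] =
        if ($computer -and ($members.SID -contains $computer.SID)) { 'yes' } else { 'NO' }

    # 3. Security filtering: the IPAM GPOs should apply only to the servers IPAM
    #    manages (the filter is populated as servers are marked Managed), not to
    #    every computer in the domain.
    foreach ($suffix in $suffixes) {
        $name = "${Prefix}_$suffix"
        $apply = Get-GPPermission -Name $name -Domain $Domain -All -ErrorAction SilentlyContinue |
            Where-Object { $_.Permission -eq 'GpoApply' }
        $result["Apply filter $name"] = ($apply.Trustee.Name -join ', ')
    }
    [pscustomobject]$result
}

Test-IpamGpoProvisioning -Domain $domain -Prefix $gpoPrefix -IpamServerFqdn $ipamServerFqdn
```

If "Authenticated Users" still appears in the apply filter of an IPAM GPO, the access settings (local group memberships, service ACL entries, the dhcpaudit share) are being pushed to every computer that reads the GPO rather than to the managed servers only, which is worth correcting before the GPOs are linked broadly.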
Note:
IPAM treats GPO update failures during a server edit operation (GPO not
existing, insufficient privileges, or any other issue) as non-blocking. In
other words, the server edit operation continues irrespective of any
failures encountered during the GPO update. A detailed report of the failures
is presented and can be used to edit the IPAM GPOs manually. Newly discovered
IPAM roles on managed servers (in the periodic server discovery cycle) are
marked as Managed. However, since the IPAM task does not have GPO editing
privileges, these roles are not automatically added to the relevant IPAM
GPO. You must add such roles manually to the relevant IPAM GPO. A critical
event is logged in IPAM
Manual Provisioning
It is possible to bypass the wizard-based automated deployment and set a
custom scope for IPAM management. To deploy a limited pilot implementation
of IPAM, you can manually add administrators and server computer accounts
to appropriate predefined AD security groups, and configure firewall rules to
allow communication to a set of manually selected and configured network
nodes.
Note:
The IPAM provisioning wizard prompts you to select between manual and
group policy based provisioning methods. Once the provisioning wizard is
complete, this setting cannot be changed. For more information on IPAM
provisioning methods refer to the corresponding section in this guide.
If Manual deployment is selected, the IPAM wizard does not take any action to
deploy settings, and the administrator can consult the help files and the
IPAM deployment guide to determine the settings to apply manually.
If Group Policy Based deployment is selected, supply the unique GPO prefix
name for this IPAM instance. The IPAM wizard does not itself create the group
policies; use the IPAM Windows PowerShell cmdlet Invoke-IpamGpoProvisioning
to create them. The GPO prefix name selected in this step must be the same as
the one specified in the GpoPrefixName parameter of the GPO creation cmdlet.
Important:
Once the IPAM provisioning wizard successfully completes, the IPAM database
and security groups are in place. You can add the required users to the IPAM
security groups based on their roles. For more information on IPAM security
groups, refer to the relevant section in this guide.
Configure Discovery
Next, click configure server discovery to launch the Configure Discovery
settings wizard. Use the discovery settings wizard to add all domains in the forest
on which you intend to run discovery. You must add each domain to the list
explicitly, even if the forest root domain has been selected. For each domain
added to the scope of discovery, you can select which type of servers to discover.
By default, domain controller, DHCP server, and DNS server check boxes are all
selected.
Servers are arranged under the IPv4 or IPv6 node based on their network
interface addresses. The same server may appear under both the IPv4 and the
IPv6 node if it has both types of IP address.
Add Server
Use the Add or Edit Server dialog to set the manageability status to
Managed for servers that you intend to manage via IPAM. Servers (and their
corresponding roles) can also be added manually into the IPAM management
span. This is especially useful for adding NPS servers (required for IP Address
tracking feature), which cannot be auto-discovered by IPAM. In order to add a
server manually, right click on IPv4/IPv6/Managed servers/Unmanaged servers
on the left navigation tree to trigger the Add server dialog.
Manual provisioning
For manual provisioning, ensure that the required access settings are
appropriately configured on the target server manually.
Verify Access
Verify that IPAM access status is listed as unblocked indicating that manual or
GPO based provisioning is successfully complete.
For the IPAM access status value to be allowed, all of the access sub-states
shown in the details pane should be marked as allowed. These access states
are:
IP Address Blocks
A user can view the IP address blocks, IP address ranges or IP addresses in this
view by selecting the appropriate view in the current view combo box. This
view allows you to visualize the address space by automatically segregating
the IP address ranges, IP address blocks and IP addresses into private address
and public address categories for IPv4 address and global and unicast
categories for IPv6 addresses.
Adding an IP Address
To Add an IPv4 IP address, right click on the IPv4 node and select Add IP
Address. Similarly, to add an IPv6 address, right click on the IPv6 node and
select Add IP Address. To view the IP addresses, switch to IP address view by
selecting IP Addresses from the current view combo box.
range, you must first switch to IP address range view by clicking on the current
view combo box and then clicking on the range in which you are interested.
Similarly, you can view the utilization statistics of an IP block. IPAM
automatically calculates the utilization statistics of an IP address block by
rolling up the utilization statistics of the IP address ranges mapped to it.
You can view the utilization trend of an IP address range by first clicking on the
IP address range, clicking on the utilization trend tab, and then selecting the
appropriate time window for generating the trend graph. You can view the
utilization trend graph of an IP address block by clicking on the block, and then
clicking on the utilization trend tab.
IP Address Inventory
In this view, you can see a list of all IP addresses available in the system, along
with their device names, device types, etc. You can choose to selectively view
IP address with a particular device type by clicking on the appropriate device
type node in the navigation pane. For example, to view IP addresses belonging
to firewalls, you can click on the firewall node and the view will be populated
with IP addresses with device type set as firewall. You can create a DNS record
or DHCP reservation for an IP address by right clicking on the IP address and
selecting Create DHCP Reservation or Create DNS Host Record.
IPAM auto-populates the discovered DNS zones and the corresponding primary
DNS servers in the IP address dialog. All the relevant reverse lookup zones to
which the address can map along with the corresponding primary DNS servers
are also made available for easy selection and configuration. A DNS record can
only be created or deleted against the DNS server being managed by this
instance of IPAM.
Import Data
IPAM allows you to export IP address block, IP address range, and IP address
records in comma separated value (csv) format, and to import the same record
types from csv files. The column names in the csv file from which data is
being imported must match the column names of the corresponding IPAM view.
For example, if the csv file contains IP address block records, the column
names in the csv file must be the same as the column names in the IP address
blocks view of IPAM.
To import data, click the Tasks menu and select Import IP Address Block,
Import IP Address Range, or Import IP Addresses according to the type of
data contained in the csv file. Once the file is selected, the import process
begins and displays a progress bar.
IPAM supports periodic import and update operations for IP address ranges
belonging to the specified Managed By Service and Service Instance values.
Besides adding new ranges and editing existing ranges, as in a regular IP
address range import, this operation also deletes from IPAM those ranges
that have the same Managed By Service and Service Instance values but are not
present in the csv being imported. IPAM offers the option of also deleting
the IP addresses that map to the ranges deleted during this import
operation. The dialog is launched from the Tasks menu in the IP address space
console.
IPAM also supports periodic import and update operations for the IP
addresses belonging to a specified IP address range. Besides adding new
addresses and editing existing addresses, as in a regular IP address import,
this operation deletes from IPAM those addresses that map to the specified IP
address range but are not present in the csv being imported. Launch the
dialog by right-clicking the relevant IP address range in the UI.
Export Data
To export data from IPAM views, navigate to the appropriate view, click the
Tasks menu and select Export. You can restrict the export to the required
subset of records by running basic or advanced queries before exporting.
Configuration Monitoring
The details view shows the server properties of the server selected. In case of
DHCP servers, server options and DHCP events are shown. In case of DNS
servers, the zones on the server and the DNS zone events are shown.
role selected. The actions that can be performed on DHCP servers are as
follows:
- Create and edit new and existing user classes: multi-select servers and
launch the action to configure user classes on multiple servers
simultaneously.
- Launch MMC: launch the MMC for the selected DHCP server.
- Launch MMC: launch the MMC for the selected DNS server.
DHCP Scopes
In this view you can see all the DHCP scopes configured on all the DHCP
servers being managed by IPAM. The utilization of each scope is shown in this
view along with key properties and options configured on the scope. You can
view all IPv4 or all IPv6 scopes or only scopes that lie within a specific IP
address block.
To navigate to any zone, use the navigation pane to view the health status of
the zone on each of the authoritative servers. In case of an error in the
zone, the event catalog displays the specific event that is causing the
error. Right-click the authoritative server to launch the MMC and investigate
further to fix the cause of the problem. The server properties and the other
zones hosted by the server are shown in the details pane.
Server Groups
IPAM allows servers to be tagged with custom fields. Servers so tagged can be
auto-arranged in hierarchical logical groups. Creation of custom fields is
described in section titled Creating a Custom field. Servers can be tagged with
custom fields from the Custom Configurations page or the Add or Edit
Server dialog described in the section Server Inventory Management.
A logical group for servers can be created by right-clicking the IPv4 or IPv6
node and selecting Add Server Group
IPAM Configuration
To track the configuration changes at the IPAM server, click on IPAM
Configuration Events. View all the configuration changes that have occurred
on the IPAM server along with the user name of the person who changed the
configuration. You can choose to filter out the events based on user name or
other filter criteria like time of the event, or operational code.
IP Address Tracking
IP address tracking feature of IPAM enables you to track the IP address and
user activity on the network. Begin the trail by selecting a time window and
using an IP address, client ID (MAC), hostname or username as query criteria.
For example, to start tracking an IP address, click By IP Address, select a
time window, and enter the IP address.
The query will return all the DHCP lease events gathered from managed DHCP
servers that match the given IP address. You can include or exclude the
correlated user and computer logon events collected from managed DCs and
NPS servers. For detail on how IPAM correlates the DHCP lease events with
user and computer logon events, refer to IP Address Tracking in the Functional
Description section of this guide.
Database Purging
IPAM supports on-demand purging of configuration event log and IP address
tracking records. You select the time before which data must be purged and
the data type (IPAM configuration, DHCP configuration, IP address tracking).
Start the purge at night or at a time when IPAM activity is low. For best
performance and disk space utilization, IPAM recommends keeping a moving
window of only the last 6 months of historical event log data.
Troubleshooting IPAM
Troubleshooting tools
Event Logging
IPAM logs events under multiple channels in Event Viewer under the path
Application and Services Logs > Microsoft > Windows > IPAM. The channels are
as follows:
Admin channel:
Unexpected errors arising from either a user action or a periodic task are
logged here.
ConfigurationChange channel:
Captures events related to configuration changes made to the IPAM server.
Operational channel:
Captures informational events and gives greater insight into the health and
operation of the various IPAM tasks. Logging on this channel is disabled by
default.
Events in IPAM's Admin and Operational channels can also be viewed from the
IPAM server within Server Manager's Dashboard view.
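The three channels above, as an added example that is not part of the guide: it pulls recent errors and warnings from the Admin channel, lists configuration changes by the account that made them from the ConfigurationChange channel, and turns the Operational channel on or off for the duration of a troubleshooting session. The log names are derived from the Event Viewer path the guide gives (Microsoft-Windows-IPAM/<channel>) and are an assumption; run it elevated on the IPAM server.

```powershell
# Added example, not from the original guide. Log names follow the Event
# Viewer path Microsoft > Windows > IPAM and are an assumption of this
# example. Run elevated on the IPAM server.
$ipamChannels = @{
    Admin       = 'Microsoft-Windows-IPAM/Admin'
    Config      = 'Microsoft-Windows-IPAM/ConfigurationChange'
    Operational = 'Microsoft-Windows-IPAM/Operational'
}

function Get-IpamRecentErrors {
    # Level 2 = Error, 3 = Warning; failures of the periodic tasks land here.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = $ipamChannels.Admin
        Level     = 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Get-IpamConfigChangesByUser {
    # Same data as the IPAM Configuration Events view, keyed on the account
    # recorded in the event's UserId; $User is a substring match, empty = all.
    param([string]$User = '', [int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $ipamChannels.Config
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $who = ''
        if ($e.UserId) {
            try   { $who = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $e.UserId.Value }     # unresolvable SID, keep it raw
        }
        if (-not $User -or $who -like "*$User*") {
            [pscustomobject]@{ Time = $e.TimeCreated; User = $who; Id = $e.Id; Message = $e.Message }
        }
    }
}

function Set-IpamOperationalLogging {
    # The Operational channel is off by default; enable it only while
    # investigating and turn it back off afterwards (same as wevtutil sl /e).
    param([Parameter(Mandatory)][bool]$Enabled)
    $log = Get-WinEvent -ListLog $ipamChannels.Operational
    $log.IsEnabled = $Enabled
    $log.SaveChanges()
    $log.IsEnabled
}

Get-IpamRecentErrors -Hours 24 | Format-Table -AutoSize
Get-IpamConfigChangesByUser -Days 7 | Format-Table -AutoSize
```

A gap in the ConfigurationChange channel that coincides with a change visible in the IPAM database is itself a finding: IPAM configuration events are only written for changes made through IPAM, so direct database edits leave no entry here.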
Provisioning issues
IPAM access status shows as Blocked for a server, or IPAM is unable to fetch
data
In the server inventory view details pane, check that the access status is
Unblocked or Not applicable for each of the following fields:
o DHCP RPC Access Status
o DNS RPC Access Status
o DHCP Audit Share Access Status
o Event Log Access Status
If any access status is listed as Blocked, check that the firewall rules for
the target server have been set as described under IPAM Access Settings.
Check that the servers have been correctly provisioned. Refer to the section
Manual IPAM Provisioning: Configuring Access Settings.
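The sub-status checks above, as an added example that is not part of the guide: it exercises each access path (RPC endpoint mapper and SMB reachability, remote event log read, DHCP and DNS management RPC, the dhcpaudit share, and service status through the Service Control Manager) from the IPAM server against one managed server, so a Blocked state can be pinned to a firewall rule, a group membership or an ACL. For an exact answer run it in the same security context the IPAM tasks use (Network Service, for example through a one-off scheduled task); run as an administrator it still tells firewall problems apart from permission problems. The DhcpServer and DnsServer module cmdlets are those of Windows Server 2012.

```powershell
# Added example, not from the original guide: reproduce the IPAM access
# sub-state checks from the IPAM server against one managed server.
# Cmdlets from the Windows Server 2012 DhcpServer and DnsServer modules.
function Test-TcpPort([string]$Computer, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Computer, $Port); $true } catch { $false } finally { $client.Close() }
}

function Test-IpamAccess {
    param([Parameter(Mandatory)][string]$Server,
          [Parameter(Mandatory)][ValidateSet('DHCP','DNS','DC','NPS')][string]$Role)
    $r = [ordered]@{ Server = $Server; Role = $Role }

    # RPC endpoint mapper (135) and SMB (445): the ports behind the firewall
    # rules in the access settings table. Closed here = firewall, not ACL.
    foreach ($port in 135, 445) { $r["TCP $port"] = Test-TcpPort $Server $port }

    # Event Log Access Status: Event Log Readers membership + Remote Event Log
    # Management rules. DC/NPS need the Security log, the others any log.
    $logName = if ($Role -in 'DC','NPS') { 'Security' } else { 'System' }
    try   { $null = Get-WinEvent -ComputerName $Server -LogName $logName -MaxEvents 1 -ErrorAction Stop
            $r['EventLog'] = 'Allowed' }
    catch { $r['EventLog'] = "Blocked: $($_.Exception.Message)" }

    if ($Role -eq 'DHCP') {
        # DHCP RPC Access Status: DHCP Users membership + DHCP Server RPC rules.
        try   { $null = Get-DhcpServerv4Scope -ComputerName $Server -ErrorAction Stop; $r['DhcpRpc'] = 'Allowed' }
        catch { $r['DhcpRpc'] = "Blocked: $($_.Exception.Message)" }
        # DHCP Audit Share Access Status: dhcpaudit share + NTFS read on the folder.
        $share = "\\$Server\dhcpaudit"
        $r['AuditShare'] = if (Test-Path $share) {
            try { $null = Get-ChildItem $share -ErrorAction Stop; 'Allowed' }
            catch { "Blocked: $($_.Exception.Message)" }
        } else { 'Blocked: share not found or not reachable' }
        # Service status via SCM: service ACL read + Remote Service Management rules.
        try   { $r['DhcpService'] = (Get-Service -ComputerName $Server -Name DHCPServer -ErrorAction Stop).Status }
        catch { $r['DhcpService'] = "Blocked: $($_.Exception.Message)" }
    }
    if ($Role -eq 'DNS') {
        # DNS RPC Access Status: domain-wide DNS ACL or local Administrators.
        try   { $null = Get-DnsServerZone -ComputerName $Server -ErrorAction Stop; $r['DnsRpc'] = 'Allowed' }
        catch { $r['DnsRpc'] = "Blocked: $($_.Exception.Message)" }
        # DNS zone events: CustomSD read ACE on the DNS Server channel.
        try   { $null = Get-WinEvent -ComputerName $Server -LogName 'DNS Server' -MaxEvents 1 -ErrorAction Stop
                $r['DnsEventLog'] = 'Allowed' }
        catch { $r['DnsEventLog'] = "Blocked: $($_.Exception.Message)" }
        try   { $r['DnsService'] = (Get-Service -ComputerName $Server -Name DNS -ErrorAction Stop).Status }
        catch { $r['DnsService'] = "Blocked: $($_.Exception.Message)" }
    }
    [pscustomobject]$r
}

# Usage (placeholder names):
Test-IpamAccess -Server 'dhcp01.corp.example.com' -Role DHCP | Format-List
```

Read the two port checks first: if TCP 135 is closed every RPC-based status will show Blocked regardless of how the ACLs are set, and if 445 is closed only the audit share check fails, which points at the File and Printer Sharing rules rather than at the share permissions.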
Discovery issues
A DNS server not co-located with a DC is not being discovered
Ensure that the DNS server is registered as a name server for the domain
zone and that the DNS suffix is registered for the configured domain.
Ensure that the DHCP server is authorized for the configured domains, that
it responds to the DHCP INFORM message, and that the response reaches the
IPAM server.
Ensure that there is no network connectivity issue between the IPAM server
and the target server.
Open the DNS MMC or DHCP MMC against the target DNS or DHCP server and
ensure that the service is running.
Check that service read access has been provisioned. Refer to the section
Manual IPAM Provisioning: Configuring Access Settings for how to do this.
Appendix
Manual IPAM Provisioning: Configuring Access Settings
Configuration required at DHCP servers
The steps described below should be repeated at each DHCP server expected to
be managed through IPAM.
2. Add the IPAM server computer account to the DHCP Users local security
group on the DHCP servers.
3. Update the DHCP service access settings.
a. Get the IPAM computer account SID: from the domain controller, launch
Windows PowerShell and type Get-ADComputer <IPAM server name>. In the
example below, the name of the IPAM server is S4-IPAM.
Add the IPAM SID to the DHCP service ACL for read access.
i. Find the string corresponding to the current permissions using
sc sdshow dhcpserver
The newly added permissions are shown highlighted in yellow above. Note that
the permissions are added to the DACL (the part starting with D:) and not to
the SACL (the part starting with S:).
Unblock the inbound File and Printer Sharing firewall ports to enable
sharing of the DHCP audit logs by enabling the following inbound firewall
rules:
Add the IPAM server computer account to the Event Log Readers local
security group on the DHCP servers.
Enable DNS RPC access by enabling the following inbound firewall rules:
Click the Security tab, click Add, click Object Types, and select
Computers.
Click OK, type the name of the IPAM server (IPAM01 in this
example), and click OK.
Verify that the IPAM server is configured with Allow for Read
access. See below.
Get the IPAM computer account SID: from the domain controller, launch
Windows PowerShell and type Get-ADComputer <IPAM server name>. In the
example below, the name of the IPAM server is S4-IPAM.
Add the IPAM SID to the appropriate registry entry to get access to the DNS
zone event logs.
Add the IPAM SID at the end of this registry entry. Type (A;;0x1;;; and
then paste the IPAM SID (obtained through Windows PowerShell in step 4
above, the text string that you copied from the Windows PowerShell prompt).
Enter a closing parenthesis to complete the value data. In the example
above, (A;;0x1;;;S-1-5-21-1793763811-3486041751-3179139019-1609) will be
added to the registry. Note that the permissions are added to the DACL (the
part starting with D:) and not to the SACL (the part starting with S:).
Add the IPAM SID to the DNS service ACL for read access, using sc sdshow DNS
and sc sdset DNS in the same way as for the DHCP service above.
Add the IPAM Server computer account to the Event Log Readers domain
security group on the domain controller and NPS servers.
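The manual steps of this appendix for DHCP, DNS and DC/NPS servers, together with the access settings table earlier in the guide, as one added script that is not part of the original guide. It runs elevated on each managed server, is passed the roles that server holds, and needs the ActiveDirectory module (RSAT) for the SID lookup. Existing ACEs are never removed: service SDDL and the DNS CustomSD value are appended to, only read-level rights are granted, and the dhcpaudit share is created with read access for the IPAM account only. The IPAM server name and the audit path are placeholders; the DNS Server role's firewall rule group name and the extra SMB-In rule are assumptions, and the domain-wide DNS ACL change for DC co-located DNS servers is left to DNS Manager or Invoke-IpamGpoProvisioning.

```powershell
<#
Added example, not part of the original guide: the manual provisioning steps of
this appendix as one re-runnable script. Run elevated on each managed server
with the roles it holds. Needs the ActiveDirectory module (RSAT). $IpamServer
and the audit path are placeholders. Nothing here removes an existing ACE, and
only read-level rights are granted to the IPAM computer account.
#>
param(
    [Parameter(Mandatory)][string]$IpamServer,                         # e.g. S4-IPAM
    [Parameter(Mandatory)][ValidateSet('DHCP','DNS','DC','NPS')][string[]]$Role,
    [string]$DhcpAuditPath = "$env:windir\system32\dhcp",  # must equal the IPv4 and IPv6 audit log path
    [switch]$DnsOnDomainController                          # DNS co-located with a DC
)
Import-Module ActiveDirectory
$ipamAccount = "$IpamServer$"                                        # computer account name
$ipamSid     = (Get-ADComputer -Identity $ipamAccount).SID.Value    # what Network Service presents
$domainNb    = (Get-ADDomain).NetBIOSName

function Add-IpamToLocalGroup([string]$Group) {
    # On a DC this manages the domain's built-in group of the same name.
    $members = net localgroup "$Group" 2>$null
    if ($members -notcontains "$domainNb\$ipamAccount") {
        net localgroup "$Group" "$domainNb\$ipamAccount" /add | Out-Null
    }
}

function Add-AceToDacl([string]$Sddl, [string]$Ace) {
    # Append the ACE to the DACL (D:...), in front of any SACL (S:...), and
    # leave everything already present untouched. Idempotent on the IPAM SID.
    if ($Sddl -like "*$ipamSid*") { return $Sddl }
    if ($Sddl -match '^(D:.*?)(S:.*)$') { $matches[1] + $Ace + $matches[2] } else { $Sddl + $Ace }
}

function Grant-ServiceReadAccess([string]$Service) {
    # Same mask as the built-in Interactive Users ACE: query config and status,
    # enumerate dependents, interrogate, read control. No start/stop/change.
    $current = (sc.exe sdshow $Service | Where-Object { $_ -match 'D:' }).Trim()
    $new = Add-AceToDacl $current "(A;;CCLCSWLOCRRC;;;$ipamSid)"
    if ($new -ne $current) { sc.exe sdset $Service $new | Out-Null }
}

function Enable-Rules([string[]]$DisplayNames) {
    foreach ($n in $DisplayNames) { Enable-NetFirewallRule -DisplayName $n }
}

$eventLogRules = @('Remote Event Log Management (RPC)', 'Remote Event Log Management (RPC-EPMAP)')
$serviceRules  = @('Remote Service Management (RPC)', 'Remote Service Management (RPC-EPMAP)')

if ($Role -contains 'DHCP') {
    Add-IpamToLocalGroup 'DHCP Users'
    Add-IpamToLocalGroup 'Event Log Readers'
    Grant-ServiceReadAccess 'DHCPServer'
    # Audit file share: read for the IPAM account only, never Everyone.
    if (-not (Get-SmbShare -Name dhcpaudit -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name dhcpaudit -Path $DhcpAuditPath -ReadAccess "$domainNb\$ipamAccount" | Out-Null
    }
    icacls $DhcpAuditPath /grant "*${ipamSid}:(OI)(CI)R" | Out-Null        # NTFS read, granted by SID
    Enable-Rules (@('DHCP Server (RPC-In)', 'DHCP Server (RPCSS-In)') + $serviceRules + $eventLogRules +
        @('File and Printer Sharing (NB-Session-In)', 'File and Printer Sharing (SMB-In)'))  # SMB-In (TCP 445) added here
}

if ($Role -contains 'DNS') {
    Add-IpamToLocalGroup 'Event Log Readers'
    Grant-ServiceReadAccess 'DNS'
    # DNS zone events: append a read ACE (0x1) to the DNS Server channel CustomSD.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server'
    $customSd = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    if ($customSd) {
        Set-ItemProperty -Path $key -Name CustomSD -Value (Add-AceToDacl $customSd "(A;;0x1;;;$ipamSid)")
    } else {
        Write-Warning 'CustomSD is absent; creating it from scratch would replace the default channel ACL. Set it manually.'
    }
    if ($DnsOnDomainController) {
        Write-Warning 'DC co-located DNS: grant the IPAM computer read access in the domain-wide DNS ACL (once per domain).'
    } else {
        Add-IpamToLocalGroup 'Administrators'    # non-DC DNS server, as the access settings table requires
    }
    Enable-Rules ($serviceRules + $eventLogRules)
    # DNS RPC rules from the DNS Server role's own firewall group (group name is an assumption).
    Get-NetFirewallRule -DisplayGroup 'DNS Service' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.DisplayName -like '*RPC*' } | Enable-NetFirewallRule
}

if ($Role -contains 'DC' -or $Role -contains 'NPS') {
    Add-IpamToLocalGroup 'Event Log Readers'
    Enable-Rules $eventLogRules
    # Logon events must actually be audited; a domain GPO audit policy overrides this local setting.
    auditpol /set /category:"Account Logon" /success:enable | Out-Null
}
```

Run the script a second time to confirm it changes nothing: every step checks for the IPAM SID or membership before writing, which is the property that makes it safe to include in a build sequence. Granting rights by SID rather than by name in icacls and the SDDL strings sidesteps the localized group name problem the guide mentions for DHCP Users.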
Provisioning PS Script
Settings