
Windows Server 2012 – Deploy and manage IPAM

IPAM

Installation requirements and prerequisites

The recommended hardware for IPAM is a 2GHz CPU, 4GB of RAM and 80GB of free disk space.

The prerequisites for IPAM are:

  • IPAM must be installed in an Active Directory domain
  • IPAM cannot be installed on a domain controller
  • Only one forest can be managed
  • IPv6 must be enabled for IPAM to manage IPv6 addresses
  • Only Microsoft servers using the TCP/IP protocol are supported
  • In Windows Server 2012 the IPAM database is the Windows Internal Database (WID); Windows Server 2012 R2 also supports SQL Server

You can install IPAM from Add Roles and Features, or with PowerShell using Install-WindowsFeature IPAM -IncludeManagementTools

Provisioning methods

Manual provisioning requires you to configure each managed server by hand. The following links describe the configuration required for each role.

Group Policy automated deployment eases configuration and deployment: it creates the firewall rules and shares, configures the security group membership, and so on.

If you have hardware firewalls between the IPAM server and the managed servers, the following ports are used:

  • RPC end point mapper – TCP 135
  • SMB – TCP 445
  • Dynamic RPC ports – use ‘netsh interface ipv4 show dynamicports tcp’
  • NetBIOS Session service – TCP 139
  • DNS – TCP 53
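As an added example that is not part of the original post, the following PowerShell checks from the IPAM server that a managed server answers on the fixed ports listed above, then runs the netsh command from the list on the managed server to read its dynamic RPC range (the endpoint mapper on TCP 135 redirects IPAM into that range, so the whole range has to be allowed as well). The host name is a placeholder.

```powershell
# Added example, not from the original post. 'dhcp01.contoso.com' is a placeholder.
$managedServer = 'dhcp01.contoso.com'

# Fixed ports from the list above; the dynamic RPC range is read separately below
$fixedPorts = [ordered]@{
    'RPC endpoint mapper'     = 135
    'NetBIOS session service' = 139
    'SMB'                     = 445
    'DNS'                     = 53
}

function Test-IpamManagedServerPorts {
    param([string]$ComputerName, [System.Collections.IDictionary]$Ports)
    foreach ($entry in $Ports.GetEnumerator()) {
        # Test-NetConnection -Port performs a plain TCP connect; no credentials are needed
        $t = Test-NetConnection -ComputerName $ComputerName -Port $entry.Value -WarningAction SilentlyContinue
        [pscustomobject]@{
            Service = $entry.Key
            Port    = $entry.Value
            Open    = $t.TcpTestSucceeded
        }
    }
}

Test-IpamManagedServerPorts -ComputerName $managedServer -Ports $fixedPorts | Format-Table -AutoSize

# The endpoint mapper hands IPAM a port from the managed server's dynamic range, so any
# firewall in between must allow that range too. This is the netsh command from the list
# above, executed on the managed server.
Invoke-Command -ComputerName $managedServer -ScriptBlock {
    netsh interface ipv4 show dynamicports tcp
}
```

A row with Open = False for 135 or 445 usually explains a managed server that stays "blocked" in the IPAM console after provisioning.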

To create and link the Group Policy objects use the Invoke-IpamGpoProvisioning cmdlet.

IPAM1

This creates the following Group Policy Objects and links them to the domain.

IPAM2

Configure server discovery

Select Configure server discovery, then select the domain to be managed and the server roles that exist within it, e.g. Domain Controller, DNS and DHCP.

IPAM3

Once the domain is selected, select Start server discovery or wait for the next run of the ServerDiscovery scheduled task (once per day by default).
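The deployment described in this section, from installation through GPO provisioning to discovery, as one added PowerShell example that is not from the original post. The domain, server name and GPO prefix are placeholders. Install-WindowsFeature and Invoke-IpamGpoProvisioning are available on Windows Server 2012; Add-IpamDiscoveryDomain, Get-IpamServerInventory and Set-IpamServerInventory in the last steps are Windows Server 2012 R2 IpamServer cmdlets (on 2012 RTM do those steps in the console), and the scheduled-task path is an assumption.

```powershell
# Added example, not from the original post. Domain, server and prefix values are placeholders.
$domain     = 'contoso.com'
$ipamServer = 'ipam01.contoso.com'
$gpoPrefix  = 'IPAM'

# 1. Install the feature (command from the post)
Install-WindowsFeature IPAM -IncludeManagementTools

# 2. Create the provisioning GPOs (<prefix>_DHCP, <prefix>_DNS, <prefix>_DC_NPS) and link them
#    to the domain. Run as an account allowed to create and link GPOs; -Force skips the prompt.
Invoke-IpamGpoProvisioning -Domain $domain -GpoPrefixName $gpoPrefix -IpamServerFqdn $ipamServer -Force

# 3. Verify the GPOs exist and are linked at the domain root (GroupPolicy and ActiveDirectory RSAT modules)
$domainDn = (Get-ADDomain -Identity $domain).DistinguishedName
Get-GPO -All -Domain $domain | Where-Object DisplayName -like "${gpoPrefix}_*" |
    Select-Object DisplayName, GpoStatus, ModificationTime
(Get-GPInheritance -Target $domainDn -Domain $domain).GpoLinks |
    Where-Object DisplayName -like "${gpoPrefix}_*" | Select-Object DisplayName, Enabled, Enforced

# 4. Register the domain for discovery and run the ServerDiscovery task now instead of
#    waiting for the daily schedule (2012 R2 cmdlet; task path is an assumption)
Add-IpamDiscoveryDomain -Name $domain -DiscoverDc $true -DiscoverDns $true -DiscoverDhcp $true
Start-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'ServerDiscovery'

# 5. Review what was found. Servers stay Unspecified until marked Managed; only managed servers
#    are added to the security group the provisioning GPOs are filtered on.
Get-IpamServerInventory | Select-Object Name, ServerType, ManageabilityStatus, IpamAccessStatus
Get-IpamServerInventory | Where-Object ManageabilityStatus -eq 'Unspecified' |
    Set-IpamServerInventory -ManageabilityStatus Managed
```

Step 5 marks every discovered server as managed; in practice filter on Name or ServerType first so that IPAM only gets access to the servers you intend it to manage.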

Create and manage IP blocks and ranges

IP address blocks can be added manually if required; note that IP address blocks discovered via DHCP are automatically added to IPAM but IP address lease information is not (see below).

To import DHCP lease information, download this PowerShell script from the TechNet Script Center.

Once you have downloaded the script, run IpamIntegration_dhcp.ps1 and then Invoke-IpamDhcpLease. If PowerShell reports an error about the Microsoft.ipam session configuration, you may need to register IPAM with PowerShell first by running Register-PSSessionConfiguration -Name Microsoft.ipam.

If you're running Windows Server 2012 R2 and the import of DHCP leases fails, check the Q &amp; A section of the script download page.

IPAM8new

If you run Invoke-IpamDhcpLease with the periodic parameter, the script creates a scheduled task that runs every 6 hours.

IPAM9

IP addresses can also be imported from CSV files. Scope utilisation can be viewed from the IP address range groups within IPAM.

IPAM5

The IP address inventory contains all IP addresses imported from DHCP (if the script above has been used) together with manually added IP addresses. Note that manually added IP addresses cannot be managed by MS DHCP.

Likewise, a manually created IP address block cannot be set to managed by MS DHCP.
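An added example, not from the original post, of building the address space with the Windows Server 2012 R2 IpamServer cmdlets: a manually created block and range, then a bulk import of static addresses from a constructed CSV, and finally the utilisation view. Network values, device names and CSV column names are placeholders; Add-IpamAddress parameter names beyond -IpAddress, -ManagedByService and -ServiceInstance, and the range property names in the last line, are assumptions.

```powershell
# Added example, not from the original post. Networks and names are constructed placeholders.

# 1. A manually created block and a range inside it. ManagedByService 'IPAM' means IPAM
#    itself owns the range; as the post notes, a manual block cannot be flagged as managed by MS DHCP.
Add-IpamBlock -NetworkId '10.10.0.0/16'
Add-IpamRange -NetworkId '10.10.1.0/24' -StartIPAddress 10.10.1.1 -EndIPAddress 10.10.1.254 `
    -ManagedByService IPAM -ServiceInstance Localhost -AssignmentType Static

# 2. Constructed CSV of static assignments (in practice: Import-Csv .\static-hosts.csv)
$staticHosts = @'
IpAddress,DeviceType,DeviceName,Description
10.10.1.10,Host,fs01,File server
10.10.1.11,Printer,prn-floor1,Floor 1 printer
10.10.1.12,Switch,sw-core-1,Core switch management
'@ | ConvertFrom-Csv

# 3. Add each row; skip addresses already in inventory so the import is safe to re-run
foreach ($row in $staticHosts) {
    $existing = Get-IpamAddress -IpAddress $row.IpAddress -ManagedByService IPAM -ServiceInstance Localhost `
        -ErrorAction SilentlyContinue
    if ($existing) { Write-Verbose "Skipping $($row.IpAddress): already in IPAM"; continue }
    Add-IpamAddress -IpAddress $row.IpAddress -ManagedByService IPAM -ServiceInstance Localhost `
        -AssignmentType Static -DeviceType $row.DeviceType -DeviceName $row.DeviceName -Description $row.Description
}

# 4. Range utilisation, the same figures the IP address range groups view shows
Get-IpamRange -AddressFamily IPv4 |
    Format-Table NetworkId, StartAddress, EndAddress, Utilization, PercentageUtilized -AutoSize
```

Addresses added this way are owned by IPAM (ManagedByService IPAM), which is the cmdlet form of the restriction above: they will not become MS DHCP managed addresses.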

IPAM4

The IP address inventory shows the status of each IP address lease.

IPAM10

If you have devices that need statically assigned IP addresses or DHCP reservations, you can use the 'Find and Allocate Available IP Address…' function to find an available IP address and set a DHCP reservation for it.

IPAM6

The 'Reclaim IP Addresses…' function only removes the IP address entry from the IPAM database; it does not affect DHCP or DNS. To remove DHCP reservations and DNS records, use the IP Address Inventory and right-click the IP address you want to remove.

IPAM11
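An added example, not from the original post, of the find-and-reserve workflow in PowerShell, followed by the point made above about 'Reclaim': removing the entry from IPAM leaves the DHCP reservation and DNS record in place, so those have to be removed with the DHCP and DNS cmdlets. Server names, scope, zone, MAC address and device name are constructed placeholders; Get-IpamRange, Find-IpamFreeAddress, Add-IpamAddress and Remove-IpamAddress are Windows Server 2012 R2 cmdlets, and the IpAddress property on the Find-IpamFreeAddress result and the -Force switch on Remove-IpamAddress are assumptions.

```powershell
# Added example, not from the original post. All names and addresses are constructed placeholders.
$dhcpServer = 'dhcp01.contoso.com'
$dnsServer  = 'dc01.contoso.com'
$zone       = 'contoso.com'
$scopeId    = '10.10.1.0'
$deviceName = 'prn-floor2'
$mac        = '00-15-5D-01-02-03'

# 1. Find one free address in the DHCP-managed range; -TestReachability also checks ping and DNS
$range = Get-IpamRange -AddressFamily IPv4 -ManagedByService 'MS DHCP' -ServiceInstance $dhcpServer |
    Where-Object NetworkId -eq '10.10.1.0/24'
$free = Find-IpamFreeAddress -InputObject $range -NumAddress 1 -TestReachability
$ip   = [string]$free.IpAddress

# 2. Create the reservation where it lives, on the DHCP server, plus the matching A record
Add-DhcpServerv4Reservation -ComputerName $dhcpServer -ScopeId $scopeId -IPAddress $ip -ClientId $mac -Name $deviceName
Add-DnsServerResourceRecordA -ComputerName $dnsServer -ZoneName $zone -Name $deviceName -IPv4Address $ip

# 3. Record it in IPAM as a reservation owned by that DHCP server so the inventory matches
Add-IpamAddress -IpAddress $ip -ManagedByService 'MS DHCP' -ServiceInstance $dhcpServer `
    -AssignmentType Reserved -MacAddress $mac -DeviceName $deviceName -DeviceType Printer

# 4. 'Reclaim' only deletes the IPAM entry; the reservation and A record still exist...
Remove-IpamAddress -IpAddress $ip -ManagedByService 'MS DHCP' -ServiceInstance $dhcpServer -Force
Get-DhcpServerv4Reservation -ComputerName $dhcpServer -ScopeId $scopeId -IPAddress $ip    # still returned

# ...so to really retire the address, remove both at the source as well
Remove-DhcpServerv4Reservation -ComputerName $dhcpServer -IPAddress $ip
Remove-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone -RRType A -Name $deviceName -Force
```

Steps 1 to 3 are what the console does behind 'Find and Allocate Available IP Address…'; step 4 is why a reclaimed address can still show as reserved on the DHCP server and still resolve in DNS.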

IPAM Delegation

IPAM administrators can view all IPAM data and manage all features.

IPAM ASM administrators can manage IP blocks, IP ranges and IP addresses.

IPAM IP Audit administrators can view IP address tracking data.

IPAM MSM administrators can manage DHCP and DNS servers from within IPAM.

IPAM Users can view IPAM data but cannot manage features or view IP tracking data.
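The five roles above are local security groups on the IPAM server. As an added example that is not part of the original post, the following maps domain groups onto them so that each team gets only the role it needs, and then lists who can see IP tracking data. The domain group names are placeholders; `net localgroup` is used because it works on Windows Server 2012 without the newer LocalAccounts module.

```powershell
# Added example, not from the original post. Domain group names are placeholders.
# Local IPAM groups (from the post) -> domain groups that should hold that role
$roleMapping = [ordered]@{
    'IPAM Administrators'          = 'CONTOSO\IPAM-Admins'        # everything
    'IPAM ASM Administrators'      = 'CONTOSO\Network-Team'       # blocks, ranges, addresses
    'IPAM MSM Administrators'      = 'CONTOSO\DHCP-DNS-Operators' # DHCP and DNS servers
    'IPAM IP Audit Administrators' = 'CONTOSO\SecOps'             # IP tracking data
    'IPAM Users'                   = 'CONTOSO\Helpdesk'           # read-only, no tracking data
}

# Run on the IPAM server as a local administrator
foreach ($localGroup in $roleMapping.Keys) {
    & net localgroup $localGroup $roleMapping[$localGroup] /add
}

function Get-IpamRoleMembers {
    # Parses 'net localgroup <group>' output: members follow the dashed separator line
    param([string]$Group)
    $lines = & net localgroup $Group
    $separator = $lines | Where-Object { $_ -match '^-+$' } | Select-Object -First 1
    $start = [array]::IndexOf($lines, $separator) + 1
    $lines[$start..($lines.Count - 1)] |
        Where-Object { $_ -and $_ -notmatch 'completed successfully' } |
        ForEach-Object { [pscustomobject]@{ Group = $Group; Member = $_ } }
}

# Who can see IP address tracking data: full administrators and IP audit administrators
'IPAM Administrators', 'IPAM IP Audit Administrators' | ForEach-Object { Get-IpamRoleMembers -Group $_ } |
    Format-Table -AutoSize
```

Keeping the audit role in its own domain group is the useful part: tracking data links users to addresses over time, so the people who can read it should be a smaller set than the people who manage address space.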

IP Address Tracking

The domain controllers and NPS servers should have 'Account Logon Events' auditing enabled so that IPAM can collect user and computer authentication events and cross-reference them against DHCP leases.

IPAM12
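An added example, not from the original post, of enabling the auditing described above and then querying the tracking data it feeds. The auditpol subcategories are the ones under the Account Logon category on domain controllers, plus the Network Policy Server subcategory that carries NPS authentication events; run them on each DC and NPS server or set the equivalent policy in the Default Domain Controllers Policy. Get-IpamIpAddressAuditEvent is a Windows Server 2012 R2 cmdlet and the user name is a placeholder.

```powershell
# Added example, not from the original post. Run auditpol on each domain controller / NPS server.
# Account Logon category: the events IPAM correlates for domain authentication
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
# NPS servers: RADIUS/802.1X authentication events live in this Logon/Logoff subcategory
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# Confirm the effective setting
auditpol /get /category:"Account Logon"
auditpol /get /subcategory:"Network Policy Server"

# On the IPAM server (2012 R2 cmdlet): which addresses a user held over the last 7 days,
# i.e. DHCP leases joined to the logon events collected above. 'CONTOSO\jdoe' is a placeholder.
Get-IpamIpAddressAuditEvent -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -UserName 'CONTOSO\jdoe' |
    Format-Table -AutoSize
```

Without the Account Logon events the tracking view still shows leases, but the user and computer columns stay empty, which is the usual cause of "tracking shows nothing" after an otherwise working deployment.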


Best Practice

The IPAM best practices can be found here.
