Design considerations for IP address management

When managing an IP address infrastructure, your overall goal is to reduce the administrative burden and overhead of managing the address space. Many organizations still use something as simple as a spreadsheet for this, which makes it difficult to track who changed what and when. Common tasks, such as determining which device holds which IP address, have to be performed by hand and the results entered by hand. All of this manual intervention introduces errors, quite apart from the effort of doing it in the first place.


In an ideal world, the IP address spaces in use would manage themselves as much as possible while requiring as little administrator intervention as possible. IP address management (IPAM) in Windows Server 2012 helps alleviate some of that overhead with several key features such as discovery, auditing, reporting, and monitoring.


IPAM enables IP address tracking for domain controllers and network policy servers running Windows Server 2008 and later, enables some configuration and monitoring of DNS servers, and enables scope monitoring and configuration of DHCP servers. IPAM attempts to discover domain controllers, DNS servers, DHCP servers, and network policy servers at a regular interval. Each discovered server can be managed by IPAM or left unmanaged. For discovery to succeed, however, each server's firewall must allow the traffic the IPAM server needs (remote event log, service management, and RPC access for the roles involved), and the IPAM server must be granted the corresponding access rights; the IPAM GPOs described later in this section configure both. All servers must reside in a single Active Directory forest and must be domain members to be used with IPAM.


Designing an IPAM solution involves deciding where to house the servers: at a central location, or in a distributed fashion with an IPAM server at each site. IPAM servers don't communicate or share information with each other, but you can customize each server's discovery scope to limit discovery to that site. The practical implication of this design choice is that in a multi-site environment you can assign certain scopes to a team local to that site. In other environments a centralized approach works best; split IP address management as your organization requires.


When deploying IPAM, you should be aware of the limitations for a single server:
- 150 DHCP servers
- 500 DNS servers
- 6000 DHCP scopes
- 150 DNS zones
Also, non-Microsoft devices such as routers and switches aren't managed or monitored by IPAM.


After installation, the IPAM server is provisioned either manually or with Group Policy Objects (GPOs). The Provision IPAM Wizard walks through the provisioning process (see Figure 2-12).
Note, however, that after you choose the provisioning method, you can't change it. With the Group Policy Based option, marking a server as managed adds its computer account to the security filtering of the relevant GPO, so the required settings are applied automatically; marking it as unmanaged removes it again, so the GPO no longer applies to that server.




FIGURE 2-12 Configuring the IPAM provisioning method.
Server discovery runs as a scheduled task on the IPAM server (created under Microsoft\Windows\IPAM in Task Scheduler when you configure discovery), and you can also start it manually from the IPAM node in Server Manager. The domains to search and the types of servers to discover can also be configured, as shown in Figure 2-13.




FIGURE 2-13 Configuring the types of servers to be discovered by IPAM.
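The same discovery configuration can be driven from PowerShell on the IPAM server, which is useful when you want to script a per-site scope rather than click through the wizard. The following is an added example, not code from the book: the domain name is an assumption, and the scheduled-task path and name are assumed from the task IPAM creates in Task Scheduler. Run it as a member of the IPAM Administrators group.

```powershell
# Added example (not from the book): configure IPAM server discovery from
# PowerShell. Assumptions for illustration: the discovery domain name, and
# the scheduled-task path \Microsoft\Windows\IPAM\ with task name
# ServerDiscovery.
Import-Module IpamServer
Import-Module ScheduledTasks

$domain = 'corp.contoso.com'   # assumed domain to search

# Tell IPAM which domain to search and which roles to look for. Each switch
# is a Boolean; setting one to $false keeps that role out of the inventory,
# which is how you narrow a site-local IPAM server to the roles its team owns.
Add-IpamDiscoveryDomain -Name $domain -DiscoverDc $true -DiscoverDns $true -DiscoverDhcp $true

# Check what IPAM will search for. Discovery only runs in the domains listed here.
Get-IpamDiscoveryDomain | Format-Table Name, DiscoverDc, DiscoverDns, DiscoverDhcp -AutoSize

# Discovery is a scheduled task on the IPAM server itself, not something
# pushed out by GPO. Start it now instead of waiting for the next scheduled run,
# then read back when it ran and whether it succeeded (LastTaskResult 0).
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'ServerDiscovery'
Start-ScheduledTask -InputObject $task
Get-ScheduledTaskInfo -InputObject $task | Select-Object LastRunTime, LastTaskResult

# Remove a domain from discovery when a site stops being managed from here.
# Remove-IpamDiscoveryDomain -Name $domain
```

Newly discovered servers still appear with an IPAM Access Status of Blocked and a manageability of Unspecified; discovery only builds the inventory, it does not grant IPAM any access to the servers it finds.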


When servers are discovered, their IPAM Access Status shows them as blocked, and their manageability will be Unspecified, as shown in Figure 2-14.




FIGURE 2-14 You need to correct the manageability status of a recently discovered server to be able to manage the server.
To make discovered servers manageable, first create the IPAM GPOs in the domain by running the following Windows PowerShell command (as Administrator) on the IPAM server:


Invoke-IpamGpoProvisioning -Domain <domain> -GpoPrefixName <Prefix> -IpamServerFqdn <IPAM Server FQDN>


This command creates three GPOs linked at the domain level, one for each server role. For example, if you use a GPO name prefix of IPAM1 when provisioning IPAM, the following Group Policy Objects are created, which you can verify in the Group Policy Management tool:
- IPAM1_DC_NPS
- IPAM1_DNS
- IPAM1_DHCP


The GPOs are created with empty security filtering, so at this point they apply to no one. Next, set each server's status to Managed: right-click the server, select Edit Server, and set the Manageability status to Managed. This adds the server's computer account to the security filtering of the GPO for its role.


Only then does a Group Policy refresh on the managed server actually apply the IPAM settings. Run the following command on the server itself:


gpupdate /force


Finally, right-click the server in the IPAM console and choose Refresh Server Access Status; the IPAM Access Status should change from Blocked to Unblocked. If it stays Blocked, the usual causes are a refresh run before the server was marked Managed, or the firewall rules and group membership in the GPO not yet applied.
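The full provisioning sequence, scripted end to end with checks after each step, follows as an added example (not code from the book). The domain, prefix and server names are assumptions. Set-IpamServerInventory is also an assumption: it is available in Windows Server 2012 R2 and later, so on Windows Server 2012 perform that one step in the console as described above. Run the script in an elevated PowerShell session on the IPAM server with rights to create domain-level GPOs.

```powershell
# Added example (not from the book): provision the IPAM GPOs, mark a server
# Managed, refresh policy on it, and verify each step. Names below are
# assumptions for illustration.
Import-Module IpamServer
Import-Module GroupPolicy

$domain   = 'corp.contoso.com'
$prefix   = 'IPAM1'
$ipamFqdn = 'ipam1.corp.contoso.com'
$dhcpFqdn = 'dhcp1.corp.contoso.com'   # a DHCP server discovered earlier

# 1. Create and link the three GPOs (IPAM1_DHCP, IPAM1_DNS, IPAM1_DC_NPS).
#    Their security filtering starts empty, so nothing applies yet.
Invoke-IpamGpoProvisioning -Domain $domain -GpoPrefixName $prefix -IpamServerFqdn $ipamFqdn

Get-GPO -All -Domain $domain |
    Where-Object DisplayName -like "${prefix}_*" |
    Format-Table DisplayName, GpoStatus -AutoSize

# 2. Mark the server Managed. IPAM adds its computer account to the security
#    filtering of the GPO for that role. (Set-IpamServerInventory: assumed,
#    Windows Server 2012 R2 or later; on 2012 use Edit Server in the console.)
Set-IpamServerInventory -Name $dhcpFqdn -ManageabilityStatus Managed -ServerType DHCP

# Check: the computer account should now hold the Apply (GpoApply) permission
# on IPAM1_DHCP. If it does not, gpupdate on the server will do nothing.
Get-GPPermission -Name "${prefix}_DHCP" -DomainName $domain -All |
    Where-Object Permission -eq 'GpoApply' |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, TrusteeType, Permission

# 3. Only now is a policy refresh on the managed server useful.
Invoke-Command -ComputerName $dhcpFqdn -ScriptBlock { gpupdate /force }

# 4. Confirm the GPO landed: the IPAM DHCP GPO uses Restricted Groups to put the
#    IPAM server's computer account in the local Event Log Readers group, which
#    is what lets IPAM read DHCP and lease events remotely. The IPAM server
#    should appear in this listing.
Invoke-Command -ComputerName $dhcpFqdn -ScriptBlock { net localgroup 'Event Log Readers' }

# 5. In the IPAM console, right-click the server and choose Refresh Server
#    Access Status; it should move from Blocked to Unblocked.
```

Step 2 before step 3 is the part people most often get backwards: running gpupdate on a server that is not yet in the GPO's security filter succeeds silently and changes nothing, and the server stays Blocked.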