Design and Implement Network Infrastructure Services

Objective 2.3: Design and manage an IP address management solution

Windows Server 2012 introduces a new feature called IP address management (IPAM) that helps administrators organize the infrastructure and hosts on the network. IPAM is a powerful tool that can be used to manage both IPv4 and IPv6 network infrastructure as well as provide auditing of an IP address space.

This objective covers the following topics:

• Design considerations, including IP address management technologies such as IPAM, Group Policy based, and manual provisioning, as well as distributed vs. centralized placement
• How to configure role-based access control
• How to configure IPAM auditing
• How to migrate IPs
• How to manage and monitor multiple DHCP and DNS servers
• How to configure data collection for IPAM

Design considerations for IP address management

When managing an IP address infrastructure, your overall goal is to reduce the administrative burden and overhead of managing the address space. For example, many organizations use something as simple as a spreadsheet for managing their address space. This makes tracking who makes changes to the address space difficult. Common tasks such as determining which devices use which IP need to be done manually and then updated manually. All this manual intervention for IP address management introduces errors, not to mention the overhead of having to do it in the first place.

In an ideal world, the IP address spaces in use would manage themselves as much as possible while requiring as little administrator intervention as possible. IP address management (IPAM) in Windows Server 2012 helps alleviate some of that overhead with several key features such as discovery, auditing, reporting, and monitoring.

IPAM enables IP address tracking for Windows Server 2008 and above domain controllers and network policy servers, enables some configuration and monitoring of DNS servers, and enables scope monitoring and configuration of DHCP servers. IPAM attempts to discover domain controllers, DNS servers, DHCP servers, and network policy servers at a regular interval. The servers themselves can be managed by IPAM or left unmanaged. However, to enable discovery, the server needs to allow communication from the IPAM server at the firewall level, and other security settings also need to allow the discovery to take place. All servers must reside in one Active Directory forest and must be domain members to be used with IPAM.

Designing an IPAM solution involves determining where to house the servers, whether at a central location or in a distributed fashion with an IPAM server at each site. IPAM servers don’t communicate or share information with each other, but you can customize each server’s scope to limit discovery to that site. The practical implication of this design choice is that you can allocate certain scopes in a multi-site environment so that they can be managed by a team local to that environment. In other environments, a centralized approach works best, but you can split IP address management as needed by your organization.

When deploying IPAM, you should be aware of the limitations for a single server:

• 150 DHCP servers
• 500 DNS servers
• 6000 DHCP scopes
• 150 DNS zones

Also, non-Microsoft devices such as routers and switches aren’t managed or monitored by IPAM.

When installed, the IPAM server is provisioned manually or with Group Policy Objects (GPOs). The Provision IPAM Wizard walks through the provisioning process (see Figure 2-12). Note, however, that after you choose the provision method, you can’t change it. Using the Group Policy Based option enables the servers to be marked as managed in a more automated fashion, and the GPOs can be removed when a server is marked as unmanaged.

Through GPOs, you can add a Server Discovery task to the task scheduler but can also start it manually through the IPAM server manager. The types of servers to be discovered can also be configured, as shown in Figure 2-13.

When servers are discovered, their IPAM Access Status shows them as blocked, and their manageability will be Unspecified, as shown in Figure 2-14.

To configure the server so that it is manageable, add the appropriate GPOs to the server by running the following Windows PowerShell command (as Administrator) from the IPAM server:

Invoke-IpamGpoProvisioning -Domain <domain> -GpoPrefixName <Prefix> -IpamServerFqdn
<IPAM Server Name>

This command results in three GPOs being created. For example, if you use a GPO name prefix of IPAM1 when provisioning IPAM, the following Group Policy Objects would be created, which can be verified in the Group Policy Management tool:

• IPAM1_DC_NPS
• IPAM1_DNS
• IPAM1_DHCP

When this is complete, each server to be managed needs to obtain the GPOs. Run the following command from within the server itself:

gpupdate /force

The final step to manage the server is to set the server status to Managed. Right-click the server, select Edit Server, and set the Manageability status to Managed.

Configuring role-based access control

When installed, IPAM creates five security groups, as shown in Table 2-3. These groups are added during IPAM provisioning and can be used like other security groups in Windows. For example, adding users to one of these groups enables them to perform IPAM-related tasks according to the permissions for that group.

Table 2-3 Security groups created by IPAM

Security Group	Description
IPAM Users	Allows you to view information about the various areas being managed by IPAM with the exception of IP address-tracking information.
IPAM MSM Administrators	Includes the privileges in the IPAM Users group and adds the ability to manage the IPAM server.
IPAM ASM Administrators	Includes the privileges in the IPAM Users group and adds the ability to manage IP address space tasks and server management.
IPAM IP Audit Administrators	Views IP address-tracking information in addition to the privileges in the IMAP Users group.
IPAM Administrators	Makes up an overall administrative group that can perform all IPAM tasks.

Configuring IPAM auditing

IPAM can be used for auditing purposes to provide information on address utilization, policy compliance, and other information based on the type of servers being managed by IPAM. You use the Event Catalog to configure IPAM auditing (see Figure 2-15). The IP address audit functionality in IPAM collects user information along with the IP address, hostname, and client identifier (MAC address for IPv4 or DUID for IPv6). This information comes from managed DHCP servers, domain controllers, and network policy servers.

By default, the IPAM configuration events are shown, but other events can be shown and can have reports created from the data within them. Included are query tools and a search box to help narrow the focus of the events displayed. Criteria can be added to a query filter, as shown in Figure 2-16.

After the data is retrieved, it can be exported to a comma-separated value (CSV) file.

Migrating IP addresses

IPAM can help you manage IP addresses in a network. IPAM might be used to track utilization of IP addresses for a given site to ensure that enough addresses exist for clients at that site. IPAM defines IP address ranges as groups of contiguous IP addresses, and IP address blocks as groupings of IP address ranges.

When migrating IP addresses to be managed by IPAM, the addresses can be entered manually by address range, address block, and individually by address. You can also import IP addresses into IPAM with a CSV-formatted file. Figure 2-17 shows the Add Or Edit IPv4 Address Range dialog box.

The Managed By Service drop-down list is helpful for migration planning. With this dialog box you can select how the address block or range is now being managed from choices like IPAM (as shown), a non-Microsoft DHCP solution, Microsoft Virtual Machine Manager (VMM), or another method. Choosing this correctly then enables you to import the IP address space within IPAM but still have address assignment done using the current method. When ready, the IP address can be moved under IPAM management as appropriate.

Managing and monitoring multiple DHCP and DNS servers

IPAM can use logical groupings of servers for configuration, monitoring, and management. This is useful for managing a group of servers that are located at a remote site or have some other common criteria for management and monitoring in IPAM. Server groups are configured within the Monitor and Manage section of IPAM.

Within server groups in IPAM, you add a server group with the Add Server Group dialog box, shown in Figure 2-18.

As you see within Figure 2-18, you can also group servers by several criteria, as shown in Figure 2-19.

Multi-filtering is available, such that you can choose to first group by one criterion and then additional criteria as needed to create a group with the necessary specificity.

After a server group is created, it can be found within the Server Groups section in the IPAM management console. Like other areas, server groups can be searched and their display order can be changed to locate the server group to be managed.

Configuring data collection

IPAM data-collection activities are scheduled using Task Scheduler and are run at regular intervals. The data collected depends on the items configured within IPAM. For example, if IPAM is being used to manage IP addresses, the data-collection activities include an IP address utilization scan for the IP addresses being managed. The length of time that it takes to collect data also varies accordingly.

The data-collection tasks are configured within the Task Scheduler Library under Microsoft | Windows | IPAM. Table 2-4 shows the task names and their default frequency.

Table 2-4 Default schedules for tasks in Task Scheduler

Task Name	Frequency
AddressExpiry	1 day
AddressUtilization	2 hours
Audit	1 day
ServerAvailability	15 minutes
ServerConfiguration	6 hours
ServerDiscovery	1 day
ServiceMonitoring	30 minutes

The type of server defines the data to be collected from that server. For example, DNS zones aren’t collected from a DHCP server, and so on. You can change the data to be collected from a server within the Add Or Edit Server dialog box. Figure 2-20 shows this dialog box, within which the Server Type can be set according to the need for data collection.

Objective summary

• IPAM has certain limitations on the number of servers that it can manage. These include 150 DHCP servers, 500 DNS servers, 150 DNS zones, and 6000 DHCP scopes.
• The IPAM server can locate servers to provision manually or by using Group Policy Objects (GPOs).
• IPAM servers can be distributed as appropriate for an organization’s needs.
• IPAM creates several groups that can be used for role-based access control to the various functions in IPAM.
• IP addresses can be managed and audited in IPAM, and IPAM can be provisioned with IP addresses managed by other DHCP servers.
• Server groups help manage multiple servers in IPAM by creating logical groups as configured by administrators.
• Task Scheduler contains several tasks related to collection of data in IPAM, and data collection can be started manually.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

1. You need to grant access for viewing audit information within IPAM. To which group should you add a user to, to grant that user the minimum level of permission for this task?

   1. IPAM Users

   2. IPAM IP Address Audit Admins

   3. IPAM Administrators

   4. IPAM IP Audit Administrators

2. When provisioning IPAM servers using GPOs, servers are discovered. After configuring them to be managed in IPAM, what command do you need to run on the server to be managed?

   1. Invoke-IpamAudit /server <ipam-servername> /domain

   2. gpupdate /reset

   3. Invoke-IpamAudit /server <ipam-servername> /configure

   4. gpupdate /force

3. What is the default data-collection interval for the ServerDiscovery task?

   1. 3 days

   2. 8 hours

   3. 1 day

   4. 1 hour

4. Which of the following isn’t a valid criterion for grouping events (assuming you’re not using a custom criterion)?

   1. Keywords

   2. Event Region

   3. User Name

   4. User Domain Name

5. When do IPAM servers exchange information on the servers under their respective management?

   1. When configured in a distributed scenario

   2. Never; IPAM servers don’t exchange information

   3. When configured with System Center 2012

   4. When configured to use DNS