
Important

The following instructions are for configuring a test lab using the minimum number of
computers. Individual computers are needed to separate the services provided on the
network and to clearly show the desired functionality. This configuration is neither
designed to reflect best practices nor does it reflect a desired or recommended
configuration for a production network. The configuration, including IP addresses and
all other configuration parameters, is designed only to work on a separate test lab
network.

Walkthrough: Demonstrate IPAM in Windows Server 2012
IP Address Management (IPAM) in Windows Server® 2012 is a framework for discovering,
monitoring, managing and auditing IP address space on a corporate network. IPAM provides the
following features:
• Automatic IP address infrastructure discovery
• Highly customizable IP address space display, reporting, and management
• Configuration change auditing for DHCP and IPAM services
• Monitoring and management of DHCP and DNS services
• IP address lease tracking

In this guide
This guide provides step-by-step instructions for deploying IPAM in a test lab using three server
computers and one client computer. Software and hardware requirements are provided, as well as
an overview of IPAM.
Guide contents:
• IPAM overview
  o IPAM discovery
  o IP address space management
  o Multi-server management and monitoring
  o Operational auditing and IP address tracking
• IPAM architecture
  o IPAM security groups
  o IPAM tasks
  o Privacy
  o IPAM requirements
• Scenario overview
  o Hardware and software requirements
• Configuring the test lab
  o Configure DC1
  o Configure DHCP1
  o Configure Client1
  o Configure IPAM1
• IPAM demonstration
  o Address space management
  o Infrastructure monitoring and management
  o Review audit logs and events

IPAM overview
The IPAM feature consists of four primary modules. The following sections provide a brief
description of these modules.

IPAM discovery
IPAM discovery requires access to Active Directory in order to discover network infrastructure servers.
This discovery is necessary to enable IPAM services. Discovery allows administrators to enumerate
servers running Windows Server® 2008 or later with the DNS Server, DHCP Server and AD DS role
services installed. Administrators can also manually add or delete servers to define a custom scope of
administrative control. The scope of discovery can be modified in real-time by selecting or removing
domains and specific server roles.

IP address space management


The IPAM address space management (ASM) feature provides the ability to efficiently view, monitor,
and manage IP address space on the network. ASM supports IPv4 public and private addresses, and
IP addresses can be dynamically issued on the network or provided as static IP addresses. Sorting can
be based on custom fields, such as region, Regional Internet Registries (RIR), device type, or customer
name. A network administrator can track IP address utilization and threshold-crossing status, or
display utilization trends. IPAM ASM tools address the IP address space management problem in a
growing distributed environment by ensuring better planning, accountability, and control. IPAM also
enables an administrator to detect overlapping IP address ranges defined on different DHCP servers,
find free IP addresses within a range, create DHCP reservations, and create DNS records.

Multi-server management and monitoring


IPAM enables administrators to monitor and manage multiple DHCP servers and monitor multiple
DNS servers spread across various regions from a centralized console. Administrative tasks are
frequently repetitive across multiple servers. The ability to execute these tasks uniformly across servers
reduces both the effort involved as well as the probability of error. The multi-server management
(MSM) feature enables an administrator to easily edit and configure key properties of multiple DHCP
servers and scopes across the organization. IPAM also facilitates monitoring and tracking of DHCP
service status and utilization of DHCP scopes. IPAM also enables tagging of servers with built-in and
user-defined custom field values, and visualizing these servers and grouping them into logical groups
and sub-groups. IPAM helps to monitor the health of a DNS zone on multiple DNS servers by
displaying the aggregated status of a zone across all authoritative DNS servers. IPAM also tracks the
service status of the DNS and DHCP servers on the network.
Operational auditing and IP address tracking
Auditing tools enable tracking potential configuration problems on IP infrastructure servers. IPAM
provides the ability to view consolidated configuration changes on managed DHCP servers and the
IPAM server. Details are tracked such as server name, user name, and the date and time a
configuration change was made. IP address lease tracking is available to aid forensics investigations
by collecting lease logs from DHCP, DC and NPS servers. IPAM enables history tracking for IP address
leases and user logins. This enables tracking of IP address activity correlated with MAC addresses,
user names, host names and other parameters.
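
The lease correlation described above can be reproduced by hand from DHCP audit log lines. The following PowerShell is an added example, not part of the original guide or of IPAM itself; the sample lines are constructed in the comma-separated layout of the Windows DHCP Server audit log, and the function names and the two-minute lease default (the value this lab configures later) are assumptions.

```powershell
# Added example. Constructed sample records in the layout of the Windows DHCP Server
# audit log: ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
# (later columns left out). Event IDs: 10 = new lease, 11 = renewal, 12 = release.
$sampleLog = @'
10,03/12/13,09:00:05,Assign,10.0.0.11,Client1.contoso.com,00155D010A01,
11,03/12/13,09:01:05,Renew,10.0.0.11,Client1.contoso.com,00155D010A01,
12,03/12/13,09:02:40,Release,10.0.0.11,Client1.contoso.com,00155D010A01,
10,03/12/13,09:03:10,Assign,10.0.0.11,Laptop7.contoso.com,00155D010A02,
10,03/12/13,09:03:30,Assign,10.0.0.12,Client1.contoso.com,00155D010A01,
11,03/12/13,09:04:10,Renew,10.0.0.11,Laptop7.contoso.com,00155D010A02,
'@

function ConvertFrom-DhcpAuditLog {
    # Turns raw audit log lines into objects that carry a real [datetime].
    param([string[]]$Line)

    $header  = 'Id', 'Date', 'Time', 'Description', 'IPAddress', 'HostName', 'MacAddress', 'UserName'
    $culture = [Globalization.CultureInfo]::InvariantCulture

    # Real log files begin with explanatory text; keep only lines that start with an event ID.
    $Line | Where-Object { $_ -match '^\d+,' } | ConvertFrom-Csv -Header $header | ForEach-Object {
        [pscustomobject]@{
            Time       = [datetime]::ParseExact("$($_.Date) $($_.Time)", 'MM/dd/yy HH:mm:ss', $culture)
            EventId    = [int]$_.Id
            IPAddress  = $_.IPAddress
            HostName   = $_.HostName
            MacAddress = $_.MacAddress
        }
    }
}

function Get-LeaseHolder {
    # Returns the lease record that was in force for an address at a given moment,
    # or nothing if the address was released or the lease had already expired.
    param(
        [object[]]$Record,
        [Parameter(Mandatory = $true)][string]$IPAddress,
        [Parameter(Mandatory = $true)][datetime]$At,
        [timespan]$LeaseDuration = '00:02:00'   # assumption: the lab's two-minute lease
    )

    $last = $Record |
        Where-Object { $_.IPAddress -eq $IPAddress -and $_.Time -le $At -and (10, 11, 12) -contains $_.EventId } |
        Sort-Object Time |
        Select-Object -Last 1

    if (-not $last)                          { return }   # address never seen before $At
    if ($last.EventId -eq 12)                { return }   # last event was a release
    if ($At -gt $last.Time + $LeaseDuration) { return }   # lease ran out without renewal
    $last
}

function Get-MacAddressHistory {
    # Lists every address a client identifier was seen with, and when.
    param([object[]]$Record, [Parameter(Mandatory = $true)][string]$MacAddress)

    $Record | Where-Object { $_.MacAddress -eq $MacAddress } | Group-Object IPAddress | ForEach-Object {
        $ordered = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            MacAddress = $MacAddress
            IPAddress  = $_.Name
            FirstSeen  = $ordered[0].Time
            LastSeen   = $ordered[-1].Time
        }
    }
}

$records = ConvertFrom-DhcpAuditLog -Line ($sampleLog -split "`r?`n")

# Who held 10.0.0.11 at 09:01:30, and who held it at 09:04:30?
Get-LeaseHolder -Record $records -IPAddress '10.0.0.11' -At '2013-03-12 09:01:30'
Get-LeaseHolder -Record $records -IPAddress '10.0.0.11' -At '2013-03-12 09:04:30'

# Which addresses has one client identifier used?
Get-MacAddressHistory -Record $records -MacAddress '00155D010A01'
```

An empty result from Get-LeaseHolder is meaningful in an investigation: it says the address was unleased at that moment, so traffic from it cannot be attributed from DHCP data alone.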

IPAM architecture
An IPAM server is a domain member computer. You cannot install IPAM on an Active Directory
domain controller.
There are three general methods to deploy IPAM servers:
1. Distributed: An IPAM server is deployed at every site in the enterprise.
2. Centralized: One IPAM server is deployed in the enterprise.
3. Hybrid: A central IPAM server deployed with dedicated IPAM servers at each site.
There is no communication or database sharing between different IPAM servers in the enterprise. If
multiple IPAM servers are deployed, you can customize the scope of discovery for each IPAM server,
or filter the list of managed servers. A single IPAM server might manage a specific domain or location,
perhaps with a second IPAM server configured as a backup.
IPAM will periodically attempt to locate network policy servers, domain controllers, DNS servers, and
DHCP servers on the network that are within the scope of discovery that you specify. You must choose
whether these servers are managed by IPAM or unmanaged. In this way, you can select different
groups of servers that are managed or not managed by IPAM. To be managed by IPAM, server security
settings and firewall ports must be configured to allow the IPAM server access to perform required
monitoring and configuration functions. You can choose to configure these settings manually, or
automatically using Group Policy Objects (GPOs). If you choose the automatic method, then settings
are applied when a server is marked as managed and settings are removed when it is marked as
unmanaged. The IPAM server will communicate with managed servers using an RPC or WMI interface.
IPAM monitors domain controllers and NPS servers for IP address tracking purposes. In addition to
monitoring functions, several DHCP server and scope properties can be configured using IPAM.
Zone status monitoring and a limited set of configuration functions are also available for DNS servers.

IPAM security groups


The following local IPAM security groups are created when you install IPAM.
• IPAM Users: Members of this group can view all information in server discovery, IP address
  space, and server management. They can view IPAM and DHCP server operational events, but
  cannot view IP address tracking information.
• IPAM MSM Administrators: IPAM multi-server management (MSM) administrators have
  IPAM Users privileges and can perform IPAM common management tasks and server
  management tasks.
• IPAM ASM Administrators: IPAM address space management (ASM) administrators have
  IPAM Users privileges and can perform IPAM common management tasks and IP address
  space tasks.
• IPAM IP Audit Administrators: Members of this group have IPAM Users privileges and can
  perform IPAM common management tasks and can view IP address tracking information.
• IPAM Administrators: IPAM Administrators have the privileges to view all IPAM data and
  perform all IPAM tasks.

IPAM tasks
IPAM launches the following tasks upon installation with the specified periodicity. These tasks can be
viewed in Task Scheduler by navigating to Microsoft > Windows > IPAM.

| Task Name | Description | Default Frequency | Duration |
|---|---|---|---|
| AddressExpiry | Tracks IP address expiry state and logs notifications. | 1 day | Indefinite |
| AddressUtilization | Collects IP address space usage data from DHCP servers to display current and historical utilization. | 2 hours | Indefinite |
| Audit | Collects DHCP and IPAM server operational events. Also collects events from domain controllers, NPS, and DHCP servers for IP address tracking. | 1 day | Indefinite |
| ServerAvailability | Collects service status information from DHCP and DNS servers. | 15 minutes | Indefinite |
| ServerConfiguration | Collects configuration information from DHCP and DNS servers for display in IP address space and server management functions. | 6 hours | Indefinite |
| ServerDiscovery | Automatically discovers the domain controllers, DHCP servers, and DNS servers in the domains you select. | 1 day | Indefinite |
| ServiceMonitoring | Collects DNS zone status events from DNS servers. | 30 minutes | Indefinite |

Privacy
The IP address audit functionality in IPAM provides tracking of IP address, hostname and Client
Identifier (MAC address in IPv4, DUID in IPv6) information of computers and devices on a network in
addition to user login information. The IPAM server collects audit logs and events from DHCP servers,
domain controllers and network policy servers, and stores the IP address, hostname, client identifier
and user name of a network user in the IPAM database on the computer running the IPAM Server
feature. An IPAM audit administrator or IPAM administrator can search logs based on IP address,
client identifier, hostname, or user name.

Information collected, processed, or transmitted


• IP addresses, client identifiers, and host names are collected from audit logs on DHCP servers that
  are managed by IPAM.
• User names and IP addresses are collected from events on domain controllers.
• User names and client identifiers are collected from events on network policy servers.
• No information is sent to Microsoft.

Audit control
IPAM is not enabled by default and must be installed as a server feature. When the IPAM Server
feature is installed, IP address audit functionality is automatically enabled.
To disable IP address audit, start Task Scheduler on the IPAM server, navigate to
Microsoft\Windows\IPAM and disable the audit task.
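
The security group descriptions and the audit control procedure above translate into a short review on the IPAM server: who can see IP address tracking data, and whether the task that collects it is running. This PowerShell is an added example, not part of the original guide; the function names are hypothetical, and it assumes an elevated session on the IPAM server (IPAM1 in this lab) with the ScheduledTasks module that ships with Windows Server 2012.

```powershell
# Added example: review of IPAM role membership and audit collection on the IPAM server.

# The five local groups created by IPAM setup, as named in this guide.
$ipamGroups = 'IPAM Users', 'IPAM MSM Administrators', 'IPAM ASM Administrators',
              'IPAM IP Audit Administrators', 'IPAM Administrators'

# Per the guide, only these two roles can view IP address tracking information.
$trackingGroups = 'IPAM IP Audit Administrators', 'IPAM Administrators'

$ipamTaskPath = '\Microsoft\Windows\IPAM\'

function Get-IpamGroupMember {
    # Lists the members of the local IPAM groups through the WinNT ADSI provider.
    param(
        [string[]]$GroupName = $ipamGroups,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    foreach ($name in $GroupName) {
        try {
            $group   = [ADSI]"WinNT://$ComputerName/$name,group"
            $members = @($group.psbase.Invoke('Members'))
        }
        catch {
            Write-Warning "Could not read local group '$name': $($_.Exception.Message)"
            continue
        }

        foreach ($member in $members) {
            # Members are COM objects; read ADsPath through late binding.
            $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
            [pscustomobject]@{
                Group           = $name
                Member          = ($adsPath -replace '^WinNT://', '') -replace '/', '\'
                CanViewTracking = $trackingGroups -contains $name
            }
        }
    }
}

function Get-IpamTaskState {
    # Reports the state of the scheduled tasks that IPAM registers.
    Get-ScheduledTask -TaskPath $ipamTaskPath -ErrorAction SilentlyContinue |
        Sort-Object TaskName |
        Select-Object TaskName, State,
            @{ Name = 'CollectsTrackingData'; Expression = { $_.TaskName -eq 'Audit' } }
}

# 1. Role membership, with the accounts that can read tracking data listed first.
Get-IpamGroupMember |
    Sort-Object @{ Expression = 'CanViewTracking'; Descending = $true }, Group, Member |
    Format-Table -AutoSize

# 2. Task state, with a warning when audit collection is not running.
$tasks = @(Get-IpamTaskState)
$tasks | Format-Table -AutoSize

$audit = $tasks | Where-Object { $_.TaskName -eq 'Audit' }
if (-not $audit) {
    Write-Warning "No Audit task under $ipamTaskPath. Is the IPAM Server feature installed?"
}
elseif ("$($audit.State)" -eq 'Disabled') {
    Write-Warning 'The Audit task is disabled: IP address audit data is not being collected.'
}

# To turn IP address audit off, as the guide describes, the equivalent command is:
#   Disable-ScheduledTask -TaskPath $ipamTaskPath -TaskName 'Audit'
```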

IPAM requirements
The scope of IPAM server discovery is limited to a single Active Directory forest. The forest may be
comprised of a mix of trusted and untrusted domains. IPAM requires membership in an Active
Directory domain, and is reliant on a prerequisite functional network infrastructure environment in
order to integrate with existing DHCP, DNS, domain controller, and network policy server installations
across the forest.
IPAM has the following specifications:
• IPAM supports only Microsoft DHCP, DNS, domain controllers, and network policy servers
  running Windows Server® 2008 and above.
• IPAM supports only domain joined servers in a single Active Directory forest.
• A single IPAM server can support up to 150 DHCP servers and 500 DNS servers.
• A single IPAM server can support up to 6000 DHCP scopes and 150 DNS zones.
• IPAM stores 3 years of forensics data (IP address leases, host MAC addresses, user login and
  logoff information) for 100,000 users in a Windows Internal Database. There is no database
  purge policy provided, and the administrator must purge the data manually as needed.
• IPAM does not support management and configuration of non-Microsoft network elements
  (such as WINS, DHCP relays, or proxies).
• IPAM supports only Windows Internal Database. No external database is supported.
• IP address utilization trends are provided only for IPv4.
• IP address reclaiming support is provided only for IPv4.
• No special processing is done for IPv6 stateless address auto configuration private extensions.
• No special processing for virtualization technology or virtual machine migration.
• IPAM does not check for IP address consistency with routers and switches.
• IPAM does not support auditing of IPv6 address (stateless address auto configuration) on an
  unmanaged machine to track the user.

Scenario overview
This test lab demonstrates IPAM functionality in Windows Server 2012. Three server computers and
one client computer are used. See the following figure.

Hardware and software requirements


Three server computers and one client computer are required to complete the test lab.

Note

You can install DHCP on the same server with AD DS and DNS if desired and adjust
procedures in the test lab accordingly. DHCP and DNS roles are separated in the test lab
to demonstrate discovery and management of multiple servers providing different
services on the network. The IPAM feature must be installed on a separate, domain
member computer. A client computer is required to demonstrate IP address audit
functionality.
The following are required components of the test lab:
1. The product disc or other installation media for Windows Server 2012.
2. Three computers that meet the minimum hardware requirements for Windows Server 2012.
3. The product disc or other installation media for Windows® 8.
4. One computer that meets the minimum hardware requirements for Windows 8.

Configuring the test lab


The following procedures provide instructions to install the operating system, configure TCP/IP, and
add required role services and features on computers in the test lab.
1. Configure DC1
2. Configure DHCP1
3. Configure Client1
4. Configure IPAM1
Configure DC1
DC1 is a computer running Windows Server 2012, providing the following services:
• A domain controller for the contoso.com Active Directory domain.
• An authoritative DNS server for the contoso.com DNS zone.
Initial configuration of DC1 consists of the following steps:
• Install the operating system and configure TCP/IP on DC1
• Install Active Directory and DNS on DC1
• Create a domain administrator account
Additional tasks will be performed on DC1 during the demonstration portion of the test lab.

Install the operating system and configure TCP/IP on DC1


To install the operating system and configure TCP/IP on DC1
1. Start your computer using the Windows Server 2012 product disc or other digital media.
2. When prompted, enter a product key, accept license terms, configure clock, language, and
regional settings, and provide a password for the local Administrator account.
3. Press Ctrl+Alt+Delete and sign-in using the local Administrator account.
4. If you are prompted to enable Windows Error Reporting, click Accept.
5. Click Start, type ncpa.cpl, and then press ENTER. The Network Connections control panel
will open.

Tip

The previous step demonstrates new functionality in Windows Server 2012 that enables
you to search and run applications, settings, and files by clicking Start and then typing a
search term. You can also open the Network Connections control panel by clicking
next to Wired Ethernet Connection in Server Manager using the Local Server view.
For more information, see Common Management Tasks and Navigation in Windows
Server 2012 (http://go.microsoft.com/fwlink/p/?LinkId=242147).
6. In Network Connections, right-click Wired Ethernet Connection and then
click Properties.
7. Double-click Internet Protocol Version 4 (TCP/IPv4).
8. On the General tab, choose Use the following IP address.
9. Next to IP address type 10.0.0.1 and next to Subnet mask type 255.255.255.0. It is not
necessary to provide an entry next to Default gateway.
10. Next to Preferred DNS server, type 10.0.0.1.
11. Click OK twice, and then close the Network Connections control panel.

Install Active Directory and DNS on DC1


DC1 will serve as the primary domain controller and DNS server for the contoso.com Active
Directory domain.
To configure DC1 as a domain controller and DNS server
1. In the Server Manager navigation pane, click Configure this local server.
2. Under PROPERTIES, click the name next to Computer name. The System
Properties dialog box will open.
3. On the Computer Name tab, click Change and then type DC1 under Computer name.
4. Click OK twice, and then click Close.
5. When you are prompted to restart the computer, click Restart Now.
6. After restarting the computer, sign-in using the local Administrator account.
7. In Server Manager, under Configure this local server, click Add Roles and Features.
8. In the Add Roles and Features Wizard, click Next three times, and then on the Select
server roles page select the Active Directory Domain Services checkbox.
9. When you are prompted to add required features, click Add Features.
10. Select the DNS Server checkbox.
11. When you are prompted to add required features, click Add Features.
12. Click Next four times, and then click Install.
13. Wait for the installation process to complete, verify on the Installation progress page
that Configuration required. Installation succeeded on DC1 is displayed, and then
click Close.
14. Click the Notification flag and then click Promote this server to a domain controller. See
the following example.

Note

There is a link displayed on the Installation progress page of the Add Roles and
Features Wizard to promote the server to a domain controller after installation of AD
DS is complete. However, if you close the Installation progress page, additional
configuration tasks can always be accessed by clicking the Notification flag.
15. In the Active Directory Domain Services Configuration Wizard, on the Deployment
Configuration page, choose Add a new forest and then next to Root domain name,
type contoso.com.
16. Click Next, and then on the Domain Controller Options page, under Type the Directory
Services Restore Mode (DSRM) password, type a password next
to Password and Confirm password. Confirm that Domain Name System (DNS)
server and Global Catalog (GC) are selected, and then click Next.
17. Click Next five times and then click Install.

Tip

If An error was detected in the DNS configuration is displayed on the DNS Options
page, you can ignore this message.
18. The computer will restart automatically to complete the installation process.
19. Sign in using the CONTOSO\Administrator account.

Create a domain administrator account


A user account that is a member of Domain Admins is required to complete the test lab.

Tip

You can use the CONTOSO\Administrator account in this test lab and skip creation of a
domain administrator account if desired. This account has domain administrator
privileges, and other privileges. However, it is a best practice to disable or rename this
account. For more information, see Active Directory Best Practices
(http://go.microsoft.com/fwlink/p/?LinkID=243071).
To create a domain administrator account
1. On the Server Manager menu bar, click Tools, and then click Active Directory Users and
Computers.
2. In the Active Directory Users and Computers console tree, double-click contoso.com,
right-click Users, point to New, and then click User.
3. In the New Object – User dialog box, type user1 under User logon name and next to Full
name, then click Next.
4. Next to Password and Confirm password, type a password for the user1 account.
5. Clear the checkbox next to User must change password at next logon, select
the Password never expires checkbox, click Next, and then click Finish.
6. Double-click user1 and then click the Member Of tab.
7. Click Add, type domain admins under Enter the object names to select, click OK twice,
and then close the Active Directory Users and Computers console.
8. Click Start, click Administrator, and then click Sign out.
9. Sign in to the computer using the user1 credentials by clicking the left arrow next
to CONTOSO\Administrator and then clicking Other user.

Configure DHCP1
DHCP1 is a computer running Windows Server 2012, providing the following services:
• A DHCP server.
Initial configuration of DHCP1 consists of the following steps:
• Install the operating system and configure TCP/IP on DHCP1
• Install and configure DHCP on DHCP1

Install the operating system and configure TCP/IP on DHCP1

Tip

The procedure below is identical to the steps used to install the operating system and
configure TCP/IP on DC1, with the exception that DHCP1 is configured with an IP
address of 10.0.0.2.
To install the operating system and configure TCP/IP on DHCP1
1. Start your computer using the Windows Server 2012 product disc or other digital media.
2. When prompted, enter a product key, accept license terms, configure clock, language, and
regional settings, and provide a password for the local Administrator account.
3. Press Ctrl+Alt+Delete and sign-in using the local Administrator account.
4. If you are prompted to enable Windows Error Reporting, click Accept.
5. In the Server Manager navigation pane, click Local Server and then click the IP address next
to Wired Ethernet Connection. The Network Connections control panel will open.
6. In Network Connections, right-click Wired Ethernet Connection and then
click Properties.
7. Double-click Internet Protocol Version 4 (TCP/IPv4).
8. On the General tab, choose Use the following IP address.
9. Next to IP address type 10.0.0.2 and next to Subnet mask type 255.255.255.0. It is not
necessary to provide an entry next to Default gateway.
10. Next to Preferred DNS server, type 10.0.0.1.
11. Click OK twice, and then close the Network Connections control panel.

Install and configure DHCP on DHCP1


DHCP1 is a domain member server running the DHCP Server role service.
To install DHCP on DHCP1
1. In the Server Manager navigation pane, click Local Server and then click the name next
to Computer name. The System Properties control panel will open.
2. On the Computer Name tab, click Change and then type DHCP1 under Computer name.
3. Under Member of, select Domain, type contoso.com, and then click OK.
4. When you are prompted to provide credentials to join the domain, enter the credentials for
the user1 account that was created previously and then click OK.
5. Confirm that computer name and domain changes were successful, click OK twice, and then
click Close.
6. When you are prompted to restart the computer, click Restart Now.
7. After restarting the computer, sign-in using the CONTOSO\user1 account.
8. In Server Manager, under Configure this local server, click Add Roles and Features.
9. In the Add Roles and Features Wizard, click Next three times, and then on the Select
server roles page select the DHCP Server checkbox.
10. When you are prompted to add required features, click Add Features.
11. Click Next three times, and then click Install.
12. Wait for the installation process to complete, verify on the Installation progress page
that Configuration required. Installation succeeded on DHCP1.contoso.com is
displayed, and then click Close.

To configure DHCP on DHCP1


1. On the Server Manager menu, click the Notification flag and then click Complete DHCP
configuration.
2. In the DHCP Post-Install configuration wizard, click Next and then click Commit.
3. On the Server Manager menu bar, click Tools and then click DHCP. The DHCP console
opens.
4. In the DHCP console tree, navigate to IPv4. Right-click IPv4 and then click New Scope.
The New Scope Wizard opens.
5. Click Next and then type a name for the new scope next to Name (ex: Contoso-scope1).
6. Click Next and then in IP Address Range, type 10.0.0.1 next to Start IP address,
type 10.0.0.254 next to End IP address, and type 24 next to Length. The value of Subnet
mask will change automatically to 255.255.255.0.
7. Click Next, and then in Add Exclusions and Delay type 10.0.0.1 under Start IP address,
type 10.0.0.10 under End IP address, and then click Add. This allows the first ten IP
addresses in the 10.0.0.0/24 subnet to be used for static addressing of servers on the
network.
8. Click Next and then in Lease Duration under Limited to enter 0 Days, 0 Hours, and 2
Minutes. This very short lease duration will simplify generation of more DHCP leases to
review for the IP address auditing demonstration.
9. Click Next three times, and then in Domain Name and DNS Servers, verify that the Parent
domain is contoso.com and 10.0.0.1 is listed as the only DNS server.
10. Click Next twice, and then in Activate Scope select Yes, I want to activate this scope
now.
11. Click Next, and then click Finish.
12. Refresh the view in the DHCP console and verify that DHCP1 is authorized and that the
Contoso-scope1 is active.
Note: To review scopes on the current server using Windows PowerShell, right-click
Windows PowerShell, click Run as Administrator, click Yes in the User Account
Control alert that appears, and then type the following command at the Windows
PowerShell prompt, and then press ENTER.
get-dhcpserverv4scope

PS C:\Windows\system32> get-dhcpserverv4scope

ScopeId   SubnetMask     Name            State   StartRange  EndRange    LeaseDuration
-------   ----------     ----            -----   ----------  --------    -------------
10.0.0.0  255.255.255.0  Contoso-scope1  Active  10.0.0.1    10.0.0.254  00:02:00
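
The New Scope Wizard steps above can also be scripted and then checked against the values the lab expects. This PowerShell is an added example, not part of the original guide; it uses the DhcpServer module cmdlets with this lab's values, assumes an elevated session on DHCP1 after the post-install wizard (steps 1 and 2) has been committed, and the function name and the one-hour lease threshold are assumptions.

```powershell
# Added example: scripted form of the New Scope Wizard steps, using this lab's values.
$scopeId = '10.0.0.0'

# Create the scope only if it does not exist yet, so the script can be re-run safely.
if (-not (Get-DhcpServerv4Scope -ScopeId $scopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name 'Contoso-scope1' -StartRange 10.0.0.1 -EndRange 10.0.0.254 `
        -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Minutes 2) -State Active

    # Keep the first ten addresses out of the pool for statically addressed servers.
    Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange 10.0.0.1 -EndRange 10.0.0.10

    # Parent domain and the single DNS server (DC1).
    Set-DhcpServerv4OptionValue -ScopeId $scopeId -DnsDomain contoso.com -DnsServer 10.0.0.1
}

function Test-LabDhcpScope {
    # Returns one finding per check so that deviations from the lab values are visible.
    param(
        [string]$ScopeId = '10.0.0.0',
        [string]$ServerIp = '10.0.0.2',                        # DHCP1 in this lab
        [timespan]$MinProductionLease = (New-TimeSpan -Hours 1) # assumption, not from the guide
    )

    $scope      = Get-DhcpServerv4Scope -ScopeId $ScopeId -ErrorAction SilentlyContinue
    $exclusions = @(Get-DhcpServerv4ExclusionRange -ScopeId $ScopeId -ErrorAction SilentlyContinue)
    $dns        = Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    $authorized = @(Get-DhcpServerInDC | Where-Object { "$($_.IPAddress)" -eq $ServerIp })

    $checks = [ordered]@{
        'Server authorized in Active Directory' = $authorized.Count -gt 0
        'Scope exists and is active'            = ($null -ne $scope) -and ("$($scope.State)" -eq 'Active')
        'Server addresses 10.0.0.1-10 excluded' = @($exclusions | Where-Object {
                "$($_.StartRange)" -eq '10.0.0.1' -and "$($_.EndRange)" -eq '10.0.0.10' }).Count -gt 0
        'Only DNS server is 10.0.0.1'           = ($null -ne $dns) -and (@($dns.Value).Count -eq 1) -and
                                                  (@($dns.Value)[0] -eq '10.0.0.1')
        'Lease duration is not a lab-only value' = ($null -ne $scope) -and
                                                  ($scope.LeaseDuration -ge $MinProductionLease)
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }
}

Test-LabDhcpScope | Format-Table -AutoSize
```

The last check is expected to fail in this lab: the two-minute lease exists only to generate lease events for the auditing demonstration.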

Configure Client1
Client1 is a computer running Windows® 8 that is acting as a DHCP client. Configuration of Client1
consists of the following steps:
• Install the operating system and configure TCP/IP on Client1
• Join Client1 to the contoso.com domain
During the demonstration portion of the test lab, Client1 will receive DHCP leases from DHCP1.

Install the operating system and configure TCP/IP on Client1

To install the operating system and configure TCP/IP on Client1
1. Start your computer using the Windows 8 product disc or other digital media.
2. When prompted, enter a product key and accept license terms.
3. When prompted to enter a computer name, type Client1 and click Next.
4. Click Use express settings.
5. On the Sign in to your PC page, click Don’t want to sign in with a Microsoft
account and then click Local account.
6. Next to User name, type user1, enter a password and password hint, and then click Finish.

Join Client1 to the contoso.com domain


In order for Client1 to receive Group Policy settings, it must be joined to the contoso.com domain.
To join Client1 to the contoso.com domain
1. Click Start, type sysdm.cpl and then press ENTER.
2. In the System Properties dialog box, click Change.
3. Under Member of, choose Domain, type contoso.com and then click OK.
4. When you are prompted to enter an account with permission to join the domain, provide
the credentials for the user1 account, and then click OK.
5. Confirm that Welcome to the contoso.com domain is displayed, click OK twice, and then
click Close.
6. When you are prompted to restart the computer, click Restart Now.
7. After restarting the computer, press Ctrl+Alt+Delete, click the left arrow, click Other user,
and sign in using credentials for the CONTOSO\user1 account.

Configure IPAM1
IPAM1 is a computer running Windows Server 2012, providing the following services:
• An IPAM server.
Initial configuration of IPAM1 consists of the following steps:
• Install the operating system and configure TCP/IP on IPAM1
• Install and configure IPAM on IPAM1

Install the operating system and configure TCP/IP on IPAM1

Tip

The procedure below is identical to the steps used to install the operating system and
configure TCP/IP on DC1 and DHCP1, with the exception that IPAM1 is configured
with an IP address of 10.0.0.3.
To install the operating system and configure TCP/IP on IPAM1
1. Start your computer using the Windows Server 2012 product disc or other digital media.
2. When prompted, enter a product key, accept license terms, configure clock, language, and
regional settings, and provide a password for the local Administrator account.
3. Press Ctrl+Alt+Delete and sign-in using the local Administrator account.
4. If you are prompted to enable Windows Error Reporting, click Accept.
5. In the Server Manager navigation pane, click Local Server and then click the IP address next
to Wired Ethernet Connection. The Network Connections control panel will open.
6. In Network Connections, right-click Wired Ethernet Connection and then
click Properties.
7. Double-click Internet Protocol Version 4 (TCP/IPv4).
8. On the General tab, choose Use the following IP address.
9. Next to IP address type 10.0.0.3 and next to Subnet mask type 255.255.255.0. It is not
necessary to provide an entry next to Default gateway.
10. Next to Preferred DNS server, type 10.0.0.1.
11. Click OK twice, and then close the Network Connections control panel.

Install and configure IPAM on IPAM1


IPAM1 is a domain member server running the IPAM feature. The following procedure provides
steps to install the IPAM feature using Server Manager. First, the computer will be renamed and
joined to the contoso.com domain.
To install IPAM on IPAM1
1. In the Server Manager navigation pane, click Local Server and then click the name next
to Computer name. The System Properties control panel will open.
2. On the Computer Name tab, click Change and then type IPAM1 under Computer name.
3. Under Member of, select Domain, type contoso.com, and then click OK.
4. When you are prompted to provide credentials to join the domain, enter the credentials for
the user1 account that was created previously and then click OK.
5. Confirm that computer name and domain changes were successful, click OK twice, and then
click Close.
6. When you are prompted to restart the computer, click Restart Now.
7. After restarting the computer, sign-in using the CONTOSO\user1 account.
8. In Server Manager, under Configure this local server, click Add Roles and Features.
9. In the Add Roles and Features Wizard, click Next four times, and then on the Select
features page select the IP Address Management (IPAM) Server checkbox.
10. When you are prompted to add required features, click Add Features.
11. Click Next, and then click Install.
12. Wait for the installation process to complete, verify on the Installation progress page
that Installation succeeded on IPAM1.contoso.com is displayed, and then click Close.
To configure IPAM
1. In the Server Manager navigation pane, click IPAM. The IPAM Overview page is displayed.
By default, the IPAM client is connected to the local server.
2. Click provision the IPAM server. The Provision IPAM wizard will launch.
3. Click Next. By default, the Group Policy Based provisioning method is chosen.
4. Next to GPO name prefix, type IPAM1 and then click Next.
5. On the Summary page, confirm that the GPO names displayed
are IPAM1_DHCP, IPAM1_DNS, and IPAM1_DC_NPS, and then click Apply.
6. Wait for provisioning to complete, and then on the Completion page verify that IPAM
provisioning completed successfully is displayed.
7. Click Close, and then in the Overview pane, click configure server discovery.
8. In the Configure Discovery Settings dialog box, under Select IPAM domains for
discovery, click Add next to (root domain) contoso.com.
9. Verify that the contoso.com domain was added and the server roles selected include
Domain controller, DHCP server, and DNS server.
10. When you are prompted that the discovery scope has been updated, click OK.
11. Click start server discovery, and then click OK when you are prompted that discovery has
started.
12. Click the Notification flag and then click Task Details.
13. Wait for the IPAM ServerDiscovery task to display a status of Complete under Stage, and
then close the Task Details dialog box.
14. In IPAM OVERVIEW, click select or add servers to manage and verify IPAM access. If no
servers are displayed, click the Refresh IPv4 icon located next to the Notification flag. The
DHCP1 and DC1 servers will be displayed with a manageability status of Unspecified and
an IPAM access status of Blocked.
Next, IPAM1 must be granted permission to manage DHCP1 and DC1 using Group Policy
Objects (GPOs).
15. On IPAM1, right-click Windows PowerShell and then click Run as Administrator.
Click Yes in the User Account Control alert that is displayed.
16. At the Windows PowerShell prompt, type the following command:
    Invoke-IpamGpoProvisioning -Domain contoso.com -GpoPrefixName IPAM1 -DelegatedGpoUser user1 -IpamServerFqdn ipam1.contoso.com
17. Press ENTER to run the command.

18. When you are prompted to confirm the action, press ENTER.
19. On the Server Manager menu, click Tools and then click Group Policy Management.
20. In the Group Policy Management console tree, navigate to contoso.com\Group Policy
Objects and verify that three GPOs have been created
named IPAM1_DC_NPS, IPAM1_DHCP, and IPAM1_DNS.

21. Close the Group Policy Management console.


22. In the IPAM > SERVER INVENTORY pane, right-click dhcp1 and then click Edit Server.
23. In the Add or Edit Server dialog box, next to Manageability status, choose Managed, and
then click OK.
24. Right-click DC1, click Edit Server, choose Managed, and then click OK.
25. On DHCP1, click Windows PowerShell, type gpupdate /force, and then press ENTER.
26. On DC1, click Windows PowerShell, type gpupdate /force, and then press ENTER.
27. On IPAM1, click the Refresh IPv4 icon and verify that UnBlocked is displayed under IPAM
Access Status for DHCP1 and DC1.
Tip

You might need to wait a few minutes and refresh the IPAM console view for IPAM
access status to be updated on managed servers after changing manageability status.
28. In IPAM > OVERVIEW, click retrieve data from managed servers.
29. Click the Notification flag and wait for all tasks to complete.
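
The GPO check in steps 19 to 21 can be scripted and extended to show who is able to edit each GPO, which matters because -DelegatedGpoUser gives user1 edit rights on the IPAM GPOs. This is an added example, not part of the original walkthrough; the Get-IpamGpoAudit function name and the $expectedEditors list are hypothetical, and the script assumes the GroupPolicy module is installed.

```powershell
# Added example: audit the three IPAM provisioning GPOs from this lab.
# Run on IPAM1 (or any domain-joined computer with the GroupPolicy module).
Import-Module GroupPolicy

$domain   = 'contoso.com'                              # lab domain
$gpoNames = 'IPAM1_DHCP', 'IPAM1_DNS', 'IPAM1_DC_NPS'  # GPO names from step 5
# Assumption: the only principals expected to hold edit rights in this lab.
$expectedEditors = 'Domain Admins', 'Enterprise Admins', 'SYSTEM', 'user1'

function Get-IpamGpoAudit {
    param(
        [string[]]$Name,
        [string]$Domain,
        [string[]]$ExpectedEditors
    )
    foreach ($gpoName in $Name) {
        try {
            $null = Get-GPO -Name $gpoName -Domain $Domain -ErrorAction Stop
        }
        catch {
            [pscustomobject]@{ Gpo = $gpoName; Trustee = ''; Permission = ''; Finding = 'REVIEW: GPO not found' }
            continue
        }
        # Get-GPPermissions is the Windows Server 2012 cmdlet name.
        $acl = Get-GPPermissions -Name $gpoName -DomainName $Domain -All
        foreach ($entry in $acl) {
            $finding = switch -Wildcard ([string]$entry.Permission) {
                'GpoApply'  { 'Policy applies to this trustee'; break }
                'GpoEdit*'  {
                    if ($ExpectedEditors -contains $entry.Trustee.Name) { 'Expected editor' }
                    else { 'REVIEW: unexpected edit rights' }
                    break
                }
                'GpoCustom' { 'REVIEW: custom ACL, inspect in Group Policy Management'; break }
                default     { 'Read or no access' }
            }
            [pscustomobject]@{
                Gpo        = $gpoName
                Trustee    = $entry.Trustee.Name
                Permission = $entry.Permission
                Finding    = $finding
            }
        }
    }
}

Get-IpamGpoAudit -Name $gpoNames -Domain $domain -ExpectedEditors $expectedEditors |
    Sort-Object Gpo, Trustee |
    Format-Table -AutoSize
```

Running it again after steps 23 to 26 shows whether the trustees with GpoApply have changed once DHCP1 and DC1 are set to Managed.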

IPAM demonstration
A demonstration of IPAM on Windows Server 2012 includes the following procedures:
1. Address space management
o Create, delete, import and export IP addresses
o Find available IP addresses and create reservations
o Create custom logical groups
2. Infrastructure monitoring and management
3. Review audit logs and events

Address space management


In IPAM, IP address blocks are large chunks of IP addresses that are used for organization of address
space. IP address ranges are smaller chunks of IP addresses that typically correspond to a DHCP
scope. IP address ranges are mapped to IP address blocks.
IP addresses can be entered into IPAM manually, or by importing from a comma-delimited file.
Addresses can also be exported to a file in comma-delimited format.

Create, delete, import and export IP addresses


The following procedure demonstrates how IP address blocks, ranges, and addresses can be
created, deleted, exported, and imported in IPAM.
To create, delete, import, and export IP addresses
1. In the upper IPAM navigation pane, click IP Address Blocks.
2. In the lower navigation pane, right-click IPv4 and then click Add IP Address Block.

Note

The IP address block you create is automatically added to public or private address space according t
3. In the Add or Edit IPv4 Address Block dialog box, next to Network ID, type 10.0.0.0.
4. Next to Prefix Length, choose 8. This is the /8 block that contains the /24 subnet that is
being dynamically allocated by DHCP1.
5. Click OK, and then next to Current View choose IP Address Blocks.

6. On the Configuration Details tab, next to Utilized Addresses, note that one IP address is
currently in use. This corresponds to the lease issued by DHCP1 for Client1.
7. Next to Current view, choose IP Address Ranges.
8. On the Configuration Details tab, review the information displayed. Details are provided
for Contoso-scope1 supplied by dhcp1.contoso.com.
9. In the lower navigation pane, right-click IPv6 and then click Add IP Address Block.
10. Under Specify the Network ID, type 21da:d3:0:2f3b:: and then move the slider next
to Specify Prefix length so that the prefix is 64, and then click OK.
11. Choose IP Address Blocks next to Current view and confirm that
the 21da:d3:0:2f3b::/64 block was successfully added.
12. Right-click IPv4 and add the following IP address blocks:
o 192.168.0.0/24
o 192.168.1.0/24
13. Right-click IPv4 and add the 207.46.0.0/16 address block. Since this is public address
space, you must choose a regional Internet registry. Choose ARIN, and if desired, supply
dates and a description for this block of public IP address space.

14. Ensure that the Current view selected is IP Address Blocks and click the Network field to
sort by highest to lowest network ID. Also try sorting by some other fields.
15. In the lower navigation pane, under IPv4, click Public Address Space and verify that
the 207.46.0.0/16 IP address block is displayed.
16. Right-click IPv4 and then click Add IP Address Range.
17. Next to Network ID, type 192.168.0.0, choose 25 next to Prefix length, and then click OK.
18. Right-click IPv4 and add the following IP address ranges:
o 192.168.0.128/25
o 192.168.1.0/25
o 192.168.1.128/25
19. Right-click IPv4, and then click Add IP Address.
20. In the Add IP Address dialog box, next to IP address, type 192.168.0.1.
21. Next to MAC address, type 112233445566 and then click OK.
22. Next to Current view, choose IP Addresses and verify that the static IP
address 192.168.0.1 was added, and that it is automatically assigned to the 192.168.0.1-
192.168.0.126 range.
23. With the current view set to IP Addresses, click TASKS and then click Export.
24. Choose a location where you want to save the file.
25. In the Save As dialog box, type ip-addresses next to File name and then click Save.
26. Right-click the ip-addresses.csv file and then click Edit.
27. Highlight the line containing the 192.168.0.1 IP address, right-click the line, and then
click Copy.

28. Paste the contents of the copied line underneath the text four times, so that you create a
total of six rows of text, with the first row containing the column headers.
29. Change the IP address in all five lines from 192.168.0.1 to values ranging from 192.168.0.2 –
192.168.0.6 and then save the file.
30. Right-click IPv4 and then click Import IP Addresses.
31. Select the ip-addresses.csv file and then click Open.
32. In the Import IP Addresses dialog box, verify that 5 out of 5 records successfully
imported is displayed, and then click OK.
33. Verify that five new IP addresses were added to the 192.168.0.1-192.168.0.126 range.
34. Right-click the 192.168.0.6 IP address and then click Delete.
35. Verify that the 192.168.0.6 IP address was removed from the list.
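
Steps 26 to 29 can also be done with a script. The following added example (not part of the original walkthrough) clones the exported 192.168.0.1 row into rows for 192.168.0.2 through 192.168.0.6 and rejects any address outside the usable host span of 192.168.0.0/25, which is the 192.168.0.1-192.168.0.126 range named in step 22. The CSV text is a constructed sample with assumed column names, and the function names are hypothetical; the address column is located by value, so the header names of a real export do not matter.

```powershell
# Added example. The CSV text is a constructed sample, not a real IPAM export;
# its column names are assumptions.
$exported = @'
IP Address,MAC Address,Device Type,Assignment Type
192.168.0.1,112233445566,Host,Static
'@

# Dotted-quad IPv4 address -> number, so addresses can be compared.
function ConvertTo-IpNumber ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($b.Length -ne 4) { throw "$Ip is not an IPv4 address" }
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

# First and last usable host address of a subnet (network and broadcast excluded).
function Get-UsableSpan ([string]$NetworkId, [int]$PrefixLength) {
    if ($PrefixLength -lt 1 -or $PrefixLength -gt 30) { throw 'Prefix length must be 1-30' }
    $size    = [long][math]::Pow(2, 32 - $PrefixLength)
    $network = ConvertTo-IpNumber $NetworkId
    if ($network % $size -ne 0) { throw "$NetworkId is not a /$PrefixLength boundary" }
    [pscustomobject]@{ First = $network + 1; Last = $network + $size - 2 }
}

function New-IpamImportRow {
    param(
        [string]$Csv, [string]$TemplateIp, [string[]]$NewIp,
        [string]$NetworkId, [int]$PrefixLength
    )
    $template = $Csv | ConvertFrom-Csv |
        Where-Object { $_.PSObject.Properties.Value -contains $TemplateIp } |
        Select-Object -First 1
    if (-not $template) { throw "No exported row contains $TemplateIp" }

    # Locate the address column by value, so the real export's header names work too.
    $ipColumn = ($template.PSObject.Properties |
        Where-Object { $_.Value -eq $TemplateIp } |
        Select-Object -First 1).Name
    $span = Get-UsableSpan $NetworkId $PrefixLength

    foreach ($ip in $NewIp) {
        $n = ConvertTo-IpNumber $ip
        if ($n -lt $span.First -or $n -gt $span.Last) {
            throw "$ip is outside the usable span of $NetworkId/$PrefixLength"
        }
        $row = $template | Select-Object -Property *   # copy, keeping every other column
        $row.$ipColumn = $ip
        $row
    }
}

$newIps = 2..6 | ForEach-Object { "192.168.0.$_" }
New-IpamImportRow -Csv $exported -TemplateIp '192.168.0.1' -NewIp $newIps `
    -NetworkId '192.168.0.0' -PrefixLength 25 |
    ConvertTo-Csv -NoTypeInformation
```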

Find available IP addresses and create reservations


A network administrator might wish to locate an available IP address and use it for static assignment
to a network device. The following steps demonstrate how to use the Find and Allocate Available
IP Address function in IPAM for this scenario.
To find, reserve, and reclaim IP addresses
1. With the Current view set to IP Address Ranges, right-click the 10.0.0.1/24 range that is
assigned by DHCP1 and then click Find and Allocate Available IP Address.
2. Because the first ten IP addresses are reserved in the Contoso-scope1 DHCP scope, and
Client1 has been allocated the first available IP address, the first available IP address will be
10.0.0.12.
3. Wait a few seconds for Ping Reply Status and DNS Record Status to resolve and
display No Reply and Not Found, respectively.
4. Click Basic Configurations.
5. Next to MAC address, type 112233445566 and next to Device type choose VOIP
Gateway.
6. Click DHCP Reservation.
7. Next to Reservation server name, choose dhcp1.contoso.com. The Reservation scope
name will automatically display Contoso-scope1.
8. Next to Reservation name, type voip-gw, and then next to Reservation type,
choose Both.
9. Click DNS Record.
10. Next to Device name, type voip-gw, next to Forward lookup zone, choose contoso.com,
and then next to Forward lookup primary server choose DC1.contoso.com.
11. If a reverse lookup zone has not been created yet, no in-addr.arpa zone is available to
select.
12. Click OK, and then in the IPAM navigation pane under IP ADDRESS SPACE, click IP
Address Inventory.
13. In the lower navigation pane, click the arrow next to IPv4 to expand IPv4 and then
click VOIP Gateway.
14. Verify that the 10.0.0.12 IP address is displayed.

Tip

So far, changes have only been made to the IPAM database. The following steps
will be used to create a DHCP reservation and DNS host record.
15. Right-click the 10.0.0.12 IP address and then click Create DNS Host Record.

16. Right-click the 10.0.0.12 IP address and then click Create DHCP Reservation.
17. On the Configuration Details tab, verify that Create Success is displayed next to DHCP
reservation sync and DNS Host Record sync.
18. On DHCP1, in the DHCP console, verify that the reservation is present in the Contoso-
scope1 DHCP scope.
19. On DC1, in DNS Manager, verify that the host record is present.

20. On IPAM1, right-click the 10.0.0.12 IP address and then click Edit IP Address.
21. Under Basic Configurations, click Select a date next to Assignment date and enter
today’s date.
22. Click Select a date next to Expiry date, select a date one month from today, and then
click OK.
Important

Expiry settings are alerts you can create for objects in the IPAM database. When a
reserved IP address passes the expiry date, it is not removed from reservations on the
DHCP server, but IPAM will provide events and alerts when the expiry date is close.
23. Verify that Valid is displayed under Expiry Status.
24. Click TASKS and then click IP Address Expiry Log Settings.
25. Under Expiry Alert Threshold, type 31.
26. Under Logging Frequency, choose Log all expiry status messages periodically and then
click OK.

Tip

By default, expiry logging begins 10 days before the expiration date. When you choose
to log alerts periodically, they will be logged each time the expiry task runs. The expiry
task runs once each day by default, but can be configured to run more or less frequently.
27. Refresh the IPAM console view and verify that Expiry Due is displayed under Expiry Status.
28. Edit the IP address again and change the assignment date and expiry date to one week in
the past. Verify that the address is now displayed as Expired.
29. Right-click the 10.0.0.12 address and then click Delete DHCP Reservation. This removes
the DHCP reservation from the DHCP server.
30. Right-click the 10.0.0.12 address and then click Delete DNS Host Record. This removes the
forward lookup record from the authoritative DNS server.
31. Click IP Address Blocks in the IPAM navigation pane and change the current view to IP
Address Ranges.
32. Highlight all the available ranges by holding down the SHIFT key and clicking the top and
bottom ranges.
33. Right-click the highlighted IP address ranges, and then click Reclaim IP Addresses.
34. Under Select IP addresses to be reclaimed, select the checkbox next to the 10.0.0.12
address, click Reclaim and then click Close. This removes the IP address from the IPAM
database.
Tip

Reclaiming IP addresses allows you to visualize expiry status and delete multiple IP
addresses. You can also right-click one or more IP addresses and click Delete to remove
IP addresses from the IPAM database.

Create custom logical groups


The IP Address Inventory group is a built-in group with IP addresses organized by device type. In
addition, IPAM allows you to create custom logical groups, as shown in the following procedure.
To create custom logical groups
1. In the IPAM navigation pane, under IP ADDRESS SPACE, click IP Address Range Groups.
2. On the Server Manager menu, click Manage and then click IPAM settings.
3. In the IPAM settings dialog box, click Configure custom fields.
4. In the Configure Custom Fields dialog box, under Add custom fields below, scroll to the
bottom of the list, type Building for the Custom Field Name, and then
select Yes under Multi-Value.
5. Press ENTER or TAB to commit the new custom field name. A blank line will open that can
be used for additional custom fields.
6. Click Building and then under Custom Field Value type the following values. Press ENTER
after you type each one:
a. Headquarters
b. Operations
c. Sales
d. Data Center

7. Repeat the previous step to add another custom field named Floor with the following two
custom field values:
o First
o Second
8. Click OK twice, and then click Close.
9. Click IP Address Ranges, right-click the 192.168.0.0/25 range, and then click Edit IP
Address Range.
10. Click Custom Configurations, and then next to Custom field to configure,
choose Building.
11. Next to Specify a value, choose Headquarters and then click Add.
12. Choose Floor next to Custom field to configure, choose First, and then click Add.
13. Edit the other three IP address ranges and add a unique building and a floor to each.

Tip

You can also select multiple IP address ranges and add custom fields to all the ranges in
one step.
14. Refresh the IP Address Ranges view, right-click the column header and then
select Building and Floor as two of the fields to display. The building and floor are now
displayed with each IP address range in the list.
15. Right-click IPv4 and then click Add IP Address Range Group.
16. Under Provide name of the address range group, type Building/Floor.
17. Under Custom Fields, select Building and then select Floor so that items are grouped first
by Building and then by Floor.
18. Click OK, and then click the arrow next to IPv4.
19. Verify that you can view IP address ranges by building and floor.

Infrastructure monitoring and management


The following procedure demonstrates how DHCP and DNS servers can be monitored from the
IPAM server.
To monitor and manage DHCP and DNS servers
1. In the IPAM navigation pane, under MONITOR AND MANAGE, click DNS and DHCP
Servers.
2. Next to Server Type, note that you can choose DNS, DHCP, or DNS and DHCP. The server
availability, duration in current state, server name, server role, domain name, and IP address
are displayed.
3. Click dhcp1.contoso.com, and then under Details View review the information provided on
the Server Properties, Options, and Event Catalog tabs.
4. Right-click the DHCP server and note that you can directly configure the DHCP server from
the IPAM console.
5. Next to Server Type choose DHCP and then next to View choose Scope properties.
6. Right-click the Contoso-scope1 DHCP scope and then click Duplicate DHCP Scope.
7. In the Duplicate DHCP Scope dialog box, change the Scope name to Contoso-scope2.
8. Type the following values under General Properties:
o Start IP address: 10.0.1.1
o End IP address: 10.0.1.254
o Subnet mask: 255.255.255.0

9. In the left pane, click DNS Updates, click Options, and click Advanced. Note that all the
scope properties have already been configured identically to the Contoso-scope1 DHCP
scope. You can also edit these values if desired.
10. Click OK and verify that a new DHCP scope is displayed in the list with the Scope
Name Contoso-scope2.
11. Refresh the DHCP console on DHCP1 and verify that the Contoso-scope2 DHCP scope is
configured and activated.
12. On IPAM1, select both DHCP scopes using SHIFT, right-click the scopes and then click Edit
DHCP Scope.
13. In the left pane, click Options.
14. Next to Configuration action, choose Add, and next to Option choose 003 Router.
15. Under IP Address, click 0.0.0.0 and click Delete.
16. Under IP Address, type 10.0.0.10, press ENTER, and then click Add to list.
17. Click OK and verify that a new 003 Router option has been added to both DHCP scopes.
The next time that Client1 renews a DHCP lease it will receive this configuration option.

Tip

You can use this method to bulk-edit options on multiple DHCP scopes at once.
In the previous example, the Add function was used. You can also
choose Overwrite, Find and replace, or Delete.
18. Next to Server Type, choose DNS.
19. Under Details View, review the information provided on the Server Properties, DNS
Zones, and Event Catalog tabs.
20. Right-click DC1.contoso.com and then click Launch MMC. Note that you can directly
configure zones on DC1.
21. In the IPAM navigation pane, click DHCP Scopes and review the information under Details
View on the Scope properties and Options tabs.
22. In the IPAM navigation pane, click DNS Zone Monitoring and review the information on
the Zone Properties and Authoritative Servers tabs.
23. In the IPAM navigation pane, click Server Groups.
24. Right-click IPv4 and note that the same logical group functionality that is available for IP
address ranges is also available for managed servers. Custom fields are available by editing
server properties and selecting the Custom Configuration menu item. This provides a highly
customizable managed server display.
Review audit logs and events
IPAM also allows you to track several types of events on DNS and DHCP servers, including both
client and server data.
To review audit logs and events
1. In the IPAM navigation menu, click EVENT CATALOG.
2. By default, IPAM Configuration Events is selected in the lower navigation pane. Review
the events that are displayed.
3. Click DHCP Configuration Events in the lower navigation pane and review the DHCP
events that are displayed.
4. Under IP Address Tracking, click By Host Name.
5. Type Client1 in the search box, and then type dates in the two text boxes next to and
DHCP lease events between these dates in the format of month/day/year. Enter a range
of dates that includes today, and then click Search.
6. Click TASKS and then click Export.
7. In the Save As dialog box, type client1-events next to File name and then click Save.
8. Open the client1-events.csv file in Notepad or Excel to view the list of events.
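
An exported event list is most useful when it can answer which host held an address at a given moment. The following added example (not part of the original walkthrough) replays lease events in time order to answer that question. The CSV rows, their column names (TimeOfEvent, EventType, IpAddress, HostName, ClientId), the event-type strings, the Kiosk7 host and the Get-LeaseHolder function name are all constructed for illustration and must be mapped to the headers of the real client1-events.csv.

```powershell
# Added example. Constructed sample data: the column names and event-type strings
# are assumptions, not the real layout of an IPAM export.
$sample = @'
TimeOfEvent,EventType,IpAddress,HostName,ClientId
2013-03-01 09:00:00,Assign,10.0.0.11,Client1.contoso.com,00155D000A01
2013-03-01 13:00:00,Renew,10.0.0.11,Client1.contoso.com,00155D000A01
2013-03-02 08:30:00,Release,10.0.0.11,Client1.contoso.com,00155D000A01
2013-03-02 10:15:00,Assign,10.0.0.11,Kiosk7.contoso.com,00155D000B02
'@

# Replays lease events for one address in time order and returns the lease
# that was active at $At, or nothing if the address was free at that moment.
function Get-LeaseHolder {
    param([object[]]$Events, [string]$IpAddress, [datetime]$At)

    $format  = 'yyyy-MM-dd HH:mm:ss'
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $timeline = foreach ($e in $Events) {
        if ($e.IpAddress -ne $IpAddress) { continue }
        [pscustomobject]@{
            Time     = [datetime]::ParseExact($e.TimeOfEvent, $format, $culture)
            Type     = $e.EventType
            HostName = $e.HostName
            ClientId = $e.ClientId
        }
    }

    $active = $null
    foreach ($e in ($timeline | Sort-Object Time)) {
        if ($e.Time -gt $At) { break }   # ignore events after the moment asked about
        switch ($e.Type) {
            'Assign'  { $active = $e }
            'Renew'   { if (-not $active) { $active = $e } }   # lease began before the export window
            'Release' { $active = $null }
            'Expire'  { $active = $null }
        }
    }
    if ($active) {
        [pscustomobject]@{
            IpAddress   = $IpAddress
            HostName    = $active.HostName
            ClientId    = $active.ClientId
            LeasedSince = $active.Time
        }
    }
}

$events = $sample | ConvertFrom-Csv
'2013-03-01 15:00', '2013-03-02 09:00', '2013-03-02 11:00' | ForEach-Object {
    "Holder of 10.0.0.11 at ${_}:"
    Get-LeaseHolder -Events $events -IpAddress '10.0.0.11' -At $_ | Format-List
}
```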
