Tactical Advice

Understanding IP Address Management in Windows Server 2012

Manage your network more efficiently with a framework for maintaining and auditing IP address assignment, DNS zone health monitoring and more.
Understanding IP Address Management in Windows Server 2012
Credit: iStockphoto/ThinkStockPhotos

If you currently have no means of automatically tracking IP address utilization or are manually recording IP addresses in a spreadsheet, IP address management (IPAM) can help you organize address assignment and plan better for growth.

IPAM provides IT workers with an overview of network infrastructure services, such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), and stores information about address assignment. The rapid adoption of virtualization and private clouds adds additional challenges to IP address management, but IPAM steps in to record how resources are being used in constantly changing environments.

IPAM integrates with DHCP and Active Directory (AD) to make it easy for IT workers to search IP address records by IP address, client ID, host name or user name and then export that data to a .csv file. IPAM can store up to 3 years of historical IP address information, including which users were logged on to active IP addresses, providing useful forensic information in the event of an investigation.

Managing the IP Address Space

IPAM provides a framework for managing IP addresses in ranges and blocks. A block is a high-level management feature that allows you to group ranges of IP addresses for convenience. You might define blocks to separate public and private IP addresses or to determine IP address ranges for geographical locations. An IP address range usually matches a particular DHCP scope and can belong only to one IP address block.

IP Address Management Windows Server 2012

Figure 1

When IPAM discovers a DHCP scope on your network, it automatically enters the information into its database. Blocks and individual IP addresses are not added automatically but can be added manually or imported from a file.

IP Address management Windows Server 2012

Figure 2

The real power of IPAM lies in its powerful search features, which help you track down how IP addresses are being used, including historical information from the server’s database.

DNS and DHCP Server Management

IPAM can monitor multiple DNS and DHCP servers and can provide DNS and DHCP record synchronization and DHCP server and scope management. IT workers have the ability to edit DHCP scope information, and some IPAM management features can be run simultaneously against multiple servers. IPAM supports a maximum of 150 DHCP and DNS servers, 150 DNS zones and 6,000 DHCP scopes. All infrastructure servers, however, must be part of the same AD forest.

IP Address DHCP management Windows Server 2012

Figure 3

Installing and Provisioning IPAM

IPAM should not be installed on a domain controller (DC), but the server must be a member of the domain. While it is possible to install IPAM on a server running DHCP, it is not recommended, because DHCP server discovery will be disabled.

To install IPAM on Windows Server 2012, log on as a domain administrator, open the PowerShell console with administrative privileges and run the following command:

add-windowsfeature ipam –includemanagementtools

IPAM is managed using Server Manager. In the left pane of Server Manager, select IPAM. This will take you to the Overview page. You should see that the IPAM client is already connected to your newly installed IPAM server. Click Provision the IPAM Server and a new window will open:

  • Click Next on the Before You Begin screen.
  • On the Select Provisioning Method screen, choose Group Policy Based and then enter a prefix, such as IPAM1, in the GPO name prefix box and click Next.
  • Click Apply on the Confirm the Settings screen.
  • Click Close on the Completion screen.

Back in the PowerShell console, let’s provision the Group Policy Objects (GPOs) that will allow this IPAM server to connect to machines in our domain.

The command needed is:

invoke-ipamgpoprovisioning –domain ad.contoso.com –gpoprefixname IPAM1

Replace the domain name in the command above with your AD domain name; the GPO prefix name must match the name that you specified in the IPAM provisioning wizard. Don’t forget that you will need to either wait for Group Policy to refresh on the servers in your domain or run the gpupdate command manually on each server.

  • Back in Server Manager on the IPAM Overview tab, click Configure Server Discovery.
  • In the Configure Server Discovery window, select the domain to discover in the Select Domains to Discover drop down menu, click Add and then OK.

IP address management configure server discovery Windows Server 2012

Figure 4

  • Click Start Server Discovery in the IPAM Overview tab.
  • Once server discovery is shown as completed, click Select, or add servers to manage and verify IPAM access and check that the IPAM Access Status field reads Unblocked for any discovered servers.

IPAM Access Status Blocked!

If you see that IPAM Access Status is shown as Blocked for a discovered server, take the following steps on the discovered server to resolve the issue:

  • If the discovered server is running DHCP, create a share on the server called dhcpaudit for the path c:\windows\system32\dhcp and give only the IPAMUG group read access.
  • On the discovered server, add the IPAMUG group to the following groups: Event Log Readers, DHCP Users and DNSAdmins.
  • Add permission for the IPAM server to the CustomSD registry value under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server.
  • To find the SID of the IPAM server, open a PowerShell prompt and type Get-ADComputer , replacing with the name of your IPAM server.
  • Copy the SID from the resulting output and then paste (A;;0x1;;;S-1-5-21-1265560747-2948747198-3383214574-1109) to the end of the existing CustomSD value in Regedit, replacing the highlighted SID with the SID for your IPAM server obtained using the Get-ADComputer cmdlet.
  • Reboot the discovered server.
  • On the IPAM server on the Server Inventory screen, right click the discovered server and select Refresh Server Access Status in the menu. Wait for the IPAM tasks to finish running, and then refresh the Server Manager window using the refresh icon in the top right of the screen.

Managing a Discovered Server

Now we need to change the status of any discovered servers to Managed. To do this, right click a server in the Server Inventory screen and select Edit Server from the menu.

In the Add or Edit Server window, change the Manageability status to Managed and click OK. Right click the server again, and select Retrieve All Server Data from the menu. Repeat this procedure for all discovered servers. Now you are ready to add IP addresses, ranges and blocks to IPAM.

Sign up for our e-newsletter

About the Author

Russell Smith

Russell Smith

Microsoft Technology Best Practices

Russell is a technology consultant and trainer specializing in management and security of Microsoft server and client technologies. A Microsoft Certified Systems Engineer with more than 10 years of experience, Russell’s projects have included everything from deploying Small Business Server to developing security practices on large-scale United Kingdom government IT projects. Russell is also author of Least Privilege Security for Windows 7, Vista and XP published by Packt.

Security

Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
Tools to Maintain Mobile Sec... |
Far-flung devices pose serious challenges, but a variety of technologies can help protect...

Storage

The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...
The Value of Converged Infra... |
Improvements in security, management and efficiency are just a few of the benefits CI can...

Networking

Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Hardware & Software

Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
The Tools That Power Busines... |
Ever-evolving analytic software can greatly improve financial institutions’ decision-...
XP-iration Date: Today Is th... |
It’s officially lights out for Windows XP as an operating system. Here’s how the world is...