The following instructions are for configuring a test lab using the minimum number of
computers. Individual computers are needed to separate the services provided on the
network and to clearly show the desired functionality. This configuration is neither
designed to reflect best practices nor does it reflect a desired or recommended
configuration for a production network. The configuration, including IP addresses and
all other configuration parameters, is designed only to work on a separate test lab
network.
Walkthrough: Demonstrate IPAM in Windows Server 2012
IP Address Management (IPAM) in Windows Server® 2012 is a framework for discovering,
monitoring, managing and auditing IP address space on a corporate network. IPAM provides the
following features:
Automatic IP address infrastructure discovery
Highly customizable IP address space display, reporting, and management
Configuration change auditing for DHCP and IPAM services
Monitoring and management of DHCP and DNS services
IP address lease tracking
In this guide
This guide provides step-by-step instructions for deploying IPAM in a test lab using three server
computers and one client computer. Software and hardware requirements are provided, as well as
an overview of IPAM.
Guide contents:
IPAM overview
o IPAM discovery
o IP address space management
o Multi-server management and monitoring
o Operational auditing and IP address tracking
IPAM architecture
o IPAM security groups
o IPAM tasks
o Privacy
o IPAM requirements
Scenario overview
o Hardware and software requirements
Configuring the test lab
o Configure DC1
o Configure DHCP1
o Configure Client1
o Configure IPAM1
IPAM demonstration
o Address space management
o Infrastructure monitoring and management
o Review audit logs and events
IPAM overview
The IPAM feature consists of four primary modules. The following sections provide a brief
description of these modules.
IPAM discovery
IPAM discovery requires access to Active Directory in order to discover network infrastructure servers.
This discovery is necessary to enable IPAM services. Discovery allows administrators to enumerate
servers running Windows Server® 2008 or later with the DNS Server, DHCP Server and AD DS role
services installed. Administrators can also manually add or delete servers to define a custom scope of
administrative control. The scope of discovery can be modified in real-time by selecting or removing
domains and specific server roles.
IPAM architecture
An IPAM server is a domain member computer. You cannot install IPAM on an Active Directory
domain controller.
There are three general methods to deploy IPAM servers:
1. Distributed: An IPAM server is deployed at every site in the enterprise.
2. Centralized: One IPAM server is deployed in the enterprise.
3. Hybrid: A central IPAM server deployed with dedicated IPAM servers at each site.
There is no communication or database sharing between different IPAM servers in the enterprise. If
multiple IPAM servers are deployed, you can customize the scope of discovery for each IPAM server,
or filter the list of managed servers. A single IPAM server might manage a specific domain or location,
perhaps with a second IPAM server configured as a backup.
IPAM will periodically attempt to locate network policy servers, domain controllers, DNS servers, and
DHCP servers on the network that are within the scope of discovery that you specify. You must choose
whether these servers are managed by IPAM or unmanaged. In this way, you can select different
groups of servers that are managed or not managed by IPAM. To be managed by IPAM, server security
settings and firewall ports must be configured to allow the IPAM server access to perform required
monitoring and configuration functions. You can choose to configure these settings manually, or
automatically using Group Policy Objects (GPOs). If you choose the automatic method, then settings
are applied when a server is marked as managed and settings are removed when it is marked as
unmanaged. The IPAM server will communicate with managed servers using an RPC or WMI interface.
IPAM monitors domain controllers and NPS servers for IP address tracking purposes. In addition to
monitoring functions, several DHCP server and scope properties can be configured using IPAM.
Zone status monitoring and a limited set of configuration functions are also available for DNS servers.
IPAM tasks
IPAM launches the following tasks upon installation with the specified periodicity. These tasks can be
viewed in Task Scheduler by navigating to Microsoft > Windows > IPAM.
Task Name    Description    Default Frequency    Duration
Privacy
The IP address audit functionality in IPAM provides tracking of IP address, hostname and Client
Identifier (MAC address in IPv4, DUID in IPv6) information of computers and devices on a network in
addition to user login information. The IPAM server collects audit logs and events from DHCP servers,
domain controllers and network policy servers, and stores the IP address, hostname, client identifier
and user name of a network user in the IPAM database on the computer running the IPAM Server
feature. An IPAM audit administrator or IPAM administrator can search logs based on IP address,
client identifier, hostname, or user name.
Audit control
IPAM is not enabled by default and must be installed as a server feature. When the IPAM Server
feature is installed, IP address audit functionality is automatically enabled.
To disable IP address audit, start Task Scheduler on the IPAM server, navigate to
Microsoft\Windows\IPAM and disable the audit task.
IPAM requirements
The scope of IPAM server discovery is limited to a single Active Directory forest. The forest may
consist of a mix of trusted and untrusted domains. IPAM requires membership in an Active
Directory domain, and is reliant on a prerequisite functional network infrastructure environment in
order to integrate with existing DHCP, DNS, domain controller, and network policy server installations
across the forest.
IPAM has the following specifications:
IPAM supports only Microsoft DHCP, DNS, domain controllers, and network policy servers
running Windows Server® 2008 and above.
IPAM supports only domain joined servers in a single Active Directory forest.
A single IPAM server can support up to 150 DHCP servers and 500 DNS servers.
A single IPAM server can support up to 6000 DHCP scopes and 150 DNS zones.
IPAM stores 3 years of forensics data (IP address leases, host MAC addresses, user login and
logoff information) for 100,000 users in a Windows Internal Database. There is no database
purge policy provided, and the administrator must purge the data manually as needed.
IPAM does not support management and configuration of non-Microsoft network elements
(such as WINS, DHCP relays, or proxies).
IPAM supports only Windows Internal Database. No external database is supported.
IP address utilization trends are provided only for IPv4.
IP address reclaiming support is provided only for IPv4.
No special processing is done for IPv6 stateless address auto configuration private extensions.
No special processing for virtualization technology or virtual machine migration.
IPAM does not check for IP address consistency with routers and switches.
IPAM does not support auditing of IPv6 address (stateless address auto configuration) on an
unmanaged machine to track the user.
Scenario overview
This test lab demonstrates IPAM functionality in Windows Server 2012. Three server computers and
one client computer are used. See the following figure.
Note
You can install DHCP on the same server with AD DS and DNS if desired and adjust
procedures in the test lab accordingly. DHCP and DNS roles are separated in the test lab
to demonstrate discovery and management of multiple servers providing different
services on the network. The IPAM feature must be installed on a separate, domain
member computer. A client computer is required to demonstrate IP address audit
functionality.
The following are required components of the test lab:
1. The product disc or other installation media for Windows Server 2012.
2. Three computers that meet the minimum hardware requirements for Windows Server 2012.
3. The product disc or other installation media for Windows® 8.
4. One computer that meets the minimum hardware requirements for Windows 8.
Tip
The previous step demonstrates new functionality in Windows Server 2012 that enables
you to search and run applications, settings, and files by clicking Start and then typing a
search term. You can also open the Network Connections control panel by clicking
next to Wired Ethernet Connection in Server Manager using the Local Server view.
For more information, see Common Management Tasks and Navigation in Windows
Server 2012 (http://go.microsoft.com/fwlink/p/?LinkId=242147).
6. In Network Connections, right-click Wired Ethernet Connection and then
click Properties.
7. Double-click Internet Protocol Version 4 (TCP/IPv4).
8. On the General tab, choose Use the following IP address.
9. Next to IP address type 10.0.0.1 and next to Subnet mask type 255.255.255.0. It is not
necessary to provide an entry next to Default gateway.
10. Next to Preferred DNS server, type 10.0.0.1.
11. Click OK twice, and then close the Network Connections control panel.
Note
There is a link displayed on the Installation progress page of the Add Roles and
Features Wizard to promote the server to a domain controller after installation of AD
DS is complete. However, if you close the Installation progress page, additional
configuration tasks can always be accessed by clicking the Notification flag.
15. In the Active Directory Domain Services Configuration Wizard, on the Deployment
Configuration page, choose Add a new forest and then next to Root domain name,
type contoso.com.
16. Click Next, and then on the Domain Controller Options page, under Type the Directory
Services Restore Mode (DSRM) password, type a password next
to Password and Confirm password. Confirm that Domain Name System (DNS)
server and Global Catalog (GC) are selected, and then click Next.
17. Click Next five times and then click Install.
Tip
If An error was detected in the DNS configuration is displayed on the DNS Options
page, you can ignore this message.
18. The computer will restart automatically to complete the installation process.
19. Sign in using the CONTOSO\Administrator account.
Tip
You can use the CONTOSO\Administrator account in this test lab and skip creation of a
domain administrator account if desired. This account has domain administrator
privileges, and other privileges. However, it is a best practice to disable or rename this
account. For more information, see Active Directory Best
Practices (http://go.microsoft.com/fwlink/p/?LinkID=243071).
To create a domain administrator account
1. On the Server Manager menu bar, click Tools, and then click Active Directory Users and
Computers.
2. In the Active Directory Users and Computers console tree, double-click contoso.com,
right-click Users, point to New, and then click User.
3. In the New Object – User dialog box, type user1 under User logon name and next to Full
name, then click Next.
4. Next to Password and Confirm password, type a password for the user1 account.
5. Clear the checkbox next to User must change password at next logon, select
the Password never expires checkbox, click Next, and then click Finish.
6. Double-click user1 and then click the Member Of tab.
7. Click Add, type domain admins under Enter the object names to select, click OK twice,
and then close the Active Directory Users and Computers console.
8. Click Start, click Administrator, and then click Sign out.
9. Sign in to the computer using the user1 credentials by clicking the left arrow next
to CONTOSO\Administrator and then clicking Other user.
Configure DHCP1
DHCP1 is a computer running Windows Server 2012, providing the following services:
A DHCP server.
Initial configuration of DHCP1 consists of the following steps:
Install the operating system and configure TCP/IP on DHCP1
Install and configure DHCP on DHCP1
Install the operating system and configure TCP/IP on DHCP1
Tip
The procedure below is identical to the steps used to install the operating system and
configure TCP/IP on DC1, with the exception that DHCP1 is configured with an IP
address of 10.0.0.2.
To install the operating system and configure TCP/IP on DHCP1
1. Start your computer using the Windows Server 2012 product disc or other digital media.
2. When prompted, enter a product key, accept license terms, configure clock, language, and
regional settings, and provide a password for the local Administrator account.
3. Press Ctrl+Alt+Delete and sign in using the local Administrator account.
4. If you are prompted to enable Windows Error Reporting, click Accept.
5. In the Server Manager navigation pane, click Local Server and then click the IP address next
to Wired Ethernet Connection. The Network Connections control panel will open.
6. In Network Connections, right-click Wired Ethernet Connection and then
click Properties.
7. Double-click Internet Protocol Version 4 (TCP/IPv4).
8. On the General tab, choose Use the following IP address.
9. Next to IP address type 10.0.0.2 and next to Subnet mask type 255.255.255.0. It is not
necessary to provide an entry next to Default gateway.
10. Next to Preferred DNS server, type 10.0.0.1.
11. Click OK twice, and then close the Network Connections control panel.
PS C:\Windows\system32> get-dhcpserverv4scope

ScopeId    SubnetMask     Name            State   StartRange  EndRange     LeaseDuration
-------    ----------     ----            -----   ----------  --------     -------------
10.0.0.0   255.255.255.0  Contoso-scope1  Active  10.0.0.1    10.0.0.254   00:02:00
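As an added check, not part of the original walkthrough, the following PowerShell confirms that the scope shown above matches the lab values and that DHCP1 is authorized in Active Directory (an unauthorized server issues no leases, and the authorized list is also where an unexpected DHCP server would show up). It assumes the DhcpServer module that ships with the DHCP Server role and is run on DHCP1 as a domain administrator; the expected values and the name dhcp1.contoso.com come from this guide.

```powershell
# Added example: verify DHCP1's scope against the lab values from this guide.
# Assumes the DhcpServer module (installed with the DHCP Server role) and
# that it runs on DHCP1 as a domain administrator.
$expected = @{
    ScopeId    = [ipaddress]'10.0.0.0'
    SubnetMask = [ipaddress]'255.255.255.0'
    Name       = 'Contoso-scope1'
    State      = 'Active'
    StartRange = [ipaddress]'10.0.0.1'
    EndRange   = [ipaddress]'10.0.0.254'
}

$scope = Get-DhcpServerv4Scope -ScopeId $expected.ScopeId -ErrorAction SilentlyContinue
if (-not $scope) {
    Write-Warning "Scope $($expected.ScopeId) does not exist on this server."
    return
}

# Compare every property and report all mismatches rather than stopping at the first.
$mismatches = foreach ($key in $expected.Keys) {
    $actual = $scope.$key
    if ("$actual" -ne "$($expected[$key])") {
        [pscustomobject]@{ Property = $key; Expected = "$($expected[$key])"; Actual = "$actual" }
    }
}
if ($mismatches) {
    Write-Warning 'Scope configuration differs from the lab values:'
    $mismatches | Format-Table -AutoSize
} else {
    Write-Host "Scope $($scope.Name) ($($scope.ScopeId)/$($scope.SubnetMask)) matches the lab values."
}

# A DHCP server only hands out leases once it is authorized in AD DS. Listing the
# authorized servers is also how you notice one that should not be there.
$authorized = Get-DhcpServerInDC
$self = $authorized | Where-Object {
    $_.DnsName -ieq 'dhcp1.contoso.com' -or "$($_.IPAddress)" -eq '10.0.0.2'
}
if ($self) {
    Write-Host "DHCP1 is authorized in AD DS as $($self.DnsName) ($($self.IPAddress))."
} else {
    Write-Warning 'DHCP1 is not authorized in AD DS and will not issue leases.'
}
$authorized | Format-Table DnsName, IPAddress -AutoSize
```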
Configure Client1
Client1 is a computer running Windows® 8 that is acting as a DHCP client. Configuration of Client1
consists of the following steps:
Install the operating system and configure TCP/IP on Client1
Join Client1 to the contoso.com domain
During the demonstration portion of the test lab, Client1 will receive DHCP leases from DHCP1.
Configure IPAM1
IPAM1 is a computer running Windows Server 2012, providing the following services:
An IPAM server.
Initial configuration of IPAM1 consists of the following steps:
Install the operating system and configure TCP/IP on IPAM1
Install and configure IPAM on IPAM1
The procedure below is identical to the steps used to install the operating system and
configure TCP/IP on DC1 and DHCP1, with the exception that IPAM1 is configured
with an IP address of 10.0.0.3.
To install the operating system and configure TCP/IP on IPAM1
1. Start your computer using the Windows Server 2012 product disc or other digital media.
2. When prompted, enter a product key, accept license terms, configure clock, language, and
regional settings, and provide a password for the local Administrator account.
3. Press Ctrl+Alt+Delete and sign in using the local Administrator account.
4. If you are prompted to enable Windows Error Reporting, click Accept.
5. In the Server Manager navigation pane, click Local Server and then click the IP address next
to Wired Ethernet Connection. The Network Connections control panel will open.
6. In Network Connections, right-click Wired Ethernet Connection and then
click Properties.
7. Double-click Internet Protocol Version 4 (TCP/IPv4).
8. On the General tab, choose Use the following IP address.
9. Next to IP address type 10.0.0.3 and next to Subnet mask type 255.255.255.0. It is not
necessary to provide an entry next to Default gateway.
10. Next to Preferred DNS server, type 10.0.0.1.
11. Click OK twice, and then close the Network Connections control panel.
18. When you are prompted to confirm the action, press ENTER.
19. On the Server Manager menu, click Tools and then click Group Policy Management.
20. In the Group Policy Management console tree, navigate to contoso.com\Group Policy
Objects and verify that three GPOs have been created
named IPAM1_DC_NPS, IPAM1_DHCP, and IPAM1_DNS.
You might need to wait a few minutes and refresh the IPAM console view for IPAM
access status to be updated on managed servers after changing manageability status.
28. In IPAM > OVERVIEW, click retrieve data from managed servers.
29. Click the Notification flag and wait for all tasks to complete.
IPAM demonstration
A demonstration of IPAM on Windows Server 2012 includes the following procedures:
1. Address space management
o Create, delete, import and export IP addresses
o Find available IP addresses and create reservations
o Create custom logical groups
2. Infrastructure monitoring and management
3. Review audit logs and events
Note
The IP address block you create is automatically added to public or private address space according t
3. In the Add or Edit IPv4 Address Block dialog box, next to Network ID, type 10.0.0.0.
4. Next to Prefix Length, choose 8. This /8 block contains the /24 subnet that is being
dynamically allocated by DHCP1.
5. Click OK, and then next to Current View choose IP Address Blocks.
6. On the Configuration Details tab, next to Utilized Addresses, note that one IP address is
currently in use. This corresponds to the lease issued by DHCP1 for Client1.
7. Next to Current view, choose IP Address Ranges.
8. On the Configuration Details tab, review the information displayed. Details are provided
for Contoso-scope1 supplied by dhcp1.contoso.com.
9. In the lower navigation pane, right-click IPv6 and then click Add IP Address Block.
10. Under Specify the Network ID, type 21da:d3:0:2f3b:: and then move the slider next
to Specify Prefix length so that the prefix is 64, and then click OK.
11. Choose IP Address Blocks next to Current view and confirm that
the 21da:d3:0:2f3b::/64 block was successfully added.
12. Right-click IPv4 and add the following IP address blocks:
o 192.168.0.0/24
o 192.168.1.0/24
13. Right-click IPv4 and add the 207.46.0.0/16 address block. Since this is public address
space, you must choose a regional Internet registry. Choose ARIN, and if desired, supply
dates and a description for this block of public IP address space.
14. Ensure that the Current view selected is IP Address Blocks and click the Network field to
sort by highest to lowest network ID. Also try sorting by some other fields.
15. In the lower navigation pane, under IPv4, click Public Address Space and verify that
the 207.46.0.0/16 IP address block is displayed.
16. Right-click IPv4 and then click Add IP Address Range.
17. Next to Network ID, type 192.168.0.0, choose 25 next to Prefix length, and then click OK.
18. Right-click IPv4 and add the following IP address ranges:
o 192.168.0.128/25
o 192.168.1.0/25
o 192.168.1.128/25
19. Right-click IPv4, and then click Add IP Address.
20. In the Add IP Address dialog box, next to IP address, type 192.168.0.1.
21. Next to MAC address, type 112233445566 and then click OK.
22. Next to Current view, choose IP Addresses and verify that the static IP
address 192.168.0.1 was added, and that it is automatically assigned to the 192.168.0.1-
192.168.0.126 range.
23. With the current view set to IP Addresses, click TASKS and then click Export.
24. Choose a location where you want to save the file.
25. In the Save As dialog box, type ip-addresses next to File name and then click Save.
26. Right-click the ip-addresses.csv file and then click Edit.
27. Highlight the line containing the 192.168.0.1 IP address, right-click the line, and then
click Copy.
28. Paste the contents of the copied line underneath the text four times, so that you create a
total of six rows of text, with the first row containing the column headers.
29. Change the IP address in all five lines from 192.168.0.1 to values ranging from 192.168.0.2 –
192.168.0.6 and then save the file.
30. Right-click IPv4 and then click Import IP Addresses.
31. Select the ip-addresses.csv file and then click Open.
32. In the Import IP Addresses dialog box, verify that 5 out of 5 records successfully
imported is displayed, and then click OK.
33. Verify that five new IP addresses were added to the 192.168.0.1-192.168.0.126 range.
34. Right-click the 192.168.0.6 IP address and then click Delete.
35. Verify that the 192.168.0.6 IP address was removed from the list.
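The hand edits in steps 27 through 29 can be scripted. The following PowerShell, an added example rather than part of the original walkthrough, reads the exported ip-addresses.csv, finds the row for 192.168.0.1 by its value (no column names are assumed), and writes the header plus five rows for 192.168.0.2 through 192.168.0.6, checking that each address falls inside the 192.168.0.1-192.168.0.126 range that IPAM will assign it to. The file location is an assumption; save the code as a .ps1 and pass the path you chose in step 24.

```powershell
# Added example: build the import file from steps 27-29 without hand-editing.
# Assumes ip-addresses.csv is the file exported from IPAM in step 25 and that
# it contains the row for 192.168.0.1 added in step 20. Column names are not
# assumed; the row is located by its IP address value. Fields may be quoted or not.
param(
    [string]$Path = 'C:\Temp\ip-addresses.csv'   # assumed location (step 24 lets you pick)
)
$lines    = Get-Content -Path $Path
$header   = $lines[0]
$template = $lines | Where-Object { $_ -match '(^|,)"?192\.168\.0\.1"?(,|$)' } | Select-Object -First 1
if (-not $template) { throw "No row for 192.168.0.1 found in $Path" }

# The 192.168.0.0/25 range created in step 17 spans 192.168.0.1-192.168.0.126;
# IPAM assigns an imported address to the range that contains it (step 22).
function Test-InRange([string]$Address, [string]$Start, [string]$End) {
    # Convert dotted quads to integers so the comparison is numeric, not lexical.
    $toInt = {
        param($ip)
        $b = [ipaddress]::Parse($ip).GetAddressBytes()
        [array]::Reverse($b)
        [BitConverter]::ToUInt32($b, 0)
    }
    $a = & $toInt $Address
    ($a -ge (& $toInt $Start)) -and ($a -le (& $toInt $End))
}

$rows = foreach ($i in 2..6) {
    $ip = "192.168.0.$i"
    if (-not (Test-InRange $ip '192.168.0.1' '192.168.0.126')) {
        Write-Warning "$ip is outside 192.168.0.1-192.168.0.126 and would not land in that range"
    }
    # Replace only the IP address field; every other field (including the MAC
    # address 112233445566) is copied unchanged, exactly as the manual steps do.
    $template -replace '(?<=^|,)(")?192\.168\.0\.1(")?(?=,|$)', "`${1}$ip`${2}"
}

# Header plus five data rows is what step 32 expects ("5 out of 5 records").
@($header) + $rows | Set-Content -Path $Path
Write-Host "Wrote $($rows.Count) address rows to $Path"
```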
Tip
So far, changes have only been made to the IPAM database. The following steps
will be used to create a DHCP reservation and DNS host record.
15. Right-click the 10.0.0.12 IP address and then click Create DNS Host Record.
16. Right-click the 10.0.0.12 IP address and then click Create DHCP Reservation.
17. On the Configuration Details tab, verify that Create Success is displayed next to DHCP
reservation sync and DNS Host Record sync.
18. On DHCP1, in the DHCP console, verify that the reservation is present in the Contoso-
scope1 DHCP scope.
19. On DC1, in DNS Manager, verify that the host record is present.
20. On IPAM1, right-click the 10.0.0.12 IP address and then click Edit IP Address.
21. Under Basic Configurations, click Select a date next to Assignment date and enter
today’s date.
22. Click Select a date next to Expiry date, select a date one month from today, and then
click OK.
Important
Expiry settings are alerts you can create for objects in the IPAM database. When a
reserved IP address passes the expiry date, it is not removed from reservations on the
DHCP server, but IPAM will provide events and alerts when the expiry date is close.
23. Verify that Valid is displayed under Expiry Status.
24. Click TASKS and then click IP Address Expiry Log Settings.
25. Under Expiry Alert Threshold, type 31.
26. Under Logging Frequency, choose Log all expiry status messages periodically and then
click OK.
Tip
By default, expiry logging begins 10 days before the expiration date. When you choose
to log alerts periodically, they will be logged each time the expiry task runs. The expiry
task runs once each day by default, but can be configured to run more or less frequently.
27. Refresh the IPAM console view and verify that Expiry Due is displayed under Expiry Status.
28. Edit the IP address again and change the assignment date and expiry date to one week in
the past. Verify that the address is now displayed as Expired.
29. Right-click the 10.0.0.12 address and then click Delete DHCP Reservation. This removes
the DHCP reservation from the DHCP server.
30. Right-click the 10.0.0.12 address and then click Delete DNS Host Record. This removes the
forward lookup record from the authoritative DNS server.
31. Click IP Address Blocks in the IPAM navigation pane and change the current view to IP
Address Ranges.
32. Highlight all the available ranges by holding down the SHIFT key and clicking the top and
bottom ranges.
33. Right-click the highlighted IP address ranges, and then click Reclaim IP Addresses.
34. Under Select IP addresses to be reclaimed, select the checkbox next to the 10.0.0.12
address, click Reclaim and then click Close. This removes the IP address from the IPAM
database.
Tip
Reclaiming IP addresses allows you to visualize expiry status and delete multiple IP
addresses. You can also right-click one or more IP addresses and click Delete to remove
IP addresses from the IPAM database.
7. Repeat the previous step to add another custom field named Floor with the following two
custom field values:
o First
o Second
8. Click OK twice, and then click Close.
9. Click IP Address Ranges, right-click the 192.168.0.0/25 range, and then click Edit IP
Address Range.
10. Click Custom Configurations, and then next to Custom field to configure,
choose Building.
11. Next to Specify a value, choose Headquarters and then click Add.
12. Choose Floor next to Custom field to configure, choose First, and then click Add.
13. Edit the other three IP address ranges and add a unique building and a floor to each.
Tip
You can also select multiple IP address ranges and add custom fields to all the ranges in
one step.
14. Refresh the IP Address Ranges view, right-click the column header and then
select Building and Floor as two of the fields to display. The building and floor are now
displayed with each IP address range in the list.
15. Right-click IPv4 and then click Add IP Address Range Group.
16. Under Provide name of the address range group, type Building/Floor.
17. Under Custom Fields, select Building and then select Floor so that items are grouped first
by Building and then by Floor.
18. Click OK, and then click the arrow next to IPv4.
19. Verify that you can view IP address ranges by building and floor.
9. In the left pane, click DNS Updates, click Options, and click Advanced. Note that all the
scope properties have already been configured identically to the Contoso-scope1 DHCP
scope. You can also edit these values if desired.
10. Click OK and verify that a new DHCP scope is displayed in the list with the Scope
Name Contoso-scope2.
11. Refresh the DHCP console on DHCP1 and verify that the Contoso-scope2 DHCP scope is
configured and activated.
12. On IPAM1, select both DHCP scopes using SHIFT, right-click the scopes and then click Edit
DHCP Scope.
13. In the left pane, click Options.
14. Next to Configuration action, choose Add, and next to Option choose 003 Router.
15. Under IP Address, click 0.0.0.0 and click Delete.
16. Under IP Address, type 10.0.0.10, press ENTER, and then click Add to list.
17. Click OK and verify that a new 003 Router option has been added to both DHCP scopes.
The next time that Client1 renews a DHCP lease it will receive this configuration option.
Tip
You can use this method to bulk-edit options on multiple DHCP scopes at once.
In the previous example, the Add function was used. You can also
choose Overwrite, Find and replace, or Delete.
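The same bulk edit can be applied and verified from PowerShell against DHCP1 directly, bypassing the IPAM console. This is an added example, not Microsoft's procedure; it assumes the DhcpServer module is available where it runs, and takes the server name dhcp1.contoso.com, the scope names and the router value 10.0.0.10 from this guide.

```powershell
# Added example: the bulk edit from steps 12-17 done with the DhcpServer module
# against DHCP1 instead of through the IPAM console. The scope list is read live
# and restricted to the two Contoso scopes created in this lab.
$dhcpServer = 'dhcp1.contoso.com'
$router     = '10.0.0.10'

$scopes = Get-DhcpServerv4Scope -ComputerName $dhcpServer |
          Where-Object Name -like 'Contoso-scope*'
if (-not $scopes) { throw "No Contoso scopes found on $dhcpServer" }

foreach ($scope in $scopes) {
    # Option 003 (Router) at scope level; -Router is the typed parameter for option 3.
    # This is the "Add"/"Overwrite" action of the IPAM dialog. The "Delete" action
    # corresponds to:
    #   Remove-DhcpServerv4OptionValue -ComputerName $dhcpServer -ScopeId $scope.ScopeId -OptionId 3
    Set-DhcpServerv4OptionValue -ComputerName $dhcpServer -ScopeId $scope.ScopeId -Router $router
}

# Verify: read option 3 back from every scope and flag any that disagree, so a
# scope silently left without the value is noticed before clients renew.
$results = foreach ($scope in $scopes) {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $dhcpServer -ScopeId $scope.ScopeId `
                                       -OptionId 3 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Scope   = $scope.Name
        ScopeId = $scope.ScopeId
        Router  = ($opt.Value -join ',')
        Ok      = [bool]($opt.Value -contains $router)
    }
}
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'At least one scope does not carry the expected 003 Router value.'
}
```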
18. Next to Server Type, choose DNS.
19. Under Details View, review the information provided on the Server Properties, DNS
Zones, and Event Catalog tabs.
20. Right-click DC1.contoso.com and then click Launch MMC. Note that you can directly
configure zones on DC1.
21. In the IPAM navigation pane, click DHCP Scopes and review the information under Details
View on the Scope properties and Options tabs.
22. In the IPAM navigation pane, click DNS Zone Monitoring and review the information on
the Zone Properties and Authoritative Servers tabs.
23. In the IPAM navigation pane, click Server Groups.
24. Right-click IPv4 and note that the same logical group functionality that is available for IP
address ranges is also available for managed servers. Custom fields are available by editing
server properties and selecting the Custom Configuration menu item. This provides a highly
customizable managed server display.
Review audit logs and events
IPAM also allows you to track several types of events on DNS and DHCP servers, including both
client and server data.
To review audit logs and events
1. In the IPAM navigation menu, click EVENT CATALOG.
2. By default, IPAM Configuration Events is selected in the lower navigation pane. Review
the events that are displayed.
3. Click DHCP Configuration Events in the lower navigation pane and review the DHCP
events that are displayed.
4. Under IP Address Tracking, click By Host Name.
5. Type Client1 in the search box, and then type dates in the two text boxes next to and
DHCP lease events between these dates in the format of month/day/year. Enter a range
of dates that includes today, and then click Search.
6. Click TASKS and then click Export.
7. In the Save As dialog box, type client1-events next to File name and then click Save.
8. Open the client1-events.csv file in notepad or Excel to view the list of events.