Você está na página 1de 102

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta


Microsoft Corporation
Published: February 2012

Abstract
This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality,
and troubleshooting methods for IP Address Management (IPAM) in Windows Server 8 Beta. This UTG
provides you with:

A technical overview and functional description of this feature.

Technical concepts to help you successfully install, configure, and manage this feature.

User Interface options and settings for configuration and management.

Relevant architecture of this feature, with dependencies, and technical implementation.

Primary troubleshooting tools and methods for this feature.

Copyright information
This document is provided as-is. Information and views expressed in this document,
including URL and other Internet Web site references, may change without notice.
Some examples depicted herein are provided for illustration only and are fictitious. No real
association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference
purposes.
2012 Microsoft. All rights reserved.
Active Directory, Hyper-V, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, Windows
Server, and Windows Vista are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

Table of Contents
Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM...............1
About The Understanding and Troubleshooting Guide......................................................
Introducing IPAM..................................................................................................................
What Is IPAM?...................................................................................................................
Purpose/Benefits...............................................................................................................
Functional Overview.........................................................................................................
Technical Overview......................................................................................................... 23
Installing and Provisioning IPAM.........................................................................................30
Deployment Considerations............................................................................................30
Installation Process IPAM Server...................................................................................31
Installation Process IPAM Client....................................................................................35
IPAM Provisioning............................................................................................................ 36
Configuring and Managing IPAM......................................................................................... 43
IPAM Initial Setup............................................................................................................ 43
Address Space Management........................................................................................... 51
Troubleshooting IPAM......................................................................................................... 81
Troubleshooting tools...................................................................................................... 81
Common IPAM problems................................................................................................. 81
Appendix............................................................................................................................ 82
Manual IPAM Provisioning Configuring Access Settings................................................82
GPO Based IPAM Provisioning GPO Setting Details.......................................................90

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Windows Server "8" Beta


Understanding and Troubleshooting
Guide: IPAM
About The Understanding and
Troubleshooting Guide
Understanding and Troubleshooting Guides enable you to learn about technical
concepts, functionality, and general troubleshooting methods for new Windows
features and enhancements. The Understanding and Troubleshooting Guide
supports you in developing understanding of key technical concepts,
architecture, functionality, and troubleshooting tools and techniques. This
understanding will enable more successful testing and early adoption
experiences during the pre-release product evaluation phase, and will support
early ramp-up of help desk and technical support roles.

Introducing IPAM
Internet Protocol (IP) Address Management, which is a critical part of network
administration, has become increasingly challenging, as networks grow more
dynamic and complex. The need for centralized administration of addresses is
increasing dramatically over time as mobile computing, virtualization, and IP
devices continue to consume more IP addresses. The need for management
tools has also increased with deployment and adoption of new Internet
Protocol version 6 (IPv6) networks, which have much larger address pools, and
a more complex 128-bit hexadecimal notation as compared with 32-bit dotted
decimal Internet Protocol version 4 (IPv4) addresses. The length and
complexity of IPv6 addresses makes continued tracking of them in a
spreadsheet impractical.
Currently, third party vendors offer various software-based or appliancebundled management solution options in this space. However, the upfront
overhead of procurement, deployment and integration of such solutions
remains a deterrent in their adoption. Most IT administrators still typically track
IP address allocation and utilization manually, using spreadsheets or custom
database applications. This can be very time consuming and resource
intensive, and is inherently prone to user error. Windows Server "8" Beta
introduces a new feature to meet the IP addressing and naming infrastructure
management needs of network and server administrators.

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

What Is IPAM?
Internet Protocol Address Management (IPAM) is a framework for discovering,
utilization monitoring, auditing, and managing the Internet Protocol (IP)
address space in a network. IPAM encompasses the administration and
monitoring of Dynamic Host Configuration Protocol (DHCP) and monitoring of
Domain Name Service (DNS), which are the services that assign and resolve IP
addresses to devices in a TCP/IP network. IPAM in Windows Server "8" Beta
provides components for planning and allocating IP address space, static IP
inventory management, audit of configuration changes, monitoring and
management of Microsoft DHCP servers, monitoring of Microsoft DNS servers
and DNS zones, and IP address usage tracking and customized visualization.

Purpose/Benefits
The Windows Server "8" Beta IPAM feature provides a unified framework meet the
following administrative requirements of addressing and naming infrastructure for
network and server administration from a central console. IPAM provides the
following benefits:

IPv4 and IPv6 address space planning and allocation

IP address space utilization statistics and trend monitoring

Static IP inventory management, lifetime management and DHCP and DNS


record creation and deletion

Flexible support for import of address space from spreadsheets and


management tools

Periodic update support of address space from systems such as System


Center Virtual Machine Manager (SCVMM) and third party DHCP servers

Multi entity management and monitoring of DHCP services and DHCP scopes

Configuration change event auditing for DHCP and IPAM services

Service and zone monitoring of DNS services

IP address lease and logon event tracking

Automatic server role discovery, through Active Directory integration

Automatic server configuration data collection and dynamic address space


discovery

Granular distribution of data collection tasks with configurable periodicity

Agentless management of roles with Group Policy Object (GPO) based


automated deployment

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Extensive support for user-defined and built-in custom fields or tags

Organizing and visualizing of data into user-defined hierarchical logical


groups

Advanced search and filter support

Reporting support through UI view and Windows PowerShell export


functionality

Role based access control

Remote administration support through Server Manager RSAT from both


Windows Server "8" Beta and Windows 8 Consumer Preview client builds

Support for concurrent client sessions

Built-in relational database support leveraging Windows Internal Database


(WID)

Support for backup, restore, and migration scenarios

Functional Overview
Prerequisites
Windows Server "8" Beta IPAM is an integrated suite of IP addressing and
naming solutions aimed at helping network and system administrators to
manage IP infrastructures across the enterprise. IPAM scope selection across
the managed server nodes is limited to a single Active Directory (AD) forest,
with appropriate trust relationship between the domains.
The IPAM server must be domain joined, and is reliant on a prerequisite
functional network infrastructure environment, including IPv4 and IPv6 network
connectivity, in order to integrate with existing DHCP, DNS, DC, and NPS
installations across the AD forest.
Install the IPAM feature on an Active Directory domain member server intended
as a single-purpose server, and do not attempt to collocate other network
infrastructure roles such as DNS or DHCP on the same server. IPAM installation
and provisioning is not supported on a domain controller.
IPAM users must be logged in using a domain account with appropriate
privileges.
The following are requirements for successful IPAM deployment.

Ensure that the IPAM server is domain-joined.

Ensure that you have network connectivity. Enabling both IPv4 and IPv6 is
recommended. Discovering IPv6 address space and infrastructure will not be
supported unless IPv6 connectivity is enabled.

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Ensure that you log on to the IPAM server using a domain account. Do not log
on to the IPAM server using the local Administrator or a local user account.

Ensure that you are a member of appropriate IPAM local security group (See
the IPAM Local Security Groups section of this guide) or if you are running as
a member of the local Administrators group then you must run elevated.

If you are accessing the IPAM server remotely using Server Manager IPAM
client RSAT, then you must be a member of the WinRMRemoteWMIUsers
group on the IPAM server, in addition to being a member of the appropriate
IPAM security group (or local Administrators group).

Configure network settings on the IPAM server so that it has access to at


least one authoritative domain controller for server discovery. Ensure that
you have network connectivity to all the server roles (DHCP, DNS, DC and
NPS) that you intend to manage through this IPAM instance.

For best performance, do not install any other server roles on the IPAM
server.

IPAM installation and provisioning on a DC is not supported

IPAM installation on a DHCP server is not recommended. The IPAM server


discovery feature will not be able to discover DHCP roles if IPAM is running on
a DHCP server.

Ensure that logging of account logon events is enabled on DC and NPS


servers for the IP Address Tracking feature of IPAM

Recommended server system requirements are as follows:


o
o
o
o

CPU - Dual Core Processor, 2.0 GHz or higher speed


OS Windows Server "8" Beta
RAM 4 GB or more
Hard Drive 80 GB or more

Ensure that network firewall ports and access settings are provisioned to
enable IPAMs access to workloads (DC, DNS, DHCP and NPS) across the
managed roles in the AD forest. For more information on IPAM provisioning
and provisioning methods refer to the Deployment Considerations section of
this guide.

If using Group Policy based provisioning, ensure that the users marking
servers as managed/unmanaged in IPAM server inventory console either
have domain administrator privileges or have delegated rights to edit GPO
security filter lists. For more information on GPO delegation, refer to the
Group Policy Based Provisioning section of this guide.

Ensure that data replication to all AD global catalog servers is functioning


properly at regular intervals. Stale global catalog data can cause problems
with discovery of servers.

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Functional Description
Windows Server "8" Beta IPAM consists of five primary modules, which provide
the management functionality. These modules include the following:

Server inventory management

IP address space management

Management and Monitoring of DHCP and DNS

Event Catalog

IP address tracking

Server Inventory Management


IPAM leverages Active Directory deployment to define the scope of the IP
infrastructure elements to be centrally managed via the IPAM console. IPAM
auto-discovers the configured server roles from the configured domains and
allows you to centrally manage and configure the servers. Discovery of DHCP
prepares the environment to perform management and utilization tracking of
dynamic address space, multi-entity management for DHCP servers and
scopes, service monitoring of DHCP servers, audit of configuration changes to
DHCP servers and IP address usage tracking by collecting lease events from
DHCP. Discovery of DNS roles enables DNS zone monitoring and DNS service
monitoring. Discovery of DC and NPS servers is done to support the auditing of
IP address usage with associated user logon events.
The server discovery component in Windows Server "8" Beta IPAM leverages
your Active Directory (AD) deployment to discover network infrastructure
servers. IPAM facilitates configuring the scope of server discovery by allowing
you to select domains in the AD forest through its Configure Server Discovery
dialog. Discovery allows you to enumerate Microsoft Windows DNS, DHCP and
DC server role types that are available in either the entire AD forest or a
specified subset of domains within the forest. You can also manually add or
delete specific servers (Microsoft Windows DNS, DHCP, DC and NPS servers) to
define a custom scope of administrative control.
The IPAM server discovery and inventory feature also allows you to track
granular IPAM access status on servers. IPAM server inventory management
also plays an important role in managing the security filter list of IPAM GPOs,
which are updated according to the manageability status of the infrastructure
servers in server inventory. The GPO updating functionality is valid only if the
Group Policy Based provisioning method has been selected for IPAM. IPAM also
tracks the status of data retrieval on managed servers.
Note:

IPAM can be used to discover and manage servers running Windows


Server 2008 and above.

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

An overview of the IPAM server inventory functions is provided below:

Configure scope of Server Discovery by selecting domains and server roles


within each domain to be discovered within Active Directory forest.

IPAM uses the following rules during server discovery on configured domains
for selected roles:
o

All domain controllers registered for the configured domains are


discovered

All DNS servers registered as name servers for the domain zone and
DNS suffixes registered for the configured domains are discovered

All DHCP servers authorized for the configured domains that respond
to the DHCP server INFORM message are discovered. This feature
allows IPAM to intelligently discard any inactive DHCP servers that are
listed as authorized in AD.

Add-Remove-Edit servers (and server roles) manually outside of the autodiscovery process

Automated discovery of infrastructure servers and their configuration such


as server roles, OS version, IPv4 and IPv6 interface address, domain name,
DNS suffix, GUID, active roles

Periodic and on-demand refresh of server information across configured


scope of discovery

Disjointed name space support. Separate fields showing the servers DNS
suffix and domain name are maintained by IPAM.

Classify server manageability status as:

Managed IPAM periodic tasks will collect data from the active
(checked) roles on these servers. Inactive (unchecked) roles on these
servers are ignored.

Unmanaged - IPAM periodic tasks will not collect data from these
servers. IPAM deletes all existing information pertaining to these
servers from its database.

Unspecified - IPAM periodic tasks will not collect data from these
servers. However, IPAM retains all existing information pertaining to
these servers in its database. Set a server status as Unspecified in
scenarios where the server is offline temporarily, during temporary
maintenance cycles for example.

Granular control to configure individual server roles as active or inactive on a


server

11

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Automatic organization of server inventory view into hierarchical view based


on interface address and manageability status of the server:
o

Level 1 IPv4 and IPv6 (based on interface address)

Level 2 - Managed and Unmanaged

Level 3 IP Subnet (/16 for IPv4 and /48 for IPv6 based on primary
interface address)

Edit owner and description for servers, and add user-defined or built-in
custom fields/tags to servers

Built-in tracking of server data retrieval status such as In progress,


Complete, Not started

Automatic IPAM access status tracking on servers. IPAM collects granular


access status from the servers listed in the server inventory as Allowed or
Blocked. IPAM rolls up these sub-statuses into overall IPAM access status.
The recommended action field indicates the required action for managed,
unmanaged, unspecified servers as appropriate.

Integrated group policy provisioning mode support with automatic


synchronization of the IPAM GPO security filter list with the server inventory
configuration. IPAM expects the user to have appropriate GPO edit privileges
while performing these operations for the automatic GPO synchronization to
be successful.

Note:
Note:

Auto-discovery of the NPS server role is not supported. These servers


can be added using the Add Server functionality
Removing a configured domain from Server Discovery scope does not
automatically delete the servers that are already discovered from that
domain. If required, the corresponding servers belonging to this domain
can be manually deleted from the server inventory view.

IP Address Space Management


IP address space management provides administrators with the ability to
manage, track, audit, and report on the IPv4 and IPv6 address space of the
enterprise or datacenter. A primary consumer of public Internet-routable IPv4
addresses is cloud-based hosted service providers. These public IPv4
addresses are allocated and assigned by Regional Internet Registries (RIR) in
response to requests from the organization, and are in critically short supply.
Monitoring the utilization and trends for these RIR blocks is of prime
importance. Hosted service providers need to associate specific IP address
subnets or blocks of addresses to specific customers, development
communities, or business divisions by customized logical grouping.
Enterprises with public-facing datacenter entry points need to manage
multiple statically assigned public IP addresses and subnets. Administrators of
13

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

these networks require utilization data to perform actions around address


space management. These actions include finding free IP addresses, tracking
address state, tracking the address lifetime, synchronizing DNS and DHCP
records/reservations, balancing the address usage for optimal utilization of the
available subnets, preparing the subnets for new or changing network
requirements, and reclaiming addresses previously assigned but no longer
deployed in the production environment.
The IP address space console of IPAM provides administrators with IP address
utilization statistics and historical trend data to make informed planning
decisions for dynamic, static and virtual address spaces. IPAM periodic tasks
automatically discover the dynamic address space and utilization data as
configured on the DHCP servers managed in IPAM. Leverage the powerful
import functionality of IPAM IP address space management to bring static and
virtual address spaces under IPAM central management.
The IPAM Address Space Management (ASM) console provides the ability to
efficiently monitor various dimensions of the managed IP address space,
including method of assignment (static or dynamic), address scope (public or
private), and IP version (IPv4 or IPv6). Using IPAM ASM, you can track IP
address utilization, receive threshold-crossing status from the console and
events, or zoom in and out to display utilization trends. The IPAM ASM tools
address the end-to-end IP lifecycle management problem for the static IP
address space in a growing distributed environment by ensuring better
planning, accountability, and control. It further facilitates centralized
management and monitoring of address space using periodic import and
update functionality to bring in virtual address spaces managed through
systems like System Center Virtual Machine Manager (SCVMM) or any third
party DHCP servers and virtual machine (VM) managers.
For efficient network resource planning, administrators need to be able to
visualize IP address attributes in logical groupings. The utilization monitoring
views in IPAM allow you to view the enterprise address space in more
meaningful logical correlation based on specific needs. Some examples of
logical group views are delineation by divisions of the organization,
geographical regions, Regional Internet Registries, offices located across
geographical regions, and categories assigned to customers based on business
profiles. Grouping of addresses by attributes provides meaningful perspective
to utilization monitoring.

Address Space Entities


The various entities recognized by IPAM address space function are defined
below:

IP addresses: are the leaf level entity under IP address ranges. IPAM
enables end-to-end life cycle management of IPv4 and IPv6 addresses,

15

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

including record synchronization with DHCP and DNS servers. IPAM


automatically maps an address to the appropriate range based on the
start and end address of the range. An IP address is uniquely identifiable
by the value of mandatory Managed By Service and Service Instance
fields, that help IPAM to manage and maintain duplicate IP addresses from
the same console. These two fields are also used (and should identically
match) while mapping the IP address to the IP address range.

IP address ranges: are the next hierarchical level of IP address space


entities after IP address blocks. An IP range is conceptually an IP subnet
marked by a start and end IP address, and is typically a DHCP scope or a
static IPv4 or IPv6 address range or address pool used to assign addresses
to hosts. IPAM enables you to centralize address ranges that may span
across many heterogeneous systems, such as across multiple DHCP
servers, VM managers, or legacy spreadsheets using IPAM import
functionality through UI or Windows PowerShell. An IP address range is
uniquely identifiable by the value of the mandatory Managed By Service
and Service Instance fields, which help IPAM to manage and maintain
overlapping or duplicate IP address ranges from the same console. Only
one of multiple overlapping IP address ranges get mapped to the IP
address block. IPAM allows you to map any unmapped overlapping range
to the corresponding IP address block using the Map to Block action. The
currently mapped range will be unmapped because of this action.

IP address blocks: are the highest-level entities of IP address space


organization. An IP block is conceptually an IP subnet marked by a start
and end IP address, and is typically assigned by various Regional Internet
Registries (RIRs) to an organization. Network administrators maintain the
IP address block to carve out and allocate IP address ranges to address
allocation systems like DHCP. IPAM automatically arranges IPv4 address
blocks into public and private address space and IPv6 addresses into
unicast global addresses. IP address blocks can be added, imported,
edited, and deleted. If the start and end IP address of a block lies within
the start and end IP address of another block, it is automatically arranged
as a nested sub-block. IPAM automatically maps IP address ranges to the
appropriate IP address block based on the boundaries of the range. This
enables a hierarchically organized view of the IP address ranges and a
multi-level hierarchy of IP address blocks. IPAM rolls up utilization statistics
and trends at the IP address block or IP address sub-block level based on
the ranges that are contained in the block.

17

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 1 IP Address, Block, and Range Entities

Custom Fields and Logical Groups


IPAM supports user defined extensible metadata that can be associated to IP
address ranges, IP addresses, and servers. You can create metadata with
multiple value types such as Country/Region or single value types, such as
Building. IPAM supports multiple built-in custom fields with built-in values,
which you can further enhance to add new user-defined values. Similarly, you
can add new user-defined custom fields that can either be free-format or
enumerations (multi-value fields). User-defined, multi-value custom fields allow
you to defined associated value tags against them.
While you can delete or edit user-defined custom fields and values, you cannot
edit or delete built-in custom fields and values. You cannot delete any
particular custom field or value while it is assigned to any entity within the
IPAM database.
IPAM allows you to define the logical grouping of entities, and visualize
utilization of address space based on these groups. Custom field and value
tagging is supported for the following entities in IPAM:

IP Address

IP Address Range

Server

You can use custom field tagging for multi-valued custom fields for defining
logical groups. Logical groups enable you to visualize IP address ranges in a
real-life business perspective rather than a conventional hierarchy of IP
subnets. You can customize these logical groups and they can be hierarchical.
Logical groups are defined by selecting the grouping criteria from built-in or
user-defined custom fields. IPAM supports multi-level hierarchy when defining a
logical group for IP address ranges. Similar custom logical groups can be
created to group IP addresses and managed servers. Entities that do not map
to the first level criteria defined for the logical group are displayed under the
unmapped space in the group.
19

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

IPAM also rolls up utilization statistics and trends at the logical group level for
IP address ranges. Logical groups defined for IP address ranges are known as
IP range groups. IPAM supports simultaneous creation of multiple IP range
groups based on different criteria. By default, IPAM creates the built-in IP range
group called Managed By, which groups IP address range by the two-tier
hierarchy of Managed by Service field followed by Service Instance field.
Built-in logical groups cannot be deleted, but the grouping criteria can be
edited.
IPAM supports only one logical group for IP addresses known as IP address
inventory, which is created by default. This built-in IP address logical group
groups IP addresses by a single hierarchy of device type field. Built-in logical
groups cannot be deleted, but the grouping criteria can be edited.

Utilization Monitoring

Utilization data maintained for IP address ranges, IP address blocks and IP


range groups within IPAM

User-configurable thresholds for percentage utilized field, used to mark


entities as over-utilized (above the configured threshold), under-utilized
(below the configured threshold) and optimally utilized (between over and
under the utilization thresholds).

Visualization of utilization state of IP address range, IP address block and IP


range group from the console:
o

Over - Percentage utilized falls above configured over-utilized


threshold

Under - Percentage utilized falls below configured under-utilized


threshold

Optimal - Percentage utilized falls within configured over-utilized and


under-utilized threshold

Utilization threshold crossing events are logged by IPAM whenever an IP


address range changes its utilization state.

Utilization trend building and reporting for IPv4 address ranges, IPv4 address
blocks and IPv4 range groups.

Capability to zoom in and out of utilization trend window. While you may
select from standard trend periods of 1 day, 7 days, 1 month, 3 months, 6
months, 1 year, 2 years and 5 years, Custom start and end date
configuration for viewing the utilization trend is also supported.

Auto-discovery of dynamic IP address ranges and utilization data from DHCP


scopes configured on the managed Microsoft DHCP servers.

The utilization calculation for utilized addresses be set to

21

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Automatic Auto-calculation based on the IP addresses within IPAM


database that map to the IP range

User defined Configured by the user agnostic of the IP addresses


that map/do-not-map to the IP range.

Utilization statistics for an IP address range is available as following


counters:
o

Assigned addresses The number of addresses between start IP


address and end IP Address of the block

Utilized addresses The summation of assigned addresses counter of


IP address ranges that map to this block

Percentage utilized Utilized addresses as a percentage of assigned


addresses

Two additional utilization counters are supported for dynamic IPv6 address
ranges discovered from Microsoft DHCP servers. Together these counters add
up to the total number of utilized addresses for this range:
o

DHCP stateless addresses Number of stateless address leases


serviced by the Microsoft DHCP range

DHCP stateful addresses Number of stateful address leases serviced


by the Microsoft DHCP range

Utilization trend for an IPv4 address range is plotted for following line graphs:
o

Percentage assigned (always 100%)

Percentage utilized

Utilization statistics for an IP address block is available as following counters:


o

Total addresses The number of addresses between start IP address


and end IP address of the block

Assigned addresses The summation of assigned addresses counters


of IP address ranges that map to this block

Utilized addresses The summation of Utilized addresses counters of


IP address ranges that map to this block

Percentage assigned Assigned addresses as a percentage of total


addresses

Percentage utilized Utilized addresses as a percentage of total


addresses

Utilization trend for an IPv4 address block is plotted for following line graphs:
o

Percentage total (always 100%)

23

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Percentage assigned

Percentage utilized

Utilization statistics for an IP range group is available as following counters:


o

Assigned addresses The summation of assigned addresses counters


of IP address ranges that map to this group

Utilized addresses The summation of utilized addresses counters of


IP address ranges that map to this group

Percentage utilized Utilized addresses as a percentage of assigned


addresses

Utilization trend for an IPv4 range group is plotted for following line graphs:
o

Percentage assigned (always 100%)

Percentage utilized

IP address management features

Multiple consoles/views for organizing and visualizing address space to


facilitate address space monitoring, reporting and utilization data roll up.

Auto-discovery of DHCP scopes and scope utilization information. Autodiscovered DHCP scopes appear as IP address ranges with Managed by
Service set as MS DHCP and Service Instance set as the name of DHCP
server

Support for identifying and managing overlapping address spaces from a


single console. Overlaps and duplicates are identified and displayed in the UI

IPAM allows you to uniquely identify IP address ranges and IP addresses


using the Managed By Service and Service Instance fields that augment
the key fields for these entities. For example, all ranges discovered from
managed DHCP servers are marked to be Managed By Service set as MS
DHCP and Service Instance set as the name of the DHCP server.
o

IP address blocks allow easy Auto discovery of DHCP scope and


utilization information from managed MS DHCP servers and
visualizing them as IP address ranges

Plan and allocate address space by carving out multi-level hierarchy of IP


address blocks. Visualize rolled up utilization trends and statistics for IP
address blocks

Arrange address space into multi-level hierarchy of real-world custom group


view. Visualize rolled up utilization trends and statistics for group nodes.

Customizable inventory view for IP addresses

25

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Support for detecting and visualizing stateless IPv6 address utilization


information

Add/Edit/Delete IP Addresses, IP address range and IP address blocks

Detect and manage conflicts, overlaps, duplicates in address space across


systems. Map desired overlapping IP address range to the IP address block.

Use intuitive interface for import of address, range and block from
spreadsheets and databases

Find and allocate an available IP Address from a dynamic or static IP address


range:
o

For Microsoft DHCP ranges, IPAM queries the corresponding DHCP


server in real-time to finding an available IP address. The logged in
user must have at least DHCP Users privileges on the DHCP server to
complete this action. If the IP address found is already
reserved/allocated in the IPAM database, IPAM discards it and goes on
to find another available IP address.

For any other range, IPAM queries the local IPAM database to find an
available IP address.

Further validation of free IP address using ping expect no reply, and DNS
lookup expect no record found. Anomalies to the expected result are called
out so that appropriate action can be taken to synchronize the IPAM IP
address inventory with the DNS records and servers active on the network.

Allocate the free IP Address and maintain its state as active/inactive/reserved


or any other custom state value. Tag the assignment type of IP address as
static/dynamic/VIP/auto.

Configure appropriate assignment date for the IP address

Assign and track IP address lifetime by assigning an expiry date to the IP


address. By default, the expiry date is not set and the address is assumed to
be valid indefinitely.

Visualize addresses as not expired, expiry due, expired based on the


configured expiry date for the address and the system-wide configurable
threshold for expiry log settings. The IP address transitions to expiry due
state x days before the configured expiry date, where x is the expiry alert
threshold.

Receive alerts on changing the expiry status of address is a configurable


setting to receive expiry alerts periodic or only on state changes.

Manage all DHCP reservations from a central console. Create/delete DHCP


reservations for IP addresses

27

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Manage all DNS records from a central console. Create/delete DNS A/AAAA
records for IP addresses. Create/delete DNS PTR records for IP addresses

Build upon import and update functionality of IPAM to populate the IP


Address inventory view leveraging IPAM Windows PowerShell
o

Periodically import and update the IP address inventory from third


party systems like SCVMM or other virtual address management
systems

Periodically import and update the IP address inventory from DHCP


reservations on Microsoft DHCP or third party DHCP servers

Periodically import and update the IP address inventory from DNS


records on Microsoft DHCP or third party DNS servers

Detect duplicate IP addresses. IPAM allows creation and management of


duplicate IP addresses (assuming your internal network has valid scenarios
around maintaining duplicate IPs)

Automatically map IP addresses to the corresponding IP range

Tag basic and custom configuration fields against IP addresses

Reclaim IP addresses from selected IP address ranges using the reclaim


wizard

Address Space Data Import


IPAM supports flexible schema for importing IP address, IP address range and
IP address block entries from a comma separated value (csv) file. The field
names list in the header of the csv file should match the IPAM field names
corresponding to the entity being imported. You can add new fields into IPAM
using the custom field support. Column names can be ordered in any way in
the csv file.
IPAM supports the following two types of import

Regular import operation for IP addresses, IP address ranges and IP


address blocks new records are added and existing records are edited
during this operation. This Windows PowerShell cmdlet imports IP address
range objects from the specified csv file into the IPAM server. IPAM does
not support import of IP address ranges whose Managed By Service
value is MS DHCP since this is reserved for DHCP scopes automatically
discovered by IPAM from the managed Microsoft DHCP servers.

Import and update operation for IP addresses belonging to the specified


IP range Along with adding new addresses and editing existing
addresses as in the case of regular IP address import, this operation
deletes those addresses from IPAM which map to the specified IP address
range, but are not present in the csv being imported. A typical scenario

29

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

for this operation can be to periodically import and synchronize DHCP


lease or DNS record information from servers into IPAM.

Import and update operation for IP address ranges belonging to the


specified Managed By Service and Service Instance values Along
with adding new ranges and editing existing ranges as in the case of
regular IP address range import, this operation deletes those ranges from
IPAM which have the same value of Managed By Service and Service
Instance fields but are not present in the csv being imported. IPAM
provides you the option of deleting the IP addresses mapping to the IP
address ranges that are deleted during this import operation. A typical
scenario for this operation can be to periodically import and synchronize
IP pool or DHCP scope information from systems like SCVMM and third
party DHCP servers.

The UI import-export supports localized format while the Windows PowerShell


import-export supports fixed English format for the csv field names and values.
Interoperability between both formats is supported. The general rules for
Windows PowerShell import-export fixed schema is as follows:
1. Field names will be the same as English localized resource names of the
corresponding entries in IPAM. However, blank spaces in the field name will
be omitted to comply with the Windows PowerShell object header name
convention. IP address import in fixed format is identified by the presence of
the mandatory field IPAddress in the csv file. Similarly, IP address range
import in fixed format is identified by the presence of the mandatory field
NetworkId in the csv file. The corresponding field names for localized
English schema import are IPAddress and Network respectively.
2. Enum value names will be same as English localized resource names of the
corresponding values in IPAM. Enum value in this context refers to built-in
custom field values and built-in enumeration field values such as utilization,
expiry status, etc. Fixed format names for values of built-in custom field
Country is not supported and the input-output for this field will always be
localized.
IPAM generates an error csv file with details about records that failed to import
along with the reason for failure. By default, this error file is generated in the
Documents folder of the users profile.

Windows PowerShell support for IP range import


IPAM supports the following Windows PowerShell cmdlets for range import:
Import-NamsRange [-Path] <string> [-AddressFamily] <string> [-ErrorPath <string>] [Force]
Import-NamsRange [-Path] <string> [-AddressFamily] <string> [-ManagedByService]
<string> [-ServiceInstance] <string> [-AddManagedByService] [-AddServiceInstance]
[-DeleteMappedAddresses] [-ErrorPath <string>] [-Force]

31

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

The AddressFamily parameter specifies if the csv contains IPv4 or IPv6


records. Only one address family can be specified at a time with this cmdlet,
and the records in the csv should match the specified AddressFamily. The
Path parameter is used to specify the csv file containing IP address range
objects that need to be imported. The Force switch can be used with the
cmdlet to suppress the default confirmation text. The ErrorPath parameter
specifies the literal path (and not name) of the error csv file which will be
created if one or more records fail to import. The file name is generated
automatically by IPAM for the error csv file. The default value of ErrorPath is
the Documents folder of the user.
The cmdlet supports two parameter sets. The default invocation of the cmdlet
adds new IP address range objects from the csv into IPAM and edits the
existing address ranges with updated information specified in the csv. The
second parameter set can be used to periodically import and update all IP
address range objects that belong to the specified unique combination of
ManagedByService and ServiceInstance parameters. This parameter set
provides the option of deleting the IP addresses mapping to the IP address
ranges that are deleted during import by using the DeleteMappedAddresses
switch.
Import and update of IP address ranges for the specified ManagedByService
and ServiceInstance will succeed if these values are present in IPAM at the
time of import. The parameters AddManagedByService and
AddServiceInstance can be used to create the specified
ManagedByService and ServiceInstance values within IPAM at run time
before the import operation, if not already present in IPAM.

Management and Monitoring of DHCP and DNS


IPAM enables administrators to monitor hundreds of DNS and DHCP servers
spread across various regions from a centralized console. Administrative tasks
are frequently repetitive, such as altering a scope option setting on multiple
DHCP scopes. The ability to execute such tasks uniformly across servers
reduces both the effort involved as well as the probability of error.
Administrators can use the IPAM multi server management (MSM) view to
easily edit and configure key properties of multiple DHCP servers across the
organization, simultaneously. This functionality does not require installation of
additional agents or software on the target servers.
IPAM uses DHCP and DNS RPC for monitoring and management functionality.
The logged in user must have appropriate administrative privileges on the
target server in order to perform any configuration change on the target server
using IPAM UI or by launching the MMC from IPAM. The data collection and

33

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

monitoring functions do not require any special privileges on the target server
for the logged in user.

DHCP Server Management


IPAM allows managing multiple DHCP servers from a central console. The
following actions are available for DHCP servers:

Edit DHCP Server Properties - This allows setting a number of server


properties of the DHCP server

Edit DHCP Server Options - Allows addition, deletion or editing of


options at the servers level. Action can be performed on multiple DHCP
servers simultaneously to update multiple options across servers.

Create DHCP scope - Create a scope on a DHCP server, and set


numerous scope properties.

Configure predefined options and values - Create predefined options


and set option values. Select one or more servers and launch the action to
configure predefined options on multiple servers simultaneously

Configure User Class - Multi-select servers and launch the action to


configure user classes on multiple servers simultaneously.

Create and edit new and existing user classes - Multi-select servers
and launch the action to configure user classes on multiple servers
simultaneously.

Configure Vendor Class - Multi-select servers and launch the action to


configure user classes on multiple servers simultaneously.

Launch MMC - Launch the MMC for the selected DHCP server

Retrieve server data - Multi-select servers and launch the action to


retrieve server data from the selected set of servers.

DNS Server Management


IPAM allows launching MMC for DNS servers from a central console. The actions
that can be performed on DNS servers are as below:

Launch MMC - Launch the MMC for the selected DNS server

Retrieve server data - Multi-select servers and launch the action to


retrieve server data from the selected set of servers.

Multi-Entity Management
A primary benefit of IPAM functionality is its ability to simultaneously manage
multiple DHCP servers or DHCP scopes spread across one or more DHCP
servers. This significantly reduces the administrative effort needed by

35

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

eliminating repetitive steps and reducing the possibility of error during these
operations. Some of the advanced multi-edit constructs are explained below:

Create/Overwrite/Delete User Class on multiple DHCP servers


simultaneously

Create/Overwrite/Delete Vendor Class on multiple DHCP servers


simultaneously

Add/Edit/Delete Predefined Options and Values on multiple DHCP servers


simultaneously

Edit DHCP server properties like DNS update settings and DNS credentials
on multiple DHCP servers simultaneously

Add/Overwrite/Delete/FindAndReplace multiple DHCP options across


multiple DHCP servers simultaneously

Edit DHCP scope properties such as DNS updates, lease duration, and
advanced properties on multiple DHCP scopes spread across multiple
DHCP servers simultaneously

Add/Overwrite/Delete/FindAndReplace multiple DHCP options on multiple


DHCP scopes spread across multiple DHCP servers simultaneously

Activate/Deactivate multiple DHCP scopes spread across multiple DHCP


servers simultaneously

Server Monitoring
The IPAM monitoring view provides the ability to view from a single console the
status and health of selected sets of Microsoft DNS and DHCP servers. The
monitoring view of IPAM displays the basic health of servers along with recent
configuration events that occurred on these servers. The monitoring view also
provides the ability to organize the managed servers into logical sever groups.
Note:

The custom field tagging can only be done for DHCP servers from the
Monitor and Manage console by invoking the Edit DHCP Server
Properties dialog. Both DHCP and DNS servers can be configured with
custom field values from the Server Inventory view using Edit Server
dialog.

Basic configuration settings are displayed in the view and in the preview panes
in the server monitoring view. For DHCP servers, the server view enables
tracking of various server settings, server options, number of scopes, and
number of active leases, that are configured on the server. For DNS servers,
the view enables tracking of all zones configured on the server along with
details of the zone type. The view also allows you to see the total number of
zones configured on the server, as well as overall zone health status as
derived from the zone status of individual zones on the server.

37

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

IPAM also facilitates periodic service monitoring of DHCP and DNS service
status from a central console. The service status is appropriately displayed as
Running, Stopped, or Paused for each managed server in the DHCP and
DNS Servers view.
If the server role is running and IPAM still shows the availability state as Not
Reachable, ensure that

The service is running on the managed server as expected

There is proper network connectivity to the managed server

Remote service management firewall ports are open

IPAM machine SID (or IPAMUG SID for GPO provisioning) is added to the
service ACL

DNS zone monitoring


IPAM enables DNS zone monitoring for DNS forward and reverse lookup zones.
The zone status is derived by IPAM based on zone events.

Forward Lookup node


o

IPAM displays a list of all forward lookup zones that are hosted by
managed DNS servers with their overall status based on status from
all the servers hosting that zone, as well as duration that the zone
has been in that state. The zone status for all servers is shown as
OK if the zone is being serviced by each of the Authoritative
servers. The zone status for all servers is shown as Warning, if
one or more authoritative servers is not servicing the zone. The
zone status for all servers of the zone is shown as Error if none of
the authoritative servers are servicing the zone. An authoritative
server is considered to be servicing the zone if the zone status of
the zone on that server and the server availability state of the
server are not in red state.

IPAM also displays a list of all authoritative servers for that zone in
the preview pane along with the zone type and zone health status
information.

DNS zone node


o

IPAM enables automatic hierarchical navigation of forward lookup


zones. For the zone selected on the navigation tree, all DNS servers
hosting the zone are displayed. IPAM displays the zone status on
that server and the status duration. Other details such as zone
type, server availability, and IP address are displayed. IPAM also
provides a catalog of all zone events from the server to assist with
troubleshooting.

39

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

IPv4 Reverse Lookup node - IPAM enables the user to visualize all IPv4
reverse lookup zones configured on the managed DNS server. A list of all
authoritative servers hosting the selected reverse lookup zone is
presented in the preview pane.

IPv6 Reverse Lookup node - IPAM enables the user to visualize all IPv6
reverse lookup zones configured on the managed DNS server. A list of all
authoritative servers hosting the selected reverse lookup zone is
presented in the preview pane.
IPAM does not support reverse lookup zone health monitoring.

Note:

Event Catalog
In a distributed network with multiple DHCP servers, the task of monitoring
configuration changes across the infrastructure can be challenging. Individual
servers log configuration events in their log channel which roll over periodically
and are difficult to query and track centrally.
IPAM event catalog provides a centralized repository to audit all configuration
changes performed on DHCP servers managed from a single IPAM
management console. Another console in event catalog gathers all of the
configuration events from the IPAM configuration event channel.
These configuration event catalogs provide the ability to view, query and
generate reports of the consolidated configuration changes, along with details
specific to each record. IPAM audit tools enable monitoring for any potential
misconfiguration of the IP infrastructure by leveraging network audit logs for
tracking and reporting of any administrative actions required. The advanced
query and filtering support from IPAM enables tracking of Service Level
Agreements (SLAs) based on time, administrator identity, server name and
additional detail from a single console.
The IP address management audit specifically provides for:

Periodic and on-demand configuration event data collection from DHCP


and IPAM servers.

Enterprise wide view of all configuration changes on DHCP servers made


by administrators with the following details
o

Event ID

Time of event

DHCP server name (from where the event is collected)

User name (who made the change)

Domain name of the user

41

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Description of the event

In addition to the event parameters listed above, IPAM provides advanced


query constructs within the event Description field for filtering DHCP
configuration events such as scope id, scope name, option id, option
name, and reservation address.

Enterprise wide view of all configuration changes on IPAM servers made


by administrators with the following details
o

Event ID

Time of event

User name (who made the change)

Domain name of the user

Description of the event

Task category (server discovery, address space management, etc.)

Keywords (server, IPv4-range, etc.)

Opcode (add, delete, etc.)

In addition to the event parameters listed above, IPAM provides advanced


query constructs within the event Description field for filtering IPAM
configuration events such as network id, IP address, group name, and
custom field name.

Data purge facility for event catalog database tables to clean up disk
space (after backup if intended). You can select the time window before
which data must be purged and the data type (IPAM configuration, DHCP
configuration, IP address tracking). It is advisable to schedule the data
purge operation in the night or at the time when IPAM activity is low.

IP Address Tracking
In certain network forensics scenarios, it is useful to establish a trail of the
computers or devices used by a user within a specific time. In an environment
where IP addresses are dynamically assigned using DHCP, the IP addresses
assigned to devices on a network are temporary and can change over time. IP
addresses do not necessarily uniquely identify a computer or device. A host
name assigned to a computer or device can also change, and cannot be relied
upon for unique device or computer identification. Establishing a
comprehensive record or trail of the computers or devices used by a user
within a specific period, complete with IP address, host name, and MAC (Media
Access Control)/DUID (DHCP Unique Identifier) address of a computer or device
may be difficult or impossible if based solely on IP lease events.

43

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

A DC or NPS server logs events for user and machine authentication, which
also identify the IP address from which an authentication request was received.
An intelligent audit system that collects and maintains a historical trail of IP
address lease events from the DHCP server and authentication events from DC
and NPS servers can help administrators to track and associate IP addresses
with the users and devices in their environment.
The IP address tracking feature of IPAM enables you to select a search criteria,
such as IP address, client ID (MAC/DUID), host name or user name, and specify
a query time interval in terms of start and end date and time. IPAM intelligently
correlates results from the repository of DHCP leases and DC/NPS logon events
based on advanced algorithms to provide the results. This enables you to
search events for a given time frame and obtain results mapping a user
account to particular devices identified by the IP address, MAC address, and/or
host name.
The IP address tracking feature collects the following events to build the
search database:

DHCP lease events: new lease, renew lease and lease expiry events from
the DHCP audit log of the managed DHCP servers

Windows security event ID 4768- Kerberos authentication ticket (TGT) was


requested from domain controllers

Windows security event ID 672 - An authentication service (AS) ticket was


successfully issued and validated from NPS servers

The IP address tracking feature enables two query modes over the specified
time:

Exclude co-related logon and lease events - All direct matches to the
search criteria between the specified search start time and end time from
the DHCP lease logs collected in the IPAM database are returned. This
mode is supported for all search pivots except User Name.
Include co-related logon and lease events - All the co-related lease
and logon logs based on intelligent processing are returned along with the
direct search matches on the specified search criteria are returned. This
mode is supported for all searches.

Note:

The events displayed in the query result are +/- 5 minutes from the
search period specified. This is done to accommodate server time lags
or discrepancies between IPAM and managed servers. The timestamp
of events collected from managed DHCP, DC and NPS servers is stored
in UTC in the IPAM database. The timestamp on the events mined as
the result of the search operation is displayed in the context of the time
and time zone configured on the IPAM client.

45

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

The advanced co-relation logic used by IPAM is comprised of three main steps
briefly explained below:
Step 1: Finding all DHCP lease events based on direct match
For user name based search, IPAM finds the co-related host names based on
logon events and then uses the host name to determine the valid DHCP lease
events to be used for further co-relation.
Step 2: Deriving DHCP lease chunks for the specified search interval
Using the various new lease, release, and/or expire lease events determined
for the specific IP address, different distinct lease period start and end values
can be ascertained. Such different lease periods are referred to as lease
chunks. Each ascertained lease chunk will have an IP address, MAC address
and host name associated with it, picked up from the DHCP lease event logs.
Step 3: Obtain co-related events for each of the derived lease chunks For each of the ascertained lease chunks, a query is then made of the
authentication events collected in the data store to find events that match
common elements, which could be one or more of the IP address, MAC
address, or host name within the specified lease chunk. Using multiple
different common elements for the search returns additional correlated
information.

Advanced UI features

Group navigation control - Divides the data into major functional areas
followed by entities/views. The lower navigation tree further arranges the
entities into appropriate pivots such as subnets or logical groups.

View switcher on management list To toggle the view between associated


entities, for example Servers and Scopes or Address Range and Blocks.

Customize the default view - Add or remove columns of your choice in the
default view displayed. All built-in and user-defined basic and custom fields
are available for selection in the view.

Group by functionality Select to group the view using the selected criteria

Ordering Order the displayed rows based on any field.

Support for free format query on all fields Start typing any value in the
search pane to return the matching string search results filtered from the
displayed rows

Advanced query/filtering support Use multiple criteria to create advanced


queries. Select between advanced comparison constructs for each query
criteria. Save the query along with customized view and reload it later.

Export filtered records into csv reports

47

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Dedicated event catalog monitoring for each address space entity, servers,
scopes and zone, in the preview pane for each row selected

Limitations
The Windows Server "8" Beta IPAM implementation does not provide a global
solution for every possible management scenario. Notable limitations are listed
below.

Supports only Microsoft DHCP, DNS, DC, and NPS servers running Windows
Server 2008 and above

IPAM supports only domain joined DHCP, DNS and NPS servers.

Supports management of DHCP and DNS servers in a single AD forest

Supports only Windows Internal Database, and no external database is


supported

IP address utilization trend is provided only for IPv4

IP address reclaim support is provided only for IPv4

The IPAM provisioning method cannot be modified after completion of the


provisioning wizard

The only management features supported for DNS are DNS A/AAAA and PTR
record creation and deletion.

Limited support for Windows PowerShell - only a subset of functionality is


enabled through the Windows PowerShell interface.

Advanced DHCP management features such as failover management, Policy


Based Assignment (PBA) management, and backup and restore are not
supported. You can launch the DHCP MMC from within the IPAM console to
initiate these operations.

DNS management features beyond creation and deletion of A/AAAA and PTR
records are not supported. You can launch the DNS MMC from within the
IPAM console to initiate these operations.

Automatic DHCP lease enumeration is not supported by the IPAM data


collection tasks.

Automatic DNS record enumeration is not supported. You can enable this
scenario by building upon IPAM periodic address import features available
from IPAM Windows PowerShell cmdlets.

Granular delegated administration is not supported by IPAM.

49

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Technical Overview
IPAM Architecture
IPAM is comprised of two main modules, which are available as two Server
Manager features:

IPAM Server This feature provides the IPAM backend, which implements
periodic data collection tasks to gather configuration and event
information from managed servers. It also manages the relational
database hosted in the Windows Internal Database (WID) and the
Windows Communication Foundation (WCF) server endpoint, which
enables remote management of the IPAM server, provides the IPAM
Windows PowerShell module, and implements role based access control.

IPAM Client This feature includes the IPAM client UI component that
interacts with the IPAM server to perform remote management using the
WCF. The IPAM client also directly invokes the relevant Windows
PowerShell interfaces to interact with DHCP server for configuration tasks,
with DNS server for record management, and with group policy for
security filter list synchronization.

The IPAM client UI communicates with the IPAM server to perform remote
management. This is done using the WCF with TCP as the transport.
Specifically, the NetTcpBinding is used. See WCFBinding-MSDN for more detail
on the various bindings and their capabilities. The TCP binding is performed on
port 48885 on the IPAM server. This port number falls into the Registered
Ports range of IANA but is not currently assigned. The default port choice is
not made from the ephemeral port range, as this server-side functionality that
the socket is listening for traffic at all times once the server feature is enabled.
When there is a port conflict or there is a need to reconfigure the server port,
the port number on the server can be configured. Prior to connecting to the
IPAM server, the client UI queries the configured server port by using a
Windows PowerShell cmdlet provided by IPAM. This leverages Windows
PowerShell remoting. Windows PowerShell remoting is built on the WinRM
layer, which is enabled by default. IPAM Windows PowerShell cmdlets getipamconfiguration and set-ipamconfiguration can be leveraged to get and set the
WCF communication port respectively.
The figure below illustrates high level IPAM architecture.

51

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 2 IPAM High Level Architecture

IPAM also allows you to specify the group policy objects to manage the
DHCP/DNS/NPS/DC server configuration for use with IPAM during setup. These
group policy objects must be created in advance for each server role (DHCP,
DNS, DC/NPS). The security filtering lists for these group policy objects will be
updated when the servers are enabled or disabled for management through
the IPAM console.
The IPAM server communicates with all the managed DHCP servers to get the
DHCP scope utilization for both IPv4 and IPv6 (stateless as well as stateful),
server configuration and scope configuration using DHCP Windows PowerShell
commands. The DHCP Windows PowerShell commands use Microsoft Dynamic
Host Configuration Protocol (DHCP) Server Management Protocol Specification
[MS-DHCPM] to communicate with the DHCP server.
The DHCP address lease information is available in an audit log file on the
DHCP server. The IPAM server retrieves the address audit text file (for both
IPv4 as well as IPv6) using the SMB protocol. This text file is parsed to get the
address assignment information. The address audit text file for IPv6 clients
(stateful and stateless) is available only in Windows Server "8" Beta DHCP
servers. The DHCP server generates events for auditing the configuration
changes. The IPAM server reads the configuration changes from the DHCP
server event log and EventLog Remoting Protocol Version 6.0 Specification
[MS-EVEN6] is used for reading these events. The IPAM server also retrieves

53

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

the service status of the DHCP/DNS servers using the Service Control Manager
Remote Protocol Specification [MS-SCMR] protocol.
The IPAM server communicates with DNS servers to get the server
configuration and DNS zone settings. The DNS Windows PowerShell commands
use Domain Name Service (DNS) Server Management Protocol Specification
[MS-DNSP] to communicate with the DNS server.
The IPAM server communicates with DCs to get the logon events. Whenever a
user authenticates with DC, a logon event is generated and the IPAM server
collects these events for audit trail analysis. The remote event collection uses
[MS-EVEN6]. In order to discover the DHCP servers, the IPAM server reads the
DHCP server list stored in the DHCPServers group contained in the NetServices
container
(CN=NetServices,CN=Services,CN=Configuration,DC=domain,DC=com) in AD.
The IPAM server reads the DHCPServers group using the LDAP protocol. LDAP is
also used to query the list of domains. This list of domains is used for
discovering the DNS servers.
The IPAM server communicates with NPS server to get the authentication
events. Whenever NPS authenticates a user, it generates an authentication
event. The IPAM server collects these events for audit trail analysis. The
remote event collection uses [MS-EVEN6].
The following table lists the different interactions between the IPAM system
and other servers.
Managed
Role

From
IPAM
compone
nt
IPAM
Server

Protocol

Comments

MSDHCPM/MSEVEN6 /MSSMB /MSSCMR

DHCP

IPAM
Client

MS-DHCPM

DHCP
address
audit file

IPAM
Server

MSSMB

IPAM server interacts


with DHCP server to
perform IP address
utilization, DHCP
server configuration
retrieval, DHCP server
monitoring and IP
address audit trail
data.
IPAM Client uses MSDHCPM (used by
Windows PowerShell
provider) to remotely
manage the DHCP
servers.
DHCP address lease
information is stored in
a file and IPAM

DHCP

55

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

(IPv4/IPv6)
DNS

IPAM
Server

MS-DNSP/
[MS-EVEN6]

DNS

IPAM
Client

MS-DNSP

AD

IPAM
Server

RFC2251/MSEVEN6

NPS

IPAM
Server

MS-EVEN6

DC

IPAM
Client

MS-GPOL

DC

IPAM
Client

RFC2251/LDA
P

IPAM Server

IPAM
Client

[MS-PSRP]

retrieves this file. This


qualifies as a new file
format protocol.
IPAM server interacts
with DNS server to
perform DNS server
configuration retrieval,
DNS server
monitoring.
IPAM client uses MSDNSP (used by
Windows PowerShell
provider) to remotely
manage DNS servers.
IPAM server interacts
with AD server to
perform discovery of
DHCP and DNS server
and IP address audit
trail data.
IPAM server interacts
with NPS server to
perform IP address
audit trail data.
IPAM client uses the
MS-GPOL to configure
the administrator
specified group policy
object with the list of
servers that are
enabled for
management through
IPAM.
Used to retrieve server
information from the
machine object in AD
(such as machine
GUID, OS installed
etc.)
Used to query the
server-port
configuration from the
IPAM server using the
Windows PowerShell
cmdlet for the same.

IPAM Local Security Groups


IPAM setup creates appropriate security groups to isolate and restrict the
permissions available to different sets of IPAM administrators and users. The
installation process creates local security groups on the IPAM server, which

57

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

provide permissions required for administering and using the multiple services
employed by IPAM. For example, IP lease audit collection could be restricted to
a specific set of administrators only. It is possible to display MSM configuration
data to all DHCP Users, while MSM configuration rollout itself may be restricted
to only a relevant subset of administrative accounts.
IPAM installation automatically creates the following local user groups:
Group Name

Description

IPAM Users

Members of this group can view all information


in server inventory, IP address space, and server
management consoles of IPAM. They can view
IPAM and DHCP server operational events, but
cannot view IP address tracking information.

IPAM MSM Administrators

IPAM ASM Administrators

Members of this group have all the privileges of


IPAM User group and can perform IPAM common
management tasks as well as server
management tasks.
Members of this group have all the privileges of
IPAM User group and can perform IPAM common
management tasks as well as server
management tasks.

IPAM IP Audit
Administrators

Members of this group have all the privileges of


IPAM User group and can view IP address
tracking information.

IPAM Administrators

Members of this group have privileges to view


all IPAM information and perform all IPAM tasks.

Note:

In order to perform the Find Available IP task of IPAM address space


management on a DHCP range, the user must additionally have DHCP
Users privileges on the relevant DHCP server. Only IPAM
Administrators can perform the Purge Event Catalog Data task.
IPAM IP Audit Administrators do not have this privilege. IPAM MSM
Administrators can edit IP address range information for MS DHCP
ranges in the IP Address Space console.

IPAM Tasks and Service Account


IPAM schedules the following tasks to retrieve data from managed servers:

ServerDiscovery - Automatically discovers domain controllers, DHCP


servers and DNS servers in the domains you select.

59

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

ServerConfiguration - Collects configuration information from DHCP and


DNS servers for display in IP address space and server management
functions.

AddressUtilization - Collects IP address space usage data from DHCP


servers for display of current and historical utilization.

Audit - Collects DHCP and IPAM server operational events. Also collects
events from domain controllers, NPS, and DHCP servers for IP address
tracking.

ServerAvailability - Collects service status information from DHCP and


DNS servers.

ServiceMonitoring Collects DNS zone status events from DNS servers.

AddressExpiry Tracks IP address expiry state and logs notifications.

All Windows tasks required for IPAM services need to present credentials to the
managed node for authentication before accessing protected data and logs
from server roles. For example, accessing event logs on the managed server
nodes requires that the IPAM tasks authenticate under the context of a
member of the Event Log Reader security group on the target node. All IPAM
tasks launch under the Network Service account, which presents the local
computers credentials to remote servers.
During installation, IPAM tasks are added with the following default frequency
of execution, which can be modified from the Task Scheduler from the path
Task Scheduler Library -> Microsoft -> Windows -> IPAM
Task Name

Frequency

For Duration

ServerDiscovery
AddressUtilization

1 Day
2 Hours

Indefinitely
Indefinitely

Audit
ServerConfiguration

1 Day
6 Hours

Indefinitely
Indefinitely

ServerAvailability
ServiceMonitoring

15 Minutes
30 Minutes

Indefinitely
Indefinitely

AddressExpiry
1 Day
Indefinitely
Apart from periodic data gathering IPAM also supports on-demand data refresh
from all the servers in its scope or only from a subset of servers in context of
the selected entity for which data retrieval has been triggered. IPAM further
supports on demand data refresh for specific functional areas such as address
space or event catalog. The following on-demand data retrieval actions are
supported by IPAM:

61

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Action
Name

Type

Scope

Launch
Point

Periodic
Tasks Run

Start
Discovery

NonContextua
l

Across all
configured
domains

Manage
Menu

ServerDiscove
ry

Retrieve
All Server
Data

NonContextua
l

All servers (and


server roles)
managed by IPAM

All tasks
except
Discovery

Refresh
Server
Access
Status

Contextua
l

Selected server(s)

Manage
Menu OR
Tasks
Menu in
Server
Inventory
view
Right click
menu on
(multi)sele
cting
servers in
the Server
Inventory
view

Retrieve
All Server
Data

Contextua
l

Selected server(s)

All tasks
except
Discovery

Retrieve
Address
Space
Data

NonContextua
l

All DHCP servers


managed by IPAM

Right click
menu on
(multi)sele
cting
managed
servers in
the Server
Inventory
view
Tasks
Menu in IP
Address
Space
view

Retrieve
Address
Space
Data

Contextua
l

(Multi)Selected
IPAM ranges (and
associated DHCP
servers)

Right click
menu on
(multi)sele
cting
ranges in
the IP
Address
Space

ServerConfigur
ation,
AddressUtilizat
ion,
AddressExpiry,
Audit

Discovery task
for access
status(es)
check

ServerConfigur
ation,
AddressUtilizat
ion,
AddressExpiry,
Audit

63

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Retrieve
Server
Data

NonContextua
l

All DHCP and DNS


servers managed
by IPAM

Retrieve
Server
Data

Contextua
l

(Multi)Selected
servers (or
servers associated
with (multi)
selected scopes or
zones)

Retrieve
Audit
Data

NonContextua
l

All DHCP, DC and


NPS servers
managed by IPAM

view
Tasks
Menu in
Monitor
and
Manage
view
Right click
menu on
(multi)sele
cting
servers,
scopes or
zones in
the
Monitor
and
Manage
view
Tasks
Menu in
Event
Catalog
view

ServerConfigur
ation,
ServerAvailabil
ity,
ServiceMonitor
ing, Audit
ServerConfigur
ation,
ServerAvailabil
ity,
ServiceMonitor
ing, Audit

Audit

Installing and Provisioning IPAM


Deployment Considerations
IPAM is an agentless multi-server, multi-service management feature and
leverages standard Windows remote management protocols to manage,
monitor and collect data from the distributed servers in the enterprise. IPAM
must be installed on a domain member computer.
IPAM relies on a host of remote management technologies to provide full
functionality. Various IPAM modules need to communicate with multiple
network elements throughout the enterprise for data gathering and
configuration management. Depending on the scope of managed elements,
this communication may need to traverse multiple security boundaries or
domains.

Important:

IPAM does not support multi-forest topology. All domains in a single


Active Directory forest can be managed.

65

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

IPAM supports the following topologies for deployment in an enterprise:

Distributed: An IPAM server deployed at every site in an enterprise

Centralized: One IPAM server in an enterprise

Hybrid: Central IPAM server deployed alongside dedicated IPAM servers


per site

There is no automatic built-in communication or database sharing between


different IPAM servers in the enterprise. If multiple IPAM servers are deployed,
you can customize the scope of discovery for each IPAM server, or filter the list
of managed servers.
Note:

If required, you can leverage the IPAM Windows PowerShell based


export-import mechanism to periodically update IPAM range and
address information between multiple IPAM instances running across
the enterprise.

You can choose to limit the IPAM scope, depending on the deployment. A single
IPAM server may be implemented to manage IP addressing for the entire
enterprise. Alternately, an IPAM server may be deployed at every geographical
site in the enterprise, or in each child domain in the AD forest. If multiple IPAM
servers are used, you can limit the server discovery and management scope of
each to include only infrastructure servers managed by the individual IPAM
installations.
The IPAM server manages and monitors the DHCP and DNS servers within the
site or child domain, and collects the forensics information from DHCP, DC and
NPS servers. IPAM correlates and stores the collected information in the IPAM
servers local database using Windows Internal Database (WID).

67

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 3 IPAM Multi-Site Hybrid Deployment Model

Installation Process IPAM Server


The Windows Server "8" Beta IPAM feature integrates with the Server Manager
console for installation and uninstallation. The Server Manager console eases
the task of managing and securing multiple server roles through the Add Roles
and Features Wizard.
Note:

You cannot install the IPAM server feature on an Active Directory


domain controller. Installing IPAM on a physical server with co-located
DHCP server role is not recommended. This negatively impacts the
DHCP server discovery function of IPAM.

Installation UI/Wizard
In Server Manager, Dashboard, click Add roles and features.

69

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 4 Server Manager Dashboard

Click through the Add roles and features wizard screens to select Role or
Feature Based Install and the target server. On the Select Features screen,
select IP Address Management (IPAM) Server. Click Add Features when
prompted.

Figure 5 Add Roles and Features Wizard IPAM Server Selection

IPAM installation ensures that all IPAM dependencies are also installed at the
time of installation. IPAM Installation is not successful unless all the dependent
modules are first installed. Installation dependencies include the following:
Feature or Tool

Description

Remote Server
Administration Tools
Windows Internal Database

DHCP and DNS Server Tools provides for


remotely managing DHCP and DNS servers.
Windows Internal Database is a relational
data store that can be used only by Windows

71

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Windows Process
Activation Service
Group Policy Management

.NET Framework 4.5


Features
IPAM Client (optional)

roles and features.


Windows Process Activation Service
generalizes the IIS process model, removing
the dependency on HTTP.
Group Policy Management is a scriptable
Microsoft Management Console (MMC),
providing a single administrative tool for
managing Group Policy.
.NET Framework 4.5 provides a programming
model for building and running applications
designed for several different platforms.
For managing any local or remote IPAM
server.

The IPAM dependency list dialog allows you to select the installation of IPAM
client along with installation of the IPAM server feature using the checkbox
Include management tools (if applicable). By default, IPAM client is preselected for installation along with IPAM server.
After selecting Install in the wizard, installation progress is shown until the
feature is installed successfully.

Figure 6 Installation Progress

73

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Verifying Installation
When the Add Features wizard completes, it will display a message indicating
that the installation succeeded. IPAM server can now be managed using local
or remote instance of IPAM client UI.

Figure 7 Successful Installation Confirmation

Uninstalling/Disabling
The Windows Server "8" Beta IPAM feature integrates with the Server Manager
console for installation and uninstallation. The console eases the task of
managing and securing multiple server roles through the Remove Roles and
Features Wizard. The IPAM uninstallation process ensures that all IPAM
dependencies are removed, and that all IPAM local security groups and
scheduled tasks are deleted. Uninstallation also ensures that the IPAM
database is detached from WID and all the database data and schema files are
deleted.

75

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 8 Remove Roles and Features Wizard

Installation Process IPAM Client


Although the IPAM client feature is automatically installed on a Windows Server
"8" Beta server, along with installation of the IPAM Server feature, this
component can also be installed or uninstalled on its own. Click through the
Add roles and features wizard screens to select Role or Feature Based Install
and the target server. On the Select Features screen, select Remote Server
Administration Tools -> Feature Administration Tools -> IP Address
Management (IPAM) Client. Click Add Features when prompted.

77

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 9 Add Roles and Features Wizard IPAM Client Selection

In order for the IPAM client to connect to an IPAM server, you must ensure that
the target IPAM server is added to the Server Manager purview using the Add
Servers wizard launched from the Manage menu. If both IPAM client and IPAM
server are running on the same server, then by default the IPAM UI connects to
the local IPAM server instance.
Note:
A domain user connecting to the IPAM server from a remote IPAM client must be a member
of the WinRMRemoteWMIUsers__ group on the IPAM server, in addition to being a member
of the appropriate IPAM security group. IPAM client is an integrated component with the
Server Manager RSAT. Server Manager RSAT is also available for download and installation
on a Windows 8 Consumer Preview client machine. The IPAM node will appear in the Server
Manager navigation tree by default on the Windows 8 Consumer Preview client RSAT.

IPAM Provisioning
IPAM installation sets up various periodic data collection tasks to collect
relevant data from managed DNS, DHCP, DC and NPS servers to enable
address space management, multi-server management and monitoring and
event catalog scenarios. All IPAM tasks launch under the Network Service
account, which presents the local computers credentials to remote servers.
To accomplish this, administrators must enable read access and security
permissions for the required resources over managed servers for the IPAM

79

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

servers computer account. Further the relevant firewall ports need to be


configured on these managed servers.
Note:

The term IPAM scope in this context and throughout this document refers
to the IP network elements (DHCP/DNS/NPS/DC servers within the forest)
which are discovered or added, and activated for various IPAM services.
In other words these are the Managed server roles within IPAM.

IPAM Access Settings


The following table provides a mapping of the IPAM functionality and managed
server role type to access setting and FW rule required by IPAM periodic tasks:
Role
Type

DHCP

DNS

Access Setting

FW Rule

Associated IPAM
functionality

Membership of
DHCP Users
security group

DHCP Server
(RPC-In)

DHCP address space,


settings and utilization
data collection

Read access in the


DHCP Server
service ACL

Remote Service
Management
(RPC)

Membership of
Event Log
Readers security
group

Creation of
Network share
dhcpaudit of the
DHCP audit file
location (default
location for logs is
%windir
%\system32\dhcp)
and read access on
the same
Read access in the
domain wide DNS
ACL* (for DC colocated DNS

DHCP Server
(RPCSS-In)

Remote Service
Management
(RPC-EPMAP)
Remote Event
Log Management
(RPC)

DHCP Service
monitoring

DHCP configuration
event monitoring

Remote Event
Log Management
(RPC-EPMAP)
File and Printer
Sharing (NBSession-In)

DHCP lease event


collection for IP address
tracking

File and Printer


Sharing (SMB-In)

DNS Service RPC


DNS Service RPC
Endpoint Mapper

DNS zone configuration


collection

81

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

servers)
OR
Membership of
local
Administrators
group on DNS
server (for DNS
servers not colocated with DC)
Membership of
Event Log
Readers security
group
Read access in the
ACL stored in the
DNS CustomSD
registry key
Read access in the
DNS Server
service ACL

DC/NPS

IPAM
(local
server)

Note:

Note:

Membership of
Event Log
Readers security
group

Membership of
Event Log
Readers security
group

Remote Event
Log Management
(RPC)

DNS zone event


collection for DNS zone
monitoring

Remote Event
Log Management
(RPC-EPMAP)

Remote Service
Management
(RPC)
Remote Service
Management
(RPC-EPMAP)
Remote Event
Log Management
(RPC)

DNS service monitoring

Logon event collection


for IP address tracking

Remote Event
Log Management
(RPC-EPMAP)
N/A

IPAM configuration
event monitoring

For DNS servers co-located with a DC, the RPC read access can be
enabled by adding the IPAM machine account to the domain wide DNS
ACL. This setting needs to be propagated only once for the entire domain
and not for every individual DNS server.
For access to local event logs on the IPAM server to enable the IPAM
Configuration Events cataloguing, the Network Service account is
automatically added to the IPAM servers Event Log Readers group at
the time of IPAM installation and provisioning.

83

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

IPAM Access Monitoring


IPAM access monitoring tracks the provisioning state of the following statuses
on the server roles, which are displayed in the details pane of the IPAM server
inventory view:
Role Type

DHCP

DNS

DC/NPS

Access Setting Tracked by


Server Discovery

Access tracking fields


name in Server Inventory
view

Membership of DHCP Users


security group and
corresponding remote
management firewall rules
enablement

DHCP RPC Access Status

Membership of Event Log


Readers security group and
corresponding remote
management firewall rules
enablement

Event Log Access Status

Creation and read access of


Network share dhcpaudit of
the folder where DHCP audit
files are located and remote
file transfer firewall rules
enablement
Read access in the domain
wide DNS ACL and
corresponding remote
management firewall rules
enablement

DHCP Audit Share Access


Status

Membership of Event Log


Readers security group and
corresponding remote
management firewall rules
enablement
Membership of Event Log
Readers security group and
corresponding remote
management firewall rules
enablement

Event Log Access Status

DNS RPC Access Status

Event Log Access Status

85

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

The following recommended actions are tracked by IPAM server inventory view
related to access settings:
Recommended
Action
IPAM access
Unblocked
IPAM access
Blocked

Unblock IPAM
access

Block IPAM access

Set manageability
status

Note:

Scenario
Server manageability status
is Managed and overall IPAM
access status is Allowed
Server manageability status
is Unmanaged and overall
IPAM access status is Blocked
Server manageability status
is Managed but overall IPAM
access status is Blocked

Server manageability status


is Unmanaged but overall
IPAM access status is Allowed

Server manageability status


is Unspecified

Action Required
No action required

No action required

Refer to sub-access
status listed in the
Details pane and
provision the required
access setting
Refer to sub-access
status listed in the
Details pane and unprovision the read
access for IPAM
Set server
manageability status
to Managed or
Unmanaged

The following access sub-statuses are not tracked by IPAM server


inventory view in Windows Server "8"Beta.
- DNS zone event access
- DHCP server service access
- DNS server service

Additional Considerations
The IPAM server must collect DHCP lease events and DC/NPS logon events to
enable IP address tracking functionality. This section explains some of the
deployment related details to consider on the target DHCP, DC and NPS
servers from which IPAM collects this information.
DHCP audit file is generated by default in the %windir%\system32\dhcp folder,
but the path can be changed by editing IPv4 and IPv6 properties (Properties ->
Advanced -> Audit log file path setting). For IP addressing to work, the IPv4
and IPv6 audit log file path should both be set to a common folder location.
Ensure that the DHCP audit log file size is appropriately configured to hold
audit events for the entire day on the DHCP server.

87

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Similarly, for DC and NPS servers, enable the required events for logging. The
security log settings determine enabling/disabling of these events. The
relevant setting to enable logging of these events is available under group
policy (Computer Configuration -> Windows Settings -> Security Settings ->
Local Policies -> Audit Policy -> Audit Account Logon Events). For a heavily
loaded DC, ensure that the periodicity of IPAM AuditTask is less than the time
window in which the security logs on DC and NPS servers roll over.

Provisioning Methods
IPAM allows users to choose between manual or GPO based configuration of
these access settings on managed servers. Given the fair amount of
administrative complexity in configuring these settings, IPAM recommends
using GPO based mechanism to automatically provision IPAM access settings.
Using GPOs for IPAM access provisioning also enables ongoing automatic
maintenance of these settings and adjustments to the changing needs and
alterations made to the IPAM scope.

Group Policy Based Provisioning


IPAM allows automated discovery of the required server roles across domains
within the forest. The IPAM setup process automatically defines and sets
required remote management permissions to enable administrative actions
performed by IPAM tasks by applying relevant pre-staged Group Policy Objects.
After the initial configuration is completed, IPAM setup processes regular
updates so that the environment remains current across any incremental
scope changes.
For DHCP and DNS servers, IPAM GPOs are configured using a combination of
standard GPO settings and custom script that is maintained in the SYSVOL
share. There were multiple reasons to use the custom script for propagating
some of the settings versus using the standard GPO settings. These reasons
are provided below:

To append and not replace any custom setting on the DNS and DHCP
service ACL

To append and not replace any custom setting on the DNS event log
CustomSD registry entry

To configure the dhcpaudit network share on any non-default location


configured on the DHCP server

To ensure that the read access for the dhcpaudit share is enabled only for
IPAM and not for Everyone

To ensure that any localized string name for the DHCP Users group would
be automatically taken care of while adding the IPAM account

89

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

More
Information:
Note:

For details of GPO settings created by IPAM, refer to the GPO


settings detail section of the Appendix to this guide:
GPO Based IPAM Provisioning - GPO Setting Details
The IPAM GPO based access provisioning is done by creating a universal
group in the domain and adding the IPAM machine account to this
universal group. All the access propagation by the GPO is done for the
group and not for the specific IPAM machine account.

Creating Group Policy Objects


IPAM provides a Windows PowerShell cmdlet, - Invoke-IpamGpoProvisioning, to
automate the creation of IPAM GPOs.
Invoke-IpamGpoProvisioning [-Domain] <string> [-GpoPrefixName] <string> [IpamServerFqdn <string>] [-User <string[]>][-Group <string[]>] [-PassThru] [-Force]
[-WhatIf] [-Confirm] [<CommonParameters>]

The Invoke-IpamGpoProvisioning cmdlet creates and links three group


policies in the specified domain for provisioning required access the server
roles managed by IPAM. GpoPrefixName provided here should be the same as
the prefix configured in the IPAM provisioning wizard. The three GPOs are
created with the suffix '_DHCP', '_DNS' and '_DC_NPS' appended to the
GpoPrefixName. These suffixes signify the three different types of access
settings that are propagated depending on the type of server role managed by
IPAM.
For example, if the group policy name prefix is IPAMGPO, then the cmdlet will
create the following three GPOs in the specified domain.

IPAMGPO_DHCP

IPAMGPO_DNS

IPAMGPO_DC_NPS

The access settings propagated by these GPOs are required by the periodic
IPAM data collection tasks that run under the Network Service account. Access
settings are propagated for the IPAM server machine account, since that is the
credential presented by Network Service to access remote resources. By
default, IPAM uses the IPAM server FQDN of the local machine from where the
cmdlet is run. If required, you can explicitly specify the FQDN name of the IPAM
server using the IpamServerFqdn parameter.
The cmdlet creates a universal group named IPAMUG in the specified domain (if
not already present), and adds the computer account of specified
IpamServerFqdn to it. Access setting propagation by IPAM GPOs are done for
the universal group IPAMUG. The cmdlet also modifies the domain wide DNS
ACL to enable DNS RPC access for IPAM.

91

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

IPAM auto-detects the available DC in order to invoke the GPO related


operations. The GPO objects created by this cmdlet can be returned using the
PassThru switch.

Delegate IPAM GPOs


After creation of IPAM GPOs, it is feasible to delegate subsequent GPO edit
privileges to the appropriate IPAM administrators (who are not domain or
enterprise administrators) by using the parameters User or Group available
with the Invoke-IpamGpoProvisioning cmdlet. This delegation will be
required when you select the servers to be managed within the IPAM console,
and IPAM automatically attempts to add them in the appropriate GPOs using
the logged in user credentials. IPAM recommends creating a domain level
group IPAMGPOAdmins and delegating the GPO edit privileges to that group
using the Group parameter, as opposed to adding an individual user list for
delegation.

Adding Managed Servers to GPO


At the time of creation of GPOs, the security filter list of IPAM GPOs is empty.
When the manageability status of a server is edited in IPAM server inventory
view, IPAM automatically adds or removes the server in the appropriate GPO
security filter list. Managed servers are added to the GPO security filtering and
unmanaged servers are deleted. IPAM GPO editing privileges can be delegated
to IPAM administrators who are not domain or enterprise administrators, using
User and Group parameters in Invoke-IpamGpoProvisioning cmdlet.
IPAM follows the logic below to update the GPO security filter list:

When a server role is marked as managed IPAM automatically adds it to


the appropriate IPAM GPOs based on the active roles on this server.

When a server is marked as unmanaged IPAM automatically deletes it


from the appropriate IPAM GPOs based on the active roles on this server.

When a server role is marked as active (checked) on a managed server,


IPAM automatically adds it to the appropriate IPAM GPO.

When a server role is marked as inactive (unchecked) from a managed


server, IPAM automatically deletes it from the appropriate IPAM GPO.

Note:

IPAM considers GPO update failures during server edit operation due to
GPO not existing, insufficient privileges, or any other issue, as nonblocking. In other words, server edit operation will continue irrespective
of any failures encountered during GPO update. A detailed report of the
failures will be presented, and can be used to manually edit the IPAM
GPOs. Newly discovered IPAM roles on managed servers (in periodic
server discovery cycle) are marked as Managed. However, since the IPAM
task does not have GPO editing privileges, these roles will not be
automatically added in the relevant IPAM GPO. You must add such roles
manually to the relevant IPAM GPO. A critical event is logged in IPAM

93

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

administrative channel to allow you to easily track this scenario if it


occurs.

Manual Provisioning
It is possible to bypass the wizard-based automated deployment and set a
custom scope for IPAM management. To deploy a limited pilot implementation
of IPAM, you can manually add administrators and server computer accounts
to appropriate predefined AD security groups, and configure firewall rules to
allow communication to a set of manually selected and configured network
nodes.
More
Information:

For details of enabling IPAM access settings on managed roles


manually, refer to the Manual IPAM Provisioning section of the
Appendix to this guide:
Manual IPAM Provisioning - Configuring Access Settings

Configuring and Managing IPAM


IPAM Initial Setup
The IPAM overview page on IPAM Client UI navigates the user across six basic
steps required to complete initial setup for an IPAM Server:
1. Connect to an IPAM server
2. Provision the IPAM server
3. Configure server discovery
4. Start server discovery
5. Select or add servers to manage and verify IPAM access
6. Retrieve data from managed servers

Connect to IPAM Server


IPAM enables connecting to a remote or local IPAM server using the first step
listed in sequence on the IPAM Overview page. By default, the IPAM Client UI
automatically connects to the local instance of IPAM server (if running). The
Connect to IPAM Server dialog allows the user to select from the local and
remote IPAM server instances detected by Server Manager from the pool of
servers being managed.

95

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 10 Select IPAM server to connect IPAM client

Note:

Remote IPAM servers must be added to the Server Manager purview


using the Add Servers dialog available in the Manage menu, before
they are listed in the Connect dialog.

IPAM Provisioning Wizard


The IPAM provisioning wizard needs to be completed one time on every IPAM
server. The IPAM provisioning stage sets up IPAM security groups and IPAM
database.
Note:

The logged in user must have Administrator privileges (running elevated)


in order to complete IPAM provisioning.

The IPAM provisioning wizard prompts you to select between manual and
group policy based provisioning methods. Once the provisioning wizard is
complete, this setting cannot be changed. For more information on IPAM
provisioning methods refer to the corresponding section in this guide.

97

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 11 Provision IPAM Wizard Select Provisioning Method

If Manual deployment is selected, the IPAM wizard does not take any action to
deploy settings, and the administrator can consult the help files and IPAM
deployment guide to determine necessary settings to apply manually.
If Group Policy Based deployment is selected, supply the unique GPO prefix
name for this IPAM instance. The IPAM wizard does not take any action to
actually create the group policies, and you can use the IPAM Windows
PowerShell cmdlet Invoke-IpamGpoProvisioning to create the group policies.
The GPO prefix name selected in this step must be as the one specified as
GpoPrefixName parameter with the GPO creation cmdlet.

Important:

The provisioning method selected is simply committed in the IPAM


database in this step. The IPAM provisioning wizard does not perform
any corresponding action such as creating the group policy objects or
provisioning the servers.

Once the IPAM provisioning wizard successfully completes, the IPAM database
and security groups are in place. You can add the required users to the IPAM
security groups based on their roles. For more information on IPAM security
groups, refer to the relevant section in this guide.

Configure Discovery
Next, click configure server discovery to launch the Configure Discovery
settings wizard. Use the discovery settings wizard to add all domains in the forest
on which you intend to run discovery. You must add each domain to the list
explicitly, even if the forest root domain has been selected. For each domain
added to the scope of discovery, you can select which type of servers to discover.

99

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

By default, domain controller, DHCP server, and DNS server check boxes are all
selected.

Figure 12 Configure Server Discovery

Create IPAM GPOs


Although there is no strict ordering in terms of when IPAM group policies
should be created, IPAM recommends that at the time of adding any domain
into the server discovery configuration, the corresponding group policies
objects should also be created using the Windows PowerShell cmdlet InvokeIpamGpoProvisioning. Domain administrator privileges are required to
create IPAM GPOs and the IPAM GPO edit privileges should be delegated to
appropriate IPAM administrators who do not have domain or enterprise
administrator privileges.

Start server discovery


The Discovery task runs periodically and uses these settings to discovery the
specified server roles running on the selected domains. The default periodicity
of the discovery task is set as one day and is user configurable from the task
scheduler. User can also start server discovery on demand by clicking on
Start Server Discovery from the Overview page or by clicking Start
Discovery from the global action Manage from any other page.

101

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 13 Start Server Discovery

Select or add servers to manage and verify IPAM


access
Once the discovery process completes, the discovered servers are listed in the
Server Inventory view of the IPAM management console. The action column
initially displays each discovered server manageability status as Unspecified
until an administrator classifies the server as managed or unmanaged.

Figure 14 Discovered Servers View

Servers are arranged under IPv4 or IPv6 nodes based on their network
interface address. It is possible that the same server may appear in both IPv4
and IPv6 node, if it has two types of IP addresses.

Add Server
Use the Add or Edit Server dialog to set the manageability status to
Managed for servers that you intend to manage via IPAM. Servers (and their

103

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

corresponding roles) can also be added manually into the IPAM management
span. This is especially useful for adding NPS servers (required for IP Address
tracking feature), which cannot be auto-discovered by IPAM. In order to add a
server manually, right click on IPv4/IPv6/Managed servers/Unmanaged servers
on the left navigation tree to trigger the Add server dialog.

Figure 15 Add or Edit Server Dialog

Set Server as Managed


You can select one or more servers to be marked as managed from the
discovered set of servers. Right-click on the server to display the server menu
and select Edit server action.

105

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 16 Edit Server Task

Verify IPAM Access


Discovered or added servers are shown along with their Server Type and
IPAM Access Status. Server type refers to the workloads (DHCP/DC/DNS)
running on the server and IPAM access status refers of the status of IPAM
specific management settings which are required to be configured on these
servers.

GPO based provisioning


As the servers are set to be managed in IPAM, the server is added to the
security filtering for relevant GPOs based on the roles that are active on the
server. Ensure that the GPOs are created on the domain in advance, and the
logged in user has the permissions to edit the GPO at the time of marking
server as managed. If for some reason the server fails to get added to the
GPO, the edit operation is not aborted and you must manually add the server
to the required GPO. IPAM recommends multi-editing all the relevant servers
simultaneously to mark their status as managed, in order to optimize the
number of GPO updates done by IPAM.
Once the server is added the appropriate GPOs either wait for automatic
periodic policy update to take place or run GPUpdate /Force on the target
managed servers. This should enable the required access settings propagated
by the standard GPO settings. For DHCP and DNS servers, IPAM installs a
scheduled task to execute a custom Windows PowerShell script in order to
propagate the access settings. Ensure that the task is successfully completed
on the target server.

107

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Manual provisioning
For manual provisioning, ensure that the required access settings are
appropriately configured on the target server manually.

Refresh Access Status


The typical refresh period of the server access status as checked by the
ServerDiscovery task is one day. For the initial setup, IPAM recommends to
multi-select all managed servers, right click and select Refresh Server
Access Status task to trigger on-demand refresh. Running server discovery
again will also update the IPAM access status.

Figure 17 Refresh Server Access Status

Verify Access
Verify that IPAM access status is listed as unblocked indicating that manual or
GPO based provisioning is successfully complete.

Figure 18 IPAM Access Unblocked

For the IPAM access status value to be allowed, all of the access sub-states
shown in the details pane should be marked as allowed. These access states
are:

DNS RPC access status

109

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

DHCP RPC access status

Event log access status

DHCP audit share access status

Troubleshooting Access Issues


If any of the access sub-states for managed server roles is showing in the
Blocked state, check that the corresponding setting is enabled on the target
server. For details of access setting to sub-state mapping refer to the IPAM
Access Monitoring section in this guide. For GPO based provisioning, the
GPResult command line tool can be used to troubleshoot group policy update
issues. The provisioning task setup by IPAM DHCP and DNS GPOs creates a
troubleshooting log in the location %windir%\temp named IpamDhcpLog.txt
and IpamDnsLog.txt respectively.

Retrieve data from managed servers


Multiple IPAM tasks run periodically to collect data from the set of servers
marked as Managed. The default period of collection depends upon the data
being collected and varies from 15 minutes to 6 hours. This interval of
collection is configurable from the task scheduler. Data can also be retrieved on
demand. In order to retrieve data from all managed server, the Retrieve All
Server Data action can be invoked from the global management menu.
This completes the initial setup of IPAM for DHCP, DNS, DC and NPS server
management and monitoring across various consoles on the UI.

Server Inventory Management


From the Server Inventory view, right click on one or more servers to take an
action on only the selected servers.

Figure 19 Server Inventory Management

The available actions are:


Edit Server: Edit manageability status of the server and roles on the
servers.
Retrieve All Server Data: Retrieve data for all selected roles on the
selected server.
Refresh Server Access Status: Refresh Server Access Status for the
selected servers only
Delete: Remove a server from the inventory view, along with all its data.

111

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Address Space Management


The IPAM address space management (ASM) feature provides the ability to
efficiently view, monitor, and manage IP address space on the network. ASM
supports IPv4 public and private addresses and IPv6 global and unicast
addresses. Searching and sorting of IP addresses, IP address ranges and IP
address blocks can be based on built-in fields or user defined custom fields,
such as region, Regional Internet Registries (RIR), device type, or customer
name. You can track IP address utilization and threshold-crossing status, or
display utilization trends. IPAM ASM feature address the IP address space
management problem in a growing distributed environment by ensuring better
planning, accountability, and control. IPAM also enables you to detect
overlapping IP address ranges defined on different DHCP servers, find free IP
addresses within a range, create DHCP reservations, and create DNS records.

IP Address Blocks
A user can view the IP address blocks, IP address ranges or IP addresses in this
view by selecting the appropriate view in the current view combo box. This
view allows you to visualize the address space by automatically segregating
the IP address ranges, IP address blocks and IP addresses into private address
and public address categories for IPv4 address and global and unicast
categories for IPv6 addresses.

113

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 20 IP Address Blocks

Adding an IP Address Block


To create an IPv4 IP address block, right click the IPv4 node and select Add IP
Address Block. Similarly, to add an IPv6 IP address block, right click on the
IPv6 node and select Add IP Address Block. Based on the network ID, IPAM
can automatically group smaller sub-blocks under larger IP Address blocks,
forming a hierarchy of blocks. This hierarchy is presented in the navigation
pane in a tree view, and clicking on each IP address block or sub-block allows
you to view IP address ranges or IP addresses mapped to that block.

115

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 21 Add IP Address Block

Adding an IP Address Range


To add an IPv4 IP address range, right click on the IPv4 node and select Add IP
Address Range. Similarly, add a new IPv6 IP address range by right clicking
on the IPv6 node and selecting Add IP Address Range. To view the ranges,
select IP address ranges from the current view combo box. IPAM can also
automatically enumerate scopes from managed DHCP servers and these
scopes will appear as dynamic ranges in ASM views. However, these dynamic
ranges are not editable. For dynamic ranges, you must edit the corresponding
scopes through MSM views.

Adding an IP Address
To Add an IPv4 IP address, right click on the IPv4 node and select Add IP
Address. Similarly, to add an IPv6 address, right click on the IPv6 node and
select Add IP Address. To view the IP addresses, switch to IP address view by
selecting IP Addresses from the current view combo box.

Viewing the utilization statistics and utilization trend


You can view the utilization statistics, such as percent utilization and total
number of addresses of an IP address block or IP address range in the
Configuration Details panel. To view the utilization statistics of an IP address

117

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

range, you must first switch to IP address range view by clicking on the current
view combo box and then clicking on the range in which you are interested.
Similarly, you can view the utilization statistics of an IP block. IPAM
automatically calculates the utilization statistics of an IP address block by
rolling up the utilization statistics of the IP address ranges mapped to it.
You can view the utilization trend of an IP address range by first clicking on the
IP address range, clicking on the utilization trend tab, and then selecting the
appropriate time window for generating the trend graph. You can view the
utilization trend graph of an IP address block by clicking on the block, and then
clicking on the utilization trend tab.

Figure 22 Utilization Statistics and Trend

Configuring utilization threshold


You can configure the over- and under-utilized threshold values by selecting
IPAM Settings -> Configure Utilization Threshold from the Manage menu.
The threshold determines the value of utilization state of IP address ranges, IP
adddress blocks and IP range groups.

119

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 23 Configure Utilization Threshold

IP Address Inventory
In this view, you can see a list of all IP addresses available in the system, along
with their device names, device types, etc. You can choose to selectively view
IP address with a particular device type by clicking on the appropriate device
type node in the navigation pane. For example, to view IP addresses belonging
to firewalls, you can click on the firewall node and the view will be populated
with IP addresses with device type set as firewall. You can create a DNS record
or DHCP reservation for an IP address by right clicking on the IP address and
selecting Create DHCP Reservation or Create DNS Host Record.

121

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 24 IP Address Inventory

Finding a Free IP Address


To find a free IP address from an IP address range, right click on the range and
select Find and Allocate Available IP Address. This will launch the Find and
Allocate Available IP Address dialog. IPAM will automatically select an available
IP address from the selected range, ping it, and check whether a DNS record
exists for the IP address. You can chose to allocate the IP address or click Find
Next to find the next available IP address. Once you have found an available IP
address, fill in the parameters such as Expiry Date, Device type, Device Name,
and then click OK to create an IP address record in IPAM.
Provide the DNS server and DHCP server information for the IP address by
clicking on DHCP reservation and DNS record tabs in the dialog. Clicking OK
merely creates a record in IPAM, and a DHCP reservation or DNS record is not
automatically created.

123

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 25 Find an Available Address

Configure expiry alert threshold


User may change the system-wide expiry alert threshold by selecting IP
Address Expiry Log Settings dialog from the Tasks menu.

Figure 26 Expiry Alert Threshold

125

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Synchronizing DHCP and DNS records


IPAM allows you to fill optional DHCP reservation parameters and DNS record
information for the IP address on the Add/Edit IP address dialog by clicking on
DHCP reservation and DNS record tabs respectively.
IPAM auto-populates the relevant DHCP servers against the reservation server
name based on the discovered scopes to which the IP address can map. A
reservation can only be created or deleted against the DHCP server being
managed by this instance of IPAM.

Figure 27 Reservation Synchronization

IPAM auto-populates the discovered DNS zones and the corresponding primary
DNS servers in the IP address dialog. All the relevant reverse lookup zones to
which the address can map along with the corresponding primary DNS servers
are also made available for easy selection and configuration. A DNS record can
only be created or deleted against the DNS server being managed by this
instance of IPAM.

127

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 28 DNS Record

Clicking OK merely creates a record in IPAM, and a DHCP reservation or DNS


record is not automatically created during the IP address add or edit operation.
You must explicitly invoke the create or delete operation as intended after
providing all the values. You may select multiple IP addresses at a time to
simultaneously synchronize add/delete of any of these records. The
success/failure of this operation can be tracked by status fields maintained for
the IP address.

129

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 29 Create or Delete DHCP and DNS Records

IP Address Range Groups


In this view, you can visualize and organize IP address range by logical groups
based on user defined business logic. For example, you can choose to visualize
and organize IP address range based on what geographical location or
business unit they are serving. You can create a logical group based on country
and business unit and apply the appropriate custom field value to IP address
ranges for country and business unit custom fields. You will then be able to
view the IP address ranges serving a particular business unit in a particular
country by clicking on appropriate logical group node in navigation pane.

Creating a Custom field


To create a custom field, click on Manage menu and select IPAM Settings.
Click the Configure Custom Fields link to open Configure Custom Fields
dialog. Specify a name for the new custom field and type of the custom field.
In case of a multi-valued custom field you can specify the various values that
the custom field can take.

131

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 30 Configure Custom Fields

Applying a Custom Field to an IP Address Range


To apply a custom field to an IP address range, right click on an IP address
range and select Edit IP Address Range. You can apply a custom field to
more than once IP address range simultaneously by selecting multiple IP
address ranges and right clicking followed by selecting Edit IP Address
Range. You can then click on custom configuration pane in the dialog to apply
custom fields to the IP address ranges.

133

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 31 Multiple IP Address Selection

135

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 32 Edit IP Address Range

137

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Creating an IP Address Range Logical Group


To Create an IP address range group, right click on the IPv4 node and select
Add IP Address Range Group. Specify what custom fields should be used to
group the IP address ranges together. Specify several groups by criteria, which
will be applied one after another when IPAM organizes the IP address ranges
into IP address range groups. For example, you may choose to first group the
IP address ranges by country and then by business unit. Once the IP address
range group is created, it will appear in the navigation pane. You can then click
on any node of the group to select the IP address ranges that fulfill the
grouping criteria.

Figure 33 Add IP Address Range Group

139

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 34 View Address Range Groups

141

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Import Data
IPAM allows you to export out the IP address block, IP address range, and IP
address records in comma separated value (csv) format. You can import the IP
address block, IP address range, and IP address records from csv files. The
names of column in the csv file from which data is being imported must be
same as the name of columns on IPAM views. For example, if the csv file
contains IP address block records, then the column names in the csv file must
be the same as column names in IP address blocks view of IPAM.
To import data, click the tasks menu and select Import IP Address Block,
Import IP Address Range, or Import IP Addresses based on the type of
data contained in csv file. Once the file is selected, the import process begins
and displays a progress bar.

Figure 35 Import Data

IPAM supports periodic import and update operations for IP address ranges
belonging to the specified Managed By Service and Service Instance
values. Along with adding new ranges and editing existing ranges as in the
case of regular IP address range import, this operation also deletes those
ranges from IPAM which have the same value of Managed By Service and
Service Instance fields but are not present in the csv being imported. IPAM
provides the option of deleting the IP addresses mapping to the IP address
ranges that are deleted during this import operation. The dialog can be
launched from the tasks menu in the IP address space console.

143

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 36 Periodic Address Range Import Settings

IPAM also supports periodic import and update operations for IP addresses
belonging to the specified IP address range. Along with adding new addresses
and editing existing addresses as in the case of regular IP address import, this
operation deletes those addresses from IPAM that map to the specified IP
address range, but are not present in the csv being imported. Launch the
dialog by right clicking on the relevant IP address range in the UI.

Figure 37 Import IP Address Inventory

Export Data
To export out data from IPAM views, navigate to the appropriate view, clicks
the Tasks menu and select Export. You may filter out the required subset of
records to be imported by running basic or advanced queries before export.

145

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 38 Export Data

147

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Monitor and Manage DNS and DHCP Servers


From the DNS and DHCP Servers view, you can view and monitor the health
and configurations of all the DNS and DHCP server roles being managed by
IPAM.

Service Health Monitoring


The Server Availability state, Duration in current state and Last
Refreshed fields together show the state of the server at time of last poll and
the duration it has been continuously in that state.
From this view you can use the Server Type drop box to view only DNS or
DHCP server roles or use the navigation pane to view servers with network
interfaces in the same /16 subnet for IPv4 and /48 subnet for IPv6.

Figure 39 DNS and DHCP Servers

Configuration Monitoring
The details view shows the server properties of the server selected. In case of
DHCP servers, server options and DHCP events are shown. In case of DNS
servers, the zones on the server and the DNS zone events are shown.

DHCP Server Management


Right clicking on a server from this view shows the list of actions that can be
performed on the server. The list of actions available is specific to the server

149

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

role selected. The actions that can be performed on DHCP servers are as
follows:

Edit DHCP Server Properties - This allows setting a number of server


properties of the DHCP server

Figure 40 Edit DHCP Server Properties

Edit DHCP Server Options - Allows addition, deletion or editing of


options at the servers level. Action can be performed on multiple DHCP
servers simultaneously to update multiple options across servers.

Figure 41 Edit DHCP Server Options

Create DHCP scope - Create a scope on a DHCP server, and set


numerous scope properties.

151

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 42 Create DHCP Scope

Configure predefined option and values - Create predefined options


and set option value. Select one or more servers and launch the action to
configure predefined options on multiple servers simultaneously

Figure 43 Configure Predefined Options

Configure User Class - Multi-select servers and launch the action to


configure user classes on multiple servers simultaneously.

153

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 44 Configure User Classes

Create and edit new and existing user classes - Multi-select servers
and launch the action to configure user classes on multiple servers
simultaneously.

Configure Vendor Class - Multi-select servers and launch the action to


configure user classes on multiple servers simultaneously.

Launch MMC - Launch the MMC for the selected DHCP server

Retrieve server data - Multi-select servers and launch the action to


retrieve server data from the selected set of servers.

DNS Server Management


The actions that can be performed on DNS servers are the following:

Launch MMC - Launch the MMC for the selected DNS server

Retrieve server data - Multi-select servers and launch the action to


retrieve server data from the selected set of servers.

DHCP Scopes
In this view you can see all the DHCP scopes configured on all the DHCP
servers being managed by IPAM. The utilization of each scope is shown in this
view along with key properties and options configured on the scope. You can
view all IPv4 or all IPv6 scopes or only scopes that lie within a specific IP
address block.

155

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 45 DHCP Scopes View

The actions that can be performed on DHCP scopes are as follows:

Edit a DHCP scope - This allows setting a number of scope


properties of the DHCP server. Action can be performed on multiple
DHCP scopes across servers simultaneously.

157

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 46 Edit DHCP Scope Options

Duplicate DHCP scope - Allows using a scope as a template to create


another scope with an identical set of properties. These properties can
also be selectively edited before the new scope is created. This is
performed as a single operation.

Activate / Deactivate DHCP scope - Activate or deactivate a scope.


Action can be performed on multiple DHCP scopes across servers
simultaneously.

Delete - Delete the selected scope(s).

DNS Zone Monitoring


This view shows all the forward lookup and reverse lookup zones on all the
DNS servers being managed by IPAM.
For the forward lookup zones, IPAM also displays all the servers hosting the
zone and the aggregate health of the zone across all these servers and the
zone properties.

159

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 47 DNS Zone Monitoring

To navigate to any zone, use the navigation pane to view the health status of
the zone on each of the authoritative servers. In case of an error in the zone,
the event catalog displays the specific event that is causing the error. Rightclick on the authoritative server to launch the MMC and investigate further to
fix the cause of the problem. The server properties and the other zones
hosted by the server are shown in the details pane.

Figure 48 Launch MMC

Server Groups
IPAM allows servers to be tagged with custom fields. Servers so tagged can be
auto-arranged in hierarchical logical groups. Creation of custom fields is
161

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

described in section titled Creating a Custom field. Servers can be tagged with
custom fields from the Custom Configurations page or the Add or Edit
Server dialog described in the section Server Inventory Management.

Figure 49 Assigning Custom Fields to Servers

A logical group for servers can be created by right-clicking the IPv4 or IPv6
node and selecting Add Server Group

163

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 50 Add Server Group

Event Catalog Management


IPAM allows you to keep a track of the configuration changes at managed
DHCP servers as well as the IPAM server itself. In addition, IPAM allows you to
track IP address and user activity on the network through the IP address
tracking feature.

IPAM Configuration
To track the configuration changes at the IPAM server, click on IPAM
Configuration Events. View all the configuration changes that have occurred
on the IPAM server along with the user name of the person who changed the
configuration. You can choose to filter out the events based on user name or
other filter criteria like time of the event, or operational code.

165

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 51 IPAM Configuration Events

DHCP Configuration Events


View the configuration changes at managed DHCP servers by clicking on the
DHCP Configuration Events node.

167

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 52 DHCP Configuration Events

IP Address Tracking
IP address tracking feature of IPAM enables you to track the IP address and
user activity on the network. Begin the trail by selecting a time window and
using an IP address, client ID (MAC), hostname or username as query criteria.
For example, to start tracking an IP address, click By IP Address, select a
time window, and enter the IP address.
The query will return all the DHCP lease events gathered from managed DHCP
servers that match the given IP address. You can include or exclude the
correlated user and computer logon events collected from managed DCs and
NPS servers. For detail on how IPAM correlates the DHCP lease events with
user and computer logon events, refer to IP Address Tracking in the Functional
Description section of this guide.

169

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Figure 53 IP Address Tracking

Database Purging
IPAM supports on-demand purging of configuration event log and IP address
tracking related records. You can select the time window before which data
must be purged and the data type (IPAM configuration, DHCP configuration, IP
address tracking). It is advisable that data purge operation should be initiated
during the night or at a time when IPAM activity is low. IPAM recommends a
moving window of historical event log data for only last 6 months for best
performance and disk space utilization.

Figure 54 Purge Audit Data

171

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Troubleshooting IPAM
Troubleshooting tools
Event Logging
IPAM logs events under multiple channels in Event Viewer under the path
Application and Services Logs > Microsoft > Windows > IPAM. The
channels are as follows:

Admin channel:
Unexpected errors arising from either from a user action or a periodic
task are logged here.

ConfigurationChange channel:
This captures events related to configuration changes made to the IPAM
server

Operational channel:
This channel captures informational events and can give greater insight
to the health and operations of the various IPAM tasks. Logging on this
channel is Disabled by default.

Analytic channel and the Debug channel


These channels are Disabled and hidden by default. To view these
logs, right click on the IPAM node in Event Viewer and select View >
Show Analytic and debug logs. Events in these channels are
targeted for debugging purposes only.

Events in IPAMs admin channel and the operational channel can also be
viewed from the IPAM server within Server Managers Dashboard view.

Common IPAM problems


Connection issues
Unable to connect to IPAM server

Ensure the WID service is running on the IPAM server.


Ensure the Windows Process Activation service is running.

173

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Provisioning issues
IPAM Access status shows as blocked for a server or
unable to fetch data

In the server inventory view details pane, check that the access status is
unblocked or Not applicable for each of the following fields:
o DHCP RPC Access Status
o DNS RPC Access Status
o DHCP Audit Share Access Status
o Event Log Access Status

If any access status is listed as Blocked, check that the firewall rules for the
target server have been set as per IPAM Access Settings.

Check that the servers have been correctly provisioned. Refer to the section
Manual IPAM Provisioning Configuring Access Settings.

Discovery issues
A DNS server not co-located with a DC, is not being
discovered

Ensure that the DNS server is registered as a name server for the domain
zone and the DNS suffix is registered for the configured domain.

A DHCP server is not being discovered

Ensure that the DHCP server is authorized for the configured domains and
responds to the DHCP server INFORM message and the message is reaching
IPAM

Monitoring and Management Issues


Server Availability state is showing Not Reachable

Ensure that there is no network connectivity issue between the IPAM server
and the target server

Open DNS MMC / DHCP MMC to the target DNS / DHCP server and ensure that
the service is running.

Check that the service read access status has been provisioned. Refer to the
section Manual IPAM Provisioning Configuring Access Settings on how to do
this.

175

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Appendix
Manual IPAM Provisioning Configuring
Access Settings
Configuration required at DHCP servers
Steps described below should be repeated at each DHCP server expected to be
managed through IPAM
More
Information:

For more information on configuring firewall rules, see:


Windows Firewall and IPsec Policy Deployment Step-by-Step Guide

1. Create a Network file share to the directory %windir%\System32\dhcp


by the share name DHCPAudit and allow read-only access to the IPAM
server computer account on this share.

2. Add the IPAM server computer account to the DHCP Users local security
group on the DHCP servers.
3. Update DHCP service access settings.
a. Get the IPAM computer account SID - From the domain controller,
launch Windows PowerShell and type Get-ADComputer <IPAM
server name>. In the example below the name of the IPAM
server is S4-IPAM

177

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Add the IPAM SID to the DHCP service read access status
i Find the string corresponding to the current permissions
using sc sdshow dhcpserver

ii Create the string corresponding to the new permissions to


be added by typing (A;;CCLCSWLOCRRC;;; followed by the
IPAM SID followed by a closed parenthesis. In the example
above (A;;CCLCSWLOCRRC;;;S-1-5-21-17937638113486041751-3179139019-1609) is the string corresponding
to the additional permissions that needs to be set.
iii Update permissions by adding the new permission string to
the current permissions using sc sdset dhcpserver

179

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

New permissions added are show highlighted in yellow above. Note that the
permissions are added to the DACL (starting from D: ) and not the SACL
(starting from S:)
2

Unblock the inbound traffic on DHCP RPC Firewall ports by enabling


following inbound firewall rules
a

DHCP Server (RPC-In)

DHCP Server (RPCSS-In)

Unblock the inbound traffic on Remote Service Management Firewall ports


by enabling following inbound firewall rules
a

Remote Service Management (RPC)

Remote Service Management (RPC-EPMAP)

Unblocking the inbound File and Printer Sharing Firewall ports to enable
sharing of DHCP audit logs by enabling following inbound firewall rules:a

File and Printer Sharing (SMB-In)

File and Printer Sharing (NB-Session-In)

Enable Remote Event Log Management RPC access by enabling the


following inbound firewall rules
a

Remote Event Log Management (RPC)

Remote Event Log (RPC-EPMAP)

Add the IPAM server computer account to the Event Log Readers local
security group on the DHCP servers.

Configuration required at DNS servers


1

Enable DNS RPC access by enabling the following inbound firewall rules
a

DNS Service (RPC)

DNS Service (RPC Endpoint Mapper)

Enable remote management access by enabling following inbound


firewall rules
a

Remote Service Management (RPC)

Remote Service Management (RPC-EPMAP)

Configure the Discretionary Access Control List (DACL) This setting is


required once per domain and not per DNS server for DC co-located DNS
servers. For non-DC-co-located DNS servers, alternately add the IPAM
computer account to the local Administrators group on each standalone
DNS server.

181

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

On the domain controller, from the Start screen, type


dnsmgmt.msc, and press ENTER. The DNS Manager console will
open.

Right-click on the server and then click Properties.

Click the Security tab, click Add, click Object Types, and select
Computers.

Click OK, type the name of the IPAM server (IPAM01 in this
example), and click OK.

Verify that the IPAM server is configured with Allow for Read
access. See below.

183

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Get the IPAM computer account SID - From the domain controller, launch
Windows PowerShell and type Get-ADComputer <IPAM server
name>. In the example below, the name of the IPAM server is S4-IPAM

Add the IPAM SID to the appropriate registry entry to get access to DNS
zone event logs.
a

Open regedit and navigate to


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\
eventlog\DNS Server.

Click CustomSD and then modify the setting. See below.

185

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Add the IPAM SID at the end of this registry entry. Type (A;;0x1;;;
and then paste the IPAM SID (obtained through Windows
PowerShell in step 4 above - the text string that you copied from
the Windows PowerShell prompt). Enter closed parentheses to
complete the value data. In the example above (A;;0x1;;; S-1-5-211793763811-3486041751-3179139019-1609) will be added to the
registry. Note that the permissions are added to the DACL (starting
from D: ) and not the SACL (staring from S:)

Add the IPAM SID to the DNS service read access status
a

Find the string corresponding to the current permissions using sc


sdshow dns

187

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Create the string corresponding to the new permissions to be


added by typing (A;;CCLCSWLOCRRC;;; followed by the IPAM SID
(obtained through Windows PowerShell in step 4 above - the text
string that you copied from the Windows PowerShell prompt)
followed by a closed parenthesis. In the example above
(A;;CCLCSWLOCRRC;;;S-1-5-21-1793763811-34860417513179139019-1609) is the string corresponding to the additional
permissions that needs to be set.

Update permissions by adding the new permission string to the


current permissions using sc sdset dns

New permissions added are show highlighted in yellow above.


Note that the permissions are added to the DACL (starting from
D: ) and not the SACL (staring from S:)

Configuration required at DC/NPS servers


Steps described below should be repeated at each Domain Controller expected to
be managed through IPAM
1

Enable Remote Event Log Management RPC access by enabling following


inbound Firewall rules
a

Remote Event Log Management (RPC)

Remote Event Log Management (RPC-EPMAP)

Add the IPAM Server computer account to the Event Log Readers domain
security group on the domain controller and NPS servers.

189

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

GPO Based IPAM Provisioning GPO Setting


Details
IPAM DHCP GPO Settings
Standard GPO Settings

Provisioning PS Script
Settings

Add the IPAMUG account SID to the Event


Log Readers security group

Enable DHCP RPC access by unblocking


the following inbound DHCP Management
Windows Firewall ports

Read the localized name of


the DHCP Users group and
add IPAMUG account SID to
this localized group name.

Read the configured


location of the DHCP audit
log file generation and
create a network file share
to this directory by the
name of dhcpaudit and
enable read access for
IPAMUG SID on the network
share

Read the current service


ACL settings for dhcpserver
service and add read
access for IPAMUG account
SID in the DACL

Generate trace logs in the


file %windir
%\temp\ipamdhcplog.txt on
the target server

Enable Remote Management RPC access


by unblocking the following inbound
Remote Service Management Windows
Firewall ports

Remote Service Management RPC


and RPC-EPMAP

Enable Audit File access by unblocking the


following inbound File and Printer Sharing
Windows Firewall ports

DHCP Server Management RPC-In


and RPCSS-In

File and Printer Sharing SMB-In and


NB-Session-In

Enable Remote Event Log Management


RPC access by unblocking the following
inbound Windows Firewall ports

Remote Event Log Management


RPC and RPC-EPMAP

Setup an advanced scheduled task


IpamDhcpProvisioning under the path
Task Scheduler Library -> Microsoft. The
task will get trigged upon gpupdate to
execute the Ipam provisioning script
IpamProvisioning.ps1 - from the GPO
startup script location in the SYSVOL
folder.

Use item-level targeting setup a basic


scheduled task IpamDhcpProvisioning for

191

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

Windows 2008 servers under the path


Task Scheduler Library -> Microsoft.. The
task will tigger every 60 minute to
execute the bat file IpamProvisioning.bat
from the GPO startup script location in the
SYSVOL folder. The bat file does the
following:

copies the IpamProvisioning.ps1 to


the %windir%\temp folder on the
target server,

installs Windows PowerShell,

saves executionpolicy on the target


servers and sets executionpolicy to
unrestricted,

executes the PS script for


provisioning and

restores the original


executionpolicy.

IPAM DNS GPO Settings


Standard GPO Settings

Provisioning PS Script
Settings

Add the IPAMUG account SID to the Event


Log Readers security group

Enable DNS RPC access by unblocking the


following inbound DHCP Management
Windows Firewall ports

Read the current ACL


setting in the CustomSD
item in the registry key
HKLM:\System\CurrentCon
trolSet\Services\EventLog\D
NS Server and add read
access for IPAMUG account
SID in the DACL

Read the current service


ACL settings for dnsserver
service and add read
access for IPAMUG account
SID in the DACL

Generate trace logs in the


file %windir
%\temp\ipamdnslog.txt on
the target server

Enable Remote Management RPC access


by unblocking the following inbound
Remote Service Management Windows
Firewall ports

Remote Service Management RPC


and RPC-EPMAP

Enable Remote Event Log Management


RPC access by unblocking the following
inbound Windows Firewall ports

DNS RPC and DNS RPC EPMAP

Remote Event Log Management


RPC and RPC-EPMAP

Setup an advanced scheduled task

193

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

IpamDnsProvisioning under the path Task


Scheduler Library -> Microsoft. The task
will get trigged upon gpupdate to
execute the Ipam provisioning script
IpamProvisioning.ps1 - from the GPO
startup script location in the SYSVOL
folder.

Use item-level targeting setup a basic


scheduled task IpamDnsProvisioning for
Windows 2008 servers under the path
Task Scheduler Library -> Microsoft. The
task will tigger every 60 minute to
execute the bat file IpamProvisioning.bat
from the GPO startup script location in the
SYSVOL folder. The bat file does the
following:

copies the IpamProvisioning.ps1 to


the %windir%\temp folder on the
target server,

installs Windows PowerShell,

saves executionpolicy on the target


servers and sets executionpolicy to
unrestricted,

executes the PS script for


provisioning and

restores the original


executionpolicy.

195

DRAFT V5.0

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta

IPAM DC/NPS GPO Settings


Standard GPO Settings

Add the IPAMUG account SID to the Event


Log Readers security group

Enable Remote Management RPC access


by unblocking the following inbound
Remote Service Management Windows
Firewall ports

Provisioning PS Script
Settings

N/A

Remote Service Management RPC


and RPC-EPMAP

Enable Remote Event Log Management


RPC access by unblocking the following
inbound Windows Firewall ports

Remote Event Log Management


RPC and RPC-EPMAP

197