Question

You are setting up an IPAM solution for your Active Directory forest. The forest contains a single domain, adatum.com, with 10 large sites and 10 small sites. The large sites have between 800 to 1,000 users; the small sites have 100-200 users. All domain controllers are now running Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012. The forest and domain functional levels are at Windows Server 2008 R2. Your CTO has asked you to ensure that you can manage all DHCP and DNS servers from the IPAM server. You also need to keep the data for three years. Explain what you would do, including how you would deploy and configure IPAM.

Answer 1

IP Address management is a new feature introduced in windows server 2012 that allows you to configure, manage and have a general overview of the network's IP addresses and ranges. With IPAM, you can search for desired IP addresses and ranges, manage and configure DHCP scopes and DNS entries, view the status of your IP addresses blocks and search for free IP address. Large enterprises usually deploy one or multiple IPAM servers because, as the network evolves, the complexity of its IPs and subnets increses significantly.

I will show you how to configure IPAM and we'll also cover some of its basic features. Note that i will be using a virtual machine hosted in my VMware testing environment running windows server 2012. My VM is also a member of an active directory forest so make sure to cover this aspect as well.

Step 1 - Installation

IPAM can be installed in two ways: using Windows Powershell or by accessing the Roles and Features section from server manager Console with windows powerShell this operation can be performed much faster by executing the following command

install-windowsFeature IPAM-IncludeManagementTools

Step 2 - Provisioning

Once the installation has been successfully completed, open the Server Manager Console and navigate to the IPAM section. Here you will discover all available IPAM server tasks

Select the second option, Provision the IPAM, to start the IPAM configuration wizard. in this section is where the IPAM database, security groups, tasks and folders are created.

Step 3 - Provisioning Method

You must configure how the IPAM server interacts with network servers, there are two options avaible: manually or by using GPOs. Simply put, by selecting the first option, an administrator would have to configure security groups, firewall rules and network shares manually on each machine. This method is really not recommend since it adds a lot of extra configurations and increases the overall complexity of the IPAM deployment.

The second option is much easier to implement since it uses group policy objects to configure all IPAM managed server. Unless you simply cannot you use the second option, you should always use GPOs to configure servers managed by IPAM. Note that you have to specigy a prefix that will be set to the IPAM GPOs

Once the wizard has been successfully completed, three group policy objects will be created: one for DNS servers, one for DHCP servers and one for domain controllers.

Step 4 - Configure Server Discovery

Select the third task from the IPAM console to configure server discovery. This is where we specify what servers should be discovered by our IPAM machine. You will need to select and add domains to discover. By default, all three types of servers are selected: DNS, DHCP and domain Controllers. You can change the discovery options by selecting only desired types of server:

Step 5 - Start Discovery

Once this section has been covered, select the 4th task to start the server discovery procedure

If you receive an error stating that discovered machines were blocked, you need to execute the following PowerShell command to create the GPOs that later will be assigned to your machines:

Invoke-IpamGpoProvisioning -Domain ppscu.com -GpoPrefixName IPAMPPSCU

Step 6 - Verify GPOs

You can now verify the GPOs in the group Policy Management Console. Connect to the blocked machine and execute gpupdate /force to propagate the newly created GPOs.

For each machine you will have to change its manageablility status to managed, you can do so if you right click on the blocked machine and select edit server, The machine should change its IPAM Access status to Unblocked.

Step 7 - Import Data

Now that the server has been added to IPAM, you can retrieve and import its data to the IPAM server if you right click on the machine and select Retrieve All server data. You can also execute the 6th available task from the IPAM console to retrieve data from managed servers:

That's about it for the configuration part of an IPAM server. We've convered the most important steps that you need to take in order to successfully deploy IPAM within your enterprise. If you have followed these steps precisely. you should have installed and configured an IPAM machine with at least one discovered host. Note that same principles are applied when used in a large organization with multiple hosts.

I hope that will help you