Install and set up IPAM

In this post I will cover how to install and set up IPAM. My test infrastructure uses a single IPAM server for the whole environment.

    Install IPAM

The installation itself is very simple: open Server Manager, start the Add Roles and Features wizard, advance to the Features page, scroll down to IP Address Management (IPAM) Server and select it. Accept the additional features IPAM depends on, finish the wizard and you are done.

Install IPAM
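As an added example (not part of the original post), the same installation from an elevated PowerShell session, followed by a check that the feature and two of the dependencies the wizard prompts for (Group Policy Management and Windows Internal Database) are in place:

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the server that will host IPAM.
# -IncludeManagementTools pulls in the extra features the Server Manager
# wizard asks you to accept.
$result = Install-WindowsFeature -Name IPAM -IncludeManagementTools

if (-not $result.Success) {
    throw "IPAM installation failed with exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -ne 'No') {
    Write-Warning 'A restart is required before IPAM can be provisioned.'
}

# IPAM needs the Group Policy Management console and Windows Internal
# Database; all three should report Installed.
Get-WindowsFeature -Name IPAM, GPMC, Windows-Internal-Database |
    Format-Table Name, DisplayName, InstallState -AutoSize
```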

    Set up IPAM

IPAM is set up and administered directly from Server Manager; it has no separate console. After the feature installation we have to do the initial configuration of the IPAM infrastructure, which consists of the following steps:

  1.     Connect to the IPAM server
  2.     Provision the IPAM server
  3.     Configure server discovery
  4.     Start the server discovery
  5.     Select servers to be managed
  6.     Retrieve server data

    Let’s go over each of these steps and see what each one means.

    1. Connect to the IPAM server

For this step open Server Manager, find IPAM in the left pane and select it. On the Overview page click Connect to IPAM Server. The pop-up lists the IPAM servers you can connect to; since there is only one, select it. Now that we are connected, let's set up IPAM.

Set up IPAM: Connect to server

Set up IPAM: Select server

    2. Provision the IPAM server

You start the provisioning wizard by clicking Provision the IPAM server on the IPAM Overview page.

Set up IPAM: Open provisioning

The first thing to configure is the database. There are two choices: Windows Internal Database (WID) and SQL Server. If you choose SQL Server you first need to install and configure the database server yourself; IPAM then creates its tables. If you choose WID it is a lot easier: just select the folder where the database files should be kept.

If you are deploying IPAM in a large infrastructure with many DHCP and DNS servers, it is worth considering the SQL Server option. In our case, since we are only testing the solution, Windows Internal Database makes sense.

Set up IPAM: Select database option

The next and last thing to configure is the provisioning method: how the firewall rules and access settings on the managed servers are set up so that the IPAM server can connect and collect data. The two options are Manual and Group Policy. With Manual you have to enable every firewall rule IPAM needs on every managed server yourself; I am pretty sure you don't want to do this. With Group Policy, three GPOs are created, linked to the domain and applied, through security filtering, only to the servers you mark as managed.

I will go with the Group Policy method. Enter a prefix that will be placed at the beginning of each GPO name. Three objects will be created; in my case they are named ipam1_DNS, ipam1_DC_NPS and ipam1_DHCP.

Set up IPAM: Select provisioning method

Completing the wizard does not create or link the GPOs; that is done by the Invoke-IpamGpoProvisioning cmdlet, which creates the three GPOs and links them to the domain. Run it in an elevated PowerShell session on the IPAM server, as a user with rights to create GPOs and link them to the domain. The value of -IpamServerFqdn is the computer account these GPOs grant access to on the managed servers, so double-check it. Here is the command for my environment:

Invoke-IpamGpoProvisioning -Domain adfirm.local -GpoPrefixName ipam1 -IpamServerFqdn IPAM-SRV1.adfirm.local

Just replace the domain, the prefix and, of course, the IPAM server FQDN with your own values and you are good to go.

Set up IPAM: Run provisioning command

If it ran successfully you should see the three GPOs linked to your domain in the Group Policy Management console:

GPOs linked to the domain
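The same check from PowerShell, as an added example that is not part of the original post. It assumes the post's values (domain adfirm.local, prefix ipam1) and uses the GroupPolicy and IpamServer modules that are present on the IPAM server after the feature installation:

```powershell
# Added example, not from the original post. Change the two variables to match
# your environment; the DN is derived from the domain name.
$Domain   = 'adfirm.local'
$Prefix   = 'ipam1'
$DomainDN = 'DC=' + ($Domain -replace '\.', ',DC=')   # DC=adfirm,DC=local

# What IPAM itself has recorded for the provisioning method and GPO prefix.
Get-IpamConfiguration | Format-List ProvisioningMethod, GpoPrefix

# The three GPOs Invoke-IpamGpoProvisioning creates, and the links at the
# domain root. A GPO that exists but is not linked (or whose link is disabled)
# never reaches the managed servers.
$expected = "${Prefix}_DNS", "${Prefix}_DC_NPS", "${Prefix}_DHCP"
$links    = (Get-GPInheritance -Target $DomainDN -Domain $Domain).GpoLinks

$expected | ForEach-Object {
    $name = $_
    $gpo  = try { Get-GPO -Name $name -Domain $Domain -ErrorAction Stop } catch { $null }
    $link = $links | Where-Object { $_.DisplayName -eq $name }
    [pscustomobject]@{
        GPO     = $name
        Exists  = ($null -ne $gpo)
        Linked  = ($null -ne $link)
        Enabled = ($null -ne $link -and $link.Enabled)
    }
} | Format-Table -AutoSize
```

If any row shows Exists or Linked as False, re-run Invoke-IpamGpoProvisioning with the same prefix; if Enabled is False, someone has disabled the link in Group Policy Management.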

    3. Configure server discovery

In this step we select the forest or domain in which IPAM will discover servers, and which of the three server roles we are interested in: DNS, DHCP and Domain Controller. Click Configure server discovery to start the wizard.

Set up IPAM: Start configuring server discovery

I only have one forest with one domain, so I can choose the forest directly; if your case is different, select what works for you. As far as the roles go, we usually want all three. If you are not interested in Domain Controller data such as user logons, keep only DNS and DHCP selected.

Set up IPAM: Configure discovery

    4. Start the server discovery

This is the easiest step. To start the server discovery click Start server discovery in the IPAM Overview pane. This starts a scheduled task that scans the forest/domain selected in the previous step for servers with the roles you chose.

Set up IPAM: Start server discovery
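Steps 3 and 4 done from PowerShell, as an added example that is not part of the original post. It assumes the post's single domain adfirm.local and the ServerDiscovery task that IPAM registers under \Microsoft\Windows\IPAM\ on Windows Server 2012 R2; the property names in the Format-Table calls are those of the IpamServer module objects and may need adjusting on other versions:

```powershell
# Added example, not from the original post.
$TaskPath = '\Microsoft\Windows\IPAM\'

# Step 3: discovery scope. One entry per domain; the three switches select the
# roles. Set -DiscoverDc $false if you do not want domain controller data such
# as user logons.
Add-IpamDiscoveryDomain -Name 'adfirm.local' -DiscoverDc $true -DiscoverDns $true -DiscoverDhcp $true
Get-IpamDiscoveryDomain | Format-Table Name, DiscoverDc, DiscoverDns, DiscoverDhcp -AutoSize

# Step 4: the console button simply starts this scheduled task.
Start-ScheduledTask -TaskPath $TaskPath -TaskName 'ServerDiscovery'

# Wait for it to finish and report the result (0 means success).
do {
    Start-Sleep -Seconds 15
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName 'ServerDiscovery'
} while ($task.State -eq 'Running')
$info = $task | Get-ScheduledTaskInfo
'ServerDiscovery finished at {0} with result 0x{1:X}' -f $info.LastRunTime, $info.LastTaskResult

# Everything discovered starts as Unspecified (not managed) and Blocked.
Get-IpamServerInventory |
    Format-Table Name, ServerType, ManageabilityStatus, AccessStatus -AutoSize
```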

    5. Select servers to be managed

Wait for the discovery task to finish; after that you can view all the servers it found. Now that we have our server list, we need to make sure we can manage them, which means adding them to the security filters of the GPOs created earlier. If this step is skipped, the firewall settings are never applied to those machines, IPAM access to them stays blocked and the IPAM server will not be able to collect data from them.

First click Select or add servers to manage and verify IPAM access to open the wizard for this step.

Set up IPAM: Open select managed servers

You will see that the discovered servers have a Manageability Status of Unspecified, meaning IPAM is not managing them. We need to set this status to Managed.

Set up IPAM: View server list

Right-click each server to set its status to Managed and to select which server types it is (DC, DNS, DHCP, NPS). These check boxes determine which GPO's security filter the machine is placed in, and therefore which firewall rules are applied to it.

Set up IPAM: Manage server

After you finish this part, go to Group Policy Management and look at your three GPOs. Are their security filters correctly populated? Here is how my DNS GPO looks:

Check the GPO security filter

Now the servers show as Managed but their IPAM Access is Blocked: the firewall is not yet configured to let the IPAM server collect data. To remediate this, either wait for the GPOs to apply at the next policy refresh or force it by running gpupdate /force on each managed server. In either case, once the firewall is configured, right-click the servers and select Refresh Server Access Status.

Set up IPAM: Refresh server access status
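Step 5 from PowerShell, as an added example that is not part of the original post: mark servers as managed with their roles, then check who the three GPOs actually apply to (security filtering is the Apply Group Policy right) and force the policy refresh remotely. It assumes the post's prefix ipam1 and domain adfirm.local; the two server names are made up for the example and the WinRM access to them is assumed:

```powershell
# Added example, not from the original post.
$Prefix = 'ipam1'
$Domain = 'adfirm.local'

# Server FQDN -> roles it hosts (names made up for the example). The roles
# decide which GPO security filter the computer account is added to:
# DC/NPS -> _DC_NPS, DNS -> _DNS, DHCP -> _DHCP.
$toManage = @{
    'DC1.adfirm.local'   = @('DC', 'DNS')
    'DHCP1.adfirm.local' = @('DHCP')
}

foreach ($server in $toManage.Keys) {
    Set-IpamServerInventory -Name $server -ManageabilityStatus Managed -ServerType $toManage[$server]
}

# Security filtering check: only trustees with the GpoApply right receive the
# firewall and access settings. Expect exactly the managed computer accounts;
# if Authenticated Users is listed, the rules would reach every computer in
# the domain, which is not what we want.
foreach ($gpo in "${Prefix}_DNS", "${Prefix}_DC_NPS", "${Prefix}_DHCP") {
    $applyTo = Get-GPPermission -Name $gpo -Domain $Domain -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
    '{0,-14} applies to: {1}' -f $gpo, ($applyTo -join ', ')
}

# Apply the policy now instead of waiting for the next refresh.
Invoke-Command -ComputerName @($toManage.Keys) -ScriptBlock {
    gpupdate.exe /target:computer /force | Out-Null
    "$env:COMPUTERNAME`: computer policy refreshed"
}

# After Refresh Server Access Status in the console, the managed servers
# should report their access as Unblocked.
Get-IpamServerInventory | Where-Object { $_.ManageabilityStatus -eq 'Managed' } |
    Format-Table Name, ServerType, AccessStatus -AutoSize
```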

If you did everything correctly, here is how the server list should look:

Unblocked servers

    6. Retrieve server data

In the last step we run a task that collects data from the managed servers. From the Overview page, open the Tasks menu in the upper right and click Retrieve All Server Data. After the task finishes you can browse the different views to see what information has been collected.

Set up IPAM: Retrieve server data

From this point you have a configured IPAM server that collects data from the managed DNS, DHCP and DC servers. Note that everything IPAM does, discovery and data collection included, runs as scheduled tasks. To see them, open Task Scheduler and navigate to Microsoft/Windows/IPAM.

IPAM scheduled tasks
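As an added example (not part of the original post), the same task list read from PowerShell with each task's last result decoded, so a failed collection run is visible without opening Task Scheduler. The result codes are the standard Task Scheduler ones; which of these tasks the Retrieve All Server Data button triggers is not documented here, so the last lines simply start all non-discovery tasks on demand:

```powershell
# Added example, not from the original post.
$TaskPath = '\Microsoft\Windows\IPAM\'

# Standard Task Scheduler result codes worth recognising; anything else is
# shown as hex so it can be looked up.
$codes = @{
    0      = 'Success'
    267009 = 'Running (0x41301)'
    267011 = 'Has not run yet (0x41303)'
}

Get-ScheduledTask -TaskPath $TaskPath | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    $code = [int]$info.LastTaskResult
    if ($codes.ContainsKey($code)) { $result = $codes[$code] }
    else                           { $result = '0x{0:X}' -f $code }
    [pscustomobject]@{
        Task       = $_.TaskName
        State      = $_.State
        LastRun    = $info.LastRunTime
        NextRun    = $info.NextRunTime
        LastResult = $result
    }
} | Sort-Object Task | Format-Table -AutoSize

# Run the collection tasks now rather than waiting for their schedules
# (ServerDiscovery is left out; it only refreshes the server list).
Get-ScheduledTask -TaskPath $TaskPath |
    Where-Object { $_.TaskName -ne 'ServerDiscovery' } |
    Start-ScheduledTask
```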

    Next we will have a look at the different data you can see and configure from IPAM.
