In this post I will cover how to install and set up IPAM. In my test infrastructure I am using only 1 IPAM server for the whole infrastructure.
The actual installation is very simple. You just need to open Server Manager, go to install roles and features and advance to the features tab. Scroll down to IP Address Management (IPAM) Server and select it. Accept the installation of the extra features that IPAM needs, finish the wizard and you are done.
Set up IPAM
You can set up IPAM directly from the Server Manager as it does not have a separate console for set up and administration. After the feature installation we have to make a primary configuration of the IPAM infrastructure. This initial set up has a couple of steps:
- Connect to the IPAM server
- Provision the IPAM server
- Configure server discovery
- Start the server discovery
- Select servers to be managed
- Retrieve server data
Let’s go over each of these steps and see what each one means.
1. Connect to the IPAM server
For this step just open Server Manager, find the IPAM feature on the left pane and select it. On the Overview page click on Connect to IPAM Server. In the pop-up you will see a list of IPAM servers to connect to. Since there is only one, let’s select it. Now that we are connected, let’s set up IPAM.
2. Provision the IPAM server
You can start configuring the provisioning method by clicking on it from the IPAM overview.
The first thing to configure is the database to use. In this case you have 2 choices: Windows Internal Database and SQL Server. If you choose SQL then you first need to install and configure a database and IPAM will configure the tables itself. If you choose WID it is a lot easier: just select the folder where it should be kept.
In case you want to install IPAM in a big infrastructure with a lot of DHCP and DNS servers it might be a good idea to consider the SQL Server option. In our case, since we are just testing the solution, it makes sense to select Windows Internal Database.
The next and also last thing we need to configure is the provisioning method. This means that we must select the way the firewall settings on the managed servers are set up in order for the IPAM server to connect and collect data. The 2 options are Manual and Group Policy. If you choose Manual then you will have to enable all Firewall rules needed on all managed servers; I am pretty sure you don’t want to do this. The Group Policy method creates 3 GPOs which will be linked to the domain and apply to the managed servers.
I will go with the Group Policy method. Enter a prefix which will be placed at the beginning of each GPO’s name. 3 objects will be created and in my case their names will be: ipam1_DNS, ipam1_DC_NPS, ipam1_DHCP
After you complete the wizard one thing to keep in mind is that the GPOs are only created, not linked to anything. In order to link them to a domain we will run a PowerShell command. Make sure the user running the command has rights to link Group Policy Objects to the domain. Here is the command for my environment:
Invoke-IpamGpoProvisioning -Domain adfirm.local -GpoPrefixName ipam1 -IpamServerFqdn IPAM-SRV1.adfirm.local
Just replace the domain, the prefix and, of course, the IPAM server with what you need and you are good to go.
If it ran successfully you should see the GPOs linked to your domain in the Group Policy Management console:
3. Configure server discovery
In this step we will be selecting the forest or domain in which IPAM will discover servers. We can also select the services we are interested in from these 3: DNS, DHCP and Domain Controller. Just click on Configure server discovery to start the configuration wizard.
I only have one forest with one domain so I can choose the forest directly. If your case is different just select what works for you. As far as the services go, we usually want to select all 3 of them. If you are not interested in Domain Controller data like user logons just keep only the DNS and DHCP roles selected.
4. Start the server discovery
This is the easiest step. To start the server discovery click on Start server discovery from the IPAM Overview pane. A scheduled task will start which scans the forest/domain selected in the previous step for servers with the roles you want.
5. Select servers to be managed
Wait for the discovery task to finish and after that you will be able to view all the found servers. Now that we have our server list, we need to make sure we can manage them. This means that we have to add them to the security filters of the GPOs created earlier. If this step is not performed then the Firewall settings will not be applied to these machines and the IPAM server will not try, and most likely will not be able, to get data from them.
First click on the Select or add servers to manage and verify IPAM access to open the configuration wizard for this step.
You will see that the servers found have the Manageability Status set to Unspecified. This means that IPAM is not managing them. What we need to do is to set this status to Managed.
Right-click on each server to set its status to Managed and also to select what server type it is (DC, DNS, DHCP, NPS). These check boxes determine in which GPO’s security filter the machine will be placed so the firewall rules will be applied.
After you finish this part go to Group Policy Management and look at your 3 GPOs. Are their security filters correctly populated? Here is how my DNS GPO looks:
Now you can see that the servers are managed but the IPAM Access is blocked. This means that they do not have the firewall configured correctly to permit the IPAM server to collect data. In order to remediate this you first have to wait some time for the GPOs to apply or force this step by running gpupdate /force on them. In either case, after the firewall is configured just right-click on the servers and select Refresh Server Access Status.
If you did everything correctly here is how the server list should look:
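To check the two things that usually go wrong in step 2 and step 5 (GPOs not linked to the domain, servers missing from the security filters) without clicking through Group Policy Management, here is a PowerShell check I added as an example; it is not part of the original post or of the IPAM feature. It assumes the ipam1 prefix and the adfirm.local domain used above, and the server-to-role table inside it is constructed sample data you replace with your own managed servers.

```powershell
# Added example (not from the original post): verify the IPAM provisioning GPOs after step 5.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules are available on the machine running it.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$prefix   = 'ipam1'                                           # prefix entered in the provisioning wizard
$domainDn = (Get-ADDomain -Identity 'adfirm.local').DistinguishedName

# Constructed sample: the roles each server was ticked for in the "Select servers to manage" step.
# Role names map onto the three GPOs IPAM created: ipam1_DNS, ipam1_DC_NPS, ipam1_DHCP.
$managed = @{
    'DC1'   = @('DC_NPS', 'DNS')
    'DHCP1' = @('DHCP')
}

# 1. Each IPAM GPO must exist and have an enabled link at the domain root
#    (Invoke-IpamGpoProvisioning is what creates the links; the wizard only creates the objects).
$links = (Get-GPInheritance -Target $domainDn).GpoLinks
foreach ($role in 'DNS', 'DC_NPS', 'DHCP') {
    $gpoName = "${prefix}_$role"
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        Write-Warning "$gpoName does not exist - rerun the provisioning wizard"
        continue
    }
    $link = $links | Where-Object DisplayName -eq $gpoName
    if (-not $link -or -not $link.Enabled) {
        Write-Warning "$gpoName is not linked or not enabled at $domainDn - run Invoke-IpamGpoProvisioning"
    } else {
        Write-Host "OK  $gpoName linked at domain root (link order $($link.Order))"
    }
}

# 2. Each managed server's computer account needs GpoApply on the GPO for every role it was ticked for;
#    without it the firewall rules never reach that host and IPAM Access stays Blocked.
foreach ($server in $managed.Keys) {
    foreach ($role in $managed[$server]) {
        $gpoName = "${prefix}_$role"
        $apply = Get-GPPermission -Name $gpoName -All -ErrorAction SilentlyContinue |
                 Where-Object { $_.Trustee.Name -like "*$server`$" -and $_.Permission -eq 'GpoApply' }
        if ($apply) { Write-Host "OK  $server has Apply on $gpoName" }
        else        { Write-Warning "$server is missing from the security filter of $gpoName" }
    }
}

# 3. Optional: push the new rules now instead of waiting for the refresh interval
#    (same effect as gpupdate /force on each host); then use Refresh Server Access Status in IPAM.
$pushNow = $false
if ($pushNow) {
    foreach ($server in $managed.Keys) {
        Invoke-GPUpdate -Computer $server -Force -RandomDelayInMinutes 0
    }
}
```

Run it as a user that can read the domain's GPO links and permissions; part 3 additionally needs remote scheduled-task rights on the managed servers.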
6. Retrieve server data
In the last step we will run a task that collects data from the managed servers. You can do this from the Overview page, Tasks menu in the upper right. Just click on Retrieve All Server Data. After the task is finished you can check out all the different menus to see what info has been collected.
From this point you have a configured IPAM server that gets data from managed DNS, DHCP and DC servers. As a note: everything IPAM does, like discovery and data collection, is done through scheduled tasks. If you want to see the list of tasks that IPAM has, open Task Scheduler and navigate to Microsoft/Windows/IPAM.
Next we will have a look at the different data you can see and configure from IPAM.