IPAM: 1 Installation and configuration

IPAM stands for IP Address Management. It’s a feature in Windows Server 2012 R2 that enables you manage your DHCP and DNS servers as a whole rather than at the individual service or server level.

Installation of IPAM follows the standard approach for any Windows feature. Note that you can install IPAM on a Domain Controller but it won’t configure. IPAM is designed to be installed on a member server.

Full details on deploying IPAM server are available from here https://technet.microsoft.com/en-us/library/hh831353.aspx

I’m not going to run through the full deployment and configuration – just point out some issues and where you can use PowerShell to make things easier.

Once the IPAM feature is installed you have to provision the IPAM server. There isn’t a separate MMC for IPAM admin – you use Server Manager.  Provisioning an IPAM server can be done manually or by GPO.  Manual seemed best for lab/experiment/initial set up as can’t swap from GPO to manual. You can use Windows Internal Database (WID) or SQL Server – I used WID.

You then need to configure your DHCP servers, DNS servers and domain controllers. This involves a number of group membership changes, firewall rule changes and a registry setting.

Create a group called IPAMUG and add the IPAN server into it.

New-ADGroup -Name IPAMUG -DisplayName IPAMUG -SamAccountName IPAMUG    -Description ‘IPAM management group’ -GroupCategory Security -GroupScope Universal

Add-ADGroupMember -Identity IPAMUG -Members (Get-ADComputer -Identity W12R2SUS)

Add IPAMUG to a number of groups

Add-ADGroupMember -Identity ‘Event Log Readers’ -Members (Get-ADGroup -Identity IPAMUG)

Add-ADGroupMember -Identity ‘DHCP Users’ -Members (Get-ADGroup -Identity IPAMUG)

Add-ADGroupMember -Identity ‘DNSAdmins’ -Members (Get-ADGroup -Identity IPAMUG)

I also found I had to add the IPAM server to the domain Administrators group to get the DNS data to come through.

Modify some firewall rules

$cs = New-CimSession -ComputerName W12R2SCDC01

Enable-NetFirewallRule  -DisplayName ‘Remote Service Management (RPC)’ -CimSession $cs -PassThru
Enable-NetFirewallRule  -DisplayName ‘Remote Service Management (NP-In)’ -CimSession $cs -PassThru
Enable-NetFirewallRule  -DisplayName ‘Remote Service Management (RPC-EPMAP)’ -CimSession $cs -PassThru

Get-NetFirewallRule -DisplayGroup ‘Remote Service Management’ -CimSession $cs |
ft  DisplayName, Enabled, Direction,Profile –a

There are a bunch of firewall rules that need setting. You can find the full list in the TechNet documentation.

For DHCP servers create an audit share

New-SmbShare -Name dhcpaudit -Path ‘C:\Windows\System32\dhcp’ -ReadAccess ‘manticore\IPAMUG’
Set-SmbShare -Name dhcpaudit -Description ‘DHCP audit share for IPAM’ -Force

## restart DHCP service
Get-Service -Name DHCPServer | Restart-Service -PassThru

Enable event log monitoring on the DNS servers

$csd = Get-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server’ -Name CustomSD |
select -ExpandProperty CustomSD
$ipamsid = (Get-ADComputer -Identity W12R2SUS | select -ExpandProperty SID).value
$csd = $csd + “(A;;0x1;;;$ipamsid)”
Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server’ -Name CustomSD -Value $csd –PassThru

I also had to manually add the IPAMUG group into the security permissions for the DNS servers. Didin’t seem to be a way to automate that bit.

IPAM has a PowerShell module – IpamServer – which contains lots of cmdlets:

Add-IpamAddress
Add-IpamAddressSpace
Add-IpamBlock
Add-IpamCustomField
Add-IpamCustomFieldAssociation
Add-IpamCustomValue
Add-IpamDiscoveryDomain
Add-IpamRange
Add-IpamServerInventory
Add-IpamSubnet
Disable-IpamCapability
Enable-IpamCapability
Export-IpamAddress
Export-IpamRange
Export-IpamSubnet
Find-IpamFreeAddress
Get-IpamAddress
Get-IpamAddressSpace
Get-IpamAddressUtilizationThreshold
Get-IpamBlock
Get-IpamCapability
Get-IpamConfiguration
Get-IpamConfigurationEvent
Get-IpamCustomField
Get-IpamCustomFieldAssociation
Get-IpamDatabase
Get-IpamDhcpConfigurationEvent
Get-IpamDiscoveryDomain
Get-IpamIpAddressAuditEvent
Get-IpamRange
Get-IpamServerInventory
Get-IpamSubnet
Import-IpamAddress
Import-IpamRange
Import-IpamSubnet
Invoke-IpamGpoProvisioning
Invoke-IpamServerProvisioning
Move-IpamDatabase
Remove-IpamAddress
Remove-IpamAddressSpace
Remove-IpamBlock
Remove-IpamConfigurationEvent
Remove-IpamCustomField
Remove-IpamCustomFieldAssociation
Remove-IpamCustomValue
Remove-IpamDhcpConfigurationEvent
Remove-IpamDiscoveryDomain
Remove-IpamIpAddressAuditEvent
Remove-IpamRange
Remove-IpamServerInventory
Remove-IpamSubnet
Rename-IpamCustomField
Rename-IpamCustomValue
Set-IpamAddress
Set-IpamAddressSpace
Set-IpamAddressUtilizationThreshold
Set-IpamBlock
Set-IpamConfiguration
Set-IpamCustomFieldAssociation
Set-IpamDatabase
Set-IpamDiscoveryDomain
Set-IpamRange
Set-IpamServerInventory
Set-IpamSubnet
Update-IpamServer

Now I’ve got my IPAM server up and running its time to see what I can do with it

This entry was posted in Networking, Powershell, Windows Server 2012 R2. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s