IP Address Management (IPAM) Overview
Applies To: Windows Server 2012 R2, Windows Server 2012
This topic provides a summary of the IP Address Management (IPAM) Server feature in Windows Server® 2012 and Windows Server 2012 R2. For detailed information, see the following topics:
- This topic provides information about additions and changes in IPAM in different Windows Server operating system versions.
- Step-by-step procedures are provided for using IPAM in a test environment.
- Architectural and planning information for IPAM is provided.
- Provides detailed, click-by-click deployment instructions to deploy IPAM in a production environment.
- Provides operational, troubleshooting, and best practices guidance for IPAM.
- Two virtual labs are available for Windows Server 2012, including Managing Your Network Infrastructure with IP Address Management, which demonstrates IPAM only, and Building a Resilient Network Infrastructure, a virtual lab that combines IPAM with DNSSEC and DHCP failover in Windows Server 2012. Note: Virtual labs might require some time to start.
- Provides a list and examples of available Windows PowerShell cmdlets for IPAM server.
IP Address Management (IPAM) in Windows Server® 2012 and Windows Server® 2012 R2 is an integrated suite of tools to enable end-to-end planning, deploying, managing and monitoring of your IP address infrastructure, with a rich user experience. IPAM automatically discovers IP address infrastructure servers on your network and enables you to manage them from a central interface.
IPAM includes components for:
- Address space management (ASM)
- Virtual address space management (VASM)\*
- Multi-server management (MSM)
- Network audit
- Role-based access control\*\*

\* Virtual IP address space management is enabled through integration of IPAM with System Center Virtual Machine Manager and is available in Windows Server 2012 R2 and later operating systems. This feature is not available with IPAM in Windows Server 2012.
\*\* Role-based access control is available in Windows Server 2012 using local user groups on the IPAM server. This feature was significantly enhanced in Windows Server 2012 R2 to include detailed built-in and custom role-based access groups.
Also see the following sections in this topic:
IPAM deployment options: Provides a summary of IPAM design choice. For detailed information, see IPAM Architecture.
IPAM specifications: Provides a summary of IPAM deployment requirements and capabilities.
For information about getting started with IPAM, see Using the IPAM Client Console.
IPAM’s address space management (ASM) feature enables you to gain visibility into all aspects of your IP address infrastructure from a single console. With IPAM, you can create a highly customized, multi-level hierarchy of address space on your network and use it to manage IPv6 addresses and IPv4 public and private addresses. The ASM feature includes a robust reporting capability that enables detailed tracking of IP address utilization trends with customized thresholds and alerts.
Key features of ASM include the following.
- Integrated management of dynamic and static IP address space
- Detection and management of conflicts, overlaps, and duplicates in address space across systems
- Highly customizable inventory view of IP address space
- Centralized monitoring and reporting of address utilization statistics and trends
- Support for IPv4 and stateless IPv6 address utilization monitoring
- Automated discovery of IP address ranges from DHCP scopes
- Export and import of IP addresses and IP address ranges with Windows PowerShell support
- IP address usage alerts and notifications with custom thresholds
- Detection and assignment of available IP addresses
The following example shows how IPAM’s ASM feature enables you to monitor IP address utilization. In this example, 7 days of utilization data is displayed for the 10.72.144.0/22 IP address range.
For more information, see Managing IP Address Space.
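The ASM workflow described above, as an added PowerShell example that is not part of the original topic: the 10.72.144.0/22 range from the utilization example is registered as IPAM-managed static space, free addresses are detected and assigned, utilization is read back, and the inventory is exported. It assumes the IpamServer module on a Windows Server 2012 R2 IPAM server; the export path and the output property names selected are assumptions.

```powershell
# Added example, not from the original topic: bring the 10.72.144.0/22 range from
# the utilization example under IPAM's static address space management.
# Assumes the IpamServer module on a Windows Server 2012 R2 IPAM server; the
# export path and the output property names selected below are assumptions.
$ErrorActionPreference = 'Stop'
$NetworkId = '10.72.144.0/22'

# Register the range as managed by IPAM itself (static space, not a DHCP scope).
# IPAM flags overlapping or duplicate ranges across services at this point.
$range = Add-IpamRange -NetworkId $NetworkId `
    -StartIPAddress 10.72.144.1 -EndIPAddress 10.72.147.254 `
    -ManagedByService IPAM -ServiceInstance Localhost -PassThru

# "Detection and assignment of available IP addresses": take the next three free
# addresses in the range and record them as static host assignments. A later
# Add-IpamAddress for one of these addresses is reported as a duplicate.
$free = Find-IpamFreeAddress -InputObject $range -NumAddress 3
foreach ($ip in $free.IpAddress) {
    Add-IpamAddress -IpAddress $ip -ManagedByService IPAM -ServiceInstance Localhost `
        -AssignmentType Static -DeviceType Host -Description 'Assigned by build script'
}

# Utilization for the range, the figure the console graphs over time and compares
# against the configured under/over-utilization thresholds.
Get-IpamRange -AddressFamily IPv4 |
    Where-Object { $_.NetworkId -eq $NetworkId } |
    Select-Object NetworkId, AssignedAddresses, UtilizedAddresses, PercentageUtilized

# Export the IPv4 address inventory to CSV for offline review or import into a
# second IPAM server (the topic's Windows PowerShell export/import support).
Export-IpamAddress -AddressFamily IPv4 -Path 'C:\Reports\ipam-ipv4-addresses.csv' -Force
```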
IPAM in Windows Server 2012 R2 includes the ability to manage virtual IP address space that is configured using System Center Virtual Machine Manager (VMM).
IPAM’s virtual address space management (VASM) feature enables the same functions and capabilities for your virtual IP address infrastructure as the ASM feature does for physical IP address space.
For more information, see Managing Virtual IP Address Space.
IPAM’s multi-server management (MSM) feature enables you to automatically discover DHCP and DNS servers on the network, monitor service availability, and centrally manage their configuration. Using the Group Policy provisioning mode, IPAM provides quick and painless provisioning of agentless IPAM access settings on managed servers. A manual provisioning mode is also available.
Key features of MSM include the following.
- Discovery of Microsoft DHCP and DNS servers automatically across an Active Directory forest
- Manual addition or removal of managed servers
- End-to-end configuration and management of DHCP servers and scopes
- Support for advanced constructs to enable add, delete, overwrite, or find and replace operations on multiple DHCP scopes and servers
- Simultaneous update of common settings across multiple DHCP scopes or DHCP servers
- Availability monitoring for DHCP and DNS services and DNS zones
- Management of Microsoft DHCP and DNS servers running Windows Server 2008 or later operating systems
- Addition of custom information to servers, enabling visualization using logical groups based on business logic
- Monitoring of DHCP scope utilization
- Automatic and on-demand retrieval of server data from managed DHCP and DNS servers
- DNS zone status monitoring based on DNS zone events
- Classification of discovered servers and roles as managed or unmanaged
The following example shows how IPAM’s MSM feature enables you to monitor DHCP scopes on the network. In this example, detailed data is displayed for the scope US_SEA_zzz3.
For more information, see Multi-server Management.
IPAM’s audit feature provides a centralized repository for all configuration changes performed on DHCP servers and the IPAM server, and for IP addresses issued on the network. IPAM audit tools enable you to view potential configuration problems on DHCP servers by actively tracking and reporting all administrative actions. Detailed IP address tracking data is also provided, including client IP addresses, client ID, host name, and user name. Advanced search capabilities enable you to selectively search for events and obtain results that associate user logons to specific devices and times.
Key features of network audit include the following.
- Query the event catalog for DHCP configuration changes across multiple servers from a single console
- Track users, devices, and IP addresses for specified intervals with advanced queries using DHCP lease logs and logon events from domain controllers and network policy servers
- Track and report changes made to the IPAM server
- Export audit findings and create reports
- Quickly resolve configuration problems and track service level agreements
The following example shows how IPAM’s network audit feature enables you to track IP addresses on the network. In this example, details are displayed for a lease event in the contoso.com domain.
For more information, see IP Address Tracking and Operational Event Tracking.
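The audit queries described above, as an added PowerShell example that is not part of the original topic: lease events for one address are correlated with domain controller and NPS logon events, the same catalog is queried by host name, configuration changes are filtered to one administrator, and the findings are exported. It assumes the IpamServer module on a Windows Server 2012 R2 IPAM server; the address, host name, account, report path and the output property names selected are constructed.

```powershell
# Added example, not from the original topic: use the IPAM network audit catalog
# to answer "who held this address, on which device, and who changed DHCP when?".
# Assumes the IpamServer module on Windows Server 2012 R2; the address, host name,
# account, path and the property names selected below are constructed/assumed.
$ErrorActionPreference = 'Stop'
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# IP address tracking: lease events for a single address, correlated with logon
# events IPAM collected from domain controllers and NPS servers, so each lease is
# tied to the user who was signed in on that device at that time.
$leases = Get-IpamIpAddressAuditEvent -StartDate $start -EndDate $end `
    -IpAddress 10.72.144.25 -CorrelateLogonEvents
$leases | Sort-Object EventTime |
    Select-Object EventTime, IpAddress, ClientId, HostName, UserName

# The reverse question: every address a given host leased during the window.
Get-IpamIpAddressAuditEvent -StartDate $start -EndDate $end -HostName 'SEA-WS017' |
    Select-Object EventTime, IpAddress, UserName

# Operational events: configuration changes on managed DHCP servers and on the
# IPAM server itself, narrowed to one administrator account.
Get-IpamConfigurationEvent -StartDate $start -EndDate $end -UserName 'CONTOSO\jdoe' |
    Select-Object EventTime, UserName, Keyword

# Preserve the findings for change management and forensics review. Note that
# IPAM does not purge audit data on its own, so the catalog keeps growing.
$leases | Export-Csv -Path 'C:\Reports\lease-10.72.144.25.csv' -NoTypeInformation
```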
IPAM’s role-based access control feature enables you to customize the types of operations and access permissions for users and groups of users on specific objects in IPAM. Role-based access control in Windows Server 2012 is less fine-grained than in Windows Server 2012 R2. See the following comparison.
| Group | Windows Server 2012 | Windows Server 2012 R2 |
|---|---|---|
| Local IPAM security groups | IPAM Users, IPAM ASM Administrators, IPAM MSM Administrators, IPAM IP Audit Administrators, IPAM Administrators | IPAM Users, IPAM ASM Administrators, IPAM MSM Administrators, IPAM IP Audit Administrators, IPAM Administrators |
| Built-in IPAM role-based access groups | N/A | DNS Record Administrator, IP Address Record Administrator, IPAM Administrator, IPAM ASM Administrator, IPAM DHCP Administrator, IPAM DHCP Reservations Administrator, IPAM DHCP Scope Administrator, IPAM MSM Administrator |
| Custom IPAM role-based access groups | N/A | Unlimited |
An IPAM server is a domain member computer.
Important
You cannot install the IPAM feature on an Active Directory domain controller.
There are three general methods to deploy IPAM servers:
- Distributed: An IPAM server deployed at every site in an enterprise.
- Centralized: One IPAM server in an enterprise.
- Hybrid: A central IPAM server deployed with dedicated IPAM servers at each site.
The following example displays the distributed IPAM deployment method, with one IPAM server located at the corporate headquarters and also at each branch office. There is no communication or database sharing between different IPAM servers in the enterprise. If multiple IPAM servers are deployed, you can customize the scope of discovery for each IPAM server, or filter the list of managed servers. A single IPAM server might manage a specific domain or location, perhaps with a second IPAM server configured as a backup.
IPAM will periodically attempt to locate domain controllers, DNS, and DHCP servers on the network that are within the scope of discovery that you specify. You must choose whether these servers are managed by IPAM or unmanaged. In this way, you can select different groups of servers that are managed or not managed by IPAM.
To be managed by IPAM, security settings and firewall ports on a server must be configured to allow the IPAM server access so that it can perform required monitoring and configuration functions. You can configure these settings manually, or automatically using Group Policy Objects (GPOs). If you choose the automatic method, settings are applied when a server is marked as managed and settings are removed when it is marked as unmanaged.
The IPAM server will communicate with managed servers using an RPC or WMI interface. IPAM monitors domain controllers and NPS servers for IP address tracking purposes. In addition to monitoring functions, several DHCP server and scope properties can be configured from the IPAM console. Zone status monitoring and a limited set of configuration functions are also available for DNS servers. See the following figure.
For more information, see IPAM Architecture.
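The placement rules and provisioning flow described above, as an added PowerShell example that is not part of the original topic: the host is checked against the domain-member and not-a-domain-controller requirements, the feature is installed, Group Policy provisioning is run and its GPOs verified, and a discovered server is marked as managed so the settings are applied. It assumes the IpamServer and GroupPolicy modules on Windows Server 2012 R2; the domain, host names, GPO prefix and the inventory property names selected are assumptions.

```powershell
# Added example, not from the original topic: pre-flight checks and Group Policy
# provisioning for one IPAM server in a distributed deployment.
# Assumes the IpamServer and GroupPolicy modules on Windows Server 2012 R2; the
# domain, host names, GPO prefix and inventory property names are placeholders.
$ErrorActionPreference = 'Stop'
$Domain    = 'contoso.com'
$IpamFqdn  = 'ipam1.contoso.com'
$GpoPrefix = 'IPAM'

# Placement rules from the topic: the server must be a domain member (DomainRole 3)
# and must not be a domain controller (DomainRole 4 or 5). Co-locating the DHCP
# Server role is allowed but disables automatic DHCP server discovery.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -lt 3) { throw 'IPAM requires a domain-joined server.' }
if ($role -ge 4) { throw 'This host is a domain controller; IPAM cannot be installed here.' }
if ((Get-WindowsFeature DHCP).Installed) {
    Write-Warning 'DHCP Server role present: automatic DHCP server discovery will be disabled.'
}

# Same result as installing the IPAM Server feature from Server Manager.
Install-WindowsFeature IPAM -IncludeManagementTools

# Automatic provisioning: creates the GPOs that open the firewall ports and grant
# the IPAM server the access it needs on managed servers. The prefix must match
# the one chosen in the IPAM provisioning wizard; three GPOs are created, named
# <prefix>_DHCP, <prefix>_DNS and <prefix>_DC_NPS.
Invoke-IpamGpoProvisioning -Domain $Domain -GpoPrefixName $GpoPrefix -IpamServerFqdn $IpamFqdn -Force

# Verify all three GPOs exist before marking anything as managed.
$expected = "${GpoPrefix}_DHCP", "${GpoPrefix}_DNS", "${GpoPrefix}_DC_NPS"
$present  = (Get-GPO -All -Domain $Domain).DisplayName
$missing  = $expected | Where-Object { $_ -notin $present }
if ($missing) { throw "GPO provisioning incomplete, missing: $($missing -join ', ')" }

# Discovery runs on its own schedule and leaves servers Unspecified. Marking a
# server Managed applies the GPO settings to it; Unmanaged removes them again.
Set-IpamServerInventory -Name 'dhcp1.contoso.com' -ManageabilityStatus Managed
Get-IpamServerInventory | Select-Object Name, ServerType, ManageabilityStatus, IpamAccessStatus
```

Re-run the final Get-IpamServerInventory after the next Group Policy refresh on the managed server; IpamAccessStatus only changes once the GPO settings have actually been applied there.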
The scope of IPAM server discovery is limited to a single Active Directory forest. The forest itself may consist of a mix of trusted and untrusted domains. IPAM requires membership in an Active Directory domain, and relies on a functional network infrastructure environment to integrate with other server installations across the AD forest.
IPAM has the following specifications:
- IPAM supports only Microsoft domain controllers, DHCP, DNS, and NPS servers running Windows Server® 2008 and above.
- IPAM supports only domain joined DHCP, DNS and NPS servers in a single AD forest.
- In its recommended configuration, IPAM is installed on a standalone server. You cannot install IPAM on a domain controller. If IPAM is installed on the same server with the DHCP Server role service, automatic discovery of DHCP servers on the network will be disabled.
- IPAM does not support management and configuration of non-Microsoft network elements. However, you can use Windows PowerShell to import and manage IP address data from non-Microsoft devices.
- IPAM in Windows Server 2012 does not support external databases. Only a Windows Internal Database is supported.
- A single IPAM server has been tested to support up to 150 DHCP servers and 500 DNS servers.
- A single IPAM server has been tested to support up to 40,000 DHCP scopes and 350 DNS zones.
- IPAM has been tested to store 3 years of forensics data (IP address leases, host MAC addresses, user login/logoff information) for 100,000 users in a Windows Internal Database. Data is not purged automatically. An administrator must purge data manually as needed.
- IP address utilization trends are provided only for IPv4.
- IP address reclaiming support is provided for IPv4 and IPv6.
- IPAM does not check for IP address consistency with routers and switches.
- IPAM does not support auditing of IPv6 stateless address auto configuration on an unmanaged machine to track the user.
- IPAM supports integration with System Center Virtual Machine Manager (VMM) using a Windows PowerShell script that is packaged and shipped with System Center VMM. This integration enables IPAM to display detailed utilization and inventory data for IP addresses and IP address ranges used in System Center VMM.
Monitoring and managing the IP address infrastructure on a corporate network is a critical part of network administration, and has become increasingly challenging as networks grow more dynamic and complex. Many IT administrators still track IP address allocation and utilization manually, using spreadsheets or custom database applications. This can be very time consuming and resource intensive, and is inherently prone to user error. IPAM in Windows Server 2012 provides a platform to manage the following IP administration needs.
Planning: IPAM replaces manual tools and scripts that can introduce added time, inconsistency and expense into the planning process when business expansions and alterations occur, or new technology and scenario adoptions are required.
Managing: IPAM provides a single management platform for IP address administration on the network. IPAM also allows for optimized utilization and capacity planning for DHCP and DNS services in distributed environments.
Tracking: IPAM enables tracking and forecasting of IP address utilization. As the demand for public IPv4 address space continues to grow in an environment with limited supply, this can be of critical importance to an organization.
Auditing: IPAM assists with compliance requirements such as HIPAA and Sarbanes-Oxley, and provides reporting for forensics and change management.
See What's New in IPAM.
The installation of the IPAM Server feature can be performed through the Server Manager. The following features and tools are installed automatically when you install IPAM Server:
| Feature or Tool | Description |
|---|---|
| Remote Server Administration Tools | DHCP and DNS Server Tools and the IP Address Management (IPAM) Client provide for remotely managing DHCP, DNS and IPAM servers. |
| Windows Internal Database | Windows Internal Database is a relational data store that can be used only by Windows roles and features. |
| Windows Process Activation Service | Windows Process Activation Service generalizes the IIS process model, removing the dependency on HTTP. |
| Group Policy Management | Group Policy Management is a scriptable Microsoft Management Console (MMC), providing a single administrative tool for managing Group Policy. |
| .NET Framework 4.5 Features | .NET Framework 4.5 provides a programming model for building and running applications designed for several different platforms. |