IP ADDRESS MANAGEMENT [IPAM]. What is IPAM? Windows Server 2012 introduces IP address...


What is IPAM?

Windows Server 2012 introduces IP address management [IPAM], which is a framework for discovering, auditing, monitoring utilization, and managing the IP address space in a network. IPAM enables the administration and monitoring of DHCP and DNS, and provides a comprehensive view of where IP addresses are used. IPAM collects information from domain controllers and Network Policy Servers (NPSs), and then stores that information in the Windows Internal Database.

IPAM Features [1]

Automatic IP address infrastructure discovery:

• IPAM discovers domain controllers, DHCP servers, and DNS servers in the domains you choose.

• You can enable or disable management of these servers by IPAM.

Custom IP address space display, reporting, and management:

• The display of IP addresses is highly customizable and detailed tracking and utilization data is available.

• IPv4 and IPv6 address space is organized into IP address blocks, IP address ranges, and individual IP addresses.

• IP addresses are assigned built-in or user-defined fields that can be used to further organize IP address space into hierarchical, logical groups.

IPAM Features [2]

Audit of server configuration changes and tracking of IP address usage:

• Operational events are displayed for the IPAM server and managed DHCP servers.

• IPAM also enables IP address tracking using DHCP lease events and user logon events collected from Network Policy Server (NPS), domain controllers, and DHCP servers.

• Tracking is available by IP address, client ID, host name, or user name.

Monitoring and management of DHCP and DNS services:

• IPAM enables automated service availability monitoring for Microsoft DHCP and DNS servers across the forest.

• DNS zone health is displayed, and detailed DHCP server and scope management is available using the IPAM console.

IPAM Support

Characteristics of IPAM

A single IPAM server can support up to 150 DHCP servers and 500 DNS servers.

A single IPAM server can support up to 6,000 DHCP scopes and 150 DNS zones.

IPAM stores three years of forensics data for 100,000 users in a Windows Internal Database.

• IP address leases

• host media access control (MAC) addresses

• user logon and logoff information

IPAM Architecture [1]

IPAM architecture consists of four main modules

IPAM discovery

• Use AD DS to discover servers that are running Windows Server 2008 and newer Windows Server operating systems, and that have DNS, DHCP, or AD DS installed.

• Define the scope of discovery to a subset of domains in the forest.

• Add servers manually.

IP address space management

• View, monitor, and manage the IP address space.

• Dynamically issue or statically assign addresses.

• Track address utilization and detect overlapping DHCP scopes.

IPAM Architecture [2]

IPAM architecture consists of four main modules

Multi-server management and monitoring

• Manage and monitor multiple DHCP servers.

• Execute tasks across multiple servers.

• …configure and edit DHCP properties and scopes, and track the status of DHCP and scope utilization.

• Monitor multiple DNS servers, and monitor the health and status of DNS zones across authoritative DNS servers.

Operational auditing and IP address tracking

• You can use the auditing tools to track potential configuration problems.

• Collect, manage, and view details of configuration changes from managed DHCP servers.

• Collect address lease tracking from DHCP lease logs, and collect logon event information from NPS and domain controllers.

IPAM Main Components

IPAM server.

• The IPAM server performs the data collection from the managed servers.

• It also manages the Windows Internal Database and provides RBAC.

IPAM client.

• The IPAM client provides the client computer user interface.

• Interacts with the IPAM server, and invokes Windows PowerShell to perform DHCP configuration tasks, DNS monitoring, and remote management.

IPAM Implementation Prerequisites:

The IPAM server must be a domain member, but cannot be a domain controller.

The IPAM server should be a single purpose server. Do not install other network roles such as DHCP or DNS on the same server.

To manage the IPv6 address space, you must have IPv6 enabled on the IPAM server.

Sign in on the IPAM server with a domain account, and not a local account.

You must be a member of the correct IPAM local security group on the IPAM server.

Enable logging of account logon events on domain controller and NPS servers for IPAM’s IP address tracking and auditing feature.
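
The prerequisites above can be verified before the IPAM feature is installed. The script below is an added example, not part of the original slides: the -AuditTargets server names are placeholders you supply, the audit-policy check assumes English auditpol output, and the IPAM local groups exist only once the feature is installed.

```powershell
# Added example, not from the original slides: checks a candidate IPAM server
# against the prerequisites listed above. Save as a .ps1 file and run it in
# Windows PowerShell on the candidate server.
param(
    # Placeholder parameter: domain controllers and NPS servers to inspect.
    [string[]]$AuditTargets = @()
)

$checks = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Domain member, but not a domain controller.
#    Win32_ComputerSystem.DomainRole: 3 = member server, 4 and 5 = domain controller.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Add-Check 'Domain member, not a DC' ($cs.PartOfDomain -and $cs.DomainRole -eq 3) `
    "DomainRole=$($cs.DomainRole), Domain=$($cs.Domain)"

# 2. Single-purpose server: no DHCP, DNS or AD DS role on the same machine.
$roles = @(Get-WindowsFeature -Name DHCP, DNS, AD-Domain-Services |
    Where-Object { $_.Installed })
Add-Check 'No DHCP/DNS/AD DS role installed' ($roles.Count -eq 0) `
    (($roles | ForEach-Object { $_.Name }) -join ', ')

# 3. IPv6 bound on at least one adapter (needed to manage IPv6 address space).
$v6 = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $_.Enabled })
Add-Check 'IPv6 enabled' ($v6.Count -gt 0) "$($v6.Count) adapter binding(s) enabled"

# 4. Signed in with a domain account: a local account is named COMPUTERNAME\user.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$localPrefix = $env:COMPUTERNAME + '\'
$isDomain = -not $id.Name.StartsWith($localPrefix, [System.StringComparison]::OrdinalIgnoreCase)
Add-Check 'Domain account in use' $isDomain $id.Name

# 5. Member of an IPAM local security group (names as used on this page).
#    The token reflects group membership at sign-in time.
$ipamGroups = 'IPAM Users', 'IPAM MSM Administrators',
              'IPAM ASM Administrators', 'IPAM Administrators'
$mine = foreach ($sid in $id.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}
$held = @($mine | Where-Object { $ipamGroups -contains ($_ -split '\\')[-1] })
Add-Check 'Member of an IPAM local group' ($held.Count -gt 0) ($held -join ', ')

# 6. Account logon auditing on each DC / NPS server (feeds IP address tracking).
#    Passes when at least one Account Logon subcategory audits Success;
#    the detail column lists subcategories that are still switched off.
foreach ($server in $AuditTargets) {
    $lines = Invoke-Command -ComputerName $server -ScriptBlock {
        auditpol.exe /get /category:"Account Logon"
    }
    $on  = @($lines | Where-Object { $_ -match '\sSuccess' })
    $off = @($lines | Where-Object { $_ -match 'No Auditing' })
    Add-Check "Account logon auditing on $server" ($on.Count -gt 0) `
        (($off | ForEach-Object { $_.Trim() }) -join '; ')
}

$checks | Format-Table -AutoSize -Wrap
```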

Managing IP Addressing Using IPAM

IP address space management allows administrators to manage, track, audit, and report on an organization’s IPv4 and IPv6 address spaces. The IPAM IP address space console provides administrators with IP address utilization statistics and historical trend data so that they can make informed planning decisions for dynamic, static, and virtual address spaces.

Practical Applications

Planning: IPAM replaces manual tools and scripts that can introduce added time, inconsistency and expense into the planning process when business expansions and alterations occur, or new technology and scenario adoptions are required.

Managing:

• IPAM provides a single management platform for IP address administration on the network.

• IPAM also allows for optimized utilization and capacity planning for DHCP and DNS services in a distributed environment.

Tracking:

• IPAM enables tracking and forecasting of IP address utilization.

• As the demand for public IPv4 address space continues to grow in an environment with limited supply, this can be of critical importance to an organization.

Auditing:

• IPAM assists with compliance requirements such as HIPAA and Sarbanes-Oxley, and provides reporting for forensics and change management.

IPAM Specifications [1]

• The scope of IPAM server discovery is limited to a single Active Directory forest. The forest itself may be comprised of a mix of trusted and untrusted domains.

• IPAM supports only Microsoft domain controllers, DHCP, DNS, and NPS servers running Windows Server® 2008 and above.

• DHCP operational event auditing is supported for DHCP servers running Windows Server® 2008 R2 and above.

• IPAM installation on a DHCP server is not recommended. The IPAM server discovery feature will not be able to discover DHCP roles if DHCP Server is installed on the same computer.

• IPAM supports only domain joined DHCP, DNS and NPS servers in a single Active Directory forest.

• IPAM does not support management and configuration of non-Microsoft network elements.

• IPAM does not support external databases. Only a Windows Internal Database is supported.

IPAM Specifications [2]

• A single IPAM server can support up to 150 DHCP servers and 500 DNS servers.

• A single IPAM server has been tested to support up to 6000 DHCP scopes and 150 DNS zones.

• IPAM stores 3 years of forensics data (IP address leases, host MAC addresses, user login/logoff information) for 100,000 users in a Windows Internal Database.

• There is no database purge policy provided, and the administrator must purge data manually as needed.

• IP address utilization trends are provided only for IPv4.

• IP address reclaiming support is provided only for IPv4.

• No special processing is done for IPv6 stateless address auto configuration private extensions.

IPAM Specifications [3]

• No special processing for virtualization technology or virtual machine migration.

• IPAM does not check for IP address consistency with routers and switches.

• IPAM does not support auditing of IPv6 stateless address auto configuration on an unmanaged machine to track the user.

• IPAM users must be logged in using domain credentials. Do not sign in to the IPAM server using the local Administrator account or another local user account on the IPAM server.

• If you are accessing the IPAM server from a remote IPAM client, you must be a member of the WinRMRemoteWMIUsers group on the IPAM server, in addition to being a member of the appropriate local IPAM security group.

• If the Group Policy based provisioning method is used, users must have domain administrator privileges to mark servers as managed or unmanaged in the server inventory.

Hardware and Software Requirements

Active Directory:

• An IPAM server must be joined to a domain as a domain member server. Installation in a workgroup environment is not supported, and installation on a domain controller is not supported.

Network:

• An IPAM server requires a functional networking environment that includes IPv4 and IPv6 network connectivity to integrate with existing network services in the Active Directory forest.

• Server discovery requires that network settings on the IPAM server be configured to provide access to at least one domain controller and authoritative DNS server.

• Discovery of IPv6 address space requires that IPv6 is enabled on the IPAM server.

• The IPAM server must also have network connectivity to all servers that are marked as managed in the server inventory.

Hardware and Software Requirements

Other roles or features: An IPAM server is intended as a single-purpose server. It is not recommended to collocate other network infrastructure roles such as DNS or DHCP on the same server. IPAM installation is not supported on a domain controller, and discovery of DHCP servers will be disabled if you install IPAM on a server that is also running the DHCP Server service. The following features and tools are automatically installed when you install IPAM Server.

Q&A

Q1

• Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2012. Server1 has the IP Address Management (IPAM) Server feature installed. Server2 has the DHCP Server server role installed.

• A user named User1 is a member of the IPAM Users group on Server1.

• You need to ensure that User1 can use IPAM to modify the DHCP scopes on Server2. The solution must minimize the number of permissions assigned to User1.

• To which group should you add User1?

A. DHCP Administrators on Server2

B. IPAM ASM Administrators on Server1

C. IPAMUG in Active Directory

D. IPAM MSM Administrators on Server1

Q1

• Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2012. Server1 has the IP Address Management (IPAM) Server feature installed. Server2 has the DHCP Server server role installed.

• A user named User1 is a member of the IPAM Users group on Server1.

• You need to ensure that User1 can use IPAM to modify the DHCP scopes on Server2. The solution must minimize the number of permissions assigned to User1.

• To which group should you add User1?

ANSWER: A. DHCP Administrators on Server2

Explanation: The user needs rights to change DHCP, not IPAM. Members of the DHCP Administrators group can view and modify any data at the DHCP server.

Q2

• Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Both servers have the IP Address Management (IPAM) Server feature installed.

• You have a support technician named Tech1. Tech1 is a member of the IPAM Administrators group on Server1 and Server2.

• You need to ensure that Tech1 can use Server Manager on Server1 to manage IPAM on Server2.

• To which group on Server2 should you add Tech1?

A. Remote Management Users

B. IPAM MSM Administrators

C. IPAM Administrators

D. WinRM Remote WMI Users

Q2

• Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Both servers have the IP Address Management (IPAM) Server feature installed.

• You have a support technician named Tech1. Tech1 is a member of the IPAM Administrators group on Server1 and Server2.

• You need to ensure that Tech1 can use Server Manager on Server1 to manage IPAM on Server2.

• To which group on Server2 should you add Tech1?

A. Remote Management Users

B. IPAM MSM Administrators

C. IPAM Administrators

ANSWER: D. WinRM Remote WMI Users

Q3

• Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 and a member server named Server1. Server1 has the IP Address Management (IPAM) Server feature installed.

• On DC1, you configure Windows Firewall to allow all of the necessary inbound ports for IPAM.

• On Server1, you open Server Manager as shown in the exhibit. (See the Exhibit-next slide)

• You need to ensure that you can use IPAM on Server1 to manage DNS on DC1.

• What should you do?

A. Modify the outbound firewall rules on Server1.

B. Modify the inbound firewall rules on Server1.

C. Add Server1 to the Remote Management Users group.

D. Add Server1 to the Event Log Readers group

Q3

• Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 and a member server named Server1. Server1 has the IP Address Management (IPAM) Server feature installed.

• On DC1, you configure Windows Firewall to allow all of the necessary inbound ports for IPAM.

• On Server1, you open Server Manager as shown in the exhibit. (See the Exhibit-next slide)

• You need to ensure that you can use IPAM on Server1 to manage DNS on DC1.

• What should you do?

A. Modify the outbound firewall rules on Server1.

B. Modify the inbound firewall rules on Server1.

ANSWER: C. Add Server1 to the Remote Management Users group.

D. Add Server1 to the Event Log Readers group

Q4

• Your network contains an Active Directory domain named contoso.com. The domain contains servers named Server1 and Server2 that run Windows Server 2012. Server1 has the IP Address Management (IPAM) Server feature installed.

• You install the IPAM client on Server2.

• You open Server Manager on Server2 as shown in the exhibit. (See the Exhibit-next slide)

• You need to manage IPAM from Server2.

• What should you do first?

A. On Server1, add the Server2 computer account to the IPAM MSM Administrators group.

B. On Server2, open Computer Management and connect to Server1.

C. On Server2, add Server1 to Server Manager.

D. On Server1, add the Server2 computer account to the IPAM ASM Administrators group.

Q4

• Your network contains an Active Directory domain named contoso.com. The domain contains servers named Server1 and Server2 that run Windows Server 2012. Server1 has the IP Address Management (IPAM) Server feature installed.

• You install the IPAM client on Server2.

• You open Server Manager on Server2 as shown in the exhibit. (Click the Exhibit button.)

• You need to manage IPAM from Server2.

• What should you do first?

ANSWER: A. On Server1, add the Server2 computer account to the IPAM MSM Administrators group.

B. On Server2, open Computer Management and connect to Server1.

C. On Server2, add Server1 to Server Manager.

D. On Server1, add the Server2 computer account to the IPAM ASM Administrators group.

Q5

• Your network contains an Active Directory domain named contoso.com.

• The domain contains a server named Server1 that runs Windows Server 2012. Server1 has the IP Address Management (IPAM) Server feature installed.

• IPAM is configured currently for Group Policy-based provisioning.

• You need to change the IPAM provisioning method on Server1. What should you do?

A. Run the ipamgc.exe command.

B. Run the Set-IpamConfiguration cmdlet.

C. Reinstall the IP Address Management (IPAM) Server feature.

D. Delete IPAM Group Policy objects (GPOs) from the domain.

Q5

• Your network contains an Active Directory domain named contoso.com.

• The domain contains a server named Server1 that runs Windows Server 2012. Server1 has the IP Address Management (IPAM) Server feature installed.

• IPAM is configured currently for Group Policy-based provisioning.

• You need to change the IPAM provisioning method on Server1. What should you do?

A. Run the ipamgc.exe command.

B. Run the Set-IpamConfiguration cmdlet.

ANSWER: C. Reinstall the IP Address Management (IPAM) Server feature.

D. Delete IPAM Group Policy objects (GPOs) from the domain.

Q6

• Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Both servers have the IP Address Management (IPAM) Server feature installed.

• You have a support technician named Tech1. Tech1 is a member of the IPAM Administrators group on Server1 and Server2.

• You need to ensure that Tech1 can use Server Manager on Server1 to manage IPAM on Server2.

• To which group on Server2 should you add Tech1?

A. IPAM MSM Administrators

B. IPAM Administrators

C. WinRMRemoteWMIUsers

D. Remote Management Users

Q6

• Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Both servers have the IP Address Management (IPAM) Server feature installed.

• You have a support technician named Tech1. Tech1 is a member of the IPAM Administrators group on Server1 and Server2.

• You need to ensure that Tech1 can use Server Manager on Server1 to manage IPAM on Server2.

• To which group on Server2 should you add Tech1?

A. IPAM MSM Administrators

B. IPAM Administrators

ANSWER: C. WinRMRemoteWMIUsers

Explanation:

A. IPAM MSM Administrators can't access remotely.

B. IPAM Administrators can't access remotely.

C. If you are accessing the IPAM server remotely using Server Manager IPAM client RSAT, then you must be a member of the WinRMRemoteWMIUsers group on the IPAM server, in addition to being a member of the appropriate IPAM security group (or local Administrators group).

D. Remote Management Users

Q7

• Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2012.

• The domain contains four servers. The servers are configured as shown in the following table.

• You need to deploy IP Address Management (IPAM) to manage DNS and DHCP.

• On which server should you install IPAM?

A. DC1

B. DC2

C. DC3

D. Server1

Q7

• Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2012.

• The domain contains four servers. The servers are configured as shown in the following table.

• You need to deploy IP Address Management (IPAM) to manage DNS and DHCP.

• On which server should you install IPAM?

A. DC1

B. DC2

C. DC3

ANSWER: D. Server1

Explanation: D. IPAM cannot be installed on Domain Controllers. All other servers have the DC role.

Q8

• Your network contains an Active Directory forest named adatum.com. All servers run Windows Server 2012. The domain contains four servers. The servers are configured as shown in the following table.

• You need to deploy IP Address Management (IPAM) to manage DNS and DHCP.

• On which server should you install IPAM?

A. Server1

B. Server2

C. Server3

D. Server4

Q8

• Your network contains an Active Directory forest named adatum.com. All servers run Windows Server 2012. The domain contains four servers. The servers are configured as shown in the following table.

• You need to deploy IP Address Management (IPAM) to manage DNS and DHCP.

• On which server should you install IPAM?

A. Server1

B. Server2

C. Server3

ANSWER: D. Server4

Q9

• Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 and has the DHCP Server server role installed.

• An administrator installs the IP Address Management (IPAM) Server feature on a server named Server2. The administrator configures IPAM by using Group Policy based provisioning and starts server discovery.

• You plan to create Group Policies for IPAM provisioning.

• You need to identify which Group Policy object (GPO) name prefix must be used for IPAM Group Policies.

• What should you do on Server2?

A. From Server Manager, review the IPAM overview.

B. Run the ipamgc.exe tool.

C. From Task Scheduler, review the IPAM tasks.

D. Run the Get-IpamConfiguration cmdlet.

Q9

• Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 and has the DHCP Server server role installed.

• An administrator installs the IP Address Management (IPAM) Server feature on a server named Server2. The administrator configures IPAM by using Group Policy based provisioning and starts server discovery.

• You plan to create Group Policies for IPAM provisioning.

• You need to identify which Group Policy object (GPO) name prefix must be used for IPAM Group Policies.

• What should you do on Server2?

ANSWER: A. From Server Manager, review the IPAM overview.

B. Run the ipamgc.exe tool.

C. From Task Scheduler, review the IPAM tasks.

D. Run the Get-IpamConfiguration cmdlet.