If you would like to read the other parts in this article series please go to:
- What's New in Windows Server 2012 Networking? (Part 1)
- What's New in Windows Server 2012 Networking? (Part 2)
- What's New in Windows Server 2012 Networking? (Part 4)
- What's New in Windows Server 2012 Networking? (Part 5)
- What's New in Windows Server 2012 Networking? (Part 6)
I’ve been hearing from a number of network admins who expect to be evaluating the benefits of upgrading their server operating system in the next year. Everyone wants to know whether the new features and functionalities are enough to make it worth the cost and hassle. That’s why I began this series on what’s new and cool in Windows Server 2012 networking. In Part 1 of the series, we talked about new and improved features in 802.1x authenticated wired and wireless access, BranchCache, Data Center Bridging (DCB), DNS and DHCP. In Part 2, we focused on a biggie: Hyper-V network virtualization.
As a quick refresher, here’s a list of some of the categories that offer new features for Windows Server 2012 networking, showing the ones we’ve already addressed in past articles, those we’ll look at in this article, and those still to come in future articles:
- 802.1x Authenticated Wired and Wireless Access
- Data Center Bridging (DCB)
- Domain Name System (DNS)
- Hyper-V network virtualization
- IP Address Management (IPAM)
- Low Latency Workloads technologies
- Network Load Balancing
- Network Policy and Access Services
- NIC Teaming
- Windows QoS
- DirectAccess and Unified RRAS
- Windows Firewall with Advanced Security
This time we’ll delve into IPAM, a feature that’s brand new to Server 2012.
What is IP Address Management (IPAM)?
We’ve been managing IP addresses for a lot of years, but much of the time it’s been done in a rather haphazard way. In too many cases, our IP addressing schemes “just grew that way.” Virtualization and the enormous increase in the number and types of devices that connect to the network have made things more confusing, and with IPv6 thrown into the mix, many network admins are finding themselves in over their heads. Keeping track of IP addresses manually (typically in spreadsheets) has become a time-consuming, tedious and error-prone task. IPAM tools such as Cisco’s Network Registrar and open source utilities such as MyIP and NetDB were developed to address that problem. There’s a plethora of IPAM solutions out there, many of which are sold as expensive hardware appliances.
Microsoft’s implementation of IPAM is a new server feature that’s built into Windows Server 2012, so there’s no need to buy or install additional software. This version of IPAM is robust and attempts to make IP management easier, but like all network management systems, it’s pretty complex itself. It consists of four main components, all aimed at helping you to more easily and accurately manage your corporate network’s IP address space and the servers (particularly DNS and DHCP) that deal most directly with IP addressing.
So what exactly does IPAM do? Broken down into its components, here are four broad categories of functionality:
- Automatically discovers and manages your domain controllers and DHCP and DNS servers.
- Displays IP addresses in the view you prefer and reports tracking and utilization information.
- Logs changes to server configuration and tracks usage of IP addresses by IP, client ID, host name or user name.
- Monitors your DHCP and DNS servers across an entire forest (but not across multiple forests).
IPAM supports both IPv4 and IPv6 addresses and of course is completely integrated with Microsoft’s implementations of DHCP and DNS (unlike some of the third party IPAM tools). Note that IPAM can only manage servers that are running Windows Server 2008 or above and are members of an Active Directory domain.
IPAM manages both static and dynamic addresses, and detects IP addressing conflicts and duplicate addresses as well as detecting and assigning available addresses.
IPAM planning and deployment
Microsoft IPAM is installed via Server Manager through the Add Roles and Features wizard or if you prefer the command line, you can do it via PowerShell. The IPAM server needs to be a member of the domain but it cannot be a domain controller. Depending on your network’s topology and organization, IPAM can be deployed as one central server or you can place IPAM servers at each Active Directory site.
Deploying IPAM on your network does not dictate that all of your DCs, DHCP and DNS servers must be managed by IPAM. You have control over which servers or groups of servers will be managed. You can specify which domains will be managed by each IPAM server. When servers are separated from the IPAM server by a firewall, you may need to configure firewall settings (either manually or via Group Policy) to allow the IPAM server to communicate through the firewall(s).
An IPAM deployment requires some planning; in addition to deciding whether to have one IPAM server or many and which servers will manage what, you might want to plan for a gradual deployment that starts small and then expands the number of servers to be managed by IPAM. If you will have multiple IPAM servers, there are more decisions to make:
- Physical placement of the IPAM servers
- Administration of the IPAM servers (administrative permissions and responsibilities)
- Role(s) to be assigned to each IPAM server
There are three roles/tasks that IPAM servers can perform: IP address space management (ASM), multi-server monitoring and management (MSM) of the DHCP and DNS servers, and IP address tracking/auditing. You can have each IPAM server perform all of these roles, or you can assign different roles to different IPAM servers.
You should not install IPAM on servers that have the DHCP Server role service running. This can interfere with IPAM’s discovery of DHCP servers. It’s best to use automatic discovery as much as possible, because if you add servers individually, you may have to maintain the server inventory manually.
When you install the IPAM feature, a set of new local security groups is created on the IPAM server: IPAM Users, IPAM MSM Administrators, IPAM ASM Administrators, IPAM IP Audit Administrators and IPAM Administrators. IPAM Administrators can perform all IPAM management tasks; the MSM, ASM and IP Audit groups are scoped to the corresponding role described above. IPAM Users can view most IPAM data (except IP address tracking information) but cannot launch IPAM tasks. Also during setup of the IPAM server, a wizard walks you through selecting either manual or automatic (Group Policy based) provisioning of managed servers.
The IPAM Client software is installed on the Windows Server 2012 computer when you install IPAM. It can also be installed on Windows 8 computers. The client software connects to IPAM servers (but only one at a time) and is used to manage them. The IPAM Client console lets you view a summary of the IPAM server’s configuration and perform management tasks such as adding or removing managed servers and server groups and address blocks and ranges, importing addresses and ranges, and monitoring and managing servers, DHCP scopes, and DNS zones. Some of the management actions you can perform are shown in the “Quick Links” section of the client console in Figure 1.
You may need to refresh the console interface to see updated changes in the database.
In order to connect to the IPAM server, you need to be logged on as a domain user and a member of the applicable IPAM security group or the local Administrators group on the IPAM server. If you have a problem connecting to the server, check to be sure the Windows Process Activation Service and the Windows Internal Database services are running on the IPAM server.
Provisioning can be done manually or through Group Policy, but if you have more than a few servers that you want to be managed by IPAM, it’s much better to use Group Policy because there are a large number of security settings that have to be applied to each server. To use Group Policy, you should create a domain group named IpamGpoAdmins and add users who will have administrative duties or be authorized to designate whether servers will be managed or unmanaged (by IPAM). Be sure there aren’t any other Group Policies that conflict, especially in terms of security group memberships and blocking of the firewall ports needed for access to or by the IPAM server.
If you have a large number of servers being managed by IPAM, use organizational units for application of the GPOs instead of applying them to the entire domain.
IPAM PowerShell cmdlets
As is true of most Windows Server 2012 administrative tasks, you can use Windows PowerShell to manage IPAM instead of the GUI tool. For example, you can import IP addresses from a comma-separated value (.csv) file into the IPAM server by using the Import-IpamAddress cmdlet. Other relevant cmdlets include:
- Get-IpamConfiguration: Gets the IPAM server’s configuration information.
- Invoke-IpamGpoProvisioning: Creates and links the Group Policy Objects in a domain that provision the required access settings on managed servers.
- Set-IpamConfiguration: Sets configuration such as the TCP port number the IPAM server listens on so the IPAM RSAT client can connect to it.
For the complete list of IPAM-related cmdlets, use Get-Command -Module IpamServer
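To tie the deployment steps above together (pre-flight checks, feature installation, Group Policy provisioning, the service check for console connections, group delegation and a CSV import), here is an added end-to-end PowerShell example. It is not code from the original article or from Microsoft; the domain name contoso.com, the server name ipam1.contoso.com, the GPO prefix, the domain group names, the file paths and the sample CSV rows are all assumptions, and the CSV column names should be checked against the header IPAM itself exports before you import.

```powershell
# Added example (not from the original article): deploying IPAM on Windows Server 2012
# with PowerShell. Run in an elevated session on the prospective IPAM server as a domain
# user who is a local administrator and can create/link GPOs in the domain.
# Assumed values - change them for your environment:
$Domain         = 'contoso.com'        # assumption
$IpamServerFqdn = 'ipam1.contoso.com'  # assumption
$GpoPrefix      = 'IPAM'               # assumption; GPOs are named <prefix>_DHCP, <prefix>_DNS, <prefix>_DC_NPS
$CsvDir         = 'C:\ipam'            # assumption

# 1. Pre-flight: IPAM must be a domain member, must not be a domain controller,
#    and should not host the DHCP Server role (it interferes with DHCP discovery).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'The IPAM server must be a member of the domain.' }
if ($cs.DomainRole -ge 4)  { throw 'IPAM cannot be installed on a domain controller (DomainRole 4/5).' }
if ((Get-WindowsFeature -Name DHCP).Installed) {
    Write-Warning 'The DHCP Server role is installed here; IPAM discovery of DHCP servers may misbehave.'
}

# 2. Install the IPAM feature together with the IPAM client (RSAT) console.
Install-WindowsFeature -Name IPAM -IncludeManagementTools

# 3. Provision managed servers through Group Policy. This creates and links the
#    three GPOs in the domain; servers only pick them up once you mark them as
#    "Managed" in the IPAM console, so nothing changes on them yet.
Invoke-IpamGpoProvisioning -Domain $Domain -GpoPrefixName $GpoPrefix -IpamServerFqdn $IpamServerFqdn -Force

# 4. The console cannot connect unless Windows Process Activation Service and the
#    Windows Internal Database are running; check both before troubleshooting further.
Get-Service -Name 'WAS', 'MSSQL$MICROSOFT##WID' | Select-Object Name, Status

# 5. Delegate access via the local IPAM groups. Windows Server 2012 has no
#    Add-LocalGroupMember cmdlet, so use net.exe. Domain group names are assumptions.
net localgroup "IPAM Administrators" "CONTOSO\IPAM-Admins" /add
net localgroup "IPAM Users"          "CONTOSO\IPAM-Viewers" /add

# 6. Bulk-load static addresses from CSV. Export first to obtain the exact header
#    IPAM expects, then build the import file with the same columns.
New-Item -ItemType Directory -Path $CsvDir -Force | Out-Null
Export-IpamAddress -AddressFamily IPv4 -Path (Join-Path $CsvDir 'template.csv')

# Constructed sample rows (not real inventory). The column names are assumed to match
# the exported template; compare them before running the import.
@'
IP Address,Managed by Service,Service Instance,Device Type,IP Address State,Assignment Type,Description
10.10.1.10,IPAM,Localhost,Host,In-Use,Static,Core switch management
10.10.1.11,IPAM,Localhost,Host,In-Use,Static,Firewall inside interface
'@ | Set-Content -Path (Join-Path $CsvDir 'addresses.csv') -Encoding ASCII

# Rows that fail validation are written to a file under -ErrorPath rather than aborting the whole import.
Import-IpamAddress -AddressFamily IPv4 -Path (Join-Path $CsvDir 'addresses.csv') -ErrorPath $CsvDir

# 7. Review the resulting configuration and the full cmdlet surface.
Get-IpamConfiguration
Get-Command -Module IpamServer
```

Two things worth checking after step 3: open the newly created GPOs in the Group Policy Management console and confirm that nothing else linked higher in the hierarchy blocks the firewall rules or overrides the security group memberships they apply, and scope the links to the OUs that actually hold your DHCP, DNS and DC servers rather than leaving them at the domain root. The provisioning GPOs grant the IPAM server’s computer account read access to event logs and DHCP/DNS configuration on every managed server, so treat membership of the IPAM Administrators group as privileged.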
IPAM is an important new feature in Windows Server 2012 because, although there are many third party solutions that perform IP address management for Windows networks, they are often costly and don’t always integrate well with Microsoft’s implementations of DHCP and DNS. The built-in IPAM feature will save companies money and ensure better compatibility.
Because IPAM has the potential to be one of the most universally useful new features in Windows Server 2012, we’ve dedicated all of Part 3 to it. Next time, in Part 4 of this “What’s New” series, we’ll move on to Low Latency Workloads technologies and Network Load Balancing. See you then. - Deb