DHCP and DNS are widely used Windows Server roles providing the foundation for connectivity in enterprise networks. While DHCP enables the assignment of IP addresses and configuration of hosts on demand, DNS allows Internet names like “www.microsoft.com” to be resolved to the corresponding IP address. To make use of DHCP and DNS in an enterprise environment, however, a number of operational issues must be addressed. Some of these are:
- What is the IP address space that should be assigned for each location of an enterprise?
- What part of this address space is public and what part is private?
- How many static IP addresses are needed? What part of the address space should static IP addresses be assigned from?
- What part of the address space is dynamic, i.e., assigned through DHCP servers? How to easily configure and update the corresponding DHCP servers?
- How to determine an available static address to assign to a new host or device, and reclaim unused addresses?
- How to easily create and update DNS records corresponding to hosts or other devices?
- How to keep track of IP address utilization in various locations?
- How to determine the IP address association with various devices and users for auditing and compliance purposes?
IP Address Management (IPAM for short) refers to solutions that help with the planning, allocation, usage, and monitoring of IP addresses, and the associated configuration and management of DHCP and DNS server roles. Many organizations have traditionally been performing these functions manually by keeping track of usage and allocations in spreadsheets. Aside from the obvious issues of keeping such information up to date manually, this approach suffers from high operational costs and it is becoming impractical with the increasing complexity of enterprise networks. An effective and capable IPAM solution is needed to keep the network administrators in control, help them respond to changes quickly, and ease the operational complexities in providing 24x7 network connectivity – all with low up-front and operational costs. Windows Server 2012 provides such a solution as a built-in feature.
At a high level, Windows Server 2012 IPAM supports the following functions:
Address planning and allocation
Centralized server discovery and management
Windows Server 2012 IPAM is designed for high scale and robustness, and provides built-in role-based access control. The following describes some of these features in more detail.
Provisioning and set-up
Windows Server 2012 IPAM comprises a server feature (called the IPAM server) and a Remote Server Administration Tool (RSAT)-based client (called the IPAM client). The IPAM server feature is integrated with the Server Manager console and it is installed easily through the Add Roles and Features Wizard.
The IPAM server leverages standard Windows remote management protocols to discover, manage, and monitor DHCP and DNS servers, and collect data from DHCP and DNS servers, Domain Controllers (DC), and Network Policy Servers (NPS). The IPAM server must be installed on a domain-joined computer and currently works only with Microsoft DNS and DHCP servers.
The following topologies are supported for deployment in a multisite enterprise:
- Distributed: An IPAM server is deployed at every site;
- Centralized: One IPAM server is deployed for the entire enterprise; and
- Hybrid: A central IPAM server is deployed along with a dedicated IPAM server per site.
Figure 1 depicts a distributed IPAM deployment topology. There is no built-in synchronization between different IPAM servers in an enterprise. If multiple IPAM servers are deployed, you – as an administrator - can customize the set of DHCP and DNS servers managed by each IPAM server.
Figure 1: Distributed IPAM deployment topology
The IPAM client is part of the Server Manager RSAT that can be downloaded from the Microsoft download center and installed on any Windows 8 client machine to remotely manage IPAM servers.
IPAM automatically discovers all the domain controllers, and DHCP and DNS servers in the network. You can choose to manage some or all of the discovered servers. IPAM will collect data only from the servers that you mark as "managed".
IPAM does not require installation of any agents on the managed servers. However, you must configure settings such as firewall exceptions, user group memberships, and permissions on the managed servers to open them up to IPAM. Configuring each server manually can be a significant overhead in large enterprises. To mitigate this, IPAM gives you the option of Group Policy Object (GPO)-based deployment. In this mode, IPAM makes use of role-specific GPOs to automatically configure the managed servers.
Managing and monitoring the IP address space
The overall IP Address space of an organization can be classified into static and dynamic address spaces. Static addresses are manually assigned and they do not change or get reassigned for long periods of time. Dynamic addresses are assigned through DHCP servers and are valid only during relatively short lease periods. Because static addresses are manually assigned, they have to be tracked and managed separately from dynamic addresses. Many organizations use spread sheets or custom tools/scripts to manage the static address space. Windows Server 2012 IPAM allows the management of both the static and the dynamic address spaces through a single console. You can migrate existing static address data from spread sheets into IPAM. You can organize the address space into blocks – which are larger units of the address space used for internal planning and allocation - and ranges – which are smaller units of the address space from which static and dynamic addresses are assigned. This allows structured management of the overall address space and easy visualization. Figure 2 depicts an IPAM screen showing the categorization of the IP address space into IPv4 and IPv6, public and private address spaces, the hierarchy of IP address blocks, the address ranges belonging to an IP address block, and the utilization of a selected
IPAM allows you to define your own custom data fields and attach these to IP address records. For example, you might want to track the location and department to which an IP address range is allocated to. You create two custom fields called “Location”
and “Department”, and associate them with IP address ranges. In addition, you can create logical groups of IP address ranges based on built-in and custom fields to visualize the address space according to the business logic. For example, you can group the IP address ranges together first by “Location” and then by “Department”. IPAM will then automatically arrange IP address ranges into a hierarchy based on the grouping criteria.
IPAM makes static address management really simple. You can not only see addresses in use, where they are in use, and utilization of the static address space, but you can also find the next available static address, mark it as assigned to a particular device, and update the DNS record corresponding to that device – all from the IPAM console.
Figure 2: IP Address Space Management View
Managing Microsoft DHCP servers and scopes
IPAM automatically collects the dynamic address ranges (also called scopes) along with their utilization statistics from the managed DHCP servers. IPAM allows you to create, duplicate, edit, or delete DHCP scopes just as you would do from a DHCP MMC. However, with IPAM you can see scopes from all of the managed DHCP servers in one consolidated view. You can filter and query based on certain properties. You can even select multiple scopes – maintained by different DHCP servers - and carry out a bulk operation on them. You can configure and manage scope-level and server-level properties across multiple DHCP servers from the IPAM console.
Figure 3 depicts a snapshot of scopes from all of the managed DHCP servers. In this view, you can check the utilization statistics of the scopes and monitor the service availability status of the managed DHCP servers. The over, under, and optimally-utilized
scopes will appear with red, yellow and green icons, respectively.
Figure 3: Manage and Monitor view depicting
Monitoring Microsoft DNS servers and zones
IPAM allows you to monitor the service availability status of all the managed DNS servers. You can also view the status of DNS zones hosted on these servers. You can select a zone and view all the authoritative servers for the zone along with their zone status, as depicted in Figure 4. If a zone has multiple sub-zones then the sub-zones are shown as a hierarchy, and the status of sub-zones is rolled up to indicate the status of top level zone. The status of a zone is represented by the color of its status icon. You can also view the zone events for the selected zone and server by clicking on the Event Catalog tab.
Figure 4: IPAM DNS Zone monitoring view
Tracking IP addresses and configuration changes
IPAM automatically collects IP address lease logs from DHCP servers. It also collects user and machine authentication events from domain controllers and Network Policy Servers, and stores this data in its database. IPAM provides an interface to query this data, and intelligently correlates this data in the right context and provides a view of the IP address activity on the network.
You can search the events database pivoted on an IP address, client ID (MAC address), host name, or user name to retrieve the associated DHCP lease events. IPAM automatically correlates the DHCP lease events with user and machine authentication events allowing you to quickly get a perspective on which user had logged on from which machine at a particular time, or which IP Address was allocated to which machine and user, making it a very useful tool for forensic investigators. Figure 5 depicts a view wherein the query pivot is the host name (ipam-test), and the displayed search result indicates all the DHCP lease events involving the host during the specified dates.
IPAM also allows you to track configuration changes occurring on the IPAM server itself as wellas on managed DHCP servers. This enables you to quickly resolve misconfigurations as well as track SLAs.
Figure 5: IP Address tracking view depicting query by
Integration with other systems
IP address management is typically part of a larger work flow in many enterprise environments. An IPAM solution may therefore be required to work with data from different sources including proprietary systems. Similarly, the data maintained by IPAM may be of use to other systems, particularly to reporting, analysis and forensics tools. To accommodate these requirements, Windows Server 2012 IPAMallows the export of IP address block, IP address range, and IP address records in comma separated value (CSV) format. In fact all the views of IPAM can be exported in the CSV format. IP address data (blocks, ranges, and addresses) can also be imported into IPAM from CSV files.
You can leverage IPAM PowerShell cmdlets to build upon the import functionality of IPAM. For instance, IP address inventory from third party systems like SCVMM or other virtual address management systems can be periodically imported into IPAM for central management of these addresses. With IPAM supporting custom fields, one can import any meta-data associated with the imported entities such as the source of data such as SCVMM and the particular instance of SCVMM from which sourced the data. If there are address space overlaps as part of the multi-tenancy support in SCVMM, this data can also be imported and visualized in IPAM without any address overlaps or conflicts.
Our aim in this article was to present a broad view of the features and capabilities of Windows Server 2012 IPAM. There is, however, much more to IPAM than what we could capture in this short article. We encourage you to try out IPAM in your environment
and see how it facilitates your network operations. We are looking forward to hear your feedback and comments.