Exam Ref 70-417 Upgrading Your Skills to Windows Server 2012 R2 (2014)
Chapter 13. Configure network services
The Configure Network Services domain includes a single objective: Deploy and manage IP Address Management (IPAM). IPAM is a new feature used for managing your organization’s entire IP address space, public and private.
IPAM is a large topic, but as a new feature, the questions you’ll see on the 70-417 exam will most likely not require unusually deep knowledge. That said, be sure to supplement the information in this chapter with some hands-on practice so that you can develop a feel for how IPAM works.
Objectives in this chapter:
Objective 13.1: Deploy and manage IPAM
Objective 13.1: Deploy and manage IPAM
On the surface, IPAM seems easy. Here’s the quick explanation of how it works: You have an IPAM server that automatically collects information from your infrastructure servers about the IP address ranges used on your network. You then use the IPAM management interface as a reference about these same address ranges. What could be complicated about that?
Unfortunately, IPAM is not quite as easy to master as it might appear at first. The difficulty is not with the feature on a conceptual level, but rather in the sheer number of component features and functionalities that IPAM includes. The first official Microsoft whitepaper about IPAM was almost 100 pages long, which gives you some idea of its feature depth. There’s a lot there—too much, in fact, to be covered in one objective.
The best way to handle the large subject of IPAM, as a result, is to focus on three basic topics: What can you use the feature to accomplish? How do you configure it? And finally, how do you use it?
This section covers the following topics:
Configuring IPAM
Creating and managing IP blocks and ranges
Delegating IPAM administration
Role-based access control
What is IPAM?
IPAM is a useful new feature in Windows Server 2012 and Windows Server 2012 R2 that lets you centrally view, manage, and configure the IP address space in your organization. With IPAM, you can look at all your address blocks and ranges, find free IP addresses, manage DHCP scopes across multiple servers, create DHCP reservations and DNS host records, and even search for address assignments by device name, location, or other descriptive tag.
IPAM works by first discovering your infrastructure servers and importing from them all available IP address data. You then manually add whatever additional data you need to complete the picture of your organization’s IP address assignments. Once you have this information in place, you can track updates to your IP address space.
Problems solved by IPAM
IPAM has many component features that help you manage IP addressing in different ways. To better understand the purpose and functionality of IPAM, it’s helpful to view IPAM as a means to solve the following kinds of administrative problems:
How can I track my organization’s address space and know the addresses that are either in use or available across different locations?
How can I find a free static IP address for a new device and register it in DNS?
How can I find out which DHCP scopes in my organization are full or close to being full?
How can I efficiently change a DHCP option across dozens of scopes residing on multiple servers?
How can I find an unused address range within our organization’s address space to dedicate to a new subnet?
How can I determine which public and private address ranges are used by my organization?
How can I determine which portion of the address space used by the organization is dynamically assigned, and which part is statically assigned?
How can I search for and locate an IP address or set of addresses by name, device, location, or another descriptive tag?
Limitations of IPAM
IPAM is a new feature, and as such, it’s important to recognize some of the limitations in this first release:
1. IPAM can import data only from Windows servers running Windows Server 2008 and later that are members of the same Active Directory forest.
2. IPAM does not support management and configuration of non-Microsoft network elements.
3. IPAM does not check for IP address consistency with routers and switches.
4. Address utilization trends and reclaiming support are provided only for IPv4.
5. IPAM does not support auditing of IPv6 stateless address autoconfiguration on an unmanaged machine to track the user.
Installing and configuring IPAM
To install the IPAM feature in Windows Server 2012 and Windows Server 2012 R2, you can use the Add Roles And Features Wizard or the following Windows PowerShell command:
Install-WindowsFeature IPAM -IncludeManagementTools
There are some important limitations you need to know about where to install IPAM. First, you can’t install IPAM on a domain controller. Second, you should not install an IPAM server on a network infrastructure server, such as one running DNS or DHCP. If you install IPAM on a DHCP server, discovery of DHCP servers will be disabled.
Exam Tip
Remember these deployment limitations for the exam because they could easily form the basis of a question. For example, if your IPAM server cannot discover DHCP servers, make sure it is not installed on a DHCP server.
IPAM must be installed on a domain member computer running Windows Server 2012 or later. The IPAM server is intended as a single-purpose server. Once IPAM is installed, you configure and manage the feature through the IPAM client in Server Manager, as shown in Figure 13-1, or by using Windows PowerShell cmdlets from the IpamServer module. (There is no other graphical IPAM console.)
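The placement rules above (not a domain controller, a domain member, not a DHCP or DNS server) are easy to check before running the install command. The following script is an added example, not from the book or from Microsoft; it assumes an elevated Windows PowerShell session on the candidate server and uses only standard cmdlets (Get-CimInstance, Get-WindowsFeature, Install-WindowsFeature).

```powershell
# Added example (not from the book): pre-flight checks for the IPAM placement
# rules, followed by the same Install-WindowsFeature command shown above.
# Assumes an elevated PowerShell session on the server that will host IPAM.

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Win32_ComputerSystem.DomainRole 4 (backup DC) or 5 (primary DC) means this
# machine is a domain controller, and IPAM cannot be installed on a DC.
if ($cs.DomainRole -ge 4) {
    throw 'This computer is a domain controller; IPAM cannot be installed here.'
}

# IPAM must be installed on a domain member, not a standalone/workgroup server.
if (-not $cs.PartOfDomain) {
    throw 'This computer is not a domain member; join it to the forest first.'
}

# IPAM should not share a server with DHCP or DNS. On a DHCP server the
# problem is functional, not just advisory: DHCP server discovery is disabled.
$conflicting = Get-WindowsFeature -Name DHCP, DNS | Where-Object Installed
if ($conflicting) {
    $names = ($conflicting | ForEach-Object Name) -join ', '
    throw "Infrastructure role(s) already installed here: $names. Use a dedicated server."
}

# All checks passed: install the feature plus its management tools.
$result = Install-WindowsFeature -Name IPAM -IncludeManagementTools
if (-not $result.Success) {
    throw "IPAM installation failed with exit code $($result.ExitCode)."
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before you provision the IPAM server.'
}

# Confirm the IpamServer module (the PowerShell interface to IPAM) is now available.
Get-Command -Module IpamServer | Select-Object -First 5
```

Running the checks first turns a silent failure (a DHCP server that is never discovered) into an error you see before provisioning begins.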
FIGURE 13-1 IPAM in Server Manager
Exam Tip
You can install just the IPAM client tool without installing the server component. To accomplish this task by using the Add Roles And Features Wizard, select IPAM in the wizard, choose to install the prerequisite features of IPAM, clear the selection of IPAM you have just selected, and then complete the wizard. The IPAM client doesn’t appear by default in Server Manager, however. To make the IPAM client appear, you need to add the remote IPAM server to Server Manager by using the “Add Other Servers To Manage” option (visible in Figure 13-1).
When you click IPAM in the navigation pane of Server Manager, the navigation pane narrows, and the details pane reveals the IPAM Overview page, shown in Figure 13-2.
FIGURE 13-2 The IPAM Overview page preconfiguration
The Overview page presents the following six links that help guide you through configuration:
1. Connect To IPAM Server
2. Provision The IPAM Server
3. Configure Server Discovery
4. Start Server Discovery
5. Select Or Add Servers To Manage And Verify IPAM Access
6. Retrieve Data From Managed Servers
We’ll use these same steps to cover the configuration process in the next sections.
1. Connect To IPAM Server
You use this step only if you need to connect to a remote IPAM server. By default, Server Manager is connected to the local IPAM server.
2. Provision The IPAM Server
Clicking this step on the Overview page starts the Provision IPAM Wizard. Provisioning the IPAM server is the term used to prepare the IPAM server by performing steps such as creating the IPAM database, creating IPAM security groups, and configuring access to IPAM tasks and folders.
Windows Server 2012 R2 introduces a new page in this wizard, the Configure Database page shown in Figure 13-3. In the first release of Windows Server 2012, the IPAM database was always a Windows Internal Database (WID). In Windows Server 2012 R2, you can now choose between a WID database and a Microsoft SQL Server database. The Microsoft SQL Server database you connect to, if you choose that option, can be installed on the local machine or on a remote computer.
FIGURE 13-3 Choosing the IPAM database type
The main advantages of choosing a Microsoft SQL Server database are increased scalability, improved disaster recovery capabilities, and enhanced reporting. Remember these advantages for the 70-417 exam.
Exam Tip
The Deploy and Manage IPAM objective for 70-417 was updated for Windows Server 2012 R2 in January 2014 to include just one additional task: Configure IPAM database storage. This task requires you to know the setting shown in Figure 13-3. You should also know the Get-IpamDatabase cmdlet, which provides information about how the IPAM database is currently stored, and the Move-IpamDatabase cmdlet, which lets you migrate the IPAM database to a SQL Server database, either from a WID database or from another SQL Server database.
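The two cmdlets named in the tip are enough to inspect the current storage and perform the WID-to-SQL migration. The script below is an added example, not from the book; the SQL Server host name, database name, and port are placeholders, and the Move-IpamDatabase parameter names are given as I recall them from the cmdlet's documentation, so confirm them with Get-Help Move-IpamDatabase before use.

```powershell
# Added example (not from the book): report how the IPAM database is stored,
# and migrate it to SQL Server only if it is still a Windows Internal Database.
# Placeholders: sql1.contoso.com, IPAMDB and port 1433 are assumed values.

$db = Get-IpamDatabase
$db | Format-List DatabaseType, DatabaseServer, DatabaseName, DatabasePort, DatabaseAuthType

# The exact DatabaseType string for SQL Server is not asserted here (assumption):
# a WID database never contains "SQL" in its type name, so test for that instead.
if ($db.DatabaseType -notmatch 'SQL') {
    # Windows authentication lets the IPAM server's computer account log on to
    # SQL Server, so no SQL login password has to be stored on the IPAM server.
    Move-IpamDatabase -DatabaseServer 'sql1.contoso.com' `
                      -DatabaseName   'IPAMDB' `
                      -DatabasePort   1433 `
                      -DatabaseAuthType WindowsAuthentication `
                      -Force

    # Re-read the configuration to confirm the move took effect.
    Get-IpamDatabase | Format-List DatabaseType, DatabaseServer, DatabaseName
}
else {
    Write-Output "IPAM already uses SQL Server ($($db.DatabaseServer)); nothing to move."
}
```

Move-IpamDatabase also accepts a SQL Server source, so the same call moves an existing SQL Server database to a different instance; only the auth choice changes if you must use SQL authentication, in which case a -DatabaseCredential is supplied.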
You also use the Provision IPAM Wizard to determine how you want to configure the infrastructure servers that IPAM will manage. The two choices are to configure the infrastructure servers manually or to do so through Group Policy, as shown in Figure 13-4. If you choose to use Group Policy, you specify a prefix for the three Group Policy Objects (GPOs) that will later be created automatically when you use the Invoke-IpamGpoProvisioning cmdlet.
FIGURE 13-4 Choosing Group Policy configuration with a GPO name prefix
You wouldn’t select Manual here unless there was some sort of unusual factor that made the Group Policy Based option impossible or ineffective. Despite this limited real-world applicability of the Manual option, configuring IPAM manually is one of the tasks officially mentioned in the Deploy and Manage IPAM objective. (The process of manual configuration is discussed in the section “5. Select Or Add Servers To Manage” later in this chapter.)
Exam Tip
In the first release of Windows Server 2012, you couldn’t change the provisioning method after you completed the Provision IPAM Wizard. If you needed to change the provisioning method, your only option was to uninstall and reinstall IPAM.
In Windows Server 2012 R2, the situation has improved. You can use the following Windows PowerShell command after completing the Provision IPAM Wizard to change the provisioning method in one direction only—from manual to GPO-based (automatic).
Set-IpamConfiguration -ProvisioningMethod Automatic
Even in Windows Server 2012 R2, however, you can’t switch from GPO-based (automatic) to manual after you run the Provision IPAM Wizard. If you do need to change the provisioning method from GPO-based to manual, you still have to uninstall IPAM, reinstall IPAM, and finally run the Provision IPAM Wizard again with the proper selection.
Remember these points along with the complete Windows PowerShell command shown above.
3. Configure Server Discovery
Clicking this link on the Overview page opens the Configure Discovery Settings dialog box, shown in Figure 13-5. You use this step to specify which types of infrastructure servers you want to discover. By default, all three possible infrastructure types are selected: Domain Controller, DHCP Server, and DNS Server.
FIGURE 13-5 Selecting infrastructure server types to discover
4. Start Server Discovery
This link begins the process of discovering infrastructure servers in your environment. To determine when the process is complete, click the notification flag in Server Manager, and then click Task Details. The process is complete when the IPAM ServerDiscovery task displays a status of Complete, as shown in Figure 13-6.
FIGURE 13-6 Server discovery complete
5. Select Or Add Servers To Manage
Clicking this link on the Overview page displays the SERVER INVENTORY page in the IPAM context of Server Manager. This page shows the servers that have been discovered by the server discovery task in the previous step. At first, the discovered servers display a Manageability Status of Unspecified and an IPAM Access Status of Blocked, as shown in Figure 13-7. This status simply means you still need to configure the servers for IPAM management. To perform this step, you need to run a Windows PowerShell command and then designate the desired servers as managed. (You need to perform this step if you have chosen the Group Policy Based option on the Select Provisioning Method page shown in Figure 13-4. If you have chosen the Manual option, the entire IPAM configuration process is different. For instructions on manual configuration, see the sidebar “Manual configuration of managed servers” later in this chapter.)
FIGURE 13-7 Discovered servers that need to be configured for IPAM management
To configure the servers through the Group Policy Based provisioning method, you need to create IPAM GPOs. You can do this by running the following Windows PowerShell command:
Invoke-IpamGpoProvisioning [-Domain] <String> [-GpoPrefixName] <String> [-IpamServerFqdn <String>]
The GPO prefix name should be the same one that you specified in the Provision IPAM Wizard. For example, if you specified a prefix of IPAMGPO in the Provision IPAM Wizard, you could enter the following command at an elevated Windows PowerShell prompt:
Invoke-IpamGpoProvisioning -Domain contoso.com -GpoPrefixName IPAMGPO -IpamServerFqdn ipam1.contoso.com
This command creates the three GPOs shown in Figure 13-8.
FIGURE 13-8 GPOs created for IPAM
Exam Tip
If you forget the GPO prefix that you specified when you ran the Provision IPAM Wizard, use the Get-IpamConfiguration cmdlet. This cmdlet will display the GPO prefix along with other basic information about the IPAM configuration, such as the version number, the port used, and the provisioning method.
These three new GPOs apply only to servers that you designate as managed, but no servers are designated as managed by default. (Remember this last point for the exam because it could easily serve as the basis for a test question.) To change the manageability status of servers, right-click each server you want to manage on the SERVER INVENTORY page in the IPAM context in Server Manager, and then click Edit Server. In the Add Or Edit Server dialog box that opens, in the Manageability Status drop-down list, select Managed (as shown in Figure 13-9), and then click OK.
FIGURE 13-9 Setting a server’s manageability status to Managed
Note
The IPAM provisioning process creates a domain security group named IPAMUG. This group is used to grant permissions to managed servers.
Finally, you need to force an update of Group Policy on all the servers you have designated as managed. You can do this by running Gpupdate /force on each of these servers, by restarting them, or by invoking Gpupdate centrally using the methods described in Chapter 9, “Configure and manage Group Policy.”
Next, click the refresh icon in Server Manager in the menu bar next to the notification flag. (Alternatively, you can right-click your servers on the SERVER INVENTORY page and select the Refresh Server Access Status option. You can see this option on the shortcut menu in Figure 13-11.) After you refresh the server status, the Manageability Status of the servers will appear as Managed, and the IPAM Access Status will appear as Unblocked on the SERVER INVENTORY page, as shown in Figure 13-10. Note that the manageability status can require a relatively long time to be updated in the interface. If it isn’t updated within a few minutes, you might need to wait an hour or more before refreshing reveals the status change.
FIGURE 13-10 Servers that are configured to be managed by IPAM
Manual configuration of managed servers
Configuring IPAM manually from start to finish without the use of Group Policy involves a far more elaborate and cumbersome process than is normally required of you to learn for Microsoft certification exams.
However, there are aspects of manual configuration that are easily summarized, shown in Table 13-1, and that could plausibly appear on the exam. The elements most likely to appear in an exam question are the firewall ports opened on each server and the security groups the IPAM server needs to join.
TABLE 13-1 Manual configuration steps for managed infrastructure servers in IPAM
If you want to learn the full step-by-step procedure for configuring IPAM manually, consult the document entitled “Understand and Troubleshoot IP Address Management (IPAM) in Windows Server “8” Beta,” available at http://www.microsoft.com/en-us/download/details.aspx?id=29012. (The steps for manual configuration appear in the first appendix of the document.)
Exam Tip
The IPAM server needs to be able to read the event logs on the DHCP, DNS, DC, and NPS servers. For this reason, it needs to be added to the local Event Log Readers security group on all of these servers.
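The Event Log Readers membership is the part of manual configuration that is most often got wrong, because the member is the IPAM server's computer account (the name ends in "$"), not a user. The following is an added example, not from the book: it adds the account to the local group on a list of managed servers and verifies the result. The account CONTOSO\IPAM1$ and the server names are placeholders; it assumes PowerShell remoting is enabled on the managed servers.

```powershell
# Added example (not from the book): add the IPAM server's computer account to the
# local "Event Log Readers" group on each managed server, idempotently, and verify.
# Placeholders: CONTOSO\IPAM1$ and the three server names are assumed values.

$ipamAccount = 'CONTOSO\IPAM1$'   # single quotes: PowerShell must not expand the "$"
$managed     = 'dc1.contoso.com', 'dhcp1.contoso.com', 'dns1.contoso.com'

Invoke-Command -ComputerName $managed -ArgumentList $ipamAccount -ScriptBlock {
    param($account)
    $group = 'Event Log Readers'

    # "net localgroup <group>" prints one member per line, so membership can be
    # tested against its output before deciding whether to add the account.
    $before = net localgroup $group
    if ($before -notcontains $account) {
        net localgroup $group $account /add | Out-Null
    }

    # Return a small record per server so the caller can check every one at once.
    [pscustomobject]@{
        Server   = $env:COMPUTERNAME
        IsMember = ((net localgroup $group) -contains $account)
    }
} | Format-Table Server, IsMember -AutoSize
```

Any server reporting IsMember = False is one where IPAM will be unable to collect audit data from the event logs, which is exactly the symptom the tip above warns about.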
6. Retrieve Data From Managed Servers
The final step in configuring IPAM is to load data from your managed servers into the IPAM database. To do so, on the Overview page, click Retrieve Data From Managed Servers. Then click the notification flag and wait for all tasks to complete.
Alternatively, you can select and right-click the managed servers on the SERVER INVENTORY page and then select Retrieve All Server Data from the shortcut menu, as shown in Figure 13-11.
FIGURE 13-11 Retrieving data from managed servers
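Steps 2 through 6 above are one procedure, and every step has a PowerShell equivalent. The script below is an added example, not from the book, that walks the GPO-based path end to end on the IPAM server. It reuses the values from the earlier command (domain contoso.com, prefix IPAMGPO, server ipam1.contoso.com); the two discovered server names are placeholders. It assumes the GroupPolicy module (GPMC) is installed on the IPAM server for Invoke-GPUpdate, that IPAM's scheduled tasks live under \Microsoft\Windows\IPAM\ in Task Scheduler, and that Get-IpamConfiguration exposes the prefix as a GpoPrefix property (check with Get-IpamConfiguration | Format-List * if your output differs).

```powershell
# Added example (not from the book): steps 2-6 of the IPAM configuration process
# (GPO-based provisioning) as one script run on the IPAM server.
# Placeholders: dc1.contoso.com and dhcp1.contoso.com are assumed server names.

Import-Module IpamServer
Import-Module GroupPolicy          # assumption: GPMC tools installed for Invoke-GPUpdate

# Step 2 follow-up: read the provisioning configuration instead of retyping the prefix.
$cfg = Get-IpamConfiguration
$cfg | Format-List Version, Port, ProvisioningMethod, GpoPrefix   # GpoPrefix: assumed name

if ($cfg.ProvisioningMethod -ne 'Automatic') {
    # Manual -> Automatic is the only switch allowed after the wizard in 2012 R2.
    Set-IpamConfiguration -ProvisioningMethod Automatic
}

# Steps 3-4: run server discovery (all three server types by default) and wait for it.
$taskPath = '\Microsoft\Windows\IPAM\'   # assumption: IPAM task folder in Task Scheduler
Start-ScheduledTask -TaskPath $taskPath -TaskName 'ServerDiscovery'
while ((Get-ScheduledTask -TaskPath $taskPath -TaskName 'ServerDiscovery').State -eq 'Running') {
    Start-Sleep -Seconds 10
}

# Step 5a: create the three IPAM GPOs with the prefix chosen in the wizard.
Invoke-IpamGpoProvisioning -Domain 'contoso.com' -GpoPrefixName $cfg.GpoPrefix `
                           -IpamServerFqdn 'ipam1.contoso.com' -Force

# Step 5b: nothing is managed by default, so designate the servers explicitly.
$toManage = 'dc1.contoso.com', 'dhcp1.contoso.com'
foreach ($name in $toManage) {
    Set-IpamServerInventory -Name $name -ManageabilityStatus Managed
}

# The GPOs take effect only after the managed servers refresh Group Policy.
foreach ($name in $toManage) {
    Invoke-GPUpdate -Computer $name -Force
}

# Step 5c: wait (bounded) for IPAM Access Status to change from Blocked to Unblocked.
# The book notes this can take an hour or more, so do not treat a timeout as failure.
$deadline = (Get-Date).AddMinutes(30)
do {
    $inv = Get-IpamServerInventory | Where-Object { $toManage -contains $_.Name }
    $blocked = $inv | Where-Object { $_.IpamAccessStatus -ne 'Unblocked' }
    if ($blocked) { Start-Sleep -Seconds 60 }
} while ($blocked -and (Get-Date) -lt $deadline)

if ($blocked) {
    Write-Warning ("Still blocked after 30 minutes: " + (($blocked | ForEach-Object Name) -join ', '))
}

# Step 6: retrieve data from managed servers by running every IPAM collection task.
Get-ScheduledTask -TaskPath $taskPath |
    Where-Object TaskName -ne 'ServerDiscovery' |
    Start-ScheduledTask

# Final state of the inventory, matching the SERVER INVENTORY page columns.
Get-IpamServerInventory | Format-Table Name, ServerType, ManageabilityStatus, IpamAccessStatus -AutoSize
```

The bounded wait in step 5c reflects the caveat in the text: a server that still shows Blocked a few minutes after Group Policy refresh is usually just not yet re-evaluated, so the script warns rather than aborting.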
Managing address space
The most basic function of IPAM is to let you view, monitor, and manage the IP address space in your organization. With IPAM, you can search and sort IP blocks, ranges, and individual addresses based on built-in fields or user-defined custom fields. You can also track IP address utilization within scopes or display utilization trends.
Adding your IP address space to the IPAM database