Configure network services - Exam Ref 70-417 Upgrading Your Skills to Windows Server 2012 R2 (2014)

Chapter 13. Configure network services

The Configure Network Services domain includes a single objective: Deploy and manage IP Address Management (IPAM). IPAM is a new feature used for managing your organization’s entire IP address space, public and private.

IPAM is a large topic, but as a new feature, the questions you’ll see on the 70-417 exam will most likely not require unusually deep knowledge. That said, be sure to supplement the information in this chapter with some hands-on practice so that you can develop a feel for how IPAM works.

Objectives in this chapter:

Objective 13.1: Deploy and manage IPAM

Objective 13.1: Deploy and manage IPAM

On the surface, IPAM seems easy. Here’s the quick explanation of how it works: You have an IPAM server that automatically collects information from your infrastructure servers about the IP address ranges used on your network. You then use the IPAM management interface as a reference about these same address ranges. What could be complicated about that?

Unfortunately, IPAM is not quite as easy to master as it might appear at first. The difficulty is not with the feature on a conceptual level, but rather in the sheer number of component features and functionalities that IPAM includes. The first official Microsoft whitepaper about IPAM was almost 100 pages long, which gives you some idea of its feature depth. There’s a lot there—too much, in fact, to be covered in one objective.

The best way to handle the large subject of IPAM, as a result, is to focus on three basic topics: What can you use the feature to accomplish? How do you configure it? And finally, how do you use it?

This section covers the following topics:

Configuring IPAM

Creating and managing IP blocks and ranges

Delegating IPAM administration

Role-based access control

What is IPAM?

IPAM is a useful new feature in Windows Server 2012 and Windows Server 2012 R2 that lets you centrally view, manage, and configure the IP address space in your organization. With IPAM, you can look at all your address blocks and ranges, find free IP addresses, manage DHCP scopes across multiple servers, create DHCP reservations and DNS host records, and even search for address assignments by device name, location, or other descriptive tag.

IPAM works by first discovering your infrastructure servers and importing from them all available IP address data. You then manually add whatever additional data you need to complete the picture of your organization’s IP address assignments. Once you have this information in place, you can track updates to your IP address space.

Problems solved by IPAM

IPAM has many component features that help you manage IP addressing in different ways. To better understand the purpose and functionality of IPAM, it’s helpful to view IPAM as a means to solve the following kinds of administrative problems:

How can I track my organization’s address space and know the addresses that are either in use or available across different locations?

How can I find a free static IP address for a new device and register it in DNS?

How can I find out which DHCP scopes in my organization are full or close to being full?

How can I efficiently change a DHCP option across dozens of scopes residing on multiple servers?

How can I find an unused address range within our organization’s address space to dedicate to a new subnet?

How can I determine which public and private address ranges are used by my organization?

How can I determine which portion of the address space used by the organization is dynamically assigned, and which part is statically assigned?

How can I search for and locate an IP address or set of addresses by name, device, location, or another descriptive tag?

Limitations of IPAM

IPAM is a new feature, and as such, it’s important to recognize some of the limitations in this first release:

1. IPAM can import data only from Windows servers running Windows Server 2008 and later that are members of the same Active Directory forest.

2. IPAM does not support management and configuration of non-Microsoft network elements.

3. IPAM does not check for IP address consistency with routers and switches.

4. Address utilization trends and reclaiming support are provided only for IPv4.

5. IPAM does not support auditing of IPv6 stateless address autoconfiguration on an unmanaged machine to track the user.

Installing and configuring IPAM

To install the IPAM feature in Windows Server 2012 and Windows Server 2012 R2, you can use the Add Roles And Features Wizard or the following Windows PowerShell command:

Install-WindowsFeature IPAM -IncludeManagementTools

There are some important limitations you need to know about where to install IPAM. First, you can’t install IPAM on a domain controller. Second, you should not install an IPAM server on a network infrastructure server, such as one running DNS or DHCP. If you install IPAM on a DHCP server, discovery of DHCP servers will be disabled.
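The placement rules above are easy to get wrong on a server that already carries other roles. The following script is an added example, not code from the book: it checks that the host is a domain member, is not a domain controller, and does not already run DHCP or DNS before it issues the same Install-WindowsFeature command shown above. It assumes the Windows Server 2012 R2 feature names DHCP and DNS and uses the Win32_ComputerSystem DomainRole values (4 and 5 denote a domain controller).

```powershell
# Added example (not from the book): pre-flight checks for the IPAM placement
# rules, followed by the feature installation the chapter gives.
# Assumes a Windows Server 2012 R2 host; "DHCP" and "DNS" are the Server Manager
# feature names.

# Win32_ComputerSystem.DomainRole: 0/1 standalone/member workstation,
# 2/3 standalone/member server, 4 backup DC, 5 primary DC.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "IPAM must be installed on a domain member; this host is in a workgroup."
}
if ($cs.DomainRole -ge 4) {
    throw "IPAM cannot be installed on a domain controller."
}

# Installing IPAM on a DHCP server disables DHCP discovery, and a DNS server is
# not recommended either; refuse here instead of finding out after discovery.
$conflicting = Get-WindowsFeature -Name DHCP, DNS | Where-Object { $_.Installed }
if ($conflicting) {
    $names = ($conflicting | ForEach-Object { $_.Name }) -join ', '
    throw "Conflicting role(s) installed: $names. Use a dedicated server for IPAM."
}

# The chapter's command, run only after the checks pass.
$result = Install-WindowsFeature -Name IPAM -IncludeManagementTools
if ($result.Success) {
    "IPAM installed. Restart needed: $($result.RestartNeeded)"
    # Confirm the IpamServer module is now available before provisioning.
    Get-Command -Module IpamServer -Name Get-IpamConfiguration
} else {
    throw "Install-WindowsFeature reported failure (exit code $($result.ExitCode))."
}
```

Run the script from an elevated Windows PowerShell prompt on the intended IPAM server. Failing early on a domain controller or a DHCP host avoids the symptom the Exam Tip describes, an IPAM server that silently cannot discover DHCP servers.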

Exam Tip

Remember these deployment limitations for the exam because they could easily form the basis of a question. For example, if your IPAM server cannot discover DHCP servers, make sure it is not installed on a DHCP server.

IPAM must be installed on a domain member computer running Windows Server 2012 or later. The IPAM server is intended as a single purpose server. Once IPAM is installed, you configure and manage the feature through the IPAM client in Server Manager, as shown in Figure 13-1, or by using Windows PowerShell cmdlets from the IpamServer module. (There is no other graphical IPAM console.)


FIGURE 13-1 IPAM in Server Manager

Exam Tip

You can install just the IPAM client tool without installing the server component. To accomplish this task by using the Add Roles And Features Wizard, select IPAM in the wizard, choose to install the prerequisite features of IPAM, clear the selection of IPAM you have just selected, and then complete the wizard. The IPAM client doesn’t appear by default in Server Manager, however. To make the IPAM client appear, you need to add the remote IPAM server to Server Manager by using the “Add Other Servers To Manage” option (visible in Figure 13-1).

When you click IPAM in the navigation pane of Server Manager, the navigation pane narrows, and the details pane reveals the IPAM Overview page, shown in Figure 13-2.


FIGURE 13-2 The IPAM Overview page preconfiguration

The Overview page presents the following six links that help guide you through configuration:

1. Connect To IPAM Server

2. Provision The IPAM Server

3. Configure Server Discovery

4. Start Server Discovery

5. Select Or Add Servers To Manage And Verify IPAM Access

6. Retrieve Data From Managed Servers

We’ll use these same steps to cover the configuration process in the next sections.

1. Connect To IPAM Server

You use this step only if you need to connect to a remote IPAM server. By default, Server Manager is connected to the local IPAM server.

2. Provision The IPAM Server

Clicking this step on the Overview page starts the Provision IPAM Wizard. Provisioning the IPAM server is the term used to prepare the IPAM server by performing steps such as creating the IPAM database, creating IPAM security groups, and configuring access to IPAM tasks and folders.

Windows Server 2012 R2 introduces a new page in this wizard, which is the Configure Database page that is shown in Figure 13-3. In the first release of Windows Server 2012, the IPAM database was always a Windows Internal Database (WID). In Windows Server 2012 R2, you can now choose between a WID database and a Microsoft SQL Server database. The Microsoft SQL Server database you connect to, if you choose that option, can be installed on the local machine or on a remote computer.


FIGURE 13-3 Choosing the IPAM database type

The main advantages of choosing a Microsoft SQL Server database are increased scalability, improved disaster recovery capabilities, and enhanced reporting. Remember these advantages for the 70-417 exam.

Exam Tip

The Deploy and Manage IPAM objective for 70-417 was updated for Windows Server 2012 R2 in January 2014 to include just one additional task: Configure IPAM database storage. This task requires you to know the setting shown in Figure 13-3. You should also know the Get-IpamDatabase cmdlet, which provides information about how the IPAM database is currently stored, and the Move-IpamDatabase cmdlet, which lets you migrate the IPAM database to a SQL Server database, either from a WID database or from another SQL Server database.

You also use the Provision IPAM Wizard to determine how you want to configure the infrastructure servers that IPAM will manage. The two choices are to configure the infrastructure servers manually or to do so through Group Policy, as shown in Figure 13-4. If you choose to use Group Policy, you specify a prefix for the three Group Policy Objects (GPOs) that will later be created automatically when you use the Invoke-IpamGpoProvisioning cmdlet.


FIGURE 13-4 Choosing Group Policy configuration with a GPO name prefix

You wouldn’t select Manual here unless there was some sort of unusual factor that made the Group Policy Based option impossible or ineffective. Despite this limited real-world applicability of the Manual option, configuring IPAM manually is one of the tasks officially mentioned in the Deploy and Manage IPAM objective. (The process of manual configuration is discussed in the section “5. Select Or Add Servers To Manage” later in this chapter.)

Exam Tip

In the first release of Windows Server 2012, you couldn’t change the provisioning method after you completed the Provision IPAM Wizard. If you needed to change the provisioning method, your only option was to uninstall and reinstall IPAM.

In Windows Server 2012 R2, the situation has improved. You can use the following Windows PowerShell command after completing the Provision IPAM Wizard to change the provisioning method in one direction only—from manual to GPO-based (automatic).

Set-IpamConfiguration -ProvisioningMethod Automatic

Even in Windows Server 2012 R2, however, you can’t switch from GPO-based (automatic) to manual after you run the Provision IPAM Wizard. If you do need to change the provisioning method from GPO-based to manual, you still have to uninstall IPAM, reinstall IPAM, and finally run the Provision IPAM Wizard again with the proper selection.

Remember these points along with the complete Windows PowerShell command shown above.

3. Configure Server Discovery

Clicking this link on the Overview page opens the Configure Discovery Settings dialog box, shown in Figure 13-5. You use this step to specify which types of infrastructure servers you want to discover. By default, all three possible infrastructure types are selected: Domain Controller, DHCP Server, and DNS Server.


FIGURE 13-5 Selecting infrastructure server types to discover

4. Start Server Discovery

This link begins the process of discovering infrastructure servers in your environment. To determine when the process is complete, click the notification flag in Server Manager, and then click Task Details. The process is complete when the IPAM ServerDiscovery task displays a status of Complete, as shown in Figure 13-6.


FIGURE 13-6 Server discovery complete

5. Select Or Add Servers To Manage

Clicking this link on the Overview page displays the SERVER INVENTORY page in the IPAM context of Server Manager. This page shows the servers that have been discovered by the server discovery task in the previous step. At first, the discovered servers display a Manageability Status of Unspecified and an IPAM Access Status of Blocked, as shown in Figure 13-7. This status simply means you still need to configure the servers for IPAM management. To perform this step, you need to run a Windows PowerShell command and then designate the desired servers as managed. (You need to perform this step if you have chosen the Group Policy Based option on the Select Provisioning Method page shown in Figure 13-4. If you have chosen the Manual option, the entire IPAM configuration process is different. For instructions on manual configuration, see the sidebar “Manual configuration of managed servers” later in this chapter.)


FIGURE 13-7 Discovered servers that need to be configured for IPAM management

To configure the servers through the Group Policy Based provisioning method, you need to create IPAM GPOs. You can do this by running the following Windows PowerShell command:

Invoke-IpamGpoProvisioning [-Domain] <String> [-GpoPrefixName] <String> [-IpamServerFqdn <String>]

The GPO prefix name should be the same one that you specified in the Provision IPAM Wizard. For example, if you specified a prefix of IPAMGPO in the Provision IPAM Wizard, you could enter the following command at an elevated Windows PowerShell prompt:

Invoke-IpamGpoProvisioning -Domain -GpoPrefixName IPAMGPO -IpamServerFqdn

This command creates the three GPOs shown in Figure 13-8.


FIGURE 13-8 GPOs created for IPAM

Exam Tip

If you forget the GPO prefix that you specified when you ran the Provision IPAM Wizard, use the Get-IpamConfiguration cmdlet. This cmdlet will display the GPO prefix along with other basic information about the IPAM configuration, such as the version number, the port used, and the provisioning method.

These three new GPOs apply only to servers that you designate as managed, but no servers are designated as managed by default. (Remember this last point for the exam because it could easily serve as the basis for a test question.) To change the manageability status of servers, right-click each server you want to manage on the SERVER INVENTORY page in the IPAM context in Server Manager, and then click Edit Server. In the Add Or Edit Server dialog box that opens, in the Manageability Status drop-down list, select Managed (as shown in Figure 13-9), and then click OK.


FIGURE 13-9 Setting a server’s manageability status to Managed


The IPAM provisioning process creates a domain security group named IPAMUG. This group is used to grant permissions to managed servers.

Finally, you need to force an update of Group Policy on all the servers you have designated as managed. You can do this by running Gpupdate /force on each of these servers, by restarting them, or by invoking Gpupdate centrally using the methods described in Chapter 9, “Configure and manage Group Policy.”

Next, click the refresh icon in Server Manager in the menu bar next to the notification flag. (Alternatively, you can right-click your servers on the SERVER INVENTORY page and select the Refresh Server Access Status option. You can see this option on the shortcut menu in Figure 13-11.) After you refresh the server status, the Manageability Status of the servers will appear as Managed, and the IPAM Access Status will appear as Unblocked on the SERVER INVENTORY page, as shown in Figure 13-10. Note that the manageability status can require a relatively long time to be updated in the interface. If it isn’t updated within a few minutes, you might need to wait an hour or more before refreshing reveals the status change.


FIGURE 13-10 Servers that are configured to be managed by IPAM
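The Group Policy Based procedure in step 5 (create the GPOs, mark servers as Managed, refresh Group Policy, refresh the access status) can be scripted end to end. The following is an added example, not code from the book. It reads the GPO prefix back from Get-IpamConfiguration instead of retyping it, runs the chapter's Invoke-IpamGpoProvisioning command with values filled in, and then uses two IpamServer cmdlets the chapter does not show, Set-IpamServerInventory and Get-IpamServerInventory, plus Get-GPO and Invoke-GpUpdate from the GroupPolicy module. The domain name contoso.com, the IPAM server ipam01.contoso.com and the managed server names are constructed placeholders, and the GpoPrefix property name on the Get-IpamConfiguration output is an assumption.

```powershell
# Added example (not from the book): scripted Group Policy Based provisioning
# for step 5. All host and domain names below are placeholders.
Import-Module IpamServer, GroupPolicy

$domain   = 'contoso.com'                              # placeholder
$ipamFqdn = 'ipam01.contoso.com'                       # placeholder
$servers  = 'dhcp1.contoso.com', 'dns1.contoso.com'    # placeholder managed servers

# Read the prefix recorded by the Provision IPAM Wizard so the GPOs match it.
# GpoPrefix is assumed to be the property name exposed by Get-IpamConfiguration.
$config = Get-IpamConfiguration
if ($config.ProvisioningMethod -ne 'Automatic') {
    throw "Provisioning method is '$($config.ProvisioningMethod)'; GPO provisioning requires Automatic."
}
$prefix = $config.GpoPrefix

# The chapter's command with the values supplied; creates the three IPAM GPOs.
Invoke-IpamGpoProvisioning -Domain $domain -GpoPrefixName $prefix -IpamServerFqdn $ipamFqdn

# Verify that exactly three GPOs carrying the prefix now exist in the domain.
$gpos = @(Get-GPO -All -Domain $domain | Where-Object { $_.DisplayName -like "$prefix*" })
if ($gpos.Count -ne 3) {
    throw "Expected 3 IPAM GPOs with prefix '$prefix', found $($gpos.Count)."
}

# No server is managed by default; the GPOs apply only to servers with this status.
foreach ($s in $servers) {
    Set-IpamServerInventory -Name $s -ManageabilityStatus Managed
}

# Push Group Policy to the managed servers instead of waiting for the refresh interval.
foreach ($s in $servers) {
    Invoke-GpUpdate -Computer $s -Force -RandomDelayInMinutes 0
}

# Show the inventory entries for the servers just configured. The access status
# can take a while to change from Blocked to Unblocked, as noted above.
Get-IpamServerInventory | Where-Object { $servers -contains $_.Name } | Format-List
```

Run it from an elevated Windows PowerShell prompt on the IPAM server by an account that can create GPOs in the domain. Checking the GPO count before marking servers as Managed catches a failed or partial provisioning run before any server is affected.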

Manual configuration of managed servers

Configuring IPAM manually from start to finish without the use of Group Policy involves a far more elaborate and cumbersome process than is normally required of you to learn for Microsoft certification exams.

However, some aspects of manual configuration are easily summarized, as in Table 13-1, and could plausibly appear on the exam. The most likely elements to appear in an exam question are the firewall ports opened on each server and the security groups the IPAM server needs to join.



TABLE 13-1 Manual configuration steps for managed infrastructure servers in IPAM

If you want to learn the full step-by-step procedure for configuring IPAM manually, consult the document entitled “Understand and Troubleshoot IP Address Management (IPAM) in Windows Server “8” Beta,” available at (The steps for manual configuration appear in the first appendix of the document.)

Exam Tip

The IPAM server needs to be able to read the event logs on the DHCP, DNS, DC and NPS servers. For this reason, it needs to be added to the local Event Log Readers security group on all of these servers.
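The per-server part of manual configuration that the Exam Tip singles out is granting the IPAM server read access to the event log. The script below is an added example, not from the book; it runs on a managed server and adds the IPAM server's computer account to the local Event Log Readers group, which gives log read access without local administrator rights. CONTOSO\IPAM01$ is a placeholder for that computer account. Because Table 13-1 with the exact firewall ports is not reproduced on this page, the script enables the built-in Windows Firewall rule group "Remote Event Log Management" rather than opening individual ports; that this group is what manual configuration needs for the event log reads is an assumption.

```powershell
# Added example (not from the book): manual configuration of one managed
# server (DHCP, DNS, DC or NPS) so the IPAM server can read its event logs.
# CONTOSO\IPAM01$ is a placeholder for the IPAM server's computer account.
$ipamAccount = 'CONTOSO\IPAM01$'

# 1. Least-privilege membership: Event Log Readers, not Administrators.
#    net localgroup prints one member per line, so compare trimmed lines.
$members = net localgroup "Event Log Readers" | ForEach-Object { $_.Trim() }
if ($members -notcontains $ipamAccount) {
    net localgroup "Event Log Readers" $ipamAccount /add
    if ($LASTEXITCODE -ne 0) {
        throw "Failed to add $ipamAccount to Event Log Readers (exit code $LASTEXITCODE)."
    }
} else {
    "$ipamAccount is already a member of Event Log Readers."
}

# 2. Inbound firewall access for remote event log reads. Enabling the built-in
#    rule group (assumed to be the one required) keeps the change scoped to the
#    RPC endpoints Windows itself defines for the event log service.
Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'
$stillOff = Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
    Where-Object { "$($_.Enabled)" -ne 'True' }
if ($stillOff) {
    $stillOff | ForEach-Object { Write-Warning "Rule still disabled: $($_.DisplayName)" }
} else {
    "Remote Event Log Management rules enabled."
}
```

After running it on each managed server, confirm from the IPAM server that the read actually works, for example with Get-WinEvent -ComputerName (the managed server's FQDN) -LogName System -MaxEvents 1 under the IPAM server's identity, before designating the server as Managed; a failure there points to group membership or firewall state rather than to IPAM itself.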

6. Retrieve Data From Managed Servers

The final step in configuring IPAM is to load data from your managed servers into the IPAM database. To do so, on the Overview page, click Retrieve Data From Managed Servers. Then click the notification flag and wait for all tasks to complete.

Alternatively, you can select and right-click the managed servers on the SERVER INVENTORY page and then select Retrieve All Server Data from the shortcut menu, as shown in Figure 13-11.


FIGURE 13-11 Retrieving data from managed servers

Managing address space

The most basic function of IPAM is to let you view, monitor, and manage the IP address space in your organization. With IPAM, you can search and sort IP blocks, ranges, and individual addresses based on built-in fields or user-defined custom fields. You can also track IP address utilization within scopes or display utilization trends.

Adding your IP address space to the IPAM database