IPAM (IP address management)

IPAM is new in Win2012, has monitoring, auditing, and reporting functions to help you manage key server components in an IP network.

IPAM handles forest-wide discovery and managment of MS DHCP, DNS, NPS, and DC servers, and monitors DHCP scopes and DNS zones throughout the network.

IPAM infrastructure

IPAM infrastructure consists of IPAM servers and manged server. You can also install the IPAM management console on another server, called IPAM client.

IPAM server: It discovers servers you want to manage; collects and stores data from IPAM-managed servers in the IPAM database.

Managed server: It is a windows server running one or more thoese MS services: DHCP, DNS, AD or NPS.

Topology options:

1. Centralized: In a centralized topology, a single IPAM server is deployed for the entire enterprise. The IPAM server should be located within a reliable and high-performance connection to the netwok.

2. Distributed: IPAM servers are deployed at every site in the network. Each server is assigned a group of managed servers in the same site. There is no communication between IPAM server.

3. Hybrid: A single IPAM server collects info from all managed servers in the enterprise. At the same time,  IPAM servers are also deployed at key branch locations.

Deploy IPAM solution

Steps to deploy IPAM:

1. Determine the requirements for an IPAM deployement.

2. Installing the Server feature

3. IPAM server provisioning

4. Performing server discovery

5. Provisioning IPAM GPOs

6. Selecting Servers and services to manage

7. Collecting data from manged servers

1. Determine the requirements for an IPAM deployement.


Ipam servers:

→Windows 2012 or later

→ must be a domain member.

→ Can not be a DC

→If IPAM is installed on a DHCP server, DHCP server discovery is disabled, which defeats one of the primary purpose of using IPAM. So its recommended to install IPAM on a dedicated server.

IPAM client

This is an optional part, if you want to manage IPAM from a remote computer, install RSAT (remote Server Aministration Tools) on windows 8/8.1 or later version.

IPAM managed Server

→ In the Same forest as the IPAM server

→ Windows 2008 or later.

2. Install IPAM server feature


install-windowsFeature IPAM -IncludeManagementTools

Install Client feature on a server to manage another IPAM server:

Install-windowsFeature IPAM-client-Feature

3. IPAM server Provisioning

In IPAM server task window, click provision the IPAM server. then the wizard starts, Some points need to know:

Database, default is windows Internal database. If you want to migrate IPAM database to MS SQL server, use move-ipamdatabase powershell cmdlet.

Then the method to provision:

Group Policy provisioning: use group policy to create security groups, setting firewall settings, and creating shares for each IPAM-managed Server. Must enter the GPO name prefix, which is used to name the GPOs that are created:

If enter IPAMdom1 , then following GPOs are created:

→ IPAMdom1_DC_NPS : This GPO sets the firewall rules and the other policies needed for the IPAM server to collect data from DC and NPS server.

→ IPAMdom1_DHCP : Set firewall fules and collect data and manage DHCP servers, create a DHCPaudit share on the server, need server reboot.

→ IPAMdom1_DNS : Set firewall fules and collect data and manage DNS servers

Manual provisioning

4. Performing server discovery

In the Configure Server Discovery dialog box, select the domains in the forest the IPAM server should search for servers to manage.

Then click “start server discovery”

Verifying IPAM server group memebership

Before IPAM server can manage DHCP, server account must be added to the DHCP administrators group in AD. Normally it is done automatically, but good to verify.

5. Provisioning IPAM GPOs

Use command provision the GPOS:

invoke-IpamGpoProvisioning -domain yourdomainname -gpoprefixname GPO_prefix -delegatedGpoUser ipamuser

1. Replace yourdomainname with your actual domain name

2. Replace GPO_prefix with the one you specified in step3

3. ipamuser is the one who are delegated to edit IPAM GPOs later. this is optional.

6. Selecting Servers and services to manage

After the discovery step, the IPAM access status is Blocked.

Then right click the server you want to mange, choose Edit Server, choose Manageability status to Managed, this essentially add the server account to the security filter of the GPOs. Then issue command gpupdate /force on each managed server, give each server a reboot, cause there are some startup scripts needed to run . Then refresh the status, it should be unblocked now.

You can also choose the services you want to manage.

7. Collecting data from manged servers

In the IPAM Server Tasks window, click “Retrieve data from managed servers” or right click a server and click “retrieve All server data”. You can check the Data and time of the last data collection and schedule for the next data collection.



IP address Space

IP address block: The larges unit used to refer to the IP address space. Each IP address block is categorized as a public or private block by IANA. SUch as /16 .

IP address range : continuous addresses in an IP address block.

IP address range group: several IP address range logically grouped by some criteria.

unmapped address space: IP address range that has not bee assigned to an IP address.


Step by step to install and troubleshooting IPAM

Step1. Make sure your server is domain joined, you logged on with domain admin. In the server role, add IPAM feature, choose Windows internal database if you don’t want to use a dedicated database server. Choose a GPO prefix name:  frankfu_IPAM in my example.

Step2. IPAM server provisioning.

Create GPO by powershell command:  invoke-ipamGpoProvisioning

invoke-ipamGpoProvisioning -domain xxxx -DomainController xxxx -GpoPrefixName frankfu_IPAM -IpamServerFqdn xxxx

GPO prefix name: frankfu_IPAM

The prefix can be found by command if you forget: Get-IpamConfiguration

  • Check if the three GPOs have been created, which may take a few moment, wait for 15 minutes to half an hour. If yes, go to the Scope tab, under Security Filtering, make sure authenticated users, or domain computers have read permission.
  • Go to Group Policy Management, find the frankfu_IPAM_DC_NPS, frankfu_IPAM_DHCP, frankfu_IPAM_DNS, click the delegation, click Add button. Type IPAMUG, choose Edit settings, delete, modify security under permission.

Step3. Configure server discovery.

In the Server manager, in left pane go to IPAM > Overview, in the right pane, click quick Start, then click Configure Server discovery, click Get forests, if your domain does not show under select the forest, click the configure server discovery window, reopen it again, select the forest, then select domain to discover, click Add button. Click OK.

Step4. Start server discovery

This is scheduled by task scheduler ( which can be found under Task Scheduler Library > Microsoft > Windows > IPAM ), but you can click the Start server discovery button to find the servers in domain right now. Wait until it finishes.

Step5. Select or add Servers to manage and verify IPAM access.

Manually add servers, click TASKS drop down menu, click Add server...Type the server name, click verify and the IP address will pop up.

After Discovery step, the IPAM access status is Blocked.

Then right click the server you want to mange, choose Edit Server, choose Manageability status to Managed,

Then issue command gpupdate /force on each managed server, give each server a reboot, cause there are some startup scripts needed to run to add IPAMug into a couple of groups, modify the firewall rulls, and create DHCPaudit share, etc. After reboot refresh the status, it should be unblocked now.

By now, the automatic provisioning should be setup, which requires the DHCP, DNS server to be reboot to execute some startup scripts. For those environment you can not reboot the server, and want to make the IPAM work straight way, continue with Step6 through Step 8, which can be used for troubleshoot in case of your automatic provisioning does not work.

Step 6. If your DHCP are also on the DC, then you can edit the group membership in the Active directory Users and computers. If they are on the separate servers, then you can add them into the local user groups.

For first scenario, In AD users and computers MMC:

Double check IPAMug group needs to be member of :

  • DHCP administrators
  • DnsAdmins
  • Event Log Readers
  • DHCP users
  • Domain\administrators

For second scenario, you can either add the users manually to the groups. or use a GPO setting called Restricted Groups.

In Group Policy management MMC, edit the frankfu_IPAM_DC_NPS, frankfu_IPAM_DHCP, frankfu_IPAM_DNS one at a time. In the Group Policy Management Editor, Go to Computer configuration > Policies > Windows Settings > Security Settings > Restricted Groups . right click the Restricted Groups, and select Add Group. Enter the name Event Log Readers, which is the local group name, click OK, after Member of this group:, click Add... , type IPAMUG, click OK.

Repeat this for other groups, such as administrators, DHCP users.

  • Step 7 (optional). Resolve the blocked access issue for DHCP server management

In Predefined Rules, under Rules, select the checkboxes next to the following rules:

  • DHCP Server (RPCSS-In)

  • DHCP Server (RPC-In)

  • DHCP Server – Remote Service Management using SCM (RPC-in)
  • File and Printer Sharing (NB-Session-In)
  • File and Printer Sharing (SMB-In)

  • Remote Event Log Management (RPC)
  • Remote Event Log Management (RPC-EPMAP)

  • Remote Service Management (RPC)
  • Remote Service Management (RPC-EPMAP)

Step 8. Create a DHCP audit share :

  1. In the Computer Management navigation tree, click Shared Folders and then click Shares.

  2. Right-click Shares and then click New Share.
  3. In the Create A Shared Folder Wizard, click Next.
  4. Next to Folder Path, type the absolute path to the DHCP audit file location and then click Next. By default this is the %windir%\system32\dhcp directory, for example C:\windows\system32\dhcp.
  5. Next to Share name, type dhcpaudit and then click Next.
  6. Under Set the kind of permissions you want for the shared folder, choose Customize permissions and then click Custom.
  7. In the Customize Permissions dialog box, click Everyone, click Remove, and then click Add.
  8. Under Enter the object names to select, type IPAMUG and then click OK.
  9. Verify that IPAMUG is displayed under Group or user names, and that Read is allowed under Permissions for IPAMUG, click OK, and then click Finish twice.

Possible issue:

1, Resolve the blocked access issue for DNS, DC:

Add the IPAMUG to the domain\Administrators group.


Manually configure DHCP for IPAM.


Aministering IPAM