IPAM on Windows Server 2016

2020-07-29T11:46:47.107+00:00

I have two single domain forests with a two-way trust between them.

I have installed IPAM on a server in DomainA in ForestA. However, the Get Forests button is not discovering ForestB containing DomainB at all.

Moreover, I am also finding that it is not discovering DHCP servers and I am having to enter them manually. After entering they can be managed perfectly well.

The only thing I can think of that's causing this is that both Forests are running at the 2008R2 Functional Level. Can someone confirm that this could cause this behaviour, or is there something else I need to look at?


2 answers

  1. Sunny Qi 10,901 Reputation points Microsoft Vendor
    2020-07-30T05:48:15.67+00:00

    Hi,

    Welcome to our new Q&A platform.

    To get trusted forest on IPAM server, please make sure that the managed account must be a member of the Domain Admin group in the trusted forest.

    I found an article regarding "Manage Resources in Multiple Active Directory Forests" for your reference.
    https://learn.microsoft.com/en-us/windows-server/networking/technologies/ipam/manage-resources-in-multiple-active-directory-forests

    Regarding the issue DHCP server cannot be discovered.

    1. Please make sure that DHCP server role is not installed on the IPAM server. If the DHCP server role is installed on the same server with IPAM, DHCP servers will not be discovered on the network.
    2. IPAM discovers DHCP servers that are authorized in the Active Directory domains you specify and that respond to a DHCPInform message.
      Please make sure that the DHCP server has been authorized in the AD and it can respond to a DHCPInform message.
    3. Please help to verify that at least one IPv4 scope is configured on a DHCP server, and that the IPAM server has a TCP/IP connection to the DHCP server.

    Here is an overview of IPAM guidance for your reference:
    Getting Started with IPAM

    Hope my answer will help you. Thanks!
    --please don't forget to Accept as answer if the reply is helpful--

    Best Regards,
    Sunny
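
The three DHCP discovery conditions listed in the answer above can be checked from the IPAM server with the script below. It is an added example, not part of the original answer or of Microsoft's documentation. It assumes the ServerManager and DhcpServer PowerShell modules are available on the IPAM server, uses TCP port 135 (RPC endpoint mapper) as an assumed stand-in for "has a TCP/IP connection", and does not test the DHCPInform response.

```powershell
# Added example: pre-flight checks for IPAM DHCP discovery.
# Run on the IPAM server in an elevated session.

# Check 1: the DHCP Server role must not be installed on the IPAM server itself.
$dhcpRole = Get-WindowsFeature -Name DHCP
if ($dhcpRole.Installed) {
    Write-Warning 'DHCP Server role is installed on this IPAM server; DHCP discovery will fail.'
}

# Check 2: list the DHCP servers that are authorized in Active Directory.
$authorized = @(Get-DhcpServerInDC)
if ($authorized.Count -eq 0) {
    Write-Warning 'No DHCP servers are authorized in Active Directory.'
}

$report = foreach ($server in $authorized) {
    # Check 3a: TCP reachability from the IPAM server.
    # Port 135 is an assumption made for this example, not a value from the page.
    $tcp = Test-NetConnection -ComputerName $server.DnsName -Port 135 `
        -WarningAction SilentlyContinue

    # Check 3b: at least one IPv4 scope must be configured on the DHCP server.
    $scopeCount = $null
    $queryError = $null
    try {
        $scopes = @(Get-DhcpServerv4Scope -ComputerName $server.DnsName -ErrorAction Stop)
        $scopeCount = $scopes.Count
    }
    catch {
        # Access denied or RPC failure: record it instead of aborting the loop.
        $queryError = $_.Exception.Message
    }

    [pscustomobject]@{
        DnsName      = $server.DnsName
        IPAddress    = $server.IPAddress
        TcpReachable = $tcp.TcpTestSucceeded
        IPv4Scopes   = $scopeCount
        ChecksPassed = ($tcp.TcpTestSucceeded -and $scopeCount -gt 0)
        QueryError   = $queryError
    }
}

# One row per authorized server; rows with ChecksPassed = False need attention.
$report | Format-Table -AutoSize
```

A server that passes every check here but is still not discovered points at the DHCPInform condition, which this script does not cover.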


  2. 2020-09-17T11:35:46.333+00:00

    I had already looked that stuff up. Unfortunately it doesn't work. One of the problems is that the provisioning cmdlet creates a Global Group in the target domain, then proceeds to try to put the IPAM server in that group. This has to fail as a security principal from Domain A cannot be a member of a Global Group in Domain B. I eventually worked around it by creating the group manually, and removing it from the DNS Admins Builtin Group so that it could be changed into a Domain Local Group. I could then run the cmdlet as of course a security principal from Domain A can be a member of a Domain Local group in Domain B.

    It doesn't work as intended because it can't.
