Walkthrough: Demonstrate IPAM in Windows Server 2012 R2
Applies To: Windows Server 2012 R2
IPAM in Windows Server® 2012 R2 provides a single console to plan, design and administer network services and IP address spaces, both physical and virtual. In this lab, you will learn more about how you can use IPAM in your organization to manage physical and virtual address space, delegate permissions in a multi-user environment, perform advanced DHCP configuration tasks, and leverage Windows PowerShell cmdlets for IPAM to automate routine operations.
Prerequisites
This lab has the following prerequisites:
| Computer | Roles | Operating system | Notes |
|---|---|---|---|
| DC1 | Domain controller, Active Directory-integrated DNS server, and secondary DHCP server. | Windows Server 2012 R2 | The minimum required operating system to demonstrate DHCP failover is Windows Server 2012. You cannot install IPAM on a domain controller. |
| IPAM1 | IPAM server and IPAM client. | Windows Server 2012 R2 | IPAM1 must be running Windows Server 2012 R2 to demonstrate the features in this lab. |
| DHCP1 | Primary DHCP server. | Windows Server 2012 R2 | The minimum required operating system to demonstrate DHCP failover is Windows Server 2012. Do not install IPAM on the same server as DHCP. This computer is required to demonstrate DHCP failover but is optional for the other lab objectives. |
Lab setup
The following table summarizes the procedures used to configure this lab. Configure DC1 first, DHCP1 second, and IPAM1 third. If you are not using DHCP1 to demonstrate DHCP failover, skip the DHCP1 procedures.

| Computer | Procedures |
|---|---|
| DC1 | |
| DHCP1 | |
| IPAM1 | |
For detailed procedures to install and configure IPAM, see Deploy IPAM. Detailed steps for installing and configuring DHCP, DNS, and IPAM are also provided in Walkthrough: Demonstrate IPAM in Windows Server 2012.
Note
The procedures for installing IPAM and provisioning managed servers are identical in Windows Server 2012 R2 and Windows Server 2012 when IPAM is used with Windows Internal Database (WID). In Windows Server 2012 R2, you can also use SQL Server 2012 to host the IPAM database. That option is not demonstrated in this lab.
Objectives
Objective 1: Demonstrate role based access control and delegated administration
Concepts
Role based access control is new in IPAM in Windows Server 2012 R2. It consists of roles, access scopes, and access policies:
Roles: A role is a collection of IPAM operations. You can associate a role with a user or group in Windows using an access policy. Several built-in roles are provided, but you can also create customized roles to meet your business requirements.
Access scopes: An access scope determines the objects that a user has access to. You can use access scopes to define administrative domains in IPAM. For example, you might create access scopes based on geographical location. By default, IPAM includes an access scope of Global. All other access scopes are subsets of the Global access scope. Users or groups that are assigned to the Global access scope have access to all objects in IPAM that are permitted by their assigned role.
Access policies: An access policy combines a role with an access scope to assign permission to a user or group. For example, you might define an access policy for user1 with a role of IP Block Admin and an access scope of Global\Asia. Therefore, user1 will have permission to edit and delete IP address blocks that are associated to the Asia access scope. This user will not have permission to edit or delete any other IP address blocks in IPAM.
Procedures
Create a new DHCP Scope named Lab DHCP Scope
Click DNS and DHCP Servers, right-click DHCP1, and then click Create DHCP Scope.
Type Lab DHCP Scope next to Scope name.
Type 40.40.1.0 and 40.40.1.100 next to Start IP address and End IP address, respectively.
Leave the subnet mask unchanged, and click OK.
Create a second DHCP Scope named Contoso DHCP Scope
Click DNS and DHCP Servers, right-click DHCP1, and then click Create DHCP Scope.
Type Contoso DHCP Scope next to Scope name.
Type 50.50.1.0 and 50.50.1.100 next to Start IP address and End IP address, respectively.
Leave the subnet mask unchanged, and click OK.
Create new user role named DHCP Scope Editor with only Edit DHCP Scope permission
Click ACCESS CONTROL, right-click Roles, and then click Add User Role.
Type DHCP Scope Editor next to Name.
Expand DHCP scope operations to view the list of all available operations.
Select only the Edit DHCP scope operation, and then click OK.
Create a new access scope named Test Lab under the Global access scope
Right-click Access Scopes and then click Add Access Scope.
Click New, type Test Lab next to Name, click Add, and then click OK.
Set the Test Lab access scope on the Lab DHCP Scope
Click DHCP Scopes, right-click the Lab DHCP Scope, and then click Set Access Scope.
Clear the Inherit access scope from parent checkbox.
Click the Test Lab access scope under Global, and then click OK.
Verify that \Global\Test Lab is displayed under Access Scope.
Create an access policy for the user contoso\user1 and assign the DHCP Scope Editor role and Test Lab access scope
Click ACCESS CONTROL, right-click Access Policies, and then click Add Access Policy.
Click Add, type contoso\user1, and then click OK.
Tip
If you didn’t create a user1 account in contoso.com, create it before proceeding.
Under Access Settings, click New.
Under Select role, choose DHCP Scope Editor.
Under Select the access scope for the role, click Test Lab, click Add Setting, and then click OK.
Sign in as contoso\user1 and verify that this user can perform only the operations assigned by the DHCP Scope Editor role, and only on the Lab DHCP Scope
Sign out on the IPAM server, and then sign in with the user1 account you created earlier.
Launch Server Manager and click IPAM.
Click DHCP Scopes, right-click the Lab DHCP Scope, and then click Deactivate DHCP Scope.
Review the error message displayed.
Right-click the Contoso DHCP Scope and click Edit DHCP Scope.
Change the End IP address to 50.50.1.101 and then click OK.
Review the error message displayed, and then click Cancel.
Edit the Lab DHCP Scope and change the End IP address to 40.40.1.101.
Verify that the operation is successful.
Sign out and then sign in again as contoso\administrator.
Objective 2: Manage DHCP policy based assignment with IPAM
Concepts
DHCP Policy Based Assignment (PBA) is a feature for IPv4 networks that was first introduced in Windows Server 2012 for the DHCP server role. PBA gives you control over which leases and options devices receive. DHCP policies identify and group devices based on attributes such as MAC address, vendor class, user class, and (new in Windows Server 2012 R2) client FQDN. You can then control the address range and DHCP options assigned to those devices. For example, you can match the MAC address prefix of a hypervisor's virtual network adapters to ensure that all virtual machines on your network are assigned addresses from a specific IP address range, or receive specific DHCP options. Note that every attribute a policy can match is supplied by the client in its DHCP request and can be spoofed, so PBA is a way to segregate and configure devices, not a way to authenticate them.
DHCP policies can be configured at server level or the scope (subnet) level. Previously, policies were accessible only for individual DHCP servers by using the DHCP management console or with Windows PowerShell. Using IPAM in Windows Server 2012 R2, you can create and manage policies centrally across multiple DHCP servers. You can create a policy for multiple servers or scopes in a single operation. You can also copy policies from one server or scope to another.
The following procedures demonstrate how IPAM enables you to centrally manage DHCP policies in an efficient manner.
Procedures
Configure new DHCP policies and import existing DHCP policies
Click DNS and DHCP Servers.
Right-click DHCP1 and then click Configure DHCP Policy.
Next to Name, type Printer Policy.
Under Policy Conditions, click New.
Under New Condition, next to Criteria, choose Fully Qualified Domain Name.
Next to Value, type PRN, select the Use wildcard checkbox, choose Append from the drop-down list, click Add, click Add Condition, and then click OK.
In the DNS and DHCP Servers view, choose DHCP next to Server Type and then choose Policies next to View.
In the Details View, click the Conditions tab to view details about the policy.
Choose Server Properties next to View, right-click DC1, and then click Import DHCP Policy.
Choose dhcp1.contoso.com next to Select server, choose the Printer Policy to import, and then click OK.
Choose Policies next to View and verify that Printer Policy is present on both DC1 and DHCP1.
Manage existing DHCP policies in IPAM
Create another policy on DHCP1 called Workgroup Policy using the Fully Qualified Domain Name criteria and the Is Single Label operator.
Using the Policies view, right-click Workgroup Policy and then click Edit DHCP Policy.
Under DNS Dynamic Updates, next to Enable DNS dynamic updates, choose Yes.
Next to Enable name protection, choose No.
Next to Dynamically update DNS records, choose Always.
Next to Discard DNS records when lease is deleted, choose Yes.
Next to Dynamically update DNS records for DHCP clients that do not request updates, choose Yes.
Next to Disable dynamic updates for DNS PTR records, choose No.
Next to Register DHCP clients using a different DNS suffix, choose Yes.
Type contoso.com next to Use the following DNS suffix, and then click OK.
Right-click Workgroup Policy and then click Move Up Processing Order.
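The IPAM dialogs above drive the same per-server policy settings that the DhcpServer module exposes. The following PowerShell script is an added example, not code from the original walkthrough, that builds the Printer Policy on both lab servers and the Workgroup Policy with its DNS settings on DHCP1 directly with those cmdlets. It assumes the lab FQDNs dhcp1.contoso.com and dc1.contoso.com, the `<operator>,<value>` string form for the `-Fqdn` condition (`EQ,PRN*` for "equals, wildcard appended") and `isSingleLabel` as the single-label operator value; verify those two values against `Get-Help Add-DhcpServerv4Policy -Parameter Fqdn` on your build before relying on them.

```powershell
# Added example: DHCP policy configuration with the DhcpServer module.
# Assumed: server FQDNs from the lab, and the -Fqdn condition syntax noted in the lead-in.
$servers = 'dhcp1.contoso.com', 'dc1.contoso.com'

# Printer Policy on both servers: client FQDN starts with PRN (wildcard appended).
# Creating it on DC1 here is the equivalent of "Import DHCP Policy" in IPAM.
foreach ($s in $servers) {
    $existing = Get-DhcpServerv4Policy -ComputerName $s -Name 'Printer Policy' -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DhcpServerv4Policy -ComputerName $s -Name 'Printer Policy' `
            -Condition OR -Fqdn 'EQ,PRN*' -Description 'Printers identified by hostname prefix'
    }
}

# Workgroup Policy on DHCP1: clients that send a single-label name.
$dhcp1 = 'dhcp1.contoso.com'
Add-DhcpServerv4Policy -ComputerName $dhcp1 -Name 'Workgroup Policy' `
    -Condition OR -Fqdn 'isSingleLabel' -Description 'Non-domain clients'

# DNS dynamic update settings for that policy, matching the Edit DHCP Policy
# dialog: always update, no name protection, discard records when the lease
# is deleted, update on behalf of clients that do not request it, keep PTR
# updates, and register under contoso.com instead of the client's own suffix.
Set-DhcpServerv4DnsSetting -ComputerName $dhcp1 -PolicyName 'Workgroup Policy' `
    -DynamicUpdates Always -NameProtection $false -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true -DisableDnsPtrRRUpdate $false -DnsSuffix 'contoso.com'

# Policies are evaluated in processing order and the first match wins, so move
# Workgroup Policy to the top (the "Move Up Processing Order" action in IPAM).
Set-DhcpServerv4Policy -ComputerName $dhcp1 -Name 'Workgroup Policy' -ProcessingOrder 1

# Review the result on each server, as the IPAM Policies view would show it.
foreach ($s in $servers) {
    Get-DhcpServerv4Policy -ComputerName $s |
        Select-Object @{ n = 'Server'; e = { $s } }, Name, ProcessingOrder, Enabled, Condition |
        Format-Table -AutoSize
}
```

The DNS-suffix override is worth a second look in a real deployment: it causes the DHCP server to create records in contoso.com for machines that are not domain members, using the DHCP server's own credentials, so pair it with name protection or a dedicated DNS update account rather than leaving the server free to overwrite existing names.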
Objective 3: Automate IP address lifecycle management
Concepts
New Windows PowerShell cmdlets for IPAM make it easier to automate IP address lifecycle management. A rich set of cmdlets are available that enable you to perform all management functions for your IP addresses, ranges and blocks. You can leverage these cmdlets to write scripts and integrate IPAM with various physical and virtual devices or servers. This saves time, eliminates manual intervention, and reduces operating cost.
Procedures
Create an IP address range in IPAM
Type the following command at a Windows PowerShell prompt and press ENTER:
PS C:\>Add-IpamRange -NetworkId 192.168.0.0/24 -StartIPAddress 192.168.0.1 -EndIPAddress 192.168.0.254 -CreateSubnetIfNotFound
This command creates an IP address range for servers in the test lab. Also use the next command to add individual IP addresses for the three computers used in this lab.
Type the following command at a Windows PowerShell prompt and press ENTER:
PS C:\>Add-IpamAddress -IpAddress 192.168.0.1
PS C:\>Add-IpamAddress -IpAddress 192.168.0.2
PS C:\>Add-IpamAddress -IpAddress 192.168.0.3
View IP address ranges in IPAM
Type the following command at a Windows PowerShell prompt and press ENTER:
PS C:\>Get-IpamRange –AddressFamily IPv4 –AddressCategory Private
Verify that the IP address range that was recently added is displayed. Also try specifying an AddressCategory of Public to view the two public IP address ranges used for DHCP scopes.
To view more detailed information, type the following commands at a Windows PowerShell prompt and press ENTER:
PS C:\>$a = Get-IpamRange -AddressFamily IPv4 -AddressCategory Private
PS C:\>$a[0] | fl *
Track utilization of IP ranges
Type the following command at a Windows PowerShell prompt and press ENTER:
PS C:\>Get-IpamRange –AddressFamily IPv4 –AddressCategory Private|where-object {$_.PercentageUtilized –gt 80}
This command will display IP address ranges where the utilization is over 80%.
Type the following commands at a Windows PowerShell prompt and press ENTER:
PS C:\>Get-IpamRange -AddressFamily IPv4 -AddressCategory Private | Where-Object { $_.PercentageUtilized -gt 80 } | Export-Csv -Path "C:\Users\Administrator\Desktop\OverUtilizedRanges.csv" -NoTypeInformation -Force
PS C:\>notepad "C:\Users\Administrator\Desktop\OverUtilizedRanges.csv"
This opens a Notepad window containing all over-utilized private IPv4 address ranges (currently none, so the file is blank).
Type the following command at a Windows PowerShell prompt and press ENTER:
PS C:\>Get-IpamRange -AddressFamily IPv4 -AddressCategory Private | Where-Object { $_.Overlapping -eq $true }
The previous command will display any overlapping IP address ranges, if they exist.
Find a free IP address and assign it to a new printer
Type the following command at a Windows PowerShell prompt and press ENTER:
PS C:\>$range = Get-IpamRange -StartIPAddress 192.168.0.1 -EndIPAddress 192.168.0.254
PS C:\>Find-IpamFreeAddress -InputObject $range -TestReachability
Confirm that the first available IP address is 192.168.0.4.
Type the following command at a Windows PowerShell prompt and press ENTER:
PS C:\>$range = Get-IpamRange -StartIPAddress 192.168.0.1 -EndIPAddress 192.168.0.254
PS C:\>$freeip = Find-IpamFreeAddress -InputObject $range -TestReachability
PS C:\>$ip = Add-IpamAddress -IpAddress $freeip.Address -ManagedByService $range.ManagedByService -ServiceInstance $range.ServiceInstance -DeviceType Printer -AssignmentType Dynamic -MacAddress "AA-BB-CC-DD-EE-FF" -ReservationServer $range.DhcpServerName -ReservationName "B3_F1_Printer_HP" -ReservationType Both -ReservationDescription "Reservation for printer on first floor of building 3" -PassThru
PS C:\>$ip | fl *
Verify that the 192.168.0.4 IP address is assigned to a printer.
In this lab the 192.168.0.0/24 range does not correspond to a DHCP scope, so the reservation cannot be pushed to a DHCP server. If a matching scope existed on DC1 or DHCP1, you could use the Add-DhcpServerv4Reservation cmdlet to create the reservation from the IPAM address record, as in the following example:
PS C:\>Add-DhcpServerv4Reservation -ComputerName $ip.ReservationServer -IPAddress $ip.IPAddress -ClientId $ip.MacAddress -ScopeId $ip.ReservationScopeDetails -Name $ip.ReservationName -Description $ip.ReservationDescription -PassThru
Use the following command to delete the reservation:
PS C:\>Remove-DhcpServerv4Reservation -ComputerName $ip.ReservationServer -IPAddress $ip.IPAddress -PassThru
Deprovision the added printer and reclaim the IP address
To delete the IP address from IPAM, type the following command at a Windows PowerShell prompt and press ENTER:
PS C:\>Remove-IpamAddress –InputObject $ip -Force
Objective 4: Administer DHCP failover with IPAM
Concepts
IPAM enables you to view, monitor, and manage DHCP failover relationships in the managed network. DHCP failover is a new feature introduced with Windows Server 2012. For more information about DHCP failover, see Step-by-Step: Configure DHCP for Failover.
Procedures
Create a failover relationship
Click DHCP Scopes and choose Scope Properties next to Current view.
Select both the Contoso DHCP Scope and the Lab DHCP Scope (using CTRL or SHIFT), right-click these scopes and then click Configure DHCP Failover.
Next to Partner server, choose DC1.contoso.com.
Next to Relationship name, type DHCP1-DC1.
Next to Secret, type a shared secret. The secret is used to authenticate failover protocol messages between the two partners, so outside a lab use a long random value; for this lab, secret is sufficient.
The Load Balance mode is chosen by default with 50% of leases being issued by each DHCP server. Click OK to accept these parameters.
Verify that two new scopes have been created with DC1.contoso.com displayed in the Server Name column.
View the details of a failover relationship
Click DNS and DHCP Servers, choose DHCP next to Server Type, and choose Failover Relationships next to View.
In the Details View, review information on the Relationship Properties tab and the DHCP Scopes tab.
Edit a failover relationship
Right-click the DHCP1-DC1 failover relationship and click Edit DHCP Failover Relationship.
Under Mode, choose Hot Standby, and then click Apply.
Verify that Success is displayed under Status, and then click OK.
Verify that Hot Standby is displayed in the Mode column for this failover relationship.
Replicate Scopes
Right-click the DHCP1-DC1 failover relationship and then click Replicate DHCP Failover Relationship.
In the Replicate Failover Relationship dialog box, choose dhcp1.contoso.com as the originating server for replication, and then click OK. This action replicates all scopes in the failover relationship.
Since no changes have been made to DHCP scopes on DC1 or DHCP1, the information displayed under Replicate progress will indicate that scopes are identical. Click Close.
Choose Server Properties next to View.
Right-click DHCP1 and then click Replicate DHCP Server. This action replicates all scopes in all DHCP failover relationships on the server. Click OK to continue with the replication process.
Review the information under Replicate progress, and then click Close.
Choose Scope Properties next to View.
Right click a single scope and then click Replicate DHCP Scope. You can also choose multiple scopes to replicate but all scopes must belong to the same DHCP server.
Click OK to confirm the replication and then click Close.
Demonstrate auto-sync
Right-click the column header in Scope Properties view and select the Failover Config Sync Status header.
Choose Server Properties next to View.
Right-click DHCP1 and then click Launch MMC.
Click dhcp1.contoso.com once, then right-click dhcp1.contoso.com, point to All Tasks, and then click Stop.
In IPAM, right-click DHCP1, and click Retrieve Server Data.
When the IPAM ServerAvailability task has completed running, refresh the console view and verify that DHCP1 displays Stopped in the Server Availability column.
Choose Scope Properties next to View, right-click the Lab DHCP Scope on DC1 and then click Edit DHCP Scope.
Change the Lease duration for DHCP clients from 8 days to 7 days and then click OK. Since the scope is part of a DHCP failover relationship and the partner server is down, an error is displayed.
View the Failover Config Sync Status column and verify that Out of sync is displayed for the Lab DHCP Scope on DC1.
Start the DHCP Server service on DHCP1 and Retrieve Server Data again.
Refresh the IPAM console view and verify that DHCP1 displays Running again under Server Availability.
Choose Scope Properties view, right-click the Lab DHCP Scope on DC1, and then click Replicate DHCP Scope.
Under Replicate progress, verify that the changed lease duration was replicated successfully to DHCP1, and then click Close. Alternatively, you can edit the scope on the partner server manually to match and then clear the config sync error.
Remove scopes from a failover relationship
Click DHCP Scopes, right-click the column header, point to Group by, and then click Server Name. This is a useful way of displaying scopes on a per-server basis.
Right-click the Lab DHCP Scope on DHCP1 and then click Remove DHCP Failover Configuration. Click OK to confirm the removal. This will keep the scope on DHCP1 and remove it from the failover partner (DC1).
Under Progress of Failover configuration removal, verify that all processes are successful, and then click Close.
Verify that no Failover Relationship Name is displayed for the Lab DHCP Scope on DHCP1 and the scope no longer exists on DC1.
Delete a failover relationship
Click DNS and DHCP Servers and switch to Failover Relationships view.
Right-click the DHCP1-DC1 failover relationship and then click Delete.
Next to Select server, choose the server that will keep the scopes that are still associated to this failover relationship. By default, the primary DHCP server is selected (DHCP1).
Click OK and verify that the remaining scope was deleted from DC1.
Click Close and verify that the failover relationship was deleted.
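The failover lifecycle in this objective (create, inspect, change mode, replicate, remove a scope, delete) can be driven from the primary server with the DhcpServer module. The following script is an added example and not part of the original walkthrough; it assumes the lab FQDNs dhcp1.contoso.com and dc1.contoso.com and the scope IDs 40.40.1.0 and 50.50.1.0 created in Objective 1. It also replaces the lab's literal secret with a randomly generated one, which is what you would do outside a lab.

```powershell
# Added example: DHCP failover administration with the DhcpServer module.
# Assumed: lab server FQDNs and scope IDs as in the walkthrough.
$primary = 'dhcp1.contoso.com'
$partner = 'dc1.contoso.com'
$relName = 'DHCP1-DC1'
$scopes  = '40.40.1.0', '50.50.1.0'

# The shared secret authenticates failover messages between the partners.
# Generate 24 random bytes from the CSPRNG instead of typing "secret", and
# store the value in your secrets store: it is needed again if the
# relationship ever has to be rebuilt on either side.
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# 1. Create the relationship in load-balance mode (50/50), covering both scopes.
Add-DhcpServerv4Failover -ComputerName $primary -Name $relName -PartnerServer $partner `
    -ScopeId $scopes -LoadBalancePercent 50 -SharedSecret $secret -Force

# 2. Inspect it from both sides; State should read Normal on each partner once
#    the initial synchronisation is done.
foreach ($s in $primary, $partner) {
    Get-DhcpServerv4Failover -ComputerName $s -Name $relName |
        Select-Object @{ n = 'QueriedOn'; e = { $s } }, Name, Mode, State, ServerRole, ScopeId
}

# 3. Switch to hot standby with DHCP1 active; DC1 becomes the standby partner.
Set-DhcpServerv4Failover -ComputerName $primary -Name $relName -Mode HotStandby -ServerRole Active

# 4. Push scope configuration from the primary to the partner. This is what
#    "Replicate DHCP Failover Relationship" does in IPAM, and what you run after
#    a scope edit that reported Out of sync because the partner was down.
Invoke-DhcpServerv4FailoverReplication -ComputerName $primary -Name $relName -Force

# 5. Take the Lab scope out of the relationship. It stays on $primary and is
#    removed from the partner (the "Remove DHCP Failover Configuration" action).
Remove-DhcpServerv4FailoverScope -ComputerName $primary -Name $relName -ScopeId '40.40.1.0'

# 6. Delete the relationship. Run this against the server that should keep the
#    remaining scopes; the partner's copies are removed, matching the server
#    selection in IPAM's Delete dialog.
Remove-DhcpServerv4Failover -ComputerName $primary -Name $relName -Force

# Confirm nothing is left on either server.
foreach ($s in $primary, $partner) {
    $left = Get-DhcpServerv4Failover -ComputerName $s -ErrorAction SilentlyContinue
    "{0}: {1} failover relationship(s) remaining" -f $s, @($left).Count
}
```

Two operational points the GUI hides: the replication in step 4 is one-directional (configuration flows from the server you name with -ComputerName), so run it from the server that holds the intended configuration; and the shared secret is never shown again after creation, so if it is lost the relationship has to be removed and recreated on both partners.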
Objective 5: Manage DHCP MAC address filters with IPAM
Concepts
Media access control (MAC) address based filtering, also called link layer filtering, lets a DHCP server decide whether to serve a client based on its MAC address. You can create filters that specify which MAC addresses are allowed to obtain a lease and which are denied. Treat this as hygiene rather than a security control: the MAC address is asserted by the client and can be changed trivially, and a host that is denied a lease can still configure a static address on the segment. Port-level control such as 802.1X is the right tool where admission must actually be enforced.
A DHCP server maintains Allow and Deny lists of MAC addresses. If you add MAC addresses to the allow list and enable the list, only these MAC addresses will be granted an IP address by the DHCP server. If you add MAC addresses to deny list and enable the list, these MAC addresses will be denied service by the DHCP server. You can enable both allow and deny lists, in which case the deny list takes precedence. This means that the DHCP server provides DHCP services only to clients whose MAC addresses are in the allow list, provided that no corresponding matches are in the deny list.
You can use wildcards to allow or deny network access based on vendor MAC prefixes. Link layer filtering is currently available for IPv4 address only.
This section demonstrates how IPAM allows you to centrally manage MAC address filters.
Procedures
Add DHCP MAC address filters
Click DNS and DHCP Servers, choose DHCP next to Server Type and choose Server Properties next to View.
Verify that the Server Properties tab in Details View shows that both the Allow and Deny MAC Address Filters are currently Disabled.
Select one or both DHCP servers, right-click and then click Edit DHCP Server Properties.
Click MAC Address Filters and notice that you can enable or disable MAC address filter lists here. Click OK.
Right-click DHCP1 and then click Add DHCP MAC Address Filter.
Next to Filter Type choose Deny.
Next to MAC Address type AA-BB-CC-*.
Click Add MAC Address Filter and then click OK.
Choose Filters next to View and verify that a Deny filter was added to dhcp1.contoso.com for the MAC Address of AA-BB-CC-*-*-*.
Manage DHCP MAC address filters in IPAM
Right-click the MAC address filter created in the previous procedure and then click Move to Allow.
Verify that the Filter Type changes to Allow.
Right-click the filter and then click Delete.
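The DhcpServer module exposes the same filter lists the IPAM actions above manipulate. The following PowerShell script is an added example, not code from the original walkthrough, and covers the step a practitioner wants before enabling the Allow list: checking that no currently active lease holder would be cut off. It assumes dhcp1.contoso.com from the lab, a constructed example address 00-15-5D-01-02-03 for an allowed device, and that Add-DhcpServerv4Filter accepts the same AA-BB-CC-* vendor-prefix wildcard that the IPAM dialog shows.

```powershell
# Added example: DHCP MAC address filters with the DhcpServer module.
# Assumed: lab server FQDN, the constructed device MAC below, and wildcard
# support in -MacAddress as described in the lead-in.
$server = 'dhcp1.contoso.com'

# Both lists start Disabled; enablement is a server-level switch.
Get-DhcpServerv4FilterList -ComputerName $server

# Deny an entire vendor prefix and allow one known device by full address.
Add-DhcpServerv4Filter -ComputerName $server -List Deny  -MacAddress 'AA-BB-CC-*' `
    -Description 'Blocked vendor prefix'
Add-DhcpServerv4Filter -ComputerName $server -List Allow -MacAddress '00-15-5D-01-02-03' `
    -Description 'Lab printer'

# Enabling the Allow list is a deny-by-default change: any client whose MAC is
# not listed stops receiving leases when its current one expires. Compare the
# list against active leases on every scope before flipping the switch.
# (Exact-match comparison only; wildcard entries are not expanded here.)
$allowed = @((Get-DhcpServerv4Filter -ComputerName $server -List Allow).MacAddress)
$uncovered = Get-DhcpServerv4Scope -ComputerName $server |
    Get-DhcpServerv4Lease -ComputerName $server |
    Where-Object { $_.AddressState -like 'Active*' -and ($allowed -notcontains $_.ClientId) }

if ($uncovered) {
    Write-Warning 'Active leases not covered by the Allow list; enabling it would cut these off:'
    $uncovered | Select-Object IPAddress, ClientId, HostName, AddressState | Format-Table -AutoSize
} else {
    # Deny still wins over Allow when both are enabled.
    Set-DhcpServerv4FilterList -ComputerName $server -Allow $true -Deny $true
}

# The "Move to Allow" action has no single cmdlet: remove from Deny, add to Allow.
Remove-DhcpServerv4Filter -ComputerName $server -MacAddress 'AA-BB-CC-*'
Add-DhcpServerv4Filter    -ComputerName $server -List Allow -MacAddress 'AA-BB-CC-*'

# Final state of both lists.
Get-DhcpServerv4Filter -ComputerName $server | Select-Object List, MacAddress, Description
```

The lease check matters because the filter is evaluated on every DISCOVER and REQUEST, including renewals: an Allow list enabled without a complete inventory silently removes devices from the network one lease expiry at a time, which is hard to diagnose from the client side.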
Objective 6: Manage DHCP superscopes with IPAM
Concepts
Consider the scenario where the available IP addresses in currently active scopes are nearly depleted, but more computers are expected to join the network. In this scenario, you can use superscopes to allow a DHCP server to provide leases to clients from more than one scope on a single physical network. DHCP scopes in the same superscope can share IP addresses and give leases to clients on each other's subnet.
Superscopes can also help you resolve deployment issues such as migrating clients to a new scope (for example, when renumbering the network). Superscopes are available for IPv4 addresses only.
This section demonstrates how IPAM enables you to create and manage DHCP superscopes.
Procedures
Add scopes to a superscope
Click DNS and DHCP Servers, and choose DHCP next to Server Type and Scope Properties next to View.
On the Scope Properties tab in Details View, the names of superscopes are displayed next to Superscope Name. This is also displayed in the Superscope Name column. Verify that currently this field is blank for all scopes.
Right-click the Lab DHCP Scope and then click Add to DHCP Superscope.
Next to Superscope name, type Lab Superscope and then click OK.
Verify that Lab Superscope is displayed next to Superscope Name.
Right-click the Contoso DHCP Scope and then click Add to DHCP Superscope.
Choose Use existing superscope, select Lab Superscope, and then click OK.
To remove a scope, right-click the scope and then click Remove from DHCP Superscope. If all scopes are removed from a superscope, the superscope is deleted automatically.
Manage DHCP superscopes
Next to View, choose Superscope Properties.
Review information in the Details View using the Superscope Properties tab and the DHCP Scopes tab.
Right-click a superscope to perform several management actions.
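The same superscope operations are available per server through the DhcpServer module. The following PowerShell script is an added example, not part of the original walkthrough; it assumes dhcp1.contoso.com and the two lab scope IDs 40.40.1.0 and 50.50.1.0, and adds the per-scope utilization view that tells you whether a superscope is actually needed.

```powershell
# Added example: DHCP superscope management with the DhcpServer module.
# Assumed: lab server FQDN and scope IDs from the walkthrough.
$server = 'dhcp1.contoso.com'
$name   = 'Lab Superscope'

# Adding a scope to a superscope name that does not exist yet creates the
# superscope, which is what "Add to DHCP Superscope" does for the first scope.
Add-DhcpServerv4Superscope -ComputerName $server -SuperscopeName $name -ScopeId '40.40.1.0'
Add-DhcpServerv4Superscope -ComputerName $server -SuperscopeName $name -ScopeId '50.50.1.0'

# Membership: ScopeId on the superscope object is an array of member scopes.
Get-DhcpServerv4Superscope -ComputerName $server -SuperscopeName $name

# Utilization per member scope. A superscope is justified when one member is
# close to full and another still has free addresses on the same wire.
Get-DhcpServerv4Superscope -ComputerName $server -SuperscopeName $name |
    Select-Object -ExpandProperty ScopeId |
    ForEach-Object {
        Get-DhcpServerv4ScopeStatistics -ComputerName $server -ScopeId $_ |
            Select-Object ScopeId, Free, InUse, Reserved, PercentageInUse
    } | Format-Table -AutoSize

# Remove one scope from the superscope. Removing the last member deletes the
# superscope itself; the scopes are never deleted by this operation.
Remove-DhcpServerv4Superscope -ComputerName $server -SuperscopeName $name -ScopeId '50.50.1.0'

# Confirm what is left.
Get-DhcpServerv4Superscope -ComputerName $server -SuperscopeName $name |
    Select-Object SuperscopeName, ScopeId
```

Because a superscope makes the server hand out addresses from several subnets on one physical segment, the router for that segment must already be configured with the corresponding secondary addresses, otherwise clients leased from the second scope get an address but no gateway that can reach them.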