
Day 1:

How many users are in your company: ###K

How many endpoints do you have: XXXK

How many IP addresses do you use: ??????

Do you know how many subnets are in use in your enterprise: sure, I can share the list with you quickly

One week later:

I have received most of the Excel files, a few not, as the person maintaining them is no longer with the organization, but I will be able to give you the details in a few days

3 weeks later:

Here is the list of subnets used.

Are you sure all your subnets are reflected in your Active Directory sites and subnets, SCCM boundaries, Lync regions, locations and subnets for call admission control (CAC) and location based routing (LBR), etc.: Yes

  • Why is the Netlogon log of Active Directory reporting missing subnets?
  • Clients are logging into a far away domain controller instead of the local one.
  • Users in site A are not able to make and receive PSTN calls in Lync.
  • Machines in site B are part of, as well as getting patch updates from, the site C SCCM server.

IP address management (IPAM) is crucial for any enterprise. Not just for security: many systems like AD, SCCM, Lync/SFBS etc. depend on correct IP subnet definitions to work as expected. At the same time, accurate information about subnets and the number of clients inside them helps in proper planning of location specific infrastructure like AD, SCCM, AV servers etc. IPAM as a role was first introduced in Windows Server 2012 and later, with 2012 R2, got major improvements, notably support for an external SQL database for large deployments. Once deployed it collects information from sources like DHCP, DNS, AD and NPS systems, stores it in SQL, and by applying logic and correlation presents it in a way that gives meaningful information about the enterprise network landscape. In addition:

  • It allows static IP addresses and segments to be recorded, like IPs assigned in the server segment or used by IP phones in the voice VLAN, as well as address space for virtual machines.
  • It provides the ability to import and export data in CSV format, which comes in very handy for importing data from network devices like switches as well as exporting data to consume in things like AD sites and subnets, Lync subnet creation etc.
  • PowerShell automation.

Details on IPAM are well documented in TechNet, and for this post my focus will be on the deployment and how to get started with IPAM.

Backend for IPAM:

SQL Enterprise edition is the requirement for the IPAM backend database unless it is a small setup that can do fine with the Windows Internal Database. A tiered Storage Spaces volume of 200GB HDD and 20GB SSD is able to serve 96% of IOPS from SSD for an IPAM deployment of around 3K subnets and 50K IP addresses.

Frontend:

With a remote SQL server, an 8GB VM is doing fine. Network traffic is a bit heavy, and hence a virtual function from an SR-IOV enabled switch, with teaming inside the VM, is helping.

Getting started:

The IPAM management console provides step-by-step quick start tasks to get started with IPAM. Group Policy is the most convenient and recommended way to get IPAM collecting information from production servers. However, at the beginning one may want to test with a few servers first. Add the domain for IPAM to discover servers, either in the IPAM console or using the Add-IpamDiscoveryDomain cmdlet. Here is a script for unblocking the DHCP servers so that the IPAM server can query DHCP audit logs, subnets and IP allocations:

# Computer account of the IPAM server; single quotes keep the trailing $ literal
$IPAMservercomputer = 'domain\ipamsrver$'
$IPAMServerIP = "1.2.3.4"
$DHCPserverlist = "DHCPsrver1","DHCPsrver2"

foreach ($DHCPSrv in $DHCPserverlist) {
    $connectdhcp = $null
    $dhcp_sess = New-PSSession -ComputerName $DHCPSrv -ErrorVariable connectdhcp -ErrorAction SilentlyContinue

    if ($connectdhcp) {
        Write-Host "not able to connect to DHCP server" $DHCPSrv -ForegroundColor Red
    }
    else {
        # Local variables are passed into the remote script block with $using:
        Invoke-Command -Session $dhcp_sess -ScriptBlock {
            # Creates the DHCP Users / DHCP Administrators local groups if missing
            Add-DhcpServerSecurityGroup
            # Allow inbound traffic from the IPAM server only
            New-NetFirewallRule -PolicyStore PersistentStore -DisplayName "IPAM Srv access" -Direction Inbound -Action Allow -RemoteAddress $using:IPAMServerIP
            # Read-only share of the DHCP audit log folder for the IPAM computer account
            New-SmbShare -Name dhcpaudit -Path C:\Windows\System32\dhcp -ReadAccess $using:IPAMservercomputer
            # Grant the IPAM computer account event log and DHCP read access
            net localgroup "Event Log Readers" $using:IPAMservercomputer /add
            net localgroup "DHCP Users" $using:IPAMservercomputer /add
            Restart-Service DHCPServer
        }
        Add-IpamServerInventory -ServerType DHCP -ManageabilityStatus Managed -Name $DHCPSrv
        Remove-PSSession $dhcp_sess
    }
}

Making into production:

After initial testing with a few servers, the IPAM console can be used to create GPOs at the domain root level. Three GPOs with the given prefix are created: DC_NPS, DHCP and DNS. Individual servers have to be added to them for the group policy to apply to them and for IPAM access to be unblocked. Here is a script to add the identified domain controllers to these GPOs:

# GPO names as created by IPAM GPO provisioning with the prefix "myIPAM"
$DC_NPS_GP = "myIPAM_DC_NPS"
$DNS_GP = "myIPAM_DNS"
$dc_list = "mydc1","mydc2"

foreach ($DC in $dc_list) {
    # Security filtering: let the DC_NPS and DNS GPOs apply to this domain controller
    Set-GPPermission -Name $DC_NPS_GP -DomainName pkpnotes.com -PermissionLevel GpoApply -TargetName $DC -TargetType Computer
    Set-GPPermission -Name $DNS_GP -DomainName pkpnotes.com -PermissionLevel GpoApply -TargetName $DC -TargetType Computer
    # Mark the server as managed in IPAM for both its DC and DNS roles
    Add-IpamServerInventory -ServerType DC,DNS -ManageabilityStatus Managed -Name $DC
}

Once inventory and data collection are complete, IPAM is ready with information about the network. The inventory collected by IPAM has many uses, apart from its native capability to manage DHCP servers, including scope and reservation management, and to provide auditing of both IP address allocation and DHCP server configuration.
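One such use, tied to the missing-subnet symptoms at the top of this post, is reconciling the IPAM subnet inventory against AD Sites and Services. This is an added example, not a script from the original post; it assumes the IpamServer and ActiveDirectory modules are available where it runs, that IpamSubnet objects expose a NetworkId CIDR string, and the IPAM server name and report path are placeholders.

```powershell
# Added example (not from the original post): report IPAM subnets with no
# AD Sites and Services entry, and AD subnets that IPAM no longer knows about.
Import-Module IpamServer
Import-Module ActiveDirectory

$ipamServer = 'ipamsrver.pkpnotes.com'          # placeholder: IPAM server FQDN
$reportPath = 'C:\Temp\IPAM-vs-AD-subnets.csv'  # placeholder: report location

# IPv4 subnets known to IPAM (from DHCP scopes, CSV import or manual entry).
# Assumption: each object carries NetworkId as "a.b.c.d/prefix" and a Name.
$ipamSubnets = Get-IpamSubnet -CimSession $ipamServer -AddressFamily IPv4

# Subnets registered in AD Sites and Services, keyed by the same CIDR string
$adSubnets = @{}
Get-ADReplicationSubnet -Filter * | ForEach-Object { $adSubnets[$_.Name] = $_.Site }

$report = foreach ($s in $ipamSubnets) {
    if (-not $adSubnets.ContainsKey($s.NetworkId)) {
        # Clients here will not be mapped to a site: Netlogon "no site" entries,
        # far-away DCs, and Lync CAC/LBR lookups falling back to defaults
        [pscustomobject]@{ NetworkId = $s.NetworkId; Name = $s.Name; Finding = 'MissingInAD' }
    }
}

# Opposite direction: AD subnets that do not exist in IPAM are likely stale
$ipamIds = @{}
foreach ($s in $ipamSubnets) { $ipamIds[$s.NetworkId] = $true }
$stale = foreach ($cidr in $adSubnets.Keys) {
    if (-not $ipamIds.ContainsKey($cidr)) {
        [pscustomobject]@{ NetworkId = $cidr; Name = $adSubnets[$cidr]; Finding = 'StaleInAD' }
    }
}

@($report) + @($stale) | Sort-Object Finding, NetworkId |
    Export-Csv -Path $reportPath -NoTypeInformation
Write-Host ("{0} IPAM subnets missing in AD, {1} AD subnets unknown to IPAM; see {2}" -f `
    @($report).Count, @($stale).Count, $reportPath)
```

Review the MissingInAD rows with the site owners before creating them with New-ADReplicationSubnet; IPAM subnets with an obviously wrong mask are usually the cause of the same symptoms.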
