This is our last part in a series that focuses on IPAM. We will discuss about moving IPAM to SQL server, backup the IPAM database, auditing etc.

IPAM BACKUP

This is very straightforward. By default if you have got Windows Internal Database (WID) there are 2 files you need to backup. Those files are IPAM.mdf and IPAM_log.ldf and they are store in C:\Windows\System32\ipam\Database

These days we are backing up the whole servers and not only individual files but in case you would like to backup those now you know where you can find them.

If something goes wrong just restore those files and the database will be restored. We will move that database to SQL server so it is good to backup these files before you migrate.

screen.59.jpg

MIGRATING TO SQL

When you are installing the IPAM you have the option to choose if you are going to use WID or a SQL instance. Normally when you deploying IPAM you are going to choose the most simplest option which is a built in windows internal database. IPAM database is very small and there is no need to move it to sql server unless you want to provide high availability or you have an enterprise environment. You can convert and use a SQL if you would like to but there are things you need to thing about before you convert it.

Limitation is the same as when you configuring rds connection broker HA. Once you move database to sql server there is no way to move it back from sql to windows internal database, it is a one way operation so it is important to have a backup on WID before you move it to sql.

Prerequisite

  • SQL Server must be Enterprise Edition
  • Create Active Directory Security Group and add your IPAM servers to it.
  • Configure permissions on the SQL server

Let’s get started.

Create new security group in AD and add IPAM servers in it. In my case IPAM Server. Reboot IPAM servers.

screen.60.jpg

Let’s configure the SQL Server. Check if TCP/IP is enabled under Client Protocols. SQL Server 2016 install enables this by default, but check it just to be sure, especially if you use an existing SQL Server.

screen.61.jpg

Click on Protocols for IPAM (That is the name of the instance I am using for IPAM) and be sure that the TCP/IP is enabled.

screen.62.jpg

Be sure that port is not being blocked by Windows Firewall. I added new rule SQL IPAM with port 1500 to the exception list to allow all inbound traffic. You may use 1433 or any other port. I am using port 1433 for RDS.

screen.63.jpg

When that is done, open SQL Management Studio –> expand Security and right click on Logins –> New Login

screen.64.jpg

Click on Search, Change Object Types to Group, change Locations to Entire Directory and Add IPAM server group. Once Done, click OK

screen.65.jpg

On Login – New Wizard, Click Server Roles and mark dbcreator. Click OK

screen.66

We have granted the IPAM server group the right to create databases.

screen.67.jpg

Move to IPAM server and open Powershell as admin and type in Get-Ipamdatabase

This command will show us that we are currently using WID.

screen.68.jpg

Let’s move this database to SQL server.

Move-IpamDatabase -databaseserver sqlsrv01.mehic.se -databasename IPAMDB -DatabasePort 1500 -DatabaseAuthType Windows

When you hit enter you will get this warning message so press Y to accept it.

screen.70.jpg

and that’s it.

screen.71.jpg

Run Get-Ipamdatabase command and this time it will show database server

screen.73.jpg

Go back to SQL and hit refresh and you will see your new database

screen.72.jpg

 

TROUBLESHOOT IPAM

In terms of troubleshooting IPAM there is a couple of things that you should keep in mind. The first thing is if it is not working check the 2 windows services. Ensure that they are running

  • Windows Process Activation Service
  • Windows Internal Database

Second thing is if you are looking at server inventroy and a lot of servers are blocked:

  • First check the GPO Security Settings
  • Second, verify that group policy is applying to servers
  • Third, verify that you have permissions to manage and deploy GPO

Cannot find DNS server

  • Verify that DNS server is on network interface connected to IPAM server network. If they are on separate network and there is no tcp/ip connectivity you will not be able to discover it
  • Verify that NS records exist for DNS server

 

Cannot find DHCP server

  • Verify that DHCP server role not present on IPAM server. (Most common reason)
  • Verify that DHCP server has at least one IPv4 scope configured
  • Verify that IPAM server has connectivity to DHCP server
  • Verify that DHCP INFORM messages sent by IPAM are not being filtered on the network

 

Cannot manually add a server to IPAM

  • Verify DNS resolution for IP address of server
  • Verify that server name is present in the Active Directory Global Catalog (all servers that are managed by IPAM must be domain members)

 

AUDIT IPAM

This is really a cool feature where you can use IPAM to see who was logged in to a particular IP address at the particular point in time. If you have got everything enabled, basically what will happen is that IPAM will search and see who was logged on in a paticular point in time or if you notice something suspicious you can use IPAM to see who was behind that client ip address.

There is a couple of requirements that you have to configure before you can use it.

  • Account Login Event Auditing needs to be enabled on all domain controllers. It is not enabled by default so you have to turn it on.
  • IPAM needs to be configured to manage all domain controllers – reason for this is that any domain controller in your environment can process logon for particular user and if you only monitor one DC (if you have for example 2 DCs) you will not be able to tie a particular user name to a particular IP address, so keep this one in mind. One more thing is that IPAM can’t track local logons.
  • Reverse lookup zones configured – this will allow you to verify that the IP address maps back to a host name.
  • DHCP logging enabled – This is turned on by default

 

Out of the box IPAM does track IPAM configuration events. This means if someone or a computer makes a change to the IPAM configuration, all of that is logged. You can see that if you click on EVENT CATALOG node.

screen.75.jpg

IPAM automatically tracks DHCP configuration events as well. If you are going to a purge on database it will go and remove all of this data so it is important to back this up so if someone gets in and delete everything to hide his activities, you will have the option to pull the old records back.

screen.76.jpg

IP ADDRESS TRACKING

This is really useful because it allows you to track who is using an IP address or to pull all of the data related to an IP address, Client ID (MAC address), Host Name or User Name.

screen.78

Important thing to know about this is when you are performing search you must specify a date when searching and another field depending on how you are going to search. If you for example go in and try to track a host name and just enter host name without date IPAM will not do nothing.

screen.77.jpg

You can use powershell as well to query and the command is Get-IPAMAddressAuditEvent and you can select UserName, IPAddress, HostName, ClientID, StartData and EndData

It will return max 10 000 rows.

screen.79.jpg

 

IPAM and Multi-Forest Envoronment

This is something new in Windows Server 2016. You was not able to manage DHCP and DNS servers in different forest with previous versions of Windows Server.

New feature allows us to manage DHCP and DNS servers with a single IPAM instance accross multiple AD Forests.

 

Requirements

Two-Way trust relationship

  • Domain to Domain
  • Forest to Forest
  • Can use selective authentication

GPO provisioning account requires credentials that have the ability to create and deploy GPOs in the trusting forest – so the account needs to be in admin group in each target domain.

I don’t have 2 forests at the moment so I am not able to demonstrate this but these are the steps you need to follow to configure it:

  • Configure two-way forest trust
  • Add the gpo provision account to admin group in each domain you would like to administer
  • Go to IPAM server and click on manage –> tasks –> IPAM settings and click on Configure Server Discovery. Click on Get Forests and close the window. Wait for task to complete and re-open the window and select/add new forest.
  • Server will pop up in Server Inventory as Unspecified and Blocked.
  • Run Invoke-IpamGpoProvisioning command and restart servers
  • Configure the server (Part 1 is showing how to provision the server – scroll down until you came to the link Nr. 5. There you can find steps needed to configure it)

 

That’s it.

Cheers,

Nedim