This is the last part in our series on IPAM. We will cover moving the IPAM database to SQL Server, backing up the IPAM database, auditing and a few related topics.
Backing up is very straightforward. By default, if you are running on the Windows Internal Database (WID), there are two files you need to back up: IPAM.mdf and IPAM_log.ldf, stored in C:\Windows\System32\ipam\Database.
These days we back up whole servers rather than individual files, but if you want to back up just the database, now you know where to find those files.
If something goes wrong, restore those two files and the database is restored. We are about to move the database to SQL Server, so it is a good idea to back up these files before you migrate.
MIGRATING TO SQL
When you install IPAM you can choose between WID and a SQL Server instance. Normally, when deploying IPAM, you pick the simplest option, which is the built-in Windows Internal Database. The IPAM database is very small and there is no need to move it to SQL Server unless you want high availability or you run an enterprise environment. You can convert to SQL Server if you like, but there are a few things to think about before you do.
The limitation is the same as when you configure RDS Connection Broker HA: once you move the database to SQL Server there is no way to move it back to the Windows Internal Database. It is a one-way operation, so it is important to have a backup of the WID files before you migrate.
- SQL Server must be Enterprise Edition
- Create Active Directory Security Group and add your IPAM servers to it.
- Configure permissions on the SQL server
Let’s get started.
Create a new security group in AD and add the IPAM servers to it. In my case the group is called IPAM Server. Reboot the IPAM servers so they pick up the new group membership.
Now let's configure the SQL Server. Check that TCP/IP is enabled under Client Protocols. A SQL Server 2016 installation enables this by default, but check it to be sure, especially if you are using an existing SQL Server.
Click on Protocols for IPAM (IPAM is the name of the instance I am using) and make sure TCP/IP is enabled.
Make sure the port is not blocked by Windows Firewall. I added a new inbound rule called SQL IPAM for port 1500. You may use 1433 or any other port; I am already using 1433 for RDS.
When that is done, open SQL Server Management Studio, expand Security, right-click Logins and choose New Login.
Click Search, change Object Types to Group, change Locations to Entire Directory and add the IPAM server group. Once done, click OK.
In the Login - New dialog, click Server Roles and tick dbcreator. Click OK.
We have granted the IPAM server group the right to create databases.
Move to the IPAM server, open PowerShell as administrator and run Get-IpamDatabase.
This command shows that we are currently using WID.
Let’s move this database to SQL server.
Move-IpamDatabase -DatabaseServer sqlsrv01.mehic.se -DatabaseName IPAMDB -DatabasePort 1500 -DatabaseAuthType Windows
When you hit Enter you will get a warning message; press Y to accept it, and that's it.
Run Get-IpamDatabase again and this time it will show the SQL database server.
Go back to SQL Server Management Studio, hit refresh and you will see the new database.
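The migration above as one PowerShell script, added here as an example (not from the original post): it copies the WID files first, confirms the IPAM server can reach the SQL instance on the chosen port, and only then moves the database. The backup folder D:\Backup\IPAM is an assumption; the server name, database name and port are the ones used above.

```powershell
# Added example: back up WID, check connectivity, then migrate to SQL Server.
# Run in an elevated PowerShell session on the IPAM server.
$WidPath    = 'C:\Windows\System32\ipam\Database'   # WID file location
$BackupPath = 'D:\Backup\IPAM'                       # assumption: any safe location
$SqlServer  = 'sqlsrv01.mehic.se'
$SqlPort    = 1500
$DbName     = 'IPAMDB'

# 1. The move is one-way, so copy IPAM.mdf and IPAM_log.ldf before anything else.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
Get-ChildItem -Path $WidPath -Filter 'IPAM*' | Copy-Item -Destination $BackupPath -Force
"Backed up: $((Get-ChildItem $BackupPath).Name -join ', ')"

# 2. Show where IPAM lives right now (expect WID).
Get-IpamDatabase | Format-List

# 3. The IPAM computer account (via the AD group) will connect over TCP with
#    Windows authentication, so the port must be reachable and open in the firewall.
$tcp = Test-NetConnection -ComputerName $SqlServer -Port $SqlPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "Cannot reach $SqlServer on TCP $SqlPort. Check SQL TCP/IP protocol and the firewall rule."
}

# 4. Migrate. Answer Y at the one-way-operation warning, as described above.
Move-IpamDatabase -DatabaseServer $SqlServer -DatabaseName $DbName `
                  -DatabasePort $SqlPort -DatabaseAuthType Windows

# 5. Verify: DatabaseServer should now point at the SQL instance.
Get-IpamDatabase | Format-List
```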
When troubleshooting IPAM there are a couple of things to keep in mind. First, if it is not working at all, check these two Windows services and make sure they are running:
- Windows Process Activation Service
- Windows Internal Database
Second, if you look at the server inventory and a lot of servers are blocked:
- First check the GPO Security Settings
- Second, verify that group policy is applying to servers
- Third, verify that you have permissions to manage and deploy GPO
Cannot find DNS server
- Verify that the DNS server is on a network the IPAM server can reach. If they are on separate networks with no TCP/IP connectivity, you will not be able to discover it.
- Verify that NS records exist for the DNS server.
Cannot find DHCP server
- Verify that the DHCP Server role is not installed on the IPAM server (the most common reason).
- Verify that DHCP server has at least one IPv4 scope configured
- Verify that IPAM server has connectivity to DHCP server
- Verify that DHCP INFORM messages sent by IPAM are not being filtered on the network
Cannot manually add a server to IPAM
- Verify DNS resolution for IP address of server
- Verify that server name is present in the Active Directory Global Catalog (all servers that are managed by IPAM must be domain members)
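A quick health check for the most common problems in the list above, added here as an example (not from the original post). The DHCP server, DNS server and domain names are assumptions; the service names are the real ones behind the two display names mentioned above.

```powershell
# Added example: check the usual IPAM suspects from the IPAM server.
$DhcpServer = 'dhcp01.mehic.se'   # assumption: a managed DHCP server
$DnsServer  = 'dc01.mehic.se'     # assumption: a managed DNS server
$DnsDomain  = 'mehic.se'          # assumption: zone whose NS records we check

# 1. Both services must be running.
#    WAS = Windows Process Activation Service, MSSQL$MICROSOFT##WID = Windows Internal Database.
foreach ($name in 'WAS', 'MSSQL$MICROSOFT##WID') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc)                        { Write-Warning "$name not installed (fine only if IPAM runs on SQL Server)" }
    elseif ($svc.Status -ne 'Running')    { Write-Warning "$name is $($svc.Status)" }
    else                                  { "OK   $name is running" }
}

# 2. The DHCP Server role must NOT be on the IPAM server itself.
if ((Get-WindowsFeature -Name DHCP).Installed) {
    Write-Warning 'DHCP Server role is installed on this IPAM server; DHCP discovery will fail'
} else { 'OK   no DHCP Server role on the IPAM server' }

# 3. The managed DHCP server must be reachable and have at least one IPv4 scope.
if ((Test-NetConnection -ComputerName $DhcpServer -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded) {
    try {
        $scopes = @(Get-DhcpServerv4Scope -ComputerName $DhcpServer -ErrorAction Stop)
        if ($scopes.Count -eq 0) { Write-Warning "$DhcpServer has no IPv4 scopes" }
        else { "OK   $DhcpServer has $($scopes.Count) IPv4 scope(s)" }
    } catch { Write-Warning "Cannot read scopes from ${DhcpServer}: $_" }
} else { Write-Warning "No RPC connectivity to $DhcpServer" }

# 4. The DNS server must be listed as a name server for the zone and must resolve.
$ns = Resolve-DnsName -Name $DnsDomain -Type NS -ErrorAction SilentlyContinue |
      Where-Object { $_.NameHost -like "$DnsServer*" }
if ($ns) { "OK   $DnsServer has an NS record for $DnsDomain" }
else     { Write-Warning "No NS record for $DnsServer in $DnsDomain" }
if (-not (Resolve-DnsName -Name $DnsServer -ErrorAction SilentlyContinue)) {
    Write-Warning "$DnsServer does not resolve; IPAM cannot add servers it cannot resolve"
}
```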
This is a really cool feature: you can use IPAM to see who was logged on at a particular IP address at a particular point in time. With everything enabled, IPAM will search the collected events and tell you who was logged on at that moment, so if you notice something suspicious you can use IPAM to see who was behind that client IP address.
There are a couple of requirements you have to configure before you can use it.
- Account Login Event Auditing needs to be enabled on all domain controllers. It is not enabled by default so you have to turn it on.
- IPAM needs to be configured to manage all domain controllers. Any domain controller in your environment can process the logon for a particular user, so if you monitor only one DC (out of, say, two) you will not be able to tie a user name to an IP address. Keep this in mind. One more thing: IPAM can't track local logons.
- Reverse lookup zones configured – this will allow you to verify that the IP address maps back to a host name.
- DHCP logging enabled – This is turned on by default
Out of the box IPAM tracks IPAM configuration events. If a person or a computer changes the IPAM configuration, that change is logged, and you can see it under the EVENT CATALOG node.
IPAM automatically tracks DHCP configuration events as well. If you purge the database, all of this data is removed, so it is important to back it up: if someone gets in and deletes everything to hide their activity, you still have the option to pull the old records back.
IP ADDRESS TRACKING
This is really useful because it allows you to track who is using an IP address or to pull all of the data related to an IP address, Client ID (MAC address), Host Name or User Name.
One important thing to know: when you search you must specify a date as well as the field you are searching on. If you try to track a host name and enter only the host name without a date, IPAM will do nothing.
You can query from PowerShell as well with Get-IpamAddressAuditEvent, filtering on UserName, IPAddress, HostName or ClientID together with StartDate and EndDate.
It returns at most 10,000 rows.
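Pulling the audit trail for one suspicious client IP from PowerShell, added here as an example (not from the original post). It queries in one-day slices so a single slice is unlikely to hit the 10,000 row cap, and flags any slice that does; the IP address and the output path are assumptions.

```powershell
# Added example: who was behind a client IP during an incident window?
# Requires the tracking prerequisites above (logon auditing on all DCs, all DCs managed).
$IpAddress = [ipaddress]'10.0.20.57'                     # assumption: IP under investigation
$Start     = (Get-Date).Date.AddDays(-7)                 # look back one week
$End       = Get-Date
$CsvPath   = "$env:TEMP\ipam-audit-$IpAddress.csv"       # assumption: report location

$events     = @()
$sliceStart = $Start
while ($sliceStart -lt $End) {
    # One-day windows keep each query well under the 10,000 row limit.
    $sliceEnd = $sliceStart.AddDays(1)
    if ($sliceEnd -gt $End) { $sliceEnd = $End }

    $slice = @(Get-IpamAddressAuditEvent -IpAddress $IpAddress `
                                         -StartDate $sliceStart -EndDate $sliceEnd)
    if ($slice.Count -ge 10000) {
        # The cap silently truncates; a full slice means we may have lost rows.
        Write-Warning "Slice $sliceStart - $sliceEnd returned 10,000 rows; narrow the window."
    }
    $events     += $slice
    $sliceStart  = $sliceEnd
}

"$($events.Count) audit events for $IpAddress between $Start and $End"
# Keep a copy outside IPAM: a later database purge removes these records.
$events | Export-Csv -Path $CsvPath -NoTypeInformation
"Saved to $CsvPath"
```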
IPAM and Multi-Forest Environments
This is new in Windows Server 2016. With previous versions of Windows Server you were not able to manage DHCP and DNS servers in a different forest.
The new feature allows us to manage DHCP and DNS servers across multiple AD forests with a single IPAM instance.
Two-Way trust relationship
- Domain to Domain
- Forest to Forest
- Can use selective authentication
The GPO provisioning account needs permission to create and deploy GPOs in the trusting forest, so the account needs to be in an admin group in each target domain.
I don’t have 2 forests at the moment so I am not able to demonstrate this but these are the steps you need to follow to configure it:
- Configure two-way forest trust
- Add the GPO provisioning account to the admin group in each domain you would like to administer
- Go to IPAM server and click on manage –> tasks –> IPAM settings and click on Configure Server Discovery. Click on Get Forests and close the window. Wait for task to complete and re-open the window and select/add new forest.
- The servers will show up in Server Inventory as Unspecified and Blocked.
- Run Invoke-IpamGpoProvisioning command and restart servers
- Configure the servers (Part 1 shows how to provision a server; scroll down to link no. 5, where you will find the steps needed to configure it)
You are KING man. Thank you so much for the IPAM articles. I am writing MCSA next week and your site has everything I need. These 4 IPAM posts explained everything about IPAM and provided more info than the Exam Ref 70-743 Upgrading Your Skills to MCSA: Windows Server 2016 book.
Keep up the good work.
Thanks Nedim for sharing the knowledge
Thank you so much, it helps me a lot to operate new systems in my company.
In my company environment there are over 2,000 people and 3,000 IPs with a lot of subnets and branch offices, and they keep transferring between projects every day, so as far as I know, with IPAM I need to control all of them manually. Do we have a solution for IPAM to auto-update IP addresses from DHCP? When people change project, the DHCP service will automatically provide an IP and automatically update it on the IPAM server. I mean, can we pull information from the DHCP server automatically?
Hello, great article. I'm trying to manage a multi-forest deployment but I'm facing some issues deploying the GPO across the domains.
When you say "Add the gpo provision account to admin group in each domain you would like to administer", what do you mean exactly?
What is the "gpo provisioning account"? Which admin group of the trusting domain should it be a member of (Enterprise Admins is a global group and can't be used for foreign forests)?
Actually I could add foreign DCs but their status is still blocked.
Add domain admin account to domain admin group in each domain you would like to administer.