1
00:00:01,140 --> 00:00:02,110
In this demonstration,

2
00:00:02,110 --> 00:00:05,150
let's have a look at IP Address Management in Windows Server.

3
00:00:05,150 --> 00:00:06,400
I'm on a member server.

4
00:00:06,400 --> 00:00:09,760
Recall, we cannot install IPAM on a domain controller.

5
00:00:09,760 --> 00:00:13,520
And you're looking in the foreground here in my PowerShell console.

6
00:00:13,520 --> 00:00:16,660
I'm just verifying that I've installed the IP Address

7
00:00:16,660 --> 00:00:18,260
Management server and the Client.

8
00:00:18,260 --> 00:00:21,160
So you should know that the Client feature is available in

9
00:00:21,160 --> 00:00:23,010
the Remote Server Administration Tools,

10
00:00:23,010 --> 00:00:26,950
so you can definitely use the IPAM Client from your workstation.

11
00:00:26,950 --> 00:00:29,200
You don't have to be on the server itself.

12
00:00:29,200 --> 00:00:33,500
The configuration for IPAM is going to take place here in Server Manager.

13
00:00:33,500 --> 00:00:35,730
Let me start at the beginning here in the dashboard.

14
00:00:35,730 --> 00:00:40,500
We'll come down to IPAM, and then that'll bring us to the OVERVIEW page.

15
00:00:40,500 --> 00:00:42,410
Now I've already gone through the setup,

16
00:00:42,410 --> 00:00:47,080
and we don't need to know too many details on setting it up for the exam,

17
00:00:47,080 --> 00:00:50,350
but let me walk you through it from a high-level viewpoint here.

18
00:00:50,350 --> 00:00:54,250
Step one is where we connect to an IPAM server.

19
00:00:54,250 --> 00:00:55,620
Of course, I have just the one.

20
00:00:55,620 --> 00:00:59,540
And I think I mentioned that unfortunately IP Address Management in

21
00:00:59,540 --> 00:01:02,620
Windows Server does not synchronize with other hosts.

22
00:01:02,620 --> 00:01:03,980
It's just a singleton instance.

23
00:01:03,980 --> 00:01:08,070
We then can provision the IPAM server either in an automated way

24
00:01:08,070 --> 00:01:10,460
using Group Policy or we can do it manually.

25
00:01:10,460 --> 00:01:12,860
If we look in the CONFIGURATION SUMMARY,

26
00:01:12,860 --> 00:01:15,160
I've selected the Group Policy provisioning.

27
00:01:15,160 --> 00:01:19,360
That makes things a lot easier as far as configuring firewall rules,

28
00:01:19,360 --> 00:01:21,540
discovery, properties, etc.

29
00:01:21,540 --> 00:01:26,150
And if I pop open my MMC console here, let me go into Group Policy Management,

30
00:01:26,150 --> 00:01:29,740
you actually can do the automatic provisioning with a

31
00:01:29,740 --> 00:01:31,950
PowerShell cmdlet that I'll mention in a moment.

32
00:01:31,950 --> 00:01:34,590
But notice here that you provide a prefix,

33
00:01:34,590 --> 00:01:37,960
and then you get three domain-linked Group Policy Objects,

34
00:01:37,960 --> 00:01:42,170
NPS to detect network policy servers, RADIUS servers,

35
00:01:42,170 --> 00:01:44,140
DHCP, and DNS.

36
00:01:44,140 --> 00:01:47,630
And you want to make sure that you include the appropriate servers in

37
00:01:47,630 --> 00:01:50,740
the Security Filtering list for that as well because unfortunately

38
00:01:50,740 --> 00:01:53,180
there's quite a few gotchas in setting up IPAM.

39
00:01:53,180 --> 00:01:56,580
You'll want to check the Pluralsight library if you're looking for a deep dive.

40
00:01:56,580 --> 00:02:00,090
Remember, we're concerned with certification preparation here,

41
00:02:00,090 --> 00:02:03,200
so I'm going to be really surgical in my approach.

42
00:02:03,200 --> 00:02:06,390
All right, so anyway, the GPO, once you deploy those,

43
00:02:06,390 --> 00:02:08,940
let me bring up my PowerShell console one more time,

44
00:02:08,940 --> 00:02:12,930
I'll do a help Invoke-IpamGpoProvisioning,

45
00:02:12,930 --> 00:02:14,860
and I'll just run the examples here.

46
00:02:14,860 --> 00:02:16,660
And let me select this right here.

47
00:02:16,660 --> 00:02:20,940
This is at base what I did, Invoke-IpamGpoProvisioning.

48
00:02:20,940 --> 00:02:25,540
You pass in the name of your AD domain, you provide a prefix, and there you go.

49
00:02:25,540 --> 00:02:28,870
Again, it does quite a bit of work in the background to set up the environment,

50
00:02:28,870 --> 00:02:32,220
doing access control lists, creating groups,

51
00:02:32,220 --> 00:02:32,850
etc.

52
00:02:32,850 --> 00:02:33,310
etc.

53
00:02:33,310 --> 00:02:33,750
etc.

54
00:02:33,750 --> 00:02:35,740
Again, you can do it manually if you want to.

55
00:02:35,740 --> 00:02:38,420
After that, you configure server discovery.

56
00:02:38,420 --> 00:02:41,780
This is basically selecting in your Active Directory forest

57
00:02:41,780 --> 00:02:44,460
environment which domains you want to include and which

58
00:02:44,460 --> 00:02:46,170
roles you're looking to monitor.

59
00:02:46,170 --> 00:02:50,370
I'm doing domain controller, DHCP, and DNS in this case.

60
00:02:50,370 --> 00:02:55,750
We then start server discovery, and this is just one of several scheduled tasks.

61
00:02:55,750 --> 00:03:00,890
Down here in the CONFIGURATION SUMMARY we've got a number of scheduled tasks

62
00:03:00,890 --> 00:03:04,130
that will be on the IPAM server scheduled task library,

63
00:03:04,130 --> 00:03:09,780
and that is how the IPAM server is able to automate these various tasks

64
00:03:09,780 --> 00:03:12,610
that run on a schedule or you can configure ad hoc.

65
00:03:12,610 --> 00:03:16,520
It says here in the banner when the next data collection event will happen.

66
00:03:16,520 --> 00:03:17,370
We're almost done here.

67
00:03:17,370 --> 00:03:19,520
Select or add servers to manage.

68
00:03:19,520 --> 00:03:22,180
This is going to show your enumerated servers.

69
00:03:22,180 --> 00:03:23,370
There's server type.

70
00:03:23,370 --> 00:03:26,800
You can right-click to force a data refresh.

71
00:03:26,800 --> 00:03:31,100
If you go to Edit, this allows you to adjust the server type manually.

72
00:03:31,100 --> 00:03:33,900
In my environment, I have one machine, localdc,

73
00:03:33,900 --> 00:03:36,560
that is a domain controller, DNS server,

74
00:03:36,560 --> 00:03:38,040
and DHCP server.

75
00:03:38,040 --> 00:03:40,400
Let me retrieve all server data on this one.

76
00:03:40,400 --> 00:03:44,000
I've got a machine in a warning state that I want to take a look at as well.

77
00:03:44,000 --> 00:03:49,620
And that's kind of problematic to get the IPAM access status to be unblocked.

78
00:03:49,620 --> 00:03:52,530
Fortunately, we don't have to worry about that for our exam,

79
00:03:52,530 --> 00:03:56,410
but you need that IPAM access status to be unblocked in order

80
00:03:56,410 --> 00:03:59,980
for IPAM to probe and report on that machine.

81
00:03:59,980 --> 00:04:02,420
Then we retrieve data from managed servers,

82
00:04:02,420 --> 00:04:07,020
and clicking that link kicks off another scheduled task that does a data pull.

83
00:04:07,020 --> 00:04:10,130
So we can see walking through the IPAM console here

84
00:04:10,130 --> 00:04:14,130
we've got our SERVER INVENTORY, we have our IP ADDRESS SPACE,

85
00:04:14,130 --> 00:04:18,190
starting with our IP Blocks, and you get a measure of utilization,

86
00:04:18,190 --> 00:04:20,450
and you can look at utilization trends.

87
00:04:20,450 --> 00:04:23,180
Mine is obviously very quiet, and it's quite new,

88
00:04:23,180 --> 00:04:25,140
so there's really not much to see.

89
00:04:25,140 --> 00:04:29,590
I have this 100 to 199 DHCP scope that I've set up.

90
00:04:29,590 --> 00:04:33,040
When you right-click this IPv4 address block,

91
00:04:33,040 --> 00:04:35,610
we've got some pretty useful options here.

92
00:04:35,610 --> 00:04:39,640
We can edit the range, we can create a reverse lookup zone,

93
00:04:39,640 --> 00:04:42,880
import and update IP addresses, and what I like a lot,

94
00:04:42,880 --> 00:04:45,490
find and allocate an available IP address.

95
00:04:45,490 --> 00:04:48,850
How many times have you needed to do a reservation,

96
00:04:48,850 --> 00:04:52,570
a DHCP client reservation for say a network printer?

97
00:04:52,570 --> 00:04:54,230
And I don't know if you use ping,

98
00:04:54,230 --> 00:04:59,390
however you try to figure out whether that IP is available in your network.

99
00:04:59,390 --> 00:05:02,750
So this wizard, this Find and Allocate Available IP Address,

100
00:05:02,750 --> 00:05:06,540
it is using ping actually and DNS record lookups,

101
00:05:06,540 --> 00:05:09,030
but allows us to create a configuration,

102
00:05:09,030 --> 00:05:12,210
as you can see here, including expiry and so on,

103
00:05:12,210 --> 00:05:13,430
owner, serial numbers,

104
00:05:13,430 --> 00:05:17,780
so you can do a lot of tracking on those IP addresses on how

105
00:05:17,780 --> 00:05:21,690
they interact with your DNS and DHCP servers.

106
00:05:21,690 --> 00:05:23,750
We can look at our IP Address Inventory.

107
00:05:23,750 --> 00:05:25,440
Under MONITOR AND MANAGE,

108
00:05:25,440 --> 00:05:28,340
this is where you can get into some basic server management.

109
00:05:28,340 --> 00:05:33,440
So what I want you to see here is under DNS and DHCP Servers I've got the one,

110
00:05:33,440 --> 00:05:35,270
dc1, that's doing both.

111
00:05:35,270 --> 00:05:39,360
And we can look at the detailed view down below to look at policy and setup.

112
00:05:39,360 --> 00:05:41,000
We can filter the view up here.

113
00:05:41,000 --> 00:05:43,200
So this is useful if you have quite a few servers.

114
00:05:43,200 --> 00:05:46,530
You can say just show me DHCP, just show me DNS.

115
00:05:46,530 --> 00:05:51,510
When we right-click, you can do some basic service configuration,

116
00:05:51,510 --> 00:05:55,620
as you can see here, creating a scope, editing the server properties.

117
00:05:55,620 --> 00:05:58,370
It's a different user interface from what you see in the

118
00:05:58,370 --> 00:06:00,780
Microsoft Management Console as a matter of fact,

119
00:06:00,780 --> 00:06:03,300
so you may like this interface more.

120
00:06:03,300 --> 00:06:04,110
But lastly,

121
00:06:04,110 --> 00:06:08,850
you'll find if you want to open the old school MMC for your DHCP or DNS,

122
00:06:08,850 --> 00:06:12,010
you can right-click and go to Launch MMC,

123
00:06:12,010 --> 00:06:16,330
and that will kick up the good old-school MMC console that

124
00:06:16,330 --> 00:06:18,360
you might already be accustomed to using.

125
00:06:18,360 --> 00:06:20,750
And that same thing goes with DNS.

126
00:06:20,750 --> 00:06:24,390
We can look at zones, we can add resource records,

127
00:06:24,390 --> 00:06:26,080
we can edit the zone,

128
00:06:26,080 --> 00:06:30,940
and then as a convenience we have a filter in the Windows Event Log that

129
00:06:30,940 --> 00:06:34,350
is showing us just IPAM-related configuration events,

130
00:06:34,350 --> 00:06:35,240
which is useful.

131
00:06:35,240 --> 00:06:36,790
And then lastly, lastly,

132
00:06:36,790 --> 00:06:41,400
we've got besides our IPAM and DHCP configuration events,

133
00:06:41,400 --> 00:06:43,490
you can do IP address tracking.

134
00:06:43,490 --> 00:06:47,420
So if you're looking for the lifecycle of a particular IP address

135
00:06:47,420 --> 00:06:50,830
or by client ID or by hostname or by username,

136
00:06:50,830 --> 00:06:53,740
you can do some reporting right from within the console.

137
00:06:53,740 --> 00:06:55,690
So long story short, in summary,

138
00:06:55,690 --> 00:06:58,440
it's nice that we have this IP Address Management

139
00:06:58,440 --> 00:07:00,590
capability built into Windows Server.

140
00:07:00,590 --> 00:07:03,690
You can't beat the price. It's free with your license.

141
00:07:03,690 --> 00:07:04,640
On the other hand,

142
00:07:04,640 --> 00:07:08,700
some pain points include that we don't have a centralized command and control

143
00:07:08,700 --> 00:07:13,380
where we can share and synchronize IPAM databases on multiple servers, and I

144
00:07:13,380 --> 00:07:17,960
also find that getting data out of here in the console is fairly problematic,

145
00:07:17,960 --> 00:07:26,000
so you want to turn to PowerShell and administrative scripting to actually create CSVs and outputs of this data.