70-412: Configuring Advanced Windows Server 2012 Services
Course 01 - Network Services
Slide 1
DHCP | DNS | IPAM
Slide 2
Allocates IP addresses and configuration to clients
When IP properties change, you only need to change them in a single location:
o DNS servers
o Gateway
o Additional properties
Tracks all clients and the IP address allocation
DHCP client:
o Any device that can request and obtain IP address configuration from a DHCP server
• PCs
• Laptops
• Printers
• Mobile devices
• Switches
• Network boot clients
Slide 3
DHCP Server service
o Runs on the server; the matching DHCP Client service runs on every client
o Starts automatically at Windows boot
o Responsible for IP address allocation
DHCP database
o Contains all configuration data
o Information regarding the IP addresses leased
o Default location: %SystemRoot%\System32\dhcp
DHCP console
o Main administration tool
o Can be installed on Windows 8 clients with RSAT
DHCP authorization
o The server must be authorized in Active Directory by a member of Enterprise Admins (or a delegated account)
o The DHCP Server service shuts down if the server is not authorized
Slide 4
Scope: range of IP addresses and related information
o Must have:
• Name
• Description (optional in the wizard, but expected by most administrators)
• Range of addresses
• Subnet mask
o Optional configuration:
• IP addresses to be excluded
• Duration of the lease
• DHCP options
Options:
o Default gateway
o DNS servers
o Domain suffix
o WINS/NBNS
o Option levels (the most specific level wins):
• Server (global)
• Scope
• Class ID
• Reservation
You can configure multiple scopes, but the server must be directly connected to each subnet it serves, or reachable from that subnet through a DHCP relay agent.
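The following PowerShell is added here as an illustration and is not part of the course material. It performs the authorization and the scope build-out described on Slides 3 and 4 with the DhcpServer module, and shows one option at each of the four option levels so the precedence rule is visible. The server name dhcp1.corp.contoso.com, the 10.10.20.0/24 range, the printer MAC address and the VoIPPhones user class are assumptions.

```powershell
# Added example (not from the course slides): authorize a DHCP server in AD,
# then build a scope with an exclusion range, a lease duration, and options at
# the server, scope, class and reservation levels. All names and addresses
# are assumptions. Requires the DhcpServer module (RSAT-DHCP); Add-DhcpServerInDC
# needs Enterprise Admins rights.
Import-Module DhcpServer

$dhcpServer = 'dhcp1.corp.contoso.com'   # assumed server FQDN
$dhcpIp     = '10.10.0.5'                # assumed server address
$scopeId    = '10.10.20.0'               # scope ID is the network address

# 1. Authorization: an unauthorized Windows DHCP server shuts its service down.
if (-not (Get-DhcpServerInDC | Where-Object DnsName -eq $dhcpServer)) {
    Add-DhcpServerInDC -DnsName $dhcpServer -IPAddress $dhcpIp
}

# 2. Scope: name, range and mask are mandatory; description and lease are optional.
Add-DhcpServerv4Scope -Name 'Workstations-VLAN20' -Description 'Client VLAN 20' `
    -StartRange '10.10.20.10' -EndRange '10.10.20.250' -SubnetMask '255.255.255.0' `
    -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Exclude addresses that are statically assigned to printers and infrastructure.
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange '10.10.20.10' -EndRange '10.10.20.29'

# 3. Options at each level. More specific levels override less specific ones:
#    reservation > class > scope > server.
# Server level: DNS servers and suffix used by every scope unless overridden.
Set-DhcpServerv4OptionValue -DnsServer '10.10.0.10','10.10.0.11' -DnsDomain 'corp.contoso.com'
# Scope level: the default gateway is specific to this subnet.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router '10.10.20.1'
# Class level: a user class lets IP phones receive their own option set
# (option 66, boot server host name) without affecting other clients.
Add-DhcpServerv4Class -Name 'VoIPPhones' -Type User -Data 'VoIPPhones' -Description 'IP phone user class'
Set-DhcpServerv4OptionValue -ScopeId $scopeId -UserClass 'VoIPPhones' -OptionId 66 -Value 'tftp.corp.contoso.com'
# Reservation level: a fixed address tied to a MAC, with its own DNS server option.
Add-DhcpServerv4Reservation -ScopeId $scopeId -IPAddress '10.10.20.100' `
    -ClientId '00-15-5D-01-02-03' -Name 'print-floor2.corp.contoso.com' -Description 'Floor 2 printer'
Set-DhcpServerv4OptionValue -ReservedIP '10.10.20.100' -DnsServer '10.10.0.10'

# Read back the effective option values for the scope.
Get-DhcpServerv4OptionValue -ScopeId $scopeId -All | Format-Table OptionId, Name, Value
```

The authorization check at the top is what an engineer should run before troubleshooting a "no leases" report: a server that appears in the console but not in Get-DhcpServerInDC will never answer a DISCOVER.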
Slide 5
Configuration is obtained through broadcast
Leases last 8 days by default
o Administrator can define a different duration
At 50% of the lease duration the client attempts renewal (directly with the server that issued the lease)
Renewal is also attempted during the startup process
Lease process (DORA):
o Client broadcasts a request (DHCPDISCOVER)
o Server offers IP configuration (DHCPOFFER)
o Client requests the offered configuration (DHCPREQUEST)
o Server acknowledges the lease (DHCPACK)
Slide 6
Super scopes
Multicast scopes
DHCPv6
DHCP high availability
o Failover
o Split scopes
DHCP Name Protection
Slide 7
DHCP option 81 (client FQDN option) lets the DHCP server own the client's DNS records
o Creation
o Deletion
Configured on the DNS tab
• Properties of the IPv4 protocol node (server-wide default)
• Per scope (overrides the server setting)
Dynamic update behaviour:
• Update A and PTR records only if requested by the client (default): the client registers its own host (A) record and the DHCP server registers the PTR record
• Always update A and PTR records: the DHCP server registers both
• Discard A and PTR records when the lease is deleted or expires (enabled by default)
• Dynamically update records for clients that do not request updates (older clients that do not send option 81)
Slide 8
Super scopes:
o Collection of scopes
• Grouped together for administrative reasons
• The subnets must be able to be combined into one logical subnet (multinet)
• Two or more scopes must already exist
• Created with the New Superscope wizard
• Useful when moving clients to a new subnet transparently
Benefits
o Allows you to "expand" a scope when it runs out of addresses
Multinetting
o Adding a second scope on the same physical network
o Clients end up on a different logical subnet
o Routers must be configured to route between the logical subnets
Slide 9
Multicast scopes (also called MADCAP scopes)
o Multicast Address Dynamic Client Allocation Protocol
o Applications must support the MADCAP API
Collection of class D addresses
o 224.0.0.0 to 239.255.255.255
Used when an application needs to communicate with more than one client simultaneously
Multiple hosts listen for traffic sent to the same IP address
Applications reserve a multicast IP address
o Data and content delivery
WDS multicast deployment is a good example of a multicast scope consumer
Slide 10
Configurations supported
o Stateless
• Router advertisements assign the IPv6 address automatically
• DHCPv6 supplies only the other configuration (DNS servers, search list)
o Stateful
• DHCPv6 server assigns the IP address and the other configuration data
Scope properties
o Name/Description
o Preference
• Tells DHCPv6 clients which server to prefer when several respond
o Valid/Preferred lifetimes
• Length of the address lease
o Prefix
• Analogous to the IPv4 address range; defines the network ID
o DHCP options
• DNS servers, domain search list, etc. (there is no gateway option in DHCPv6; the default route comes from router advertisements)
o Exclusions
• Single addresses or blocks of addresses that will not be offered
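The following PowerShell is added here as an illustration and is not part of the course material. It extends the same DHCP server with the three scope types covered on Slides 8 to 10: a superscope that joins a second logical subnet to a full one, a MADCAP scope for a WDS multicast deployment, and a stateful DHCPv6 scope. The scope names, the 10.10.20.0/24 and 10.10.21.0/24 ranges, the 239.192.10.0/24 multicast block and the 2001:db8:10:20::/64 prefix are assumptions.

```powershell
# Added example (not from the course slides): superscope, MADCAP scope and
# stateful DHCPv6 scope. All addresses, names and prefixes are assumptions.
Import-Module DhcpServer

# Superscope: the 10.10.20.0/24 scope is full, so a second logical subnet is
# added on the same wire and both are grouped. The router on that VLAN must
# have an interface (or secondary address) in both subnets and route between them.
Add-DhcpServerv4Scope -Name 'Workstations-VLAN20-B' -StartRange '10.10.21.10' `
    -EndRange '10.10.21.250' -SubnetMask '255.255.255.0' -State Active
Set-DhcpServerv4OptionValue -ScopeId '10.10.21.0' -Router '10.10.21.1'
Add-DhcpServerv4Superscope -SuperscopeName 'VLAN20-Multinet' -ScopeId '10.10.20.0','10.10.21.0'

# Multicast (MADCAP) scope: a class D range for WDS multicast transmissions.
# Only MADCAP-aware applications ask for these addresses; ordinary DHCP clients
# never receive them. The TTL bounds how far the multicast traffic can be routed.
Add-DhcpServerv4MulticastScope -Name 'WDS-Multicast' -StartRange '239.192.10.1' `
    -EndRange '239.192.10.254' -Ttl 32 -LeaseDuration (New-TimeSpan -Days 30) -State Active

# Stateful DHCPv6 scope: the prefix replaces the IPv4 range; Preference (0-255,
# higher wins) tells clients which server to use when several answer.
Add-DhcpServerv6Scope -Prefix '2001:db8:10:20::' -Name 'Workstations-VLAN20-v6' `
    -Preference 100 -PreferredLifetime (New-TimeSpan -Days 8) `
    -ValidLifetime (New-TimeSpan -Days 12) -State Active
# Exclude the low addresses reserved for routers and infrastructure.
Add-DhcpServerv6ExclusionRange -Prefix '2001:db8:10:20::' `
    -StartRange '2001:db8:10:20::1' -EndRange '2001:db8:10:20::ff'
# DHCPv6 hands out DNS servers and the search list. There is no gateway option:
# the default route comes from the router advertisement, so the router's
# M/O flags must be set for clients to contact DHCPv6 at all.
Set-DhcpServerv6OptionValue -Prefix '2001:db8:10:20::' `
    -DnsServer '2001:db8:10::10' -DomainSearchList 'corp.contoso.com'

# Verify the result.
Get-DhcpServerv4Superscope
Get-DhcpServerv4MulticastScope
Get-DhcpServerv6Scope
```

Note that the multicast scope and the superscope live in the same DHCP server but serve different consumers; a client that receives a class D address from anything other than a MADCAP request is a sign of a misconfigured scope.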
Slide 11
African Network Information Centre (AfriNIC) for Africa
Asia-Pacific Network Information Centre (APNIC) for Asia, Australia, New Zealand, and neighboring countries
American Registry for Internet Numbers (ARIN) for Canada, many Caribbean and North Atlantic islands, and the United States
Latin America and Caribbean Network Information Centre (LACNIC) for Latin America and parts of the Caribbean region
Réseaux IP Européens Network Coordination Centre (RIPE NCC) for Europe, Russia, the Middle East, and Central Asia
Slide 12
Protects names registered by DHCP in DNS
o Ensures they are not overwritten
o Includes names that are statically assigned
• UNIX-based systems
Name squatting
o Conflict when one client registers a name with DNS that is already registered by a different client
o Resource record used: DHCID (Dynamic Host Configuration Identifier)
• Tracks the client that originally requested the name
• When a machine already has a name for an IP address and DHCP receives a request for that name:
• The DHCID record stored in DNS is compared with the identity of the requesting machine
• If the requester is not the original machine, the record is not updated
The DHCP server refers to the DHCID records before it updates DNS.
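The following PowerShell is added here as an illustration and is not part of the course material. It configures the DNS-tab behaviour from Slide 7 (option 81 handling, record clean-up) at the server level and then, for one scope, the Name Protection behaviour from Slide 12, and finishes by listing the DHCID records that Name Protection creates. The scope 10.10.20.0, the DNS server dns1.corp.contoso.com, the zone corp.contoso.com and the service account CORP\svc-dhcp-dns are assumptions.

```powershell
# Added example (not from the course slides): DHCP dynamic DNS update settings
# (option 81) plus Name Protection. Scope, server, zone and account names
# are assumptions. Requires the DhcpServer and DnsServer modules.
Import-Module DhcpServer
Import-Module DnsServer
$scopeId = '10.10.20.0'

# Server-wide default (IPv4 protocol node, DNS tab): register only when the
# client asks via option 81, and remove both records when the lease goes away.
Set-DhcpServerv4DnsSetting -DynamicUpdates OnClientRequest `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $false `
    -NameProtection $false

# Scope override for a BYOD scope: the DHCP server owns both A and PTR
# (Always) and Name Protection is on. With NameProtection the server registers
# a DHCID record next to the A/PTR pair; a later registration of the same name
# from a different client is refused because its identity does not match.
Set-DhcpServerv4DnsSetting -ScopeId $scopeId `
    -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true `
    -NameProtection $true

# Register as a dedicated low-privilege account rather than the DHCP server's
# computer account, so the records are owned by one well-known principal.
$cred = Get-Credential -Message 'DHCP DNS registration account (assumed CORP\svc-dhcp-dns)'
Set-DhcpServerDnsCredential -Credential $cred

# Verify the effective scope settings, then look for DHCID records in the zone.
Get-DhcpServerv4DnsSetting -ScopeId $scopeId
Get-DnsServerResourceRecord -ComputerName 'dns1.corp.contoso.com' `
    -ZoneName 'corp.contoso.com' -RRType DhcId |
    Select-Object HostName, Timestamp
```

If the DHCID query returns nothing after clients renew, the usual cause is that the DHCP server is not a member of the DnsUpdateProxy group or the registration account has no write permission on the zone; Name Protection silently does nothing when the server cannot write the DHCID record.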
Slide 13
Delegating administration
DNS logging
DNS security
o DNSSEC
o DNS socket pool
o Cache locking
Recursion
Netmask ordering
GlobalNames zone
Slide 14
Delegation
o Domain Admins: full permissions on all DNS servers in their home domain
o Enterprise Admins: full permissions on all DNS servers in any domain of the forest
o DnsAdmins: group in each domain
• All DNS permissions
• Domain local group
• No members by default
Slide 15
Default location of the log file
o %windir%\System32\DNS
Events logged
o Starting and stopping the DNS service
o Background loading and zone signing
o DNS configuration changes
o Warnings and error events
Verbose (debug) logging
o Direction of packets
o Contents of packets
o Transport protocol used
o Type of request
o Filtering based on IP address
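The following PowerShell is added here as an illustration and is not part of the course material. It raises the event-log level and enables the verbose debug log described above, but filters it to a single client address and bounds the file size so the log does not fill the disk of a busy resolver. The server name dns1.corp.contoso.com, the client 10.10.20.77 and the log path are assumptions.

```powershell
# Added example (not from the course slides): DNS event logging plus a filtered,
# size-bounded debug log. Server name, client address and path are assumptions.
Import-Module DnsServer
$dns = 'dns1.corp.contoso.com'

# Event log level: 0 = none, 1 = errors, 2 = errors and warnings, 4 = all events.
Set-DnsServerDiagnostics -ComputerName $dns -EventLogLevel 4

# Debug log: queries and answers, both directions, UDP and TCP, full packet
# contents, but only for packets to or from 10.10.20.77. The filter is what
# keeps this usable during an investigation of one suspicious host.
Set-DnsServerDiagnostics -ComputerName $dns `
    -Queries $true -Answers $true -Notifications $true -Update $true `
    -SendPackets $true -ReceivePackets $true `
    -UdpPackets $true -TcpPackets $true `
    -QuestionTransactions $true -FullPackets $true `
    -FilterIPAddressList '10.10.20.77' `
    -EnableLoggingToFile $true `
    -LogFilePath 'C:\DnsLogs\dns-debug.log' `
    -MaxMBFileSize 500000000 `
    -EnableLogFileRollover $true `
    -SaveLogsToPersistentStorage $true

# Confirm what is now enabled.
Get-DnsServerDiagnostics -ComputerName $dns

# When the investigation is over, switch every debug option off again; full
# packet logging costs CPU and disk on a production resolver.
# Set-DnsServerDiagnostics -ComputerName $dns -All $false
```

The MaxMBFileSize parameter takes the size in bytes despite its name (the default shown by Get-DnsServerDiagnostics is 500000000), which is why the value above is written out in full.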
Slide 16
DNSSEC
DNS socket pool
DNS cache locking
Slide 17
DNS attack examples:
o Spoofing
o Cache tampering (cache poisoning)
DNSSEC digitally signs all DNS records in a zone, so that resolvers and client computers can validate responses.
Slide 18
Trust anchors
o Public keys (or hashes of them) for a signed zone, stored on the validating DNS server (in the TrustAnchors zone on a Windows DNS server)
o Must be configured on all DNS servers participating in DNSSEC validation
o Authoritative entry point for validation, represented by a public key
o Represented by a DNSKEY or DS resource record
Resolvers
o Use trust anchors to retrieve public keys and build the chain of trust
NRPT (Name Resolution Policy Table)
o Contains rules that control the client's behaviour for queries and responses
o Instructs the client computer to require validation of responses for a particular DNS domain suffix
o Typically deployed by Group Policy
o If there is no NRPT rule for a suffix, the client computer accepts responses without requiring validation
Slide 19
Install Windows Server 2012 and add the DNS Server role to the server. Typically, a domain controller also acts as the DNS server, but this is not a requirement.
Sign the DNS zone by using the DNSSEC Configuration Wizard, which is located in the DNS console.
Configure trust anchor distribution points.
Configure the NRPT on the client computers.
Slide 20
Configurable settings
o KSK options (Key Signing Key)
• Default key length 2048 bits
• Maximum key length 4096 bits
• Default algorithm RSA/SHA-256
• DNSKEY signatures valid for 7 days
• DNS Server 2012 creates an extra standby key automatically for emergency rollover
o ZSK options (Zone Signing Key)
• Default rollover period 90 days
• Default key length 1024 bits
o Trust anchor distribution points
o Signing and polling parameters
Every signed zone has multiple DNS keys, divided into ZSKs and KSKs.
Slide 21
Key Master role is extended to file-backed multi-master zones
o Previously supported only for AD-integrated zones
Enhanced to isolate the key management process from primary DNS servers that are not the key master for the zone
o Only the key master can initiate the key lifecycle:
• Key generation
• Key storage
• Key rollover
• Key retirement
• Key deletion
DNSSEC key separation is accomplished by generating and storing keys on a Cryptography Next Generation (CNG) compliant offline storage module, such as an HSM
Slide 22
DNSKEY
o Publishes the public key for the zone
o Used by resolvers to verify the signatures on responses
o Must be replaced during key rollovers
DS (Delegation Signer)
o Delegation record that contains a hash of the child zone's public key (its KSK)
o Signed by the parent's private key
o If both the child and the parent zone are signed, the DS record for the child must be added to the parent so that a chain of trust can be created
RRSIG
o Resource record signature for a set of DNS records (an RRset)
o Used to verify the authenticity of a response
NSEC (Next Secure)
o Returned when the DNS response has no data to provide to the client
o Authenticates that the name or record type does not exist
NSEC3
o Hashed version of the NSEC record
o Makes zone enumeration (walking the zone alphabetically from one NSEC record to the next) much harder
Slide 23
Configure zone parameters (custom signing settings)
Sign the zone with the parameters of an existing signed zone
Use recommended (default) settings
Zones can be unsigned by using the DNSSEC management interface to remove the zone signatures.
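The following PowerShell is added here as an illustration and is not part of the course material. It walks the DNSSEC procedure from Slides 19 to 23 end to end on the command line: sign the zone with the recommended settings, inspect the DNSKEY, RRSIG and NSEC3 records that signing produced, export the trust anchor and import it on a caching resolver that is not authoritative, require validation on a client through the NRPT, and confirm with a DO-bit query. The zone corp.contoso.com, the servers dc1.corp.contoso.com and dns-cache1.corp.contoso.com, and the C:\DnsSec path are assumptions.

```powershell
# Added example (not from the course slides): sign a zone, inspect the DNSSEC
# records, distribute the trust anchor, enforce validation on clients, verify.
# Zone, server names and paths are assumptions. Requires the DnsServer module;
# Add-DnsClientNrptRule runs on the client (or in a GPO in practice).
Import-Module DnsServer
$zone      = 'corp.contoso.com'
$keyMaster = 'dc1.corp.contoso.com'         # authoritative, holds the key master role
$resolver  = 'dns-cache1.corp.contoso.com'  # caching resolver that only validates

# 1. Sign with the wizard's recommended defaults (KSK 2048-bit RSA/SHA-256,
#    ZSK 1024-bit, NSEC3 denial of existence).
Invoke-DnsServerZoneSign -ComputerName $keyMaster -ZoneName $zone -SignWithDefault -Force

# Keep NSEC3 (no zone walking) and let the server push the trust anchor to
# every other DNS server in the forest that runs on a domain controller.
Set-DnsServerDnsSecZoneSetting -ComputerName $keyMaster -ZoneName $zone `
    -DenialOfExistence NSec3 -DistributeTrustAnchor DnsKey

# 2. What signing produced: the keys, then a sample of each new record type.
Get-DnsServerSigningKey -ComputerName $keyMaster -ZoneName $zone |
    Format-Table KeyType, KeyLength, CryptoAlgorithm, RolloverPeriod, KeyStorageProvider
foreach ($type in 'DnsKey', 'RRSig', 'NSec3') {
    Get-DnsServerResourceRecord -ComputerName $keyMaster -ZoneName $zone -RRType $type |
        Select-Object -First 2 HostName, RecordType, TimeToLive
}

# 3. Trust anchor distribution. Export the DNSKEY set (keyset-<zone>) and a
#    DS set (dsset-<zone>, for the parent zone operator), then import the
#    DNSKEY set on the resolver, which is not authoritative and therefore
#    never learns the key through AD replication. The path is interpreted on
#    the server the cmdlet targets, so copy the file there first.
Export-DnsServerDnsSecPublicKey -ComputerName $keyMaster -ZoneName $zone -Path 'C:\DnsSec' -Force
Export-DnsServerDnsSecPublicKey -ComputerName $keyMaster -ZoneName $zone -Path 'C:\DnsSec' -DigestType Sha256 -Force
Import-DnsServerTrustAnchor -ComputerName $resolver -KeySetFile "C:\DnsSec\keyset-$zone"
Get-DnsServerTrustAnchor -ComputerName $resolver -Name $zone

# 4. Client side: without an NRPT rule a client accepts unvalidated answers.
#    This rule (normally delivered by Group Policy) makes the suffix require
#    validation, so a forged answer for the zone is rejected.
Add-DnsClientNrptRule -Namespace ".$zone" -DnsSecEnable -DnsSecValidationRequired `
    -Comment 'Require DNSSEC validation for the corporate zone'

# 5. Verify: with the DO bit set the resolver returns RRSIGs with the answer.
Resolve-DnsName -Name "www.$zone" -Type A -Server $resolver -DnssecOk |
    Format-Table Name, Type, TTL, Section

# Rolling back is a single call; it removes the signatures and the NSEC3 chain.
# Invoke-DnsServerZoneUnsign -ComputerName $keyMaster -ZoneName $zone -Force
```

The important operational check is step 3: a resolver that validates but has no trust anchor for the zone returns SERVFAIL for every name in it once the NRPT rule is in place, which is the usual cause of a "DNSSEC broke name resolution" ticket.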
Slide 24
Controls when cached DNS information can be overwritten
How long the DNS server caches information is based on the record's TTL value
Prevents entries in the server's cache from being overwritten before their TTL expires, which would let an attacker redirect traffic
Configured as a percentage value
o A value of 50 ensures that the DNS server does not overwrite a cached entry for half the duration of its TTL
o Default cache locking value is 100 (an entry cannot be overwritten until its TTL expires)
Slide 25
Allows source port randomization for DNS queries
When the service starts, the source ports are pre-allocated at random from the socket pool
Default size of the socket pool is 2,500
o Values can range from 0 to 10,000
o The larger the value, the greater the protection against cache poisoning
o An exclusion list of port ranges can be configured
Dnscmd /Config /SocketPoolSize <value>
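The following PowerShell is added here as an illustration and is not part of the course material. It applies the three cache-hardening controls from Slides 13, 24 and 25 to one server: confirm and set cache locking, enlarge the socket pool and exclude a port range, and disable recursion on a server that should only answer for its own zones. The server name dns1.corp.contoso.com and the excluded range 5353-5355 are assumptions.

```powershell
# Added example (not from the course slides): cache locking, socket pool and
# recursion on a DNS server. Server name and excluded port range are assumptions.
Import-Module DnsServer
$dns = 'dns1.corp.contoso.com'

# Cache locking: percentage of the TTL during which a cached RRset cannot be
# replaced by an unsolicited or spoofed answer. 100 (the default) is the
# strongest setting; lowering it only helps when you need faster convergence
# after a record change, at the cost of a wider poisoning window.
Get-DnsServerCache -ComputerName $dns | Select-Object LockingPercent
Set-DnsServerCache -ComputerName $dns -LockingPercent 100

# Socket pool: number of UDP source ports pre-allocated at start-up so each
# outbound query uses an unpredictable port (0 disables randomization,
# maximum 10000). Windows Server 2012 configures it through dnscmd; the
# current values can be read back with Get-DnsServerSetting -All.
& dnscmd.exe $dns /Config /SocketPoolSize 5000
# Exclude a range another service on the same host listens on (assumed 5353-5355).
& dnscmd.exe $dns /Config /SocketPoolExcludedPortRanges 5353-5355
Get-DnsServerSetting -ComputerName $dns -All |
    Select-Object SocketPoolSize, SocketPoolExcludedPortRanges

# Recursion: an authoritative-only server has no reason to resolve names for
# the internet. Disabling recursion removes it as an open-resolver
# amplification target and shrinks the cache an attacker could poison.
Set-DnsServerRecursion -ComputerName $dns -Enable $false
Get-DnsServerRecursion -ComputerName $dns

# The socket pool settings take effect when the DNS Server service restarts.
Invoke-Command -ComputerName $dns -ScriptBlock { Restart-Service -Name DNS }
```

Do not disable recursion on a server that clients use as their resolver; that server needs recursion and should instead be protected by the socket pool, cache locking and, where possible, DNSSEC validation.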
Slide 26
Stale records (records left behind)
o Hosts taken off the network without cleaning up their records
o Take up space in the database
o Cause incorrect query responses
Typical behaviour
o Client refreshes its DNS record every 24 hours or upon startup
Enable aging and scavenging
o Advanced properties of the DNS server
o Choose for which zones
o Disabled by default
Parameters
o No-refresh interval: period after the last refresh during which the client cannot refresh the record's timestamp
• Default 7 days
o Refresh interval: period after the no-refresh interval during which the client can refresh the record; once both intervals have elapsed without a refresh, the record is eligible for scavenging
• Default 7 days
Records manually added have a timestamp of 0 and are not affected by this process.
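The following PowerShell is added here as an illustration and is not part of the course material. It enables aging on one zone with the default 7-day intervals, restricts scavenging to one server, enables the server-side scavenging job, and lists the dynamic records that are already past the no-refresh plus refresh window before anything is deleted. The zone corp.contoso.com, the server dns1.corp.contoso.com and the scavenging server address 10.10.0.10 are assumptions.

```powershell
# Added example (not from the course slides): aging on a zone, scavenging on
# the server, and a preview of the records that would be removed.
# Zone and server names are assumptions.
Import-Module DnsServer
$zone = 'corp.contoso.com'
$dns  = 'dns1.corp.contoso.com'

# Zone-level aging: no-refresh 7 days, then refresh 7 days. A dynamic record
# whose timestamp is older than the sum (14 days) is eligible for scavenging.
# ScavengeServers limits which DNS server is allowed to delete from this zone,
# so only one server's clock and schedule decide what disappears.
Set-DnsServerZoneAging -ComputerName $dns -Name $zone -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Days 7) `
    -RefreshInterval   (New-TimeSpan -Days 7) `
    -ScavengeServers   '10.10.0.10'

# Server-level scavenging: the periodic job that actually deletes stale
# records. It is disabled by default; 7 days is the usual interval.
Set-DnsServerScavenging -ComputerName $dns -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7)

# Preview: dynamic records (timestamp present) older than both intervals.
# Static records have no timestamp and are never scavenged.
$aging  = Get-DnsServerZoneAging -ComputerName $dns -Name $zone
$window = $aging.NoRefreshInterval.TotalDays + $aging.RefreshInterval.TotalDays
$cutoff = (Get-Date).AddDays(-$window)
Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Select-Object HostName, Timestamp, @{ n = 'Address'; e = { $_.RecordData.IPv4Address } }

# Run a scavenging pass now instead of waiting for the interval to elapse.
Start-DnsServerScavenging -ComputerName $dns -Force
```

Run the preview before the first Start-DnsServerScavenging on a zone that has never been scavenged: records that were converted from static to dynamic, or imported from another server, can carry very old timestamps and will all be removed in the first pass.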
Slide 27
Primary zones (file-backed)
o Zone file located in %SystemRoot%\System32\DNS
o One zonename.dns file per zone, for example Mayfieldcorner.dns
o Back up manually by copying the file
AD-integrated zones (zone data lives in AD DS, no zone file on disk)
o Command prompt, run as administrator
• RUN: dnscmd /ZoneExport <zone name> <zone file name>
• Zone name: the DNS zone name, for example mayfieldcornerllc.com
• File name: the backup file name
• Zone data is exported as a text zone file to %SystemRoot%\System32\DNS
o PowerShell:
• Export-DnsServerZone -Name mayfieldcornerllc.com -FileName MayfieldCornerBackup
The exported file is plain text listing every host in the zone; store it with the same access controls as the zone itself.
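A backup routine built on Export-DnsServerZone, added here as an example (it is not part of the course material): it exports every non-automatic primary zone on a server, whether file-backed or AD-integrated, moves the files to a backup share and records a SHA-256 manifest so a later restore can be checked against what was saved. DNS01 and \\backup01\dnszones are placeholders; Get-FileHash needs PowerShell 4.0 (Windows Server 2012 R2).

```powershell
# Added example, not course code. Server and share names are assumptions.
Import-Module DnsServer

$Server     = 'DNS01'                          # assumed DNS server
$BackupRoot = '\\backup01\dnszones'            # assumed share; ACL it to DNS admins only
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$ExportDir  = "\\$Server\admin$\System32\DNS"  # where Export-DnsServerZone writes on the server

# Export works for file-backed and AD-integrated primaries alike. Skip auto-created
# zones (0.in-addr.arpa, 127.in-addr.arpa, 255.in-addr.arpa) and secondaries/stubs,
# whose authoritative copy lives elsewhere.
$zones = Get-DnsServerZone -ComputerName $Server |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$manifest = foreach ($z in $zones) {
    $file = "$($z.ZoneName)_$Stamp.dns"
    Export-DnsServerZone -Name $z.ZoneName -FileName $file -ComputerName $Server

    $src = Join-Path $ExportDir $file
    Copy-Item -Path $src -Destination $BackupRoot
    Remove-Item -Path $src     # do not leave a second plaintext copy on the DNS server

    [pscustomobject]@{
        Zone         = $z.ZoneName
        DsIntegrated = $z.IsDsIntegrated
        File         = $file
        SHA256       = (Get-FileHash -Path (Join-Path $BackupRoot $file) -Algorithm SHA256).Hash
    }
}

$manifest | Export-Csv -Path (Join-Path $BackupRoot "manifest_$Stamp.csv") -NoTypeInformation
$manifest | Format-Table -AutoSize
```

Keep the manifest somewhere the DNS admins cannot silently rewrite (a write-once log or a separate share); the hash is only useful if it is independent of the files it describes.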
Slide 28
Forwarding
o Forward DNS requests that can't be resolved locally to other DNS servers
Conditional forwarders
o Queries for specific DNS suffixes are forwarded to specific DNS servers
Stub zones
o Replicated copy of only the resource records that identify the authoritative DNS servers for a domain
• SOA record
• NS records and their glue A records
• IP of the master server the stub zone loads from
Netmask ordering
o When a name has several A records, the server returns first the address closest to the querying client's own subnet, based on the source IP of the query
Recursion
o When a local DNS server queries other DNS servers on behalf of a client to find an authoritative answer; the answer is then returned to the client that requested it
o A server that answers recursive queries for anyone on the Internet is an open resolver and can be abused for reflection and amplification attacks; disable recursion on servers that only need to be authoritative
Slide 29
Created with the New Zone wizard (stub zone)
Can be stored in AD DS
Replication scope choices:
o All DNS servers in the domain
o All DNS servers in the forest
Master servers
o Servers that hold the copy of the zone from which the stub zone loads its records
o Usually the server with the primary zone for the delegated domain name
Slide 30
GlobalNames zone (GNZ)
Used for single-label names
Names are unique forest wide
Allows WINS to be decommissioned
The zone and its records are created manually (CNAME records pointing at the host's real FQDN)
The zone does not support dynamic name registration
When a single-label host name is resolved, the client's DNS domain name is appended first; by default the server consults the GlobalNames zone only when that suffix-based lookup fails
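The resolution paths from slides 28 to 30 (forwarders, a conditional forwarder, a stub zone, the GlobalNames zone and the recursion setting) configured on one server and then verified, as an added example that is not part of the course material. corp.example.com is the local AD domain, child.corp.example.com a delegated child domain, partner.example a business partner's zone, the 10.0.x.x addresses their servers, and DNS01 the server being configured; all are placeholders.

```powershell
# Added example, not course code. Every name and address below is an assumption.
Import-Module DnsServer
$Server = 'DNS01'

# Forwarding: anything not resolvable locally goes to the internal forwarders rather
# than to the Internet root servers (UseRootHint $false disables that fallback).
Set-DnsServerForwarder -ComputerName $Server -IPAddress 10.0.1.10, 10.0.1.11 -UseRootHint $false

# Conditional forwarder: only partner.example is sent to the partner's servers.
# Stored in AD so every DNS server in the forest gets the same rule.
Add-DnsServerConditionalForwarderZone -ComputerName $Server -Name 'partner.example' `
    -MasterServers 10.0.0.53, 10.0.0.54 -ReplicationScope Forest

# Stub zone: holds only SOA/NS/glue for the delegated child domain and refreshes
# them from the master, so the parent always knows the child's current name servers.
Add-DnsServerStubZone -ComputerName $Server -Name 'child.corp.example.com' `
    -MasterServers 10.0.2.53 -ReplicationScope Forest

# GlobalNames zone: single-label names for the forest in place of WINS. It is an
# ordinary AD-integrated primary zone named GlobalNames with dynamic updates off;
# its records are CNAMEs added by hand.
Set-DnsServerGlobalNameZone -ComputerName $Server -Enable $true
Add-DnsServerPrimaryZone -ComputerName $Server -Name 'GlobalNames' -ReplicationScope Forest -DynamicUpdate None
Add-DnsServerResourceRecordCName -ComputerName $Server -ZoneName 'GlobalNames' `
    -Name 'intranet' -HostNameAlias 'web01.corp.example.com'

# Recursion: leave it on for an internal caching/forwarding server. On a server that
# is only authoritative for Internet-facing zones, turn it off so the box cannot be
# used as an open resolver:
#   Set-DnsServerRecursion -ComputerName $Server -Enable $false

# Verification from an admin workstation.
Get-DnsServerForwarder -ComputerName $Server | Select-Object IPAddress, UseRootHint
Get-DnsServerZone -ComputerName $Server |
    Where-Object { $_.ZoneType -in 'Forwarder', 'Stub' -or $_.ZoneName -eq 'GlobalNames' } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, MasterServers
Get-DnsServerRecursion -ComputerName $Server | Select-Object Enable
Resolve-DnsName -Name 'intranet' -Server $Server -Type CNAME   # answered from GlobalNames
```

The last Resolve-DnsName call is the check for the GlobalNames behaviour described on slide 30: a client that has no suffix match for intranet still gets the CNAME from the GlobalNames zone.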
Slide 31
IP Address Management (IPAM) features
Planning and allocation
o Tools for the planning process and change management, for IPv4 and IPv6
Managing
o Single point of management; streamlines DHCP and DNS administration
Tracking
o IP address utilization
Auditing
o Compliance requirements (for example HIPAA), forensics, change management
IPAM provides a framework for managing the IP address space in a network: Discover | Audit | Monitor | Manage
Slide 32
Windows Server 2012 R2 enhanced features
New operations on scopes and servers for the following DHCP objects:
o DHCP failover
o DHCP policies
o DHCP superscopes
o DHCP filters
o DHCP reservations
Slide 33
Role
o Collection of IPAM operations
o Associated with a Windows user or group through an access policy
o Eight (8) built-in roles are provided for convenience
o Custom roles can be created
Access scope
o Determines which objects the user has access to
o Used to define administrative domains in IPAM
o Default access scope: Global (access to all objects)
Access policy
o Combines a role and an access scope into a permission grant for a user or group
Role-based access control (Windows Server 2012 R2) allows roles, access scopes and access policies to be customized; grant the narrowest role and scope that cover the task rather than IPAM administrator
Slide 34
Built-in role | Description
DNS record administrator | Manages DNS resource records
IP address record administrator | Manages IP addresses but not IP address spaces, ranges, blocks or subnets
IPAM administrator | Manages all settings and objects in IPAM
IPAM ASM administrator | Completely manages IP addresses (address space management)
IPAM DHCP administrator | Completely manages DHCP servers
IPAM DHCP reservations administrator | Manages DHCP reservations
IPAM DHCP scope administrator | Manages DHCP scopes
IPAM MSM administrator | Completely manages DHCP and DNS servers (multi-server management)
By default, all objects in IPAM are included in the global access scope. All additional scopes that are configured are subsets of the global access scope.
Slide 35
IPv4 and IPv6 planning
o IP inventory management for
• Corporate networks
• Microsoft-powered cloud networks
• Virtual networks
DHCP
o Record creation
o Scope properties
• Name | ID | Prefix | Length | Status
o Scope utilization monitoring
o Utilization statistics
DNS
o Record creation
o Service monitoring
o Zone monitoring
• Forward and reverse lookup zones
IP utilization statistics
RBAC
Server groups
o Organize DHCP and DNS servers into logical groups
• Business unit
• Geography
• Other criteria
Full integration with System Center 2012 VMM
IPAM does not check for IP address consistency with routers and switches.
Slide 36
Virtualized address space: introduced with Windows Server 2012 R2
Provides end-to-end address space automation for Microsoft-powered clouds
To view the virtual address space, click the VIRTUALIZED ADDRESS SPACE node in the upper navigation pane of the IPAM console
Slide 37
Cannot have the AD DS role installed (the IPAM server must not be a domain controller)
Must be a domain member
o Sign in with a domain account
o The domain account must be a member of the appropriate IPAM local security group
Dedicated server, no other roles (installing the DHCP Server role on the IPAM server disables DHCP server discovery)
IP address tracking and auditing feature:
o Auditing of account logon events must be enabled on
• Domain controllers
• NPS servers
IPv6 must be enabled on the IPAM server to manage IPv6
Slide 38
Windows Server 2012 (IPAM server)
• Dual-core processor, 2.0 GHz or higher
• 4 GB or more RAM
• 80 GB free disk space
• The installation wizard automatically installs all required features
• The IPAM client is installed automatically with the IPAM server on Windows Server 2012
• When uninstalled, all dependencies, groups and scheduled tasks are deleted
Slide 39
Dual-core processor, 2.0 GHz or higher
4 GB or more RAM
80 GB free disk space
Windows Server 2008: SP2 installed
Windows Server 2008 SP2: Windows Management Framework core (KB968930)
.NET Framework 4.0 full installation
Windows Management Framework 3.0 (includes Windows Remote Management)
Slide 40
Supports 150 DHCP servers | 6,000 scopes
Supports 500 DNS servers | 150 DNS zones
3 years of forensic data stored
o IP address leases
o MAC addresses
o User logon information
IPv4 support
o Utilization trends
o Reclamation support
Remote administration via RSAT
IPAM does not support management of non-Microsoft network services.
Slide 41
Windows Internal Database (WID)
o Windows Server 2012 initial release
o No database purge policy
o The administrator must purge old data manually
Microsoft SQL Server
o SQL Server support is ONLY available with Windows Server 2012 R2
• Can be co-located on the IPAM server
• Can be located on a remote computer
o SQL Server benefits:
• Scalability
• Disaster recovery
• Reporting scenarios
Existing address data can be migrated into IPAM by importing CSV files.
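Moving an existing 2012 R2 IPAM server from WID to SQL Server, as an added example that is not part of the course material. SQL01, the database name and the port are placeholders; the parameter names are the ones I know from the 2012 R2 IpamServer module, and the database must already exist on SQL01 with the IPAM server's computer account granted rights to it (check the current IPAM documentation for the exact database role before running this).

```powershell
# Added example, not course code. Server, database and port are assumptions.
Import-Module IpamServer

# Before the move: expect the WID database type and a local path.
Get-IpamDatabase

# Windows authentication uses the IPAM server's computer account (CORP\IPAM01$),
# so no SQL password has to live in a script or a scheduled task. If SQL
# authentication is unavoidable, pass -DatabaseAuthType SQL -DatabaseCredential
# (Get-Credential) instead and keep the login limited to the IPAM database.
Move-IpamDatabase -DatabaseServer 'SQL01.corp.example.com' -DatabaseName 'IPAM' `
    -DatabasePort 1433 -DatabaseAuthType Windows

# After the move: expect the MSSQL database type with the server and name given above.
Get-IpamDatabase
```

Take a backup of the WID database (the IPAM data directory) before the move; Move-IpamDatabase copies the data, but the old database is the only fallback if the SQL permissions were wrong.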
Slide 42
Group | Description
IPAM Users | View all information: IPAM server inventory, IP address space, IPAM server management, IPAM and DHCP operational events. CANNOT view IP address tracking information
IPAM MSM Administrators | All privileges of IPAM Users, plus monitoring and management tasks (multi-server management)
IPAM ASM Administrators | All privileges of IPAM Users, plus IP address space management tasks
IPAM IP Audit Administrators | All privileges of IPAM Users, plus view IP address tracking information
IPAM Administrators | View all IPAM information and perform all IPAM tasks
Slide 43
Operational auditing and IP address tracking
• Track configuration issues
• View configuration changes
• Address lease tracking
• Logon information collected from
• NPS servers
• Domain controllers
Multi-server management and monitoring
• Multiple DHCP servers
• Edit properties and scopes
• Track utilization
• Multiple DNS servers
• Health and status
IPAM address space management
• IP address space:
• View
• Monitor
• Manage
• Utilization
• Overlapping scopes
IPAM discovery
• Discover AD DS domain servers running Windows Server 2008 and newer with the roles:
• DNS
• DHCP
• AD DS (domain controllers)
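The tracking feature in use, as an added example (not course code): the two questions an incident responder puts to IPAM most often, "which device held this address during this window?" and "which addresses did this user obtain?", followed by a check for DHCP configuration changes in the same window. It runs on the IPAM server or an IPAM client with the IpamServer module and needs the IPAM IP Audit Administrators privilege. The address 10.12.1.77, the user jdoe and the case path are placeholders; the -IpAddress, -UserName and -StartDate/-EndDate parameters are the ones I know from the 2012 R2 module, and the output property names vary, so the results are shown with Format-Table rather than selected by name.

```powershell
# Added example, not course code. Address, user, dates and paths are assumptions.
Import-Module IpamServer

$Start = (Get-Date).AddDays(-7)
$End   = Get-Date

# 1. Who had this address? IPAM correlates DHCP lease events with the account logon
#    events it collects from DCs and NPS servers, which is why auditing of account
#    logon events has to be enabled there (slide 37).
$byIp = Get-IpamIpAddressAuditEvent -StartDate $Start -EndDate $End -IpAddress 10.12.1.77
$byIp | Format-Table -AutoSize

# 2. Which addresses did this user obtain in the window?
$byUser = Get-IpamIpAddressAuditEvent -StartDate $Start -EndDate $End -UserName 'jdoe'
$byUser | Group-Object -Property IpAddress | Select-Object Name, Count

# 3. Who changed DHCP configuration in the same window? Relevant when clients show
#    an unexpected scope option, such as a changed DNS server or default gateway.
Get-IpamDhcpConfigurationEvent -StartDate $Start -EndDate $End | Format-Table -AutoSize

# 4. Export the evidence. IPAM keeps three years of these events (slide 40), but the
#    case file should not depend on the IPAM database staying intact or reachable.
$case = "C:\Cases\ip-10.12.1.77_$($Start.ToString('yyyyMMdd'))"
$byIp   | Export-Csv -Path "$case-address.csv" -NoTypeInformation
$byUser | Export-Csv -Path "$case-user.csv"    -NoTypeInformation
```

Lease records only say which MAC address obtained the lease; the user attribution in step 1 comes from the DC and NPS logon events, so an address with no logon correlation is an unauthenticated device, not an absent user.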
Slide 44
Centralized: one IPAM server for the whole forest
Distributed: one IPAM server per site
Hybrid: one central IPAM server for the forest plus one IPAM server per site
IPAM can only manage one AD forest.
Slide 45
IPAM server
o Collects data from the managed servers
o Manages the Windows Internal Database
IPAM client
o Client computer interface (IPAM console in Server Manager)
o Uses PowerShell for
• DHCP configuration tasks
• DNS monitoring
• Remote management
Slide 46
Servers need to be provisioned to allow remote management after the initial install is complete
o Group Policy
o Manually, per server
• Network shares
• Security groups
• Firewall rules
Slide 47
Security groups
• Create the universal group IPAMUG and add the IPAM server computer accounts in the domain
• Domain controllers and NPS servers:
• Add IPAMUG as a member of BUILTIN\Event Log Readers
• DHCP servers:
• Add IPAMUG as a member of BUILTIN\Event Log Readers
• Add IPAMUG as a member of BUILTIN\DHCP Users
• DNS servers:
• Add IPAMUG as a member of BUILTIN\Event Log Readers
• Add the IPAMUG group as a DNS administrator
Network shares
• DHCP servers:
• Share the %SystemRoot%\System32\DHCP folder as DHCPAUDIT
• Grant IPAMUG read permission only; the folder holds the DHCP database and audit logs, so no other principal should be added
Slide 48
Firewall rules
• Domain controllers and NPS servers:
• Inbound firewall rules to allow:
• Remote Event Log Management
• DHCP servers:
• Inbound firewall rules to allow:
• DHCP Server Management
• Remote Service Management
• File and Printer Sharing
• Remote Event Log Management
• DNS servers:
• Inbound firewall rules to allow:
• DNS Service
• Remote Service Management
• Remote Event Log Management
Event log monitoring on DNS servers
• Modify the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server registry key (its CustomSD value) so that IPAMUG can read the DNS Server event log
Slide 49
PowerShell: Invoke-IpamGpoProvisioning
Running the command creates three GPOs, named <prefix>_DC_NPS, <prefix>_DHCP and <prefix>_DNS, that configure the settings above. With the prefix IPAM:
o IPAM_DC_NPS
• GPO applied to all managed domain controllers and NPS servers
o IPAM_DHCP
• GPO applied to all managed DHCP servers
• GPO includes scripts that configure the network share for DHCP monitoring
o IPAM_DNS
• GPO applied to all managed DNS servers
• GPO includes scripts to:
• Configure the event log for DNS monitoring
• Configure the IPAMUG group as a DNS administrator
The GPOs are linked at the domain level with security filtering; a server receives the settings only after it is marked Managed in IPAM and has refreshed Group Policy.
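The provisioning steps from slides 46 to 49 as a script, added here as an example and not taken from the course material. The first part is the Group Policy route run on the IPAM server; the second is the manual route for a single DHCP server, run on that server, so the group memberships, share and firewall rules the GPO would otherwise configure are visible; the last part verifies the result from the IPAM server. The domain corp.example.com, the servers IPAM01 and DHCP01 and the delegated account corp\ipam-svc are placeholders.

```powershell
# Added example, not course code. Domain, server and account names are assumptions.

# ---- Group Policy route (run on the IPAM server as a domain administrator) ----
Import-Module IpamServer
Invoke-IpamGpoProvisioning -Domain 'corp.example.com' -GpoPrefixName 'IPAM' `
    -IpamServerFqdn 'ipam01.corp.example.com' -DelegatedGpoUser 'corp\ipam-svc' -Force
# Creates IPAM_DC_NPS, IPAM_DHCP and IPAM_DNS linked to the domain, plus the IPAMUG
# universal group containing IPAM01. Nothing applies until a server is set to Managed
# in IPAM (which adds it to the GPO security filter) and refreshes policy, e.g.:
#   Invoke-GPUpdate -Computer 'DHCP01' -Force          # GroupPolicy module

# ---- Manual route for one DHCP server (run on DHCP01, elevated) ----
$Ipamug = 'CORP\IPAMUG'   # assumed NetBIOS domain name

# Security groups (slide 47)
net localgroup "Event Log Readers" $Ipamug /add
net localgroup "DHCP Users"        $Ipamug /add

# Network share (slide 47): read-only, IPAMUG only. The folder holds the DHCP
# database and audit logs, so do not widen this ACL to Everyone or Authenticated Users.
New-SmbShare -Name 'dhcpaudit' -Path "$env:SystemRoot\System32\dhcp" -ReadAccess $Ipamug

# Firewall rules (slide 48): enable the predefined inbound groups, nothing custom.
foreach ($group in 'DHCP Server Management', 'Remote Service Management',
                   'File and Printer Sharing', 'Remote Event Log Management') {
    Enable-NetFirewallRule -DisplayGroup $group -Direction Inbound
}

# ---- Verification (run on the IPAM server) ----
Get-SmbShare       -CimSession 'DHCP01' -Name 'dhcpaudit' | Select-Object Name, Path
Get-SmbShareAccess -CimSession 'DHCP01' -Name 'dhcpaudit'     # expect IPAMUG with Read only
Get-NetFirewallRule -CimSession 'DHCP01' -DisplayGroup 'Remote Event Log Management' -Enabled True |
    Select-Object DisplayName, Direction, Enabled
Get-IpamServerInventory | Format-Table -AutoSize   # access status of each managed server
```

Get-SmbShareAccess is the check worth repeating after any later change on the DHCP server: a Full or Change entry on dhcpaudit hands out write access to the DHCP database to whoever is in that group.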
Slide 50
IP address space hierarchy
• IP address blocks, which contain
• Subnets
• Ranges
• Addresses
Views: IP address inventory, IP address range groups
Slide 51
DNS and DHCP servers
o Arranged by their network interface
• /16 subnets for IPv4
• /48 subnets for IPv6
o You can choose to view either DHCP or DNS server properties
DHCP scope utilization monitoring
o Utilization statistics are collected periodically and automatically from the server
o Track scope properties
• Name
• Prefix length
• Status
DNS zone monitoring
o Enabled for forward and reverse zones
o Status is based on the events collected
o Zones are summarized
Server groups
o Choose the logical groups to organize servers into, based on criteria such as
• Business unit
• Geography
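One branch of the slide 50 hierarchy (block, subnet, range, address) built with the 2012 R2 IpamServer cmdlets and then used for the monitoring tasks on slide 51: finding free addresses, setting the utilization threshold and exporting the range. This is an added example, not course code. The 10.12.0.0/16 block, the HQ-Servers subnet, web01 and the output path are placeholders; the parameter names (ManagedByService, ServiceInstance, AssignmentType, DeviceType, the threshold parameters and -TestReachability) are the ones I know from the module documentation and should be checked against Get-Help on your version.

```powershell
# Added example, not course code. Addresses, names and parameter names are assumptions.
Import-Module IpamServer

# Block: the top of the hierarchy. Private space, so no RIR fields are needed.
Add-IpamBlock -NetworkId '10.12.0.0/16' -StartIPAddress 10.12.0.0 -EndIPAddress 10.12.255.255 `
    -Description 'Corp HQ private space'

# Subnet (2012 R2): a routed network inside the block.
Add-IpamSubnet -Name 'HQ-Servers' -NetworkId '10.12.1.0/24' -Description 'Server VLAN 101'

# Range: the part of the subnet that is handed out. ManagedByService/ServiceInstance
# record who owns the allocation; here IPAM itself (static assignments), not a DHCP scope.
Add-IpamRange -NetworkId '10.12.1.0/24' -StartIPAddress 10.12.1.10 -EndIPAddress 10.12.1.200 `
    -ManagedByService 'IPAM' -ServiceInstance 'Localhost' -AssignmentType Static `
    -Description 'Static server allocations'

# Address: record a host with the MAC and description an auditor will ask for later.
Add-IpamAddress -IpAddress 10.12.1.10 -ManagedByService 'IPAM' -ServiceInstance 'Localhost' `
    -DeviceName 'web01.corp.example.com' -DeviceType Host -MacAddress '00-15-5D-01-02-03' `
    -AssignmentType Static -Description 'Intranet web front end'

# Next three free addresses in the range. By default this consults the IPAM database
# only; -TestReachability additionally pings each candidate. Neither asks the routers
# or switches, which slide 35 calls out as a limitation.
$range = Get-IpamRange -AddressFamily IPv4 | Where-Object { $_.NetworkId -eq '10.12.1.0/24' }
$range | Find-IpamFreeAddress -NumAddress 3

# Utilization alert: 80% over / 20% under are the defaults; setting them explicitly
# documents the intent in the change record.
Set-IpamAddressUtilizationThreshold -OverUtilizationThreshold 80 -UnderUtilizationThreshold 20

# Export for the change record, in the CSV layout that Import-IpamAddress reads back.
Export-IpamAddress -AddressFamily IPv4 -Path 'C:\IPAM\addresses-ipv4.csv' -Force
```

Build the hierarchy top-down as above; an address or range added before its containing block ends up unmapped in the inventory view and the utilization figures for the block stay wrong until it is re-parented.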
Slide 52
The IPAM database can be migrated seamlessly when you upgrade from Windows Server 2012 to Windows Server 2012 R2
Slide 53
Add-IpamAddress
Add-IpamAddressSpace
Add-IpamBlock
Add-IpamCustomField
Add-IpamCustomFieldAssociation
Add-IpamCustomValue
Add-IpamDiscoveryDomain
Add-IpamRange
Add-IpamServerInventory
Add-IpamSubnet
Disable-IpamCapability
Enable-IpamCapability
Export-IpamAddress
Export-IpamRange
Export-IpamSubnet
Find-IpamFreeAddress
Get-IpamAddress
Get-IpamAddressSpace
Get-IpamAddressUtilizationThreshold
Get-IpamBlock
Get-IpamCapability
Get-IpamConfiguration
Get-IpamConfigurationEvent
Get-IpamCustomField
Get-IpamCustomFieldAssociation
Get-IpamDatabase
Get-IpamDhcpConfigurationEvent
Get-IpamDiscoveryDomain
Get-IpamIpAddressAuditEvent
Get-IpamRange
Get-IpamServerInventory
Get-IpamSubnet
Import-IpamAddress
Import-IpamRange
Import-IpamSubnet
Invoke-IpamGpoProvisioning
Invoke-IpamServerProvisioning
Move-IpamDatabase
Remove-IpamAddress
Remove-IpamAddressSpace
Remove-IpamBlock
Remove-IpamConfigurationEvent
Remove-IpamCustomField
Remove-IpamCustomFieldAssociation
Remove-IpamCustomValue
Remove-IpamDhcpConfigurationEvent
Remove-IpamDiscoveryDomain
Remove-IpamIpAddressAuditEvent
Remove-IpamRange
Remove-IpamServerInventory
Remove-IpamSubnet
Rename-IpamCustomField
Rename-IpamCustomValue
Set-IpamAddress
Set-IpamAddressSpace
Set-IpamAddressUtilizationThreshold
Set-IpamBlock
Set-IpamConfiguration
Set-IpamCustomFieldAssociation
Set-IpamDatabase
Set-IpamDiscoveryDomain
Set-IpamRange
Set-IpamServerInventory
Set-IpamSubnet
Update-IpamServer
Windows Server 2012 R2 added 55 new cmdlets
Slide 54
Address space is a container for:
o IP Blocks
o Subnets
o IP Ranges
o IP Addresses
IP ADDRESS SPACE pane contains all objects
o Discovered
o Created
Can add or import
Default values are automatically filled in for required fields
Slide 55
Supply Network ID and Prefix Length
o Start and End are automatically added for you
Non-Private IP Address range
o Specify Regional Internet Registry (RIR) where registered
o Brief Description and Owner (optional)
PowerShell Method:
o Add-IpamBlock -NetworkId <network prefix, in CIDR notation> -Rir <string>
• RIR value must be one of the following: AFRINIC, APNIC, ARIN, LACNIC, RIPE
Slide 56
Required:
o Friendly Name
o Network ID
o Prefix Length
Optional Settings
o One or more VLANs
o Subnet Virtualized?
o Custom Fields:
• AD Site
• VMM IP Pool Name
o Description and Owner Name
PowerShell Method:
o Add-IpamSubnet -Name <friendly name> -NetworkId <network prefix, in CIDR notation>
Slide 57
Required:
o Network ID
o Prefix Length
o Will use default values if not supplied:
• Managed by Service
• Service Instance
• Assignment Type
If the containing subnet does not already exist, allow it to be created automatically
o One or more VLANs
o Subnet Virtualized?
o Custom Fields:
• AD Site
• VMM IP Pool Name
o Description and Owner Name
PowerShell Method:
o Add-IpamRange -NetworkId <network prefix, in CIDR notation> -CreateSubnetIfNotFound
Slide 58
Can associate with DHCP Reservations
o If using PowerShell, the reservation is NOT automatically created
Can discover duplicate addresses using the Managed by Service and Service Instance properties of the IP Address
IPAM maps an address to the range containing that address
Properties that use default values unless specified:
o Managed by Service
o Service Instance
o Device Type
o Address State
o Assignment Type
Many custom fields available if needed
PowerShell Method:
o Add-IpamAddress -IpAddress <x.x.x.x>
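The block, subnet, range and address steps of slides 55 to 58 carried out from PowerShell, as an added example that is not part of the course material. It assumes the IpamServer module on an IPAM server; every address, name and owner is a constructed value, and the parameter names not shown on the slides (-Name, -VlanId, -StartIPAddress, -EndIPAddress, -ManagedByService, -ServiceInstance, -DeviceType, -IpAddressState, -AssignmentType, -Owner, -Description) are assumptions about the cmdlets.

```powershell
# Added example, not from the course slides. Assumes the IpamServer module on an
# IPAM server; all addresses, names and owners below are constructed sample values.
Import-Module IpamServer

# RIR values accepted by -Rir, as listed on slide 55.
$ValidRir = 'AFRINIC', 'APNIC', 'ARIN', 'LACNIC', 'RIPE'

function Add-RegisteredBlock {
    param([string]$NetworkId, [string]$Rir, [string]$Owner)
    # A non-private block must name its registry; reject unknown values before
    # the cmdlet runs so a typo does not end up as a mislabelled block.
    if ($ValidRir -notcontains $Rir.ToUpper()) {
        throw "Unknown RIR '$Rir'; expected one of $($ValidRir -join ', ')"
    }
    # Only the prefix is passed: Start and End are derived from it (slide 55).
    Add-IpamBlock -NetworkId $NetworkId -Rir $Rir.ToUpper() -Owner $Owner
}

# 1. Public block (prefix taken from the slide 60 sample data) and a private block.
Add-RegisteredBlock -NetworkId '173.90.100.0/25' -Rir 'arin' -Owner 'Network Team'
Add-IpamBlock -NetworkId '192.168.0.0/16' -Description 'Private lab space, no RIR needed'

# 2. Subnet: friendly name and prefix are the required fields (slide 56).
Add-IpamSubnet -Name 'Lab-Clients' -NetworkId '192.168.1.0/24' -VlanId 10 -Owner 'Network Team'

# 3. Range inside the subnet. -CreateSubnetIfNotFound would have created the
#    subnet from the prefix had step 2 been skipped (slide 57).
Add-IpamRange -NetworkId '192.168.1.0/24' -StartIPAddress 192.168.1.20 -EndIPAddress 192.168.1.200 `
    -ManagedByService 'IPAM' -ServiceInstance 'Localhost' -AssignmentType Static -CreateSubnetIfNotFound

# 4. Addresses. IPAM maps each one to the range that contains it; no DHCP
#    reservation is created when the address is added this way (slide 58).
foreach ($ip in '192.168.1.25', '192.168.1.26', '192.168.1.27') {
    Add-IpamAddress -IpAddress $ip -ManagedByService 'IPAM' -ServiceInstance 'Localhost' `
        -DeviceType Host -IpAddressState InUse -AssignmentType Static -Description "Lab host $ip"
}

# Duplicate check (slide 58): the same address recorded under more than one
# Managed by Service / Service Instance pair means two systems claim to own it.
Get-IpamAddress -AddressFamily IPv4 |
    Group-Object IpAddress |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $owners = ($_.Group | ForEach-Object { "$($_.ManagedByService)/$($_.ServiceInstance)" }) -join '; '
        "Duplicate $($_.Name): $owners"
    }
```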
Slide 59
Import information using a text file
Required Fields for IP Address Import
o IP Address
o Managed by Service
o Service Instance
o Device Type
o IP Address State
o Assignment Type
Required fields for IP Address Block Import
o Network
o Start IP Address
o End IP Address
o RIR
• Field Names and Data can be enclosed in quotes
• Field Names and Data can contain spaces
• Field Names and Data are not case sensitive
• Data must be valid for field that it is being imported into
Slide 60
IP Addresses imported into the IPAM Database for a managed DHCP Server:
"IP Address","Managed by Service","Service Instance","Device Type","IP Address State","Assignment Type"
192.168.1.25,ms dhcp,dhcp.sandraclassroom.com,host,in-use,static
192.168.1.26,ms dhcp,dhcp.sandraclassroom.com,host,in-use,static
192.168.1.27,ms dhcp,dhcp.sandraclassroom.com,host,in-use,static
IP Address block assigned by the ARIN Regional Authority:
"Network","Start IP address","End IP address",RIR
173.90.100.0,173.90.100.1,173.90.100.126,ARIN
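The two import files from slide 60 written out, checked against the field rules of slide 59 before anything touches the IPAM database, and then imported. This is an added example, not part of the course material; the directory path, the Import-IpamAddress parameter names (-Path, -AddressFamily, -ErrorPath) and the assumption that -ErrorPath takes a directory are the author's assumptions, and the sample rows are those shown on slide 60.

```powershell
# Added example, not from the course slides. Assumes the IpamServer module on an
# IPAM server; the directory is constructed and the rows are the slide 60 samples.
Import-Module IpamServer

$ImportDir  = 'C:\IPAM-Import'
$AddressCsv = Join-Path $ImportDir 'addresses.csv'
$BlockCsv   = Join-Path $ImportDir 'blocks.csv'
New-Item -ItemType Directory -Path $ImportDir -Force | Out-Null

# Slide 60 sample data. Quotes are optional and names may contain spaces (slide 59).
@'
"IP Address","Managed by Service","Service Instance","Device Type","IP Address State","Assignment Type"
192.168.1.25,ms dhcp,dhcp.sandraclassroom.com,host,in-use,static
192.168.1.26,ms dhcp,dhcp.sandraclassroom.com,host,in-use,static
192.168.1.27,ms dhcp,dhcp.sandraclassroom.com,host,in-use,static
'@ | Set-Content -Path $AddressCsv

@'
"Network","Start IP address","End IP address",RIR
173.90.100.0,173.90.100.1,173.90.100.126,ARIN
'@ | Set-Content -Path $BlockCsv

function Test-IpamImportHeader {
    param([string]$Path, [string[]]$Required)
    # Field names are not case sensitive, may be quoted and may contain spaces,
    # so compare them with quotes and whitespace removed and case folded.
    $normalise = { ($args[0] -replace '["\s]', '').ToLowerInvariant() }
    $present = (Get-Content -Path $Path -TotalCount 1) -split ',' | ForEach-Object { & $normalise $_ }
    $missing = @($Required | Where-Object { $present -notcontains (& $normalise $_) })
    if ($missing.Count -gt 0) {
        throw "$Path lacks required field(s): $($missing -join ', ')"
    }
    "$Path header OK"
}

# Required fields for each import type, from slide 59.
Test-IpamImportHeader -Path $AddressCsv -Required 'IP Address', 'Managed by Service',
    'Service Instance', 'Device Type', 'IP Address State', 'Assignment Type'
Test-IpamImportHeader -Path $BlockCsv -Required 'Network', 'Start IP Address', 'End IP Address', 'RIR'

# Import the addresses. Rows whose data is not valid for the target field (slide 59)
# are recorded in the error log under $ImportDir rather than vanishing silently;
# review that log after every import. Slide 53 lists no Import-IpamBlock cmdlet,
# so the block file is only validated here.
Import-IpamAddress -Path $AddressCsv -AddressFamily IPv4 -ErrorPath $ImportDir
```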
Review Questions:
1. Which of the following allows you to access the settings jewel to shut down
Windows Server 2012?
A. Navigating mouse to the lower right corner
B. Navigating the mouse to the lower left corner
C. Pressing Ctrl+Esc
D. Pressing Ctrl+I
E. All of the above
F. Both A and D
2. DHCP server provides which service?
A. Name resolution to clients
B. IP address resolution to clients
C. Service location information
D. IP address allocation
3. Which of the following can be a DHCP client?
A. PC
B. Laptop
C. Printer
D. All of the above
4. Which of the following properties can be managed by DHCP?
A. DNS server
B. Gateway
C. NBNS server
D. All of the above
5. Where is the DHCP database located?
A. %SystemRoot%\System32\DHCP
B. %OS%\DHCP
C. C:\DHCP
D. %\System32%\DHCP
6. Who must authorize the DHCP server before it can be active on the network?
A. Enterprise administrator
B. Domain administrator
C. Local DHCP server administrator
D. All of the above
7. Which of the following are option levels for DHCP options?
A. Reservation
B. Personal
C. Global
D. Class ID
E. All of the above
F. A, C, and D
8. True or False: You can only configure one scope per DHCP server.
A. True
B. False
9. True or False: DHCP server updates only the PTR record.
A. True
B. False
10. True or False: Multinetting is adding a second scope to address clients on a
different subnet.
A. True
B. False
11. True or False: Key Master Role is only available in DNS for DNSSEC for AD
integrated zones.
A. True
B. False
Answer Key:
1. F You can use the keyboard shortcut of Ctrl+I, or you can navigate the mouse to the lower right corner.
2. D DHCP server provides IP address allocation to clients.
3. D A DHCP client can be a PC, laptop, printer, mobile device, switch, or network boot client.
4. D You can manage DNS servers, gateways, and a number of other configurable properties for TCP/IP.
5. A The DHCP database is located at %SystemRoot%\System32\DHCP.
6. A The Enterprise administrator is the only account that can authorize a DHCP server.
7. F Option levels are Global, Scope, Class ID, and Reservation.
8. B False. You can configure multiple scopes, but the server must be connected directly to a subnet or DHCP Relay Agent.
9. B False. You can configure a client to request DNS server updates for both host and PTR records.
10. A True. Multinetting is adding a second scope for clients on a different subnet. Routers need to be configured for this to work.
11. B False. Windows Server 2012 R2 has many improvements with DNSSEC. One of them is to make the Key Master Role available for file-backed multi-master zones. Prior support was only for AD integrated zones.