Microsoft Azure AZ-800 — Section 15: Manage IP addressing in on-premises and hybrid scenarios Part 3
118. Implement and manage IPAM
I now want to talk about a concept known as IPAM. IPAM stands for Internet Protocol Address Management, or IP address management, and it goes back to an old problem we’ve had in IT for many years involving TCP/IP: keeping track of all of our IP addressing across the company. If you’ve got one location, one server and a handful of IP addresses to manage, no big deal. But when you grow into multiple locations and multiple subnets, maybe in multiple geographic locations across the world, and you’ve got loads of DHCP servers out there and all these DNS servers you’re dealing with, mapping names to IPs, it gets hard to keep track of which IP addresses are being used by which machines.
Some of the addresses may be dynamic, meaning they’re just issued by DHCP.
Some of them could be assigned statically. A lot of us IT people would have a spreadsheet or something, and we’d just manually update that spreadsheet and go from there. That would get crazy, though, because you’d have multiple admins trying to keep track of the same spreadsheet, and somebody would make a change without notifying the other admin. It just became a mess, as you can imagine.
So IPAM is a feature that allows our Windows environment to track all the IP addresses in use across the entire organization if we need to, and we can even make changes to DHCP and DNS servers through it. IPAM can also integrate with virtualized IP address space, including Azure, through what’s called System Center Virtual Machine Manager.
So it’s a pretty neat feature, and it can definitely make life a little easier.
So we’re going to start out by installing IPAM here on our NYC Server 1.
In Server Manager, go to Manage, Add Roles and Features, and click Next until you get to the Features screen, because IPAM is a feature. There it is: IP Address Management (IPAM) Server. Select it, add the required features, and click Next.
It’ll ask about a restart; you can tell it to restart automatically if needed. You’ll notice it also installs .NET and a couple of other things, including WID, the Windows Internal Database, which is where IPAM keeps all the data it collects.
Click Install. I’ll pause the video while it installs.
Once that’s done, close the wizard and you’ll see the IPAM node over here on the left. You don’t actually get an IPAM entry on the Tools menu; it shows up here in Server Manager.
Click on that and we can officially take a look at IPAM.
On the IPAM overview screen, right out of the gate, you’ll notice it gives you a set of tasks to get started. The first is to connect to the IPAM server, which is my server here, NYC Server 1. The next is to provision the IPAM server.
OK.
As you can see, we’re already connected to the server. You can have multiple IPAM servers, by the way, but I’ve only got one in this case.
So the next step is to provision the server.
So we click Provision. It tells you that IPAM is going to be contacting various servers. It contacts DHCP servers and collects IP information from them. It communicates with DNS, although it doesn’t collect data from DNS so much as it lets you make changes to DNS. It can also talk to a Network Policy Server (NPS), which is used on the remote access authentication side; NPS is the Windows implementation of a RADIUS (Remote Authentication Dial-In User Service) server. And of course it can talk to domain controllers. All of these help IPAM collect information to determine what IP addresses are in use in your environment. The other thing that happens is that IPAM provisions, or configures, those servers so that data can be collected and your IPAM server has the access it needs on them. It does that with Group Policy: it creates a couple of Group Policy Objects that get deployed to the managed servers. You can configure the servers manually as well, but Microsoft recommends you let IPAM do it, or else you’re working through lengthy Microsoft articles on how to configure each server by hand. It can be done manually, but it’s a lot of trouble; it’s better to use Group Policy.
OK.
They tell you right here that if you choose the GPO-based provisioning method, you cannot change the provisioning method afterwards, so from that point you’re using GPOs, although you can still configure a server by hand if push comes to shove. Ultimately the GPOs do a good job of configuring the servers so they can be managed. Click Next. Next it says it’s creating a WID, a Windows Internal Database, for storing all of the information. If you’d rather use a SQL Server database, maybe because you already have SQL Server, you can configure that here. I’m going to use the Windows Internal Database. Click Next.
This is where I choose manual or Group Policy based provisioning. I’m going to use Group Policy, and then it asks what prefix you want the Group Policy Object names to start with. Most people just put IPAM.
So the Group Policy Objects that get created are going to start with IPAM.
Again, these GPOs are used to provision your servers so they can be managed by IPAM and IPAM can collect data from them. Click Next. It summarizes what the wizard is going to do: create these GPOs, one for DHCP (IPAM_DHCP), one for DNS (IPAM_DNS) and one for domain controllers and Network Policy Server (IPAM_DC_NPS).
So we’ll go ahead and click Apply. I’ll pause the video while that happens.
Once that’s done, I can hit Close, and I’ve officially got IPAM provisioned. The next step is to configure server discovery.
Server discovery is where IPAM goes out and actually talks to your various servers, DHCP, DNS and so on, and discovers information.
What I have to do from there is select a forest, and it says I don’t have one yet. So I click Get Forests, which queries Active Directory and will display it.
I will also say that pretty much everything that happens in IPAM is actually running PowerShell in the background.
There’s really a bunch of PowerShell commands making all of this possible. Now that I’ve done that, it’s running that little query, and I should be able to go right here to Configure Server Discovery, and there it goes.
So it is showing up.
At that point I select my forest and select the domains to discover. I’ve only got one domain in my case, so I just add that one domain, and I tell it to search my domain controllers, DHCP and DNS servers and learn as much as it possibly can.
OK.
For Group Policy based provisioning, it says to create the GPOs for each domain in the list using PowerShell, and we’ve actually already done that.
So we’re not having to do it manually. I’m just going to click OK, and now we’ve got that.
Next, click Start Server Discovery. A forewarning: this can sometimes take 5, 10, 15, 20 minutes to run through.
So just be aware that discovery takes a while before it actually finishes, and then eventually you’ll be able to see your discovered servers and collect data.
Once you’ve started server discovery, the next thing you’ll want to do is click Select or add servers to manage and verify IPAM access. When you do, you may get a Blocked status right here. What needs to happen is that the Group Policy Objects need to be provisioned using a PowerShell command, so that they are set up with the correct permissions for your server. I’ve actually already run it, because I wanted to make sure it went through successfully and unblocked things. The command looks like this.
In PowerShell you run Invoke-IpamGpoProvisioning with -Domain and your domain name, then -GpoPrefixName IPAM, the prefix we gave the GPOs when we went through the wizard earlier, then -IpamServerFqdn and the fully qualified domain name of your IPAM server, which in my case is NYC Server 1 in my lab domain.
Then -DelegatedGpoUser and the user who is given authority over those GPOs, in my case an administrator account in my lab domain. As you can see, I did run that; here’s the command right here. It asked me to confirm a couple of things (my screen got a little skewed here), and I just answered Yes to all of those, and it set the GPOs up.
Now that I’ve done that, I can jump over to my domain controller, go to Server Manager, Tools, and open Group Policy Management, and there are my three GPOs.
Under your domain you’ll see the three GPOs. The main thing you want to see when you click on each of them is Security Filtering: the servers that are affected. In my case that’s just NYC DC1, because NYC Server 1 is the IPAM server itself, so it doesn’t have to be listed there; any servers you’re managing should show up under Security Filtering. Another option is to create a group of the computers IPAM will manage, domain controllers, DNS, DHCP, NPS and so on, and add that group to this list if you want. But the PowerShell command configures that and sets the permissions for you as well.
The last thing we want to do is go back over to PowerShell on the managed server (here that’s my domain controller) and run gpupdate /force. This isn’t really an emergency, because servers refresh Group Policy on their own in the background anyway (domain controllers every five minutes, member servers roughly every 90 minutes), but if you don’t want to wait even a few minutes, gpupdate /force applies the policies now. At that point come back here, and if you’re still seeing Blocked, go to Tasks and choose Retrieve All Server Data, or right-click the server and choose Refresh Server Access Status.
After that, right-click the server and choose Edit Server. You can associate it with NPS if you plan on having a Network Policy Server on it. Then the Manageability status needs to be set to Managed; right now it’s Unspecified or Unmanaged, and you change it to Managed. Hit OK, and we should get a green check mark. At that point IPAM can officially manage that server.
Now I go over to Overview and click Retrieve data from managed servers. That starts the process, and we’ll give it some time to run through. I’ll pause the video while that’s happening.
Data retrieval takes maybe about a minute when you’ve only got one server.
In a bigger environment with a lot of servers you obviously need to give it more time, but here it just takes about a minute.
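The same deployment as a PowerShell script, as an added example that is not part of the course or its lab. The domain corp.example, the hostnames NYC-SVR1.corp.example and NYC-DC1.corp.example, the delegated account CORP\ipam-admin and the IPAM scheduled task names are assumptions; Invoke-IpamServerProvisioning is the Windows Server 2016 and later equivalent of the provisioning wizard. The script is meant to run on the IPAM server under an account that can create and link GPOs in the domain:

```powershell
# Added example (not the course's code). Assumed names: domain corp.example,
# IPAM server NYC-SVR1, managed DC/DNS/DHCP server NYC-DC1, delegated user CORP\ipam-admin.
$Domain    = 'corp.example'
$IpamFqdn  = 'NYC-SVR1.corp.example'
$Managed   = 'NYC-DC1.corp.example'
$GpoPrefix = 'IPAM'
$Delegated = 'CORP\ipam-admin'

# 1. Install the feature; this pulls in WID and the IPAM client tools.
Install-WindowsFeature -Name IPAM -IncludeManagementTools

# 2. Provision the IPAM server: GPO-based ("Automatic") method with the Windows
#    Internal Database. This is the one-way choice the wizard warns about.
Invoke-IpamServerProvisioning -ProvisioningMethod Automatic -GpoPrefix $GpoPrefix -Force

# 3. Create IPAM_DHCP, IPAM_DNS and IPAM_DC_NPS in the domain and give the delegated
#    user edit rights on them. -Force suppresses the Yes/No prompts seen in the lecture.
Invoke-IpamGpoProvisioning -Domain $Domain -GpoPrefixName $GpoPrefix `
    -IpamServerFqdn $IpamFqdn -DelegatedGpoUser $Delegated -Force

# 4. Register the domain for discovery and start the discovery task now rather than
#    waiting for its schedule (task names assumed; list them with
#    Get-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\').
Add-IpamDiscoveryDomain -Name $Domain -DiscoverDc $true -DiscoverDhcp $true -DiscoverDns $true
Start-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'ServerDiscovery'

# 5. Set the server to Managed (the Edit Server step). Marking it Managed is what adds
#    the computer account to the GPOs' security filtering.
if (Get-IpamServerInventory | Where-Object Name -eq $Managed) {
    Set-IpamServerInventory -Name $Managed -ManageabilityStatus Managed
} else {
    Add-IpamServerInventory -Name $Managed -ServerType DC,DNS,DHCP -ManageabilityStatus Managed
}

# 6. Verify the security filtering the lecture checks in Group Policy Management:
#    only managed servers (and the delegated group IPAM creates) should have GpoApply.
foreach ($gpo in "$GpoPrefix`_DHCP", "$GpoPrefix`_DNS", "$GpoPrefix`_DC_NPS") {
    Get-GPPermission -Name $gpo -All -Domain $Domain |
        Where-Object Permission -eq 'GpoApply' |
        Select-Object @{n='GPO';e={$gpo}}, @{n='Trustee';e={$_.Trustee.Name}}
}

# 7. Apply the GPOs on the managed server now instead of waiting for background refresh
#    (needs WinRM to the managed server), then pull configuration data.
Invoke-Command -ComputerName $Managed -ScriptBlock { gpupdate /force }
Start-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'ServerConfiguration'

# 8. Anything still Blocked means the GPO has not applied on that server yet.
Get-IpamServerInventory | Select-Object Name, ServerType, ManageabilityStatus, IpamAccessStatus
```

Two points a practitioner should weigh before running this. The account passed as -DelegatedGpoUser gets edit rights on GPOs linked at the domain level that apply to domain controllers, which is effectively the ability to run code on DCs, so treat it as a Tier 0 credential rather than a helpdesk account. And the GPOs give the IPAM server's account read access to DHCP, DNS and event logs on every managed server, so the IPAM server itself should be protected like the servers it manages.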
So now that that’s done, I can go through this list here and look at some of the different things I’ve got.
I’ve got Server Inventory, which we’ve seen; it shows the machines we’re currently managing. Then I have IP Address Space, which consists of three things: IP Address Blocks, IP Address Inventory and IP Address Range Groups.
An IP address block is a block of IP addresses, a starting address and an ending address, that is essentially in use on the network. Understand that this is just a little lab environment; I don’t have hundreds of devices that have gotten addresses or anything like that. In fact, if I come down here, I’ve got my DHCP scopes and all that, and my DHCP server and DNS server show up, but I’m not actually leasing out a bunch of addresses to a bunch of clients.
In a real environment, obviously, you’d see IP address blocks, and the IP address inventory, which is the actual devices that have gotten addresses from your DHCP servers and registered DNS names. In my little lab environment it’s a couple of static addresses. Ultimately what you need to be aware of is what this thing can do, the features you’ve got here; if you’re taking the exam, it’s knowing what the capabilities are.
So this would help me keep track of the devices.
You can manually add things as well if you don’t already have them configured. If you don’t have a bunch of devices, click one of these objects, click Tasks, and you can do things like Add IP Address Block, a block of addresses you’d like IPAM to recognize on your network.
Network ID, starting address and all that: you fill out a little template. From there you’d be able to see your inventory of addresses that are actually being handed out, and you can even see whether there are duplicates. You can also have what’s called range groups, which are just groups of the ranges you designate.
So maybe I’ve got a couple of buildings, with one range group associated with one building and another with the other. You create these right here under Tasks; of course, you do have to have address ranges showing up here in order to do that.
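Adding a block, a range and a static address from PowerShell, then running the duplicate check the lecture mentions, as an added example that is not from the course. The 10.100.0.0/16 block, the 10.100.1.0/24 range, the device name nyc-app1, the zone corp.example and the DNS server NYC-DC1.corp.example are constructed for the example:

```powershell
# Added example (not the course's code). Run on a provisioned IPAM server.
Import-Module IpamServer

# A block is the top of the hierarchy. A private block needs no registry; a public block
# must be entered with the RIR it came from (-Rir), which is the "you have to register
# public ranges" remark in the lecture. Block and addresses here are constructed.
Add-IpamBlock -NetworkId '10.100.0.0/16' -StartIPAddress 10.100.0.0 -EndIPAddress 10.100.255.255 `
    -Description 'Constructed lab block' -PassThru

# A range is the set of addresses actually handed out. Ranges discovered from DHCP are
# ManagedByService 'MS DHCP'; this one is static space that IPAM itself tracks.
$range = Add-IpamRange -NetworkId '10.100.1.0/24' -StartIPAddress 10.100.1.1 -EndIPAddress 10.100.1.254 `
    -ManagedByService IPAM -ServiceInstance Localhost -NetworkType NonVirtualized `
    -CreateSubnetIfNotFound -PassThru

# Ask IPAM for the next free addresses in the range instead of guessing from a spreadsheet.
$free = Find-IpamFreeAddress -InputObject $range -NumAddress 2

# Record a static assignment together with the DNS name IPAM will associate with it.
Add-IpamAddress -IpAddress $free[0].IpAddress -ManagedByService IPAM -ServiceInstance Localhost `
    -DeviceType Host -AssignmentType Static -DeviceName 'nyc-app1' `
    -ForwardLookupZone 'corp.example' -ForwardLookupPrimaryServer 'NYC-DC1.corp.example'

# Duplicate check: the same address recorded more than once, typically a static entry
# colliding with a DHCP lease. Surfaces which source recorded each copy.
Get-IpamAddress -AddressFamily IPv4 |
    Group-Object -Property IpAddress |
    Where-Object Count -gt 1 |
    ForEach-Object {
        [pscustomobject]@{
            IpAddress = $_.Name
            Sources   = ($_.Group.ManagedByService -join ', ')
            Devices   = ($_.Group.DeviceName -join ', ')
        }
    }

# Utilization per range: the same numbers IPAM uses to flag a scope that is filling up.
Get-IpamRange -AddressFamily IPv4 |
    Select-Object NetworkId, StartAddress, EndAddress, ManagedByService, PercentageUtilized |
    Sort-Object PercentageUtilized -Descending
```

Property names on the IPAM objects vary slightly between Windows Server versions; pipe a result through Get-Member if a Select-Object column comes back empty. The duplicate report is worth scheduling: a static address that overlaps a DHCP scope is how a quiet IP conflict, or a rogue host squatting on a server's address, first shows up.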
Then you have Virtualized IP Address Space. This taps into System Center Virtual Machine Manager, which we don’t have here; System Center Virtual Machine Manager is a whole other product you can get. This is also how, if you wanted to pull things in and support Azure, you would do it. This is really where I feel IPAM doesn’t do a great job: they haven’t fully got this supported with Azure yet. If you connect Azure to on-premises and your DHCP servers are handing out addresses to your Azure virtual machines, maybe you’ve connected Azure into your network with a VPN gateway or ExpressRoute or something like that, then you can have IPAM track it, but there’s no way to simply link it. You either have to connect everything to your on-premises network and allow DHCP to hand addresses out to it all, or you have to have System Center Virtual Machine Manager communicating with Azure and pulling in information that way.
So there’s no really easy way of working with this. And I will tell you that supposedly Microsoft is working on something else that will eventually be a more souped-up version, or perform better than IPAM, and actually integrate with Azure, from what I understand.
So that’s something to consider: this technology is probably going to change in the near future.
OK.
From there I can also go down to DNS and DHCP servers. I can see the servers connected here; in my case NYC DC1 is my DHCP and DNS server. I can see my scopes if I want, and DNS zone information.
You can even perform tasks through here: add DNS resource records and so on. That’s the thing to understand about IPAM: it’s about monitoring, but it’s also about managing.
So you have the ability to edit and update things. I can go right here to DHCP Scopes and edit the scope I’ve got here and make changes to it from IPAM.
This is really helpful from a purely on-premises standpoint, where I’ve got lots of DHCP servers and lots of DNS servers across the environment: it’s a way to centrally keep track of everything that’s going on. If you’re using public addresses, maybe ones your ISP has assigned to you, you have the ability to keep track of that here as well and update that information, so you’ve got a public address space and a private address space, if your organization does have some public address space that it’s working with through its ISP. IPv6 is included in that too, even though that’s not really something they’re going to hit you with on the test. Ultimately, the key thing to remember about IPAM is that it’s a central way to gather all your addresses and monitor what’s going on, plus some management tasks, such as being able to edit your scopes, edit your DNS, all of that.
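The monitoring and managing sides together, as an added example that is not from the course: list what IPAM has collected from a managed DHCP/DNS server, change a scope on that server, then pull IPAM's own audit trail of DHCP configuration changes and address assignments. The server name NYC-DC1.corp.example, the scope ID 10.100.0.0, the new lease duration and the address 10.100.0.50 are assumptions; the scope edit itself uses the DhcpServer module, which is what IPAM drives underneath its Edit Scope dialog:

```powershell
# Added example (not the course's code). Run on the IPAM server with rights on the
# managed DHCP server. Server name, scope and address below are assumed.
Import-Module IpamServer
Import-Module DhcpServer

$DhcpServer = 'NYC-DC1.corp.example'
$ScopeId    = [ipaddress]'10.100.0.0'

# Monitoring: scopes and forward zones IPAM has collected from the managed servers.
Get-IpamDhcpScope -AddressFamily IPv4 | Format-Table -AutoSize
Get-IpamDnsZone -ZoneType Forward | Format-Table -AutoSize

# Managing: shorten the lease on the scope (same outcome as Edit Scope in the console).
Set-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId $ScopeId -LeaseDuration (New-TimeSpan -Days 4)
Get-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId $ScopeId |
    Select-Object ScopeId, Name, LeaseDuration, State

# Refresh IPAM's copy of the DHCP configuration and its event collection so the change
# and its audit entry show up (task names assumed; see Get-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\').
Start-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'ServerConfiguration'
Start-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'Audit'

# Auditing: who changed what on the DHCP side in the last hour. IPAM reads these from the
# DHCP server's own event logs, so an edit made directly on the server is listed too.
$since = (Get-Date).AddHours(-1)
Get-IpamDhcpConfigurationEvent -StartDate $since -EndDate (Get-Date) | Format-Table -AutoSize

# Address audit: lease and assignment history for one address, the first question in an
# incident ("which host had 10.100.0.50 at 14:02?"). Property name checked with Get-Member.
Get-IpamIpAddressAuditEvent -StartDate $since -EndDate (Get-Date) |
    Where-Object { "$($_.IpAddress)" -eq '10.100.0.50' } |
    Format-Table -AutoSize
```

The audit views are only as fresh as the last run of IPAM's collection tasks, and they are copies of logs that live on the DHCP servers, so they are a convenient management-plane view rather than a tamper-evident record: for forensics, still pull the original DHCP audit logs from the server.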
Now there is one misconception I do want to stamp out, something people think about IPAM. A lot of people think that because it links to DNS, it’ll actually pull A records and the rest of your DNS records in and gather intelligence from that. That’s not true; it doesn’t do that. What it will do, even though it doesn’t pull all the records in and let you look at them, is associate DNS names with your addresses.
So when you look at the addresses, you can see the DNS names associated with them. But the main point is that it doesn’t collect A records, CNAME records, MX records, PTR records and all the other DNS records we have and pull them into IPAM. It doesn’t do that. It does allow me to see what’s going on: it lets me look at all my DHCP scopes, which is invaluable, I can see the addresses that have been handed out and the ranges I have on my network, and I’ve got an inventory that lets me see everything that’s in use.
So ultimately, IPAM is a powerful system. It isn’t going to be a big part of the exam at all, very little usually, but it can be very powerful in the real world and is definitely something you should play around with, especially if you’re in a larger environment with lots and lots of addresses.
Lastly, once you do set up IPAM, you might want to give it a few more minutes and do a refresh. Once you refresh, if you’ve set up DHCP and all that, you should start noticing that IP Address Blocks, IP Address Inventory and so on start getting populated.
So if I go over here to IP Address Blocks, you can see my 10.100 block, with the 10.100.0.1 through 10.100.0.234 range now showing up under it. Of course, you can manually add static information there by going out here, and I encourage you to try that. You can add public ranges and all that, but you have to register public ranges, which I’m not getting into right now. From there I can see my IP Address Inventory if I’m issuing out addresses, and IP Address Range Groups; right now the range groups just involve my scopes. The other thing I can do here is right-click and edit the IP ranges through this, just like I can down under DHCP Scopes; I can do it up here and it ties to the correct scope on the correct DHCP server, which is really, really nice. Again, I definitely encourage you to play around with this a little bit. It’s a neat technology, and it’s definitely going to be beneficial in larger environments.