IP Address Management (IPAM) is an integrated suite of tools to enable IP address space management, multi-server management of DNS and DHCP and audit and compliance requirements for DNS, DHCP and IPAM. It was introduced in Server 2012 but more recently IPAM’s uptake has increased by administrators and organisations that are excited to have a free and integrated solution. Windows Server 2016 has further enhanced IPAM capabilities to better support multi-server management of Windows DNS.
After being introduced in Windows Server in the 2012 release, IPAM has seen significant feature additions in Windows Server 2012 R2 – namely role based access control, Management of DHCP Failover and DHCP Policies, PowerShell cmdlets and integration with Virtual Machine Manager for private cloud environments. IPAM in Windows Server 2016 has been further enhanced to support critical new capabilities like DNS management, support for multiple AD forests and many others.
Below is a summary of IPAM capabilities
* Integration of IPAM with VMM for IP address space in SDN environments provides complete management, tracking, and planning for IP address space used in physical and virtual networks of an organization.
Technical Summary of 2016 enhancements
The ability to manage DNS zones and resource records across multiple DNS servers is a critical requirement for enterprises. IPAM in Windows Server 2016 can now perform all the DNS management tasks for which the user earlier had to go to DNS Manager. The DNS management tasks which can now be performed in IPAM are:
- Create, delete, modify DNS zones (forward lookup and reverse lookup zones)
- Create, delete, modify DNS resource records (A, AAAA, CNAME, PTR, MX and all other record types supported by Windows DNS server)
- Create, delete, modify conditional forwarders
- Set up zone transfer policy and initiate zone transfer
These operations are supported for both Active Directory integrated DNS and DNS servers which store the zones and records in a file. A DNS zone is typically hosted on more than one DNS server for high availability reasons. When you perform an operation such as creating or modifying a DNS record in a zone, IPAM performs the operation on one of the DNS servers hosting the zone. The zone synchronization mechanism – AD replication in the case of AD integrated zones and zone transfer in the case of file based zones – ensures that the newly created or updated DNS record then exists on all the servers hosting the zone. IPAM provides a setting called “preferred server” for a zone. Any update operation on a specific zone will be performed by IPAM on the preferred server, from which it is then replicated to the other DNS servers.
Integration of DNS data with IP address inventory
IPAM maintains an inventory of IP addresses in the IPAM database. In the IPAM UI, this inventory can be viewed under the IP address space management pivot. Previously, this inventory had to be populated manually or imported from a CSV file. In Windows Server 2016, IPAM reads the DNS records from the DNS servers – including the PTR records. The PTR records are used by IPAM 2016 to populate the IP address inventory, so population of the inventory is now automated. Admins will no longer be required to manually update the IP address inventory or import a CSV file, as long as their reverse lookup zones are kept up to date with PTR records.
Another important capability is that an IP address in the inventory now has a tab for DNS records which lists all the DNS records related to that IP address – this includes A, AAAA, PTR, CNAME, MX, NS and so forth. This is really useful where CNAME, MX and other record types which have an indirect relationship to the IP address are in use.
Role Based Access Control for DNS Management
Role Based Access Control was first introduced in IPAM in Windows Server 2012 R2. With DNS management in IPAM, it was important to support delegation scenarios for DNS administration. An admin should be able to delegate administration of a specific zone for a remote location to the admin at that location, while ensuring that he/she does not have access to other DNS zones and servers. Similarly, a mail administrator should be able to manage only the MX records. With IPAM 2016, customers can achieve these delegation scenarios and give only as much access as the role of a person demands.
Managing DNS and DHCP servers in multiple Active Directory Forests
IPAM 2012 R2 supported management of DNS and DHCP servers in a single Active Directory forest – the forest in which IPAM is deployed. However, many enterprise customers have more than one Active Directory forest in their environment, with DNS and DHCP servers spread across these multiple AD forests, and hence wanted Windows Server IPAM to support management of DNS and DHCP servers in multiple AD forests from a single IPAM console. WS 2016 IPAM says Amen!
PowerShell for Role Based Access Control Tasks
Based on asks from enterprise customers for automation of RBAC tasks, IPAM 2016 adds new PowerShell cmdlets which enable admins to set the access scope on IPAM objects. Admins can set access scopes on IP address objects (IP address space, IP address blocks, IP address subnets, IP address ranges), DNS objects (DNS servers, DNS zones, DNS conditional forwarders, DNS resource records) and DHCP objects (DHCP servers, DHCP superscopes and DHCP scopes). This enables admins to automate the assignment of access scopes to IPAM objects using PowerShell scripts.
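As an added example (not code from the original post), the two delegation scenarios described under Role Based Access Control, scripted with the IpamServer module's access scope cmdlets: a remote-site admin gets only that site's zone and DHCP scopes, and the mail team gets only the MX records. The scope names, zone names, server FQDNs and the object property names used in the final check are placeholders/assumptions, not values from the page.

```powershell
# Added example: delegating IPAM objects with access scopes on an IPAM 2016 server.
# Assumes the IpamServer module is available locally; all names below are placeholders.
Import-Module IpamServer

# 1. Create two child scopes under the built-in \Global root (assumed placeholder names).
Add-IpamAccessScope -Name "Branch-Paris" -Path "\Global" -Description "Paris site DNS/DHCP delegation"
Add-IpamAccessScope -Name "Mail"         -Path "\Global" -Description "MX record administration"

# 2. Remote-site delegation: only the site's forward zone moves to the Paris scope.
#    Every other zone keeps the inherited \Global scope, so the site admin cannot reach it.
Get-IpamDnsZone -ZoneType Forward -ZoneName "paris.corp.example" |
    Set-IpamAccessScope -AccessScopePath "\Global\Branch-Paris"

#    The site's DHCP scopes are delegated the same way (placeholder DHCP server FQDN).
Get-IpamDhcpScope -AddressFamily IPv4 -ServerFqdn "dhcp-paris.corp.example" |
    Set-IpamAccessScope -AccessScopePath "\Global\Branch-Paris"

# 3. Mail-admin delegation: only the MX records of the zone, not the zone object itself.
Get-IpamDnsResourceRecord -ZoneName "corp.example" -ZoneType Forward -RecordType MX |
    Set-IpamAccessScope -AccessScopePath "\Global\Mail"

# 4. Least-privilege check: no non-MX record in that zone should have left the inherited
#    \Global scope. (Property names RecordType/RecordName/AccessScopePath are assumed.)
Get-IpamAccessScope | Select-Object Path, Description
Get-IpamDnsResourceRecord -ZoneName "corp.example" -ZoneType Forward |
    Where-Object { $_.RecordType -ne "MX" -and $_.AccessScopePath -ne "\Global" } |
    ForEach-Object { Write-Warning "Unexpected scope on $($_.RecordName): $($_.AccessScopePath)" }

# 5. Undoing a delegation: put the object back on its parent's (inherited) scope.
# Get-IpamDnsZone -ZoneType Forward -ZoneName "paris.corp.example" |
#     Set-IpamAccessScope -IsInheritedAccessScope
```

Assigning a user or group a role on these scopes is a separate step (Add-IpamAccessPolicy or the IPAM console); check Get-Help Add-IpamAccessPolicy for its parameters on your IPAM version rather than relying on this example.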