10/29/13

Hands-on: IPAM

The first thing to note about IPAM is that you can't put it on a domain controller.  It can oversee multiple domains within a single forest.  IPAM is a feature, not a role.  After installing it on IPAM1.seattle.contoso.local, I installed the client on a domain controller and tried to manage it, but got the delightful error shown in this screenshot.  This was because I was signed in with an enterprise admin account from a parent domain - whoami /groups to the rescue.  Signing in with a domain admin account eliminated the error.  Otherwise, I think that adding my account to the WinRMRemoteWMIUsers group on the IPAM server would've worked too.

Moving back to the IPAM server itself, I set the provisioning method to GPO (instead of manual) and noted that you have to run Invoke-IPAMGPOProvisioning in each domain that you want to manage.

After provisioning, you tell it what domains you want to manage (you still have to use PowerShell to create the GPOs in each domain).  I don't know what effect this step actually has.  Next, you get to "Step 4" which is to manually kick off the ServerDiscovery task in Task Scheduler.  Interestingly, you can't view the details of what this task actually does.

Next up, I ran the Invoke-IPAMGPOProvisioning cmdlet.  This creates three GPOs in the specified domain, letting the IPAM server read event logs, get through the Windows firewall, and create scheduled tasks on the servers that you choose to manage through the IPAM console.

When you go back to the IPAM console and tell it that a discovered server should be managed, that server is added to the newly created GPOs that are attached at the domain level.
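The provisioning and GPO steps above, as an added PowerShell example that is not from the original post: it runs the cmdlet per domain, then reports which computers each of the three GPOs applies to, so you can audit exactly which servers have been opened up to the IPAM server. The domain list and the GPO prefix are assumptions; the server name is the one used in the post.

```powershell
# Added example. Run on the IPAM server with rights to create GPOs in each domain.
$IpamServer = 'IPAM1.seattle.contoso.local'   # IPAM server named in the post
$GpoPrefix  = 'IPAM1'                         # assumption: any prefix you choose
$Domains    = @('seattle.contoso.local')      # assumption: list every domain to manage

foreach ($domain in $Domains) {
    # Must be run once per managed domain; creates <prefix>_DHCP, <prefix>_DNS, <prefix>_DC_NPS.
    Invoke-IpamGpoProvisioning -Domain $domain -GpoPrefixName $GpoPrefix `
        -IpamServerFqdn $IpamServer -Force

    foreach ($suffix in 'DHCP', 'DNS', 'DC_NPS') {
        $name = "${GpoPrefix}_$suffix"
        $gpo  = Get-GPO -Name $name -Domain $domain -ErrorAction SilentlyContinue
        if (-not $gpo) {
            Write-Warning "GPO '$name' was not found in $domain"
            continue
        }

        # Security filtering = trustees holding the GpoApply permission.
        # Servers marked "Managed" in the IPAM console should show up here.
        $appliesTo = Get-GPPermission -Name $name -Domain $domain -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }

        [pscustomobject]@{
            Domain    = $domain
            Gpo       = $name
            Status    = $gpo.GpoStatus
            AppliesTo = ($appliesTo -join ', ')
        }
    }
}
```

Re-running the inner loop after changing a server's manageability status in the console shows whether the security filtering changed as expected.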

Next, you right-click a discovered server and select "Retrieve all server data".  This immediately fires up several tasks in the Task Scheduler:
- Audit: collects events from domain controllers, NPS, and DHCP servers.
- Address Expiry: tracks IP address expiry state and logs notifications.
- ServiceMonitoring: collects DNS zone status events from DNS servers.
- AddressUtilization: collects IP address space usage data from DHCP servers.
- ServerConfiguration: collects configuration info from DHCP and DNS servers.

I found the explanation of these groups in a Microsoft Word document, but it's also listed in the "Description" field of the task.

There's also the ServerAvailability task which "collects status information from DHCP and DNS servers" and the ServerDiscovery task which "automatically discovers domain controllers, DHCP servers and DNS servers in the domains you select".

This is all that I'm going to do with IPAM for now.