IP Address Management (IPAM)

IPAM is a means of planning, tracking, and managing the Internet Protocol address space, where an address space defines a range of discrete addresses used in a network.

IPAM integrates DOMAIN NAME SYSTEM (DNS) and DYNAMIC HOST CONFIURATION PROTOCOL(DHCP) so that each is aware of changes in the other (for instance DNS knowing of the IP address taken by a client via DHCP, and updating itself accordingly). Additional functionality, such as controlling reservations in DHCP as well as other data aggregation and reporting capability, is also common.

IPAM tools are increasingly important as new IPv6 networks are deployed with larger address pools, different subnetting techniques, and more complex 128-bit hexadecimal numbers which are not as easily human-readable as IPv4 addresses. IPv6 networking, mobile computing, and multihoming require more dynamic address management. With IPAM, administrators can ensure that the inventory of assignable IP addresses remains current and sufficient.

IP Address Management (IPAM) in Windows Server 2012 and Windows Server 2012 R2 is an integrated suite of tools to enable end-to-end planning, deploying, managing and monitoring of your IP address infrastructure, with a rich user experience. IPAM automatically discovers IP address infrastructure servers on your network and enables you to manage them from a central interface.

IPAM includes components for:

  1. Address Space Management
  2. Virtual Address Space Management
  3. Multi-Server Management and Monitoring
  4. Network Audit
  5. Role-based access controlVirtual IP address space management is enabled through integration of IPAM with system center virtual machine manager and is available in Windows Server 2012 R2 and later operating systems. This feature is not available with IPAM in Windows Server 2012.

Role-based access control is available in Windows Server 2012 using local user groups on the IPAM server. This feature was significantly enhanced in Windows Server 2012 R2 to include detailed built-in and custom role-based access groups.


Network administrators use IPAM  to update various details about their networks:

  • How much free IP address space exists.
  • What subnets are in use, how large they are, and who uses them.
  • Permanent versus temporary status for each IP address.
  • Default routers that the various network devices use.
  • The host name associated with each IP address.
  • The specific hardware associated with each IP address.


  1. Add the IPAM Role to Window Server 2012 R2
  2. Open Server Manager and add the IPAM server
  3. Open the IPAM node
  4. Using the Quick Start select Provision the IPAM Server


5.Read the information at the start of the Wizard and click Next

6.On the Configure Database screen select to either use the WID or SQL Server, I chose WID and click Nextcipheronic27.On the Select Provisiong Method screen select Group Policy Based and enter a prefix for the IPAM GPOs, I used IPAM, click Next.cipheronic3

8.Read the summary and hit Apply

9.When the wizard has completed read the summary and click Close

10.Back at the IPAM Quick Start select the Configure Server Discovery link

11.Select the domain that we want to add to the discovery scope from the drop down box and click Add, check the types of roles to discover, I checked them all, then click OK.cipheronic412.On the IPAM Quick Start select step 4 Start Server Discovery and wait for the discovery to finish

13.On the IPAM Quick Start select step 5 Select or add servers to manage and verify IPAM access

14.At this point my server said Set Manageability Status with a warning sign. So Right Click the server and select Edit Server.


15.Set it’s status to Managed and check the correct Server Types have been picked up then click OK.

cipheronic616.Next sever showed up as blocked, there are a couple of reasons for this. First we need to make sure the server has the GPOs applied so connect to the server in question.cipheronic717.First check that the GPOs exist, open the Group Policy Management console and visually identifying them – they should have a IPAM_ prefix if you did that earlier

18.If they don’t exist then provision them with this PowerShell, changing the appropriate parameters for your environment.

Invoke-IpamGpoProvisioning -Domain contoso.com -GpoPrefixName IPAM -IpamServerFqdn ipam.contoso.com -DomainController orange-dc.contoso.com

19.Again verify that the GPOs exist

20.Now need to change the security filtering on the IPAM GPOs to include our server so add the servers

cipheronic821.We then need to apply the GPO to our servers using gpupdate / force

22.To be sure the policies have applied we can run gpresult /r and should see the IPAM GPOs listed

cipheronic923.Next we need to allow our IPAM server to view the event logs on our servers so add the IPAM server to the Event Log Readers AD group. I used ADAC but you could use PowerShell like this:

Set-ADGroup -Add:@{'Member'="CN=IPAM,CN=Computers,DC=Contoso,DC=com"} -Identity:"CN=Event Log Readers,CN=Builtin,DC=Contoso,DC=com" -Server:"Orange-DC.Contoso.com"

24.Return to Server Manager to the IPAM node, select the Server Inventory Node, right click the server in question and select Refresh Server Access Status then refresh Server Manager. The status should turn to IPAM Unblocked.