This is the third part in a series that focuses on IPAM. This part will cover IPAM access control, we will take a look at DHCP / DNS administration with IPAM and much more.
Let’s get started.
Now you can’t really have any conversation about any kind of product, Microsoft or otherwise, without having some sort of discussion about access control, and IPAM is no different. We will start with understanding RBAC (Role-Based Access Control) vs Local Administrative Groups
IPAM has two methods for delegated administration. On one hand we have the Local Administrative Groups that are on the IPAM server itself.
Local Administrative Groups
This is what I would call an old school management approach where these groups have user rights of sorts attached to them by default, by the IPAM server, and to give someone a lower level of administrative access to IPAM is as easy as adding their domain user account to the appropriate groups. You will notice right away that this isn’t particularly flexible or scalable because there is no way for us to give special permissions like administering just one DNS zone or specific DNS Record.
Role Based Access Control (RBAC)
The core concept of RBAC is what you can do and where you can do it. With RBAC you can do certain stuff but you can only do it in a specific backyard. For example we can grant permissions to only create and delete DNS records in one specific DNS zone or to only create scopes or maybe to only create specific DNS records.
RBAC consists of three related components.
- ROLES –> are collections of privileges. They specify the tasks that can be performed, in another words what user will be able to do. For example: Manage specific DNS zone, record, DHCP scope etc.
- ACCESS SCOPES –> determine how far and wide a particular role can go in the server. Can they go just with DNS, just with NPS, just with DHCP? Can they only do auditing? It gives you more flexibility than when just we use the local administrative groups. So if the Role is the what, the Access Scope is the where. For example: dns servers, zones dhcp server etc.
- ACCESS POLICIES –> are the combination of roles and access scopes.
All Built-in roles have global access scope assign to them which means that there is a list of tasks that you can perform and you can perform it over any server, zone, scope that IPAM can manage. That is what GLOBAL means.
IPAM DHCP Reservation Administrator Role, IPAM DHCP Scope Administrator Role, DNS Record Administrator Role are self-explanatory so I am not going to focus on those.
- IPAM DHCP ADMINISTRATOR ROLE – These guys can completely manage any DHCP server, any scope, reservation etc. that IPAM can manage.
- IP ADDRESS RECORD ADMINISTRATOR ROLE – provides permissions to manage IP addresses including finding any unallocated IP addresses, creating and deleting other IP address instances.
- IPAM ASM ADMINISTRATOR ROLE – These are address specialists. Think for A, the address space management, ASM. These are individuals, perhaps help desk people, which have the ability to completely manage IP addresses, IP address blocks, ranges, spaces, subnets. So if you want to allow someone to do anything with IPAM IP address, this is the role to assign.
- IPAM MSM ADMINISTRATOR ROLE – The MSM Administrators, that’s Multi-server Management, these are very powerful sub-administrators, almost as powerful as the IPAM administrators, but MSMs are concerned with the servers themselves, not the IP address space and all of the reporting stuff, but just maintaining the care and feeding of your DHCP servers, your DNS servers, etc.
- IPAM ADMINISTRATOR ROLE – these individuals have full control over all of the IPAM features, as well as the servers that are contained in the IPAM discovery scope.
- IPAM DNS ADMINISTRATOR ROLE – These guys can completely manage any DNS server, any zone, record etc. that IPAM can manage.
Just to mention that IPAM Users Local Group is the lowest on the delegated administration list. It just have read-only access to IPAM in general.
If you click on one Role and if you scroll down you can see all of the rights that are associated with the specific role.
If none of these roles provide exactly what you’re looking for, you can create your own custom user roles that then go further into specifically determining exactly what actions that person should be able to do. Just to point that built in roles cannot be edited or deleted.
Now, let’s assume, for example, that we have a user, that is a very low-privileged user, and we don’t want that person to have full administrator access to IPAM, nor do we want him to have full administrator access to all of the DNS stuff that exists in our infrastructure. Well, when we want lock things down a little bit further, we can do so with creating User Role. That will be our first step.
To create your own role click on Tasks and select Add User Role
Give it a name, in my case DNS Records Admin. I don’t want to allow this role to have anything to do with DNS Zones, I just want to give the ability to manage records. Scroll down until you came to the DNS Resource Record Management Operations and select what you want that user to be able to manage. In my case A, AAAA and CNAME records. Once done, click OK
Here is the role. Step one is completed.
Our next step is to create our own custom Access Scope. The idea here is to give the user ability to only manage certain records for only one zone. To create new access scope you can either right-click on access scopes in List View or click on Tasks and select Add Access Scope
When we create an Access Scope, we start first by actually creating a name for the Access Scope. Click on New and give it a name and click on ADD and OK to close the window.
Our new Access Scope will pop-up in Access Scopes View
This HelsingborgDNS Access Scope right now doesn’t really do anything. We have to define where this will apply. To do that click on DNS Zones and right-click on your zone where you want to apply this and select Set Access Scope
I can choose to remove it from its parent Access Scope, and then define it here for the new HelsingborgDNS scope that we just created. So, what this means is that people in the Global scope can make use of it, and then now people in the HelsingborgDNS scope can use it as well.
That’s it. Now we need to go back to Access Control and then choose Access Policies, and here is where I kind of glue everything together. Right-Click on Access Policies and select Add Access Policy
It’s here where I can define what the user or group will be. Click on ADD and add User Alias. I have one user IPAM_SVC which I will add here
(Just to point here, be sure to add user into IPAM Users local group to avoid access denied error message when you try to administer it remotely from client machine)
When that is done click on New in Access Settings.
It is here where we glue this group to the setting that we created before. So that setting will be the Role, so in my case it will be the DNS Records Admin Role, and then scope down to just the HelsingborgDNS. That takes everything and links it altogether. Click ADD Setting and OK to close the wizard.
That’s it. We have configured RBAC for IPAM and user who have that particular access policy will be able to manage specific DNS record types in mehic.se zone.
OBS!!! Just to be sure that you understand when you configure permissions in IPAM, you are limiting access only through IPAM. It will not limit access to the dns server itself. You will need to block access to dns server so that the only way of managing it is through IPAM.
MANAGE DHCP WITH IPAM
As I said before, one of the great things about IPAM is that you can use it as a meta management solution for all of your DHCP servers. I will not go too much in detail, I just want to show you that you can configure everything from one pane of glass.
Click on DNS and DHCP Servers.
If I right click on the role here for example DC02 (DHCP), you’ll see there are a variety of additional configurations for DHCP, and a much smaller set of configurations for my DNS server, that allows me to just tell that DHCP server to accomplish certain things, like configuring server properties, creating a scope, user class, or a policy, or whatever.
If I’m experiencing a problem, I can come down to the bottom area, and do some troubleshooting by looking at the Event Catalog. These are, again, the specific events that have to do with DHCP, or DNS, so to give us a better idea of what actual activities are going on for the servers, and something that’s available that can be done here as well.
Let’s click now on DHCP Scopes and right-click on one scope. You will see Duplicate DHCP Scope. With this option we can duplicate scope and put in on another server and this is a great way of migrating dhcp scope. Imagine that you need to decommission the dhcp server and you need to move all the scopes of that server, IPAM is a really good tool to do it.
Let’s duplicate one of our scopes. Right-Click on the scope you would like to duplicate and select duplicate dhcp scope. I will choose Scope 4 which is on my DC02.
In the General Proporties, I will choose my second server DC01 and type in start and end IP address.
Scroll down and modify settings if needed and click ok.
Here it is. Now we have Scope for on second DHCP server.
Let’s configure DHCP failover. Right click on the scope and select Configure DHCP Failover
Select Partner Server for the scope, give the relationship a name and create a secret
Scroll down and choose the mode. In my case it will be Load Balance 50-50. Once done click OK
If you would like to configure Superscope you would need to mark 2 scopes and right-click on one of them and select Add to DHCP Superscope
It is important that you play with this so that you get familiar with different options you can configure through IPAM.
FIND AND ALLOCATE AVAILABLE IP ADDRESSES
To manage our IPAM collections, there is a variety of different tasks that are just context menu items that exist off of the individual ranges you’ve created. So let’s say, for example, that I need to go in and grab a new address for a machine that I’m putting into my server net. Well, in the old days, I’d have to take a look at spreadsheet, but now that I have my IPAM database, the process to request, and actually receive a new address, happens very simply by right clicking on the range, and choosing to find and allocate an available IP address.
Now you’ll notice what happens here. We are taking a look at the next available address 10.52.99.61. We can see that there’s no Ping Reply, in other words, that there’s nobody using this address, and there’s no DNS record so that IP address will be good.
If you see the ping reply or the DNS record, click on Find Next to check second address and this process gives us the ability to continue marching down the path to find the addresses that is available for you to use.
You might be saying to yourself, well wait a minute, why do I have to go through just clicking the Find Next button over and over again until I get the next available address? If you think about the range that we’ve created, the whole point behind this range is that the addresses in that range are probably best when they’re actually managed by IPAM, and so the idea here is that with all of those addresses already managed by IPAM, you’ll need to continuously click the Find Next button won’t happen that often because IPAM will simply find the next available address according to its view of the world, and see if that address is not otherwise consumed by some other machine. The fact that you need to do this twice, or maybe three times, indicates that you have got some machines that perhaps are not managed by IPAM, and maybe don’t belong in particular subnet.
With 10.52.99.61 I can continue by just adding in all the other information just like I did before, the MAC address, who it’s managed by, the name, the client ID, the DNS record synchronization, and all the other stuff that I would need in order to create an additional record here in my IPAM database.
Every so often you’ll find yourself just needing to reclaim some addresses. There actually is a reclamation ability in IPAM by right clicking on range and choosing to reclaim IP addresses.
This process allows us to go through and reclaim the IP addresses we’re no longer using, and even delete the resource records and any DHCP reservations that exist associated with those records as well.
MANAGE DNS WITH IPAM
In a previous versions of IPAM there was not much DNS functionality. The version that comes with Windows Server 2016 builds on that. In terms of limitations there is a very limited amount you can do in terms of configuring DNS Server properties. You are very much managing things at the node level and at the record level.
One of the first things you can do with IPAM which is realy useful is you can see properties of each DNS server in your organization. You can see how they are configured from a single pane of glass.
Remember that IPAM can manage DNS and DHCP servers only if they are members of a domain. If you have a DNS server in a perimiter network then you will not be able to manage it with IPAM.
Let’s see for example how we can create a new zone. Click on DNS and DHCP servers node, right-click on your DNS server and select Create DNS Zone
Create DNS Zone wizard will pop-up. In the Zone Category and Zone Type I will leave the defaults and under Zone name I will type in carrera.mehic.se. We have the Advanced Properties as well and I will leave the defaults there as well. It is very easy to configure this in IPAM. Once done, click ok
You will notice that Zone Status will show No Data and you will see Unknown as well. That means that zone is not updated yet.
Click on DNS and DHCP Servers, right-click on your DNS server and select Retreive Server Data.
Go back to DNS Zones and refresh the page and you will see that the zone is updated now.
Now we can go and configure the zone, add records, edit the zone etc. I will not go much in detail here. It is important to play with this and configure zones and records to get use to it.
That’s it. In our last part (Part 4) we will take a look at IPAM Auditing, IPAM Database Storage and Management, IPAM Backup, Migration to SQL server etc.