Configure DHCP Name Protection - Configuring DHCP and IPAM

DHCP name protection is an additional configuration option that you should consider when working with DHCP in your environment. Name protection prevents the name of a DHCP-leased machine from being overwritten by another machine with the same name during DNS dynamic updates: you configure a Windows Server 2022 DHCP server to verify and update the DNS records of a client machine during the lease renewal process. If the DHCP server detects that a machine’s DNS A and PTR records already exist in the environment when a DHCP update occurs, the update for that client machine fails, which ensures that the existing server’s name is not overwritten. There are just a few simple steps needed to configure DHCP name protection. Exercise 6.12 will walk you through these steps.

EXERCISE 6.12

Enabling DHCP Name Protection
  1. Open the DHCP Management Console.
  2. Right-click IPv4 and select Properties.
  3. The Server Properties dialog box appears. Click the DNS tab.
  4. Verify that Enable DNS Dynamic Updates According To The Settings Below is selected, and verify that the radio button labeled Dynamically Update DNS A And PTR Records Only If Requested By The DHCP Clients is selected.
  5. Verify that Discard A And PTR Records When Lease Is Deleted is selected. If it’s not, then select it.
  6. Click Configure under Name Protection, and select Enable Name Protection.
  7. Click OK twice to complete this exercise.
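The same three settings from steps 4 to 6 can be applied and verified from PowerShell with the DhcpServer module. This is an added example, not part of the book's exercise; the server name is a placeholder and the check targets the IPv4 server-level DNS settings (per-scope settings would use the same cmdlet with -ScopeId).

```powershell
# Added example (not from the book): PowerShell equivalent of Exercise 6.12.
# Run on, or remotely against, a Windows Server 2022 DHCP server.
# Assumption: the target server name below is a placeholder; replace it.

$DhcpServer = 'dhcp01.corp.example'   # placeholder, not a real host from the book

# Steps 4, 5 and 6 in one call: update A/PTR only when the client requests it,
# discard the A and PTR records when the lease is deleted, and turn on
# name protection so a second client cannot take over an existing name.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates OnClientRequest `
    -DeleteDnsRROnLeaseExpiry $true `
    -NameProtection $true

# Verification: read the settings back and compare each one with what
# the exercise expects, so drift is visible at a glance.
$settings = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
$expected = [ordered]@{
    DynamicUpdates           = 'OnClientRequest'
    DeleteDnsRROnLeaseExpiry = $true
    NameProtection           = $true
}
foreach ($name in $expected.Keys) {
    $actual = $settings.$name
    $state  = if ("$actual" -eq "$($expected[$name])") { 'OK' } else { 'MISMATCH' }
    '{0,-26} {1,-16} {2}' -f $name, $actual, $state
}
```

Name protection is implemented with DHCID records: the DHCP server registers a DHCID alongside the client's A and PTR records, and a later update for the same name from a different client is refused because its DHCID does not match. The verification loop is worth keeping in a scheduled job, since these settings are easy to reset from the GUI without anyone noticing.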

Understanding IPAM

One of the great features of Windows Server 2022 is the IP Address Management (IPAM) utility. IPAM is a built-in utility that allows you to discover, monitor, audit, and manage the TCP/IP schema used on your network. IPAM provides you with the ability to observe and administer the servers that are running the Dynamic Host Configuration Protocol (DHCP) and the Domain Name System (DNS). IPAM includes some of the following advantages:

Automatic IP Address Infrastructure Discovery IPAM has the ability to discover automatically the domain’s DHCP servers, DNS servers, and domain controllers. IPAM can do the discovery for any of the domains you specify. You also have the ability to enable or disable management of these servers using the IPAM utility.

Management of DHCP and DNS Services IPAM gives you the capability to monitor and manage Microsoft DHCP and DNS servers across an entire network using the IPAM console. IPAM allows you to configure tasks as simple as adding a resource record to DNS or as complex as configuring DHCP policies and failover servers.

Custom IP Address Management You now have the ability to customize the display of IP addresses and tracking and utilization data. IPAM allows the IP address space to be organized into IP address blocks, IP address ranges, and individual IP addresses. To help you organize the IP address space further, built-in or user-defined fields are also assigned to the IP addresses.

Multiple Active Directory Forest Support You can manage multiple Active Directory forests using IPAM as long as there is a two-way trust between the two forests. There may be times when an organization needs to have multiple forests in its structure or when a company purchases another company. Once both forests are connected by a trust, you can manage both companies’ IP services through one application.

Purge Utilization Data You now have the ability to reduce the size of the IPAM database. This is done by purging the IP address utilization data older than the date that you specify.

Auditing and Tracking of IP Address IPAM allows you to track and audit IP addresses through the use of the IPAM console. IPAM allows IP addresses to be tracked using DHCP lease events and user logon events. These events are collected from the Network Policy Server (NPS) servers, domain controllers, and DHCP servers. You can track IP data by following the IP address, client ID, hostname, or username.

PowerShell Support Windows Server 2022 now allows you to manage access scopes on IPAM objects using PowerShell commands.

As an administrator, you should understand a few things before installing the IPAM feature. There are three main methods to deploy an IPAM server:

Distributed This method allows an IPAM server deployment at every site in an enterprise network.

Centralized This method allows only one IPAM server in an enterprise network.

Hybrid This method uses a central IPAM server deployment along with dedicated IPAM servers at each site in the enterprise network.

Installing IPAM

Now that I have started explaining what IPAM can do for your organization, the next step is to install IPAM. When you are thinking of installing IPAM, there are a few considerations that you must think about. So, let’s start with looking at the hardware and software requirements needed for IPAM.

IPAM Hardware and Software Requirements

So, let’s start with the main requirement. IPAM must be loaded onto a Windows Server. Since this is a Windows Server 2022 book, I would recommend that you use Windows Server 2022. But you can load IPAM onto a Windows Server 2008 or higher system.

You can also load an IPAM client (this allows you to remotely operate IPAM) onto any Windows 7 or higher system. Before the IPAM client can be used, you must first install the Remote Server Administration Tools (RSAT). You need to make sure that you install the proper version of RSAT based on the version of Windows that you have installed.

Your network needs to be a domain. Workgroup networks are not supported by IPAM. So the server that you decide to install IPAM onto needs to be part of a domain, but it can’t be a domain controller. Domain controllers are servers that are part of a domain and have a copy of the Active Directory database. When you install IPAM, you have to load it on a member server.

IPAM will work on both an IPv4 and IPv6 network. The member server that you install IPAM onto must be able to see and connect to the other servers on your network. If the IPAM server is not able to access the other servers (like Microsoft DNS and Microsoft DHCP), the IPAM server will not be able to help monitor and maintain these servers.

One of the advantages of IPAM is that the IPAM server will automatically discover other servers on your network. Server discovery requires the IPAM server to be able to access at least one domain controller and an authoritative DNS server.

Microsoft’s best practice is to place IPAM on its own server. You should not put the IPAM server on a server with other network services like DNS or DHCP. For example, DHCP server discovery will be automatically disabled if you install IPAM and DHCP onto the same server.

This makes IPAM a good candidate for virtual machines or containers. By using a virtual machine or container for the IPAM installation, you don’t give up all of the hardware resources of a powerful server for just one feature. Some other IPAM specifications and features are as follows:

  - Server discovery for IPAM is limited to a single Active Directory forest.
  - IPAM can manage DNS and DHCP servers belonging to a different AD forest as long as a two-way trust relationship is set up between your forest and the other forest. The servers in the other forest will need to be manually entered into IPAM.
  - IPAM only works with Microsoft servers (domain controllers, DHCP, DNS, and NPS) using Windows Server 2008 and above.
  - IPAM only supports Microsoft-based systems. IPAM does not support non-Microsoft network devices.
  - IPAM only supports Windows Internal Database (WID) or SQL Server. Other database engines are not supported.
  - Windows Server 2022 IPAM now supports /31, /32, and /128 subnets.
  - Windows Server 2022 IPAM now supports DNS resource records, conditional forwarders, and DNS zone management for both primary zones and Active Directory integrated primary zones.
  - You can now purge IP address utilization data, thus reducing the size of the IPAM database.

So let’s go ahead and install the IPAM feature. Exercise 6.13 will show you how. You will install and configure the IPAM feature using Server Manager. Remember, this exercise has to be done on a member server.
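Before running the Server Manager exercise, the requirements listed above (domain member, not a domain controller, not co-located with DHCP, and able to reach a domain controller and an authoritative DNS server) can be checked from PowerShell. The script below is an added example, not part of the book or of Microsoft's IPAM tooling; it discovers the domain and a domain controller at run time, so nothing is hard-coded, and only proceeds to install the feature when every check passes.

```powershell
# Added example (not from the book): pre-installation checks for the IPAM
# requirements described in this section, followed by the feature install.
# Run in an elevated PowerShell session on the intended member server.
# Assumption: the computer is already joined to the domain it should manage.

$cs = Get-CimInstance Win32_ComputerSystem
$os = Get-CimInstance Win32_OperatingSystem
$problems = @()

# Requirement: the server must be a domain member; workgroups are unsupported.
if (-not $cs.PartOfDomain) {
    $problems += 'Server is not joined to a domain (workgroups are unsupported).'
}

# Requirement: member server only. Win32_OperatingSystem.ProductType 2 = domain controller.
if ($os.ProductType -eq 2) {
    $problems += 'Server is a domain controller; IPAM must be installed on a member server.'
}

# Best practice: do not co-locate IPAM with DHCP, or DHCP server discovery is disabled.
if ((Get-WindowsFeature -Name DHCP).Installed) {
    $problems += 'The DHCP Server role is installed here; DHCP discovery would be disabled.'
}

# Requirement: server discovery needs a reachable DC and an authoritative DNS server.
if ($cs.PartOfDomain) {
    $domain = $cs.Domain

    # Locate a DC through the standard _ldap._tcp.dc._msdcs SRV record.
    $dcSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'SRV' | Select-Object -First 1
    if (-not $dcSrv) {
        $problems += "No domain controller SRV records found for $domain (DNS or AD unreachable)."
    } elseif (-not (Test-NetConnection -ComputerName $dcSrv.NameTarget -Port 389 -InformationLevel Quiet)) {
        $problems += "Domain controller $($dcSrv.NameTarget) does not answer on LDAP/389."
    }

    # The SOA record tells us an authoritative DNS server for the domain exists and answers.
    $soa = Resolve-DnsName -Name $domain -Type SOA -ErrorAction SilentlyContinue
    if (-not $soa) {
        $problems += "Could not resolve the SOA for $domain (no authoritative DNS server reachable)."
    }
}

if ($problems) {
    Write-Warning ("IPAM prerequisites not met:`n - " + ($problems -join "`n - "))
    return
}

# All checks passed: install the IPAM feature and its management tools.
Install-WindowsFeature -Name IPAM -IncludeManagementTools
```

After the feature is installed, the server still has to be provisioned (IPAM's GPO-based provisioning is driven by the Invoke-IpamGpoProvisioning cmdlet), which is the configuration part that Exercise 6.13 covers through Server Manager.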
