Sunday, January 27, 2013 6:31 PM
I have deployed IPAM in a test environment and for the life of me cannot get it to function at all.
My setup is like this: 8x Server 2012 virtual machines. Single forest, single domain, single site. The servers involved in the IPAM setup are DC1 and DC2, which are also DNS and DHCP servers. Then there is IPAM1, which is the IPAM server, as well as MS1, a management server that has the IPAM client feature installed. I have domain isolation set to require inbound, request outbound, but there is also an exclusion rule for the IP address range that contains the servers so they don't have to authenticate (I have found that doing otherwise breaks many more things). I have verified these connection rules are propagated to all servers correctly. And everything else works except for IPAM.
I used the GPO provisioning method following the guide here:
I did everything in the IPAM install section of that guide, in the order specified. I created the GPOs using the PowerShell command from the IPAM1 server. I waited a few minutes and ran gpupdate /force. I rebooted both DC1 and DC2. I get the status of "Unblock IPAM Access", and DHCP RPC Access: Blocked, DHCP Audit Share Access Status: Blocked, DNS RPC Access Status: Unblocked, Event Log Access Status: Blocked (DNS). The same status for both DC1 and DC2.
I have verified that the GPOs exist and are named correctly. DC1 and DC2 are listed on all 3 GPOs in the security filtering section. I logged on to both DC1 and DC2 and verified that the firewall rules from the GPOs had been created. I verified that both DC1 and DC2 were members of the IPAMUG group, and that the IPAMUG group was a member of the domain Event Log Readers group. I verified that the IPAM Server inbound rule existed on the IPAM1 server. It doesn't matter if I use the IPAM client from the IPAM1 or MS1 servers.
When I run a Group Policy Results query, it shows that the GPOs are applying to DC1 and DC2 to create the firewall rules, but it also shows an AD/Sysvol version mismatch on all the IPAM GPOs. I've checked and they are synced correctly, so I don't know why it is showing this. It doesn't seem to affect it, as the policy is still being applied to both servers.
I read some other guides that used a simpler PowerShell command, simply Invoke-IPAMGpoProvisioning without any switches. I completely removed IPAM and set it up again using the simpler PowerShell command. After this I verified all the same GPOs, firewall settings and group memberships. Everything looks correct. I have run gpupdate many times on both DC1 and DC2. I have rebooted them. I've done everything short of manually creating everything, but since I can see all the firewall rules and group memberships, I think the GPO provisioning method is better because it is more automated, so I'd rather stick with the GPO method.
What am I doing wrong? What have I missed?
Thursday, January 31, 2013 5:49 AM (Moderator)
Thank you for the post.
I'd like to confirm whether you have installed the IPAM feature on a DHCP server. This is not recommended.
Nick Gu - MSFT
Friday, February 01, 2013 11:17 AM
I created a Wiki topic to help with this. See http://social.technet.microsoft.com/wiki/contents/articles/15494.ipam-unblock-a-managed-domain-controllerdns-server.aspx.
Your problem is most likely that you need to run the IPAM ServerDiscovery task and then refresh the console.
Nick is also right that it isn't recommended to install IPAM on a DHCP server, as this causes problems discovering other DHCP servers. You also need to add permission for Network Service instead of IPAMUG to enable the DHCP Users and Event Log Readers permissions.
- Marked As Answer by bilbo-baggins Friday, February 01, 2013 5:10 PM
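As an added example that is not code from this thread, from the linked wiki, or from Microsoft: the checks the original poster describes doing by hand (GPO existence and AD/SYSVOL version agreement, the delivered firewall rules on each DC, and IPAMUG / Event Log Readers membership), scripted in PowerShell from the IPAM server, followed by the ServerDiscovery step the accepted answer calls for. Assumptions, all chosen for illustration: the domain is corp.example.com, the provisioning prefix is IPAM, the IPAM server is IPAM1 and the managed DCs are DC1 and DC2; the GPO suffixes (_DHCP, _DNS, _DC_NPS), the firewall display groups and the scheduled-task path \Microsoft\Windows\IPAM\ are the Windows Server 2012 defaults as I recall them, so confirm them in your own environment with Get-GPO, Get-NetFirewallRule and Get-ScheduledTask before relying on the output.

```powershell
# Added example (not from the original thread). Run on the IPAM server with an
# account that can edit GPOs, read AD group membership and use WinRM on the DCs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain     = 'corp.example.com'   # assumption
$GpoPrefix  = 'IPAM'               # assumption: -GpoPrefixName used at provisioning
$IpamFqdn   = "IPAM1.$Domain"      # assumption
$ManagedDCs = 'DC1', 'DC2'         # assumption

# 1. Provision (or re-provision) the IPAM GPOs. Re-running against the same prefix
#    updates the existing GPOs rather than creating duplicates.
Invoke-IpamGpoProvisioning -Domain $Domain -GpoPrefixName $GpoPrefix -IpamServerFqdn $IpamFqdn

# 2. Confirm each IPAM GPO exists and that its AD (DS) and SYSVOL versions agree.
#    This is the same comparison the Group Policy Results "version mismatch" warning makes.
foreach ($suffix in 'DHCP', 'DNS', 'DC_NPS') {        # assumption: default suffixes
    $gpo = Get-GPO -Name "${GpoPrefix}_$suffix" -Domain $Domain -ErrorAction Stop
    $ds  = $gpo.Computer.DSVersion
    $sv  = $gpo.Computer.SysvolVersion
    $state = if ($ds -eq $sv) { 'OK' } else { 'MISMATCH (check SYSVOL replication / GPT.INI)' }
    '{0}: DSVersion={1} SysvolVersion={2} {3}' -f $gpo.DisplayName, $ds, $sv, $state
}

# 3. On each managed DC, list the inbound rules from the groups the IPAM GPOs enable,
#    reading the ActiveStore so GP-delivered rules are included, and show which GPO
#    delivered each one (PolicyStoreSource). A rule that is missing or Enabled=False
#    explains a "Blocked" status in the IPAM console for that access type.
$ruleGroups = 'DHCP Server Management', 'DNS Service', 'Remote Event Log Management',
              'Remote Service Management', 'File and Printer Sharing'   # assumption
foreach ($dc in $ManagedDCs) {
    "--- Firewall rules on $dc ---"
    Invoke-Command -ComputerName $dc -ArgumentList (,$ruleGroups) -ScriptBlock {
        param($groups)
        Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound |
            Where-Object { $groups -contains $_.DisplayGroup } |
            Select-Object DisplayGroup, DisplayName, Enabled, PolicyStoreSource
    } | Format-Table -AutoSize
}

# 4. Group membership: each DC computer account must be in IPAMUG, and IPAMUG must be
#    in the domain's Event Log Readers group. Computer SamAccountNames end in '$'.
$ipamugMembers = Get-ADGroupMember -Identity 'IPAMUG' -Recursive |
                 Select-Object -ExpandProperty SamAccountName
foreach ($dc in $ManagedDCs) {
    '{0} in IPAMUG: {1}' -f $dc, ($ipamugMembers -contains "$dc$")
}
$elrMembers = Get-ADGroupMember -Identity 'Event Log Readers' |
              Select-Object -ExpandProperty SamAccountName
'IPAMUG in Event Log Readers: {0}' -f ($elrMembers -contains 'IPAMUG')

# 5. Force a policy refresh on the DCs, then run the IPAM ServerDiscovery task so the
#    console re-evaluates access status. Assumption: IPAM registers its tasks under
#    \Microsoft\Windows\IPAM\ on the IPAM server; list them with
#    Get-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' if the name differs.
Invoke-GPUpdate -Computer $ManagedDCs -Force -RandomDelayInMinutes 0
$taskPath = '\Microsoft\Windows\IPAM\'
Start-ScheduledTask -TaskPath $taskPath -TaskName 'ServerDiscovery'
do {
    Start-Sleep -Seconds 5
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName 'ServerDiscovery'
} while ($task.State -eq 'Running')
'ServerDiscovery finished; last result: {0}' -f (Get-ScheduledTaskInfo -InputObject $task).LastTaskResult
# Then refresh the IPAM console (Server Manager > IPAM > Server Inventory) to see the new status.
```

Invoke-GPUpdate -Computer accepts one computer at a time in some module versions; if it rejects the array, loop over $ManagedDCs instead. Step 3 is also the quickest way to tell whether the "Blocked" status is a firewall problem (rule missing or disabled on the DC) or a permissions problem (rules present but group membership or the Network Service grant from the accepted answer is missing).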
Friday, February 01, 2013 5:10 PM
The DNS/DHCP servers are the ones I am monitoring. IPAM1 is a dedicated IPAM server.
I followed Greg's link and it is working now. Thanks!!