IPAM - Unblock access to a DC?

  • Question

  • I am trying to test out the IPAM feature in the 2012 beta. Here is my setup:

    3 DCs total, 2 are running MS DNS server

    2 DHCP servers

    Total of 5 different servers, all Server 2008 SP2.

    I can get IPAM talking to my DHCP servers and they show up as "IPAM Access Unblocked" and can pull data from them just fine.

    My two DCs with DNS can retrieve data, but still show as "Unblock IPAM Access". My third DC also shows "Unblock IPAM Access."

    I am not using GPOs to configure things and have added the proper accounts to the required groups, but my DCs still behave as if there is no access to them. The instructions say to add the IPAM computer account to the "Event Log Viewer" local group on the DCs, but since they're DCs there are no local groups. I instead added the account to the domain group of the same name. If I check the group membership on the DC from the command line I can see the IPAM computer account is listed.

    Is there something that I'm missing on my DCs?

    Thanks in advance.

    Tuesday, July 17, 2012 8:26 PM

All replies

  • Hi DerrickSpringer,

    Thanks for posting here.

    > but my DCs still behave as if there is no access to them.

    Do you mean the IPAM server is still unable to get the address information from the test servers even though they are shown as unblocked in the console?

    But according to the TLG, it should be “Event Log Readers”, not “Viewer”:

    http://download.microsoft.com/download/D/9/A/D9AFB562-646D-42CF-B3AC-5A1C8BFE2396/Windows_Server_8_Beta_Test_Lab_Guide_Demonstrate_IPAM.docx

    I’d suggest configuring the clients with Group Policy if that is possible.

    Thanks.


    Tiger Li


    Tiger Li

    TechNet Community Support

    Wednesday, July 18, 2012 8:33 AM
  • Hi Derrick,

    The process to manually (not GPO based) unblock a DNS/DC server is:

    1. Enable DNS RPC access by enabling the following inbound Firewall rules:

       a) DNS Service (RPC)

       b) DNS Service (RPC Endpoint Mapper)

    2. Enable remote management access by enabling the following inbound Firewall rules:

       a) Remote Service Management (RPC)

       b) Remote Service Management (RPC-EPMAP)

    3. Enable Remote Event Log Management RPC access by enabling the following inbound Firewall rules:

       a) Remote Event Log Management (RPC)

       b) Remote Event Log Management (RPC-EPMAP)

    4. Add the IPAM machine acct to the Event Log Readers domain security group. See the example below. This view is from Active Directory Users and Computers \ contoso.com \ Builtin \ Event Log Readers:

    Also, there should be a Details tab at the bottom that summarizes whether or not the correct firewall ports and the Event Log Access status are unblocked. Does this say that one or both are blocked?

    Thanks,

    -Greg



    Wednesday, July 18, 2012 7:25 PM
  • Greg,

    The DNS access is unblocked, that was no problem. On my two DC/DNS servers I get "DNS RPC Access Status:" as "Unblocked" and I am able to pull the DNS information just fine.

    On the same servers as well as my DC-only server I still get "Event Log Access Status:" as "Blocked (DC, DNS)" and "Blocked (DC)", depending on the server.

    The computer account of the server is already a member of the domain builtin group "Event Log Readers". I have verified this by running << net localgroup "Event Log Readers" >> from the command line of my DC. It shows the computer account of the 2012/IPAM server listed as the only member of the group.

    Additionally we have the firewalls turned off on the DCs, so I'm guessing that the rules shouldn't matter?

    Friday, July 20, 2012 12:00 AM
  • Hi Derrick,

    I'm attempting to reproduce the problem. Can you tell me what user account you are logged in with on the IPAM server? Is it <domain>\Administrator?

    Thanks,

    -Greg

    Friday, July 20, 2012 6:59 PM
  • Hi Greg,

    No, we do not use the builtin admin for the domain for anything. I am using an account that is a member of domain admins and enterprise admins. We're a single domain in a single forest, a very straight-forward setup.

    This is the same account that I have used in the past to install everything (join systems to the domain, install Exchange, do schema extensions, etc.) so I have never run into any situation yet that the logged-in account doesn't have enough access.

    Thanks,

    -Derrick

    Friday, July 20, 2012 11:44 PM
  • Hi Derrick,

    I forgot a setting. Have you granted the computer acct for the IPAM server read access in the ACL maintained by the following registry key on the DNS server? This is mentioned in the in-box help file.

    MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD

    You have to edit this string and add the SID for the IPAM server. Sorry this is a bit onerous. To get the SID on a DC running Server 2012 you would issue "Get-ADComputer <your IPAM server name>", but this doesn't work on a member server (the IPAM server) unless AD WS (Web Services) is also installed on the DC. So, to find the SID of the IPAM server just open regedit and search for the value "sidstring." Make sure you limit the search to only values:

    When you have the string, add it to the end of the registry key I mentioned above on your DNS server by entering a new parenthesis with A;;0x1;;; prefaced to the IPAM server's SID. An example is below:

    I hope this helps,

    -Greg


    Tuesday, July 24, 2012 1:17 AM
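A scripted form of the manual (non-GPO) unblock steps Greg lists in his two replies above: the six inbound firewall rules, the Event Log Readers membership, and the (A;;0x1;;;SID) ACE appended to the DNS Server log's CustomSD. This is an added example, not code from the thread or from Microsoft; the IPAM server name IPAM01 is a placeholder, and Enable-NetFirewallRule assumes the DC runs Server 2012 or later (the netsh equivalent for 2008 is in a comment).

```powershell
# Added example: run in an elevated PowerShell session on the DC/DNS server itself.
# Assumptions: 'IPAM01' is a placeholder for the IPAM server's computer name;
# the ActiveDirectory module is available on the DC.
$IpamServer = 'IPAM01'

# Steps 1-3: enable the inbound rules for DNS RPC, remote service management
# and remote event log management, exactly as named in the reply.
$rules = @(
    'DNS Service (RPC)',                 'DNS Service (RPC Endpoint Mapper)',
    'Remote Service Management (RPC)',   'Remote Service Management (RPC-EPMAP)',
    'Remote Event Log Management (RPC)', 'Remote Event Log Management (RPC-EPMAP)'
)
foreach ($r in $rules) {
    # Server 2008 equivalent:
    #   netsh advfirewall firewall set rule name="$r" new enable=yes
    Enable-NetFirewallRule -DisplayName $r
}

# Step 4: add the IPAM machine account to the Builtin\Event Log Readers group.
Import-Module ActiveDirectory
$ipam = Get-ADComputer -Identity $IpamServer
Add-ADGroupMember -Identity 'Event Log Readers' -Members $ipam

# Step 5: grant the IPAM computer SID read access (0x1) on the DNS Server event
# log by appending an ACE to CustomSD; skip if the same ACE is already present.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server'
$ace = "(A;;0x1;;;$($ipam.SID.Value))"
$sd  = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if ($null -eq $sd) {
    Write-Warning "CustomSD is not set on '$key'; nothing to append to."
} elseif ($sd -like "*$ace*") {
    Write-Output "ACE for $IpamServer already present in CustomSD."
} else {
    Set-ItemProperty -Path $key -Name CustomSD -Value ($sd + $ace)
    Write-Output "Appended $ace to CustomSD."
}
```

The new CustomSD value is picked up when the Event Log service next opens the log, so restart the Windows Event Log service (or the DC) before clicking "Refresh Server Access" in the IPAM console.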
  • Hi Derrick,

    From our experience, we installed on all down-level servers (W2K8 R2) the WMF 3 RC and .NET 4. It is very important that remote management works; with the Windows Management Framework 3 RC (for WS2012 RC) we solved the communication problem.

    On the other side, did you create the IPAM GPOs? If not, no discovery will run correctly.


    Rgds

    Saturday, September 15, 2012 7:44 PM
  • Hi,

    Just testing IPAM; indeed, I got Blocked status. Just check that the IPAM server is a member of "Event Log Readers" and especially: LOG OFF/LOG ON your DNS, DHCP, because gpupdate is not enough to get it working.

    Working fine after that for me :)

    Regards,

    Tuesday, October 9, 2012 7:59 AM
  • I had this issue - Event Log Access Status: Blocked (DC, DNS).

    Editing the problem server in the IPAM Server Inventory panel to untick DNS, click OK, then retick DNS fixed it. Don't ask me why!

    Friday, November 2, 2012 1:33 PM
  • > I had this issue - Event Log Access Status: Blocked (DC, DNS).
    >
    > Editing the problem server in the IPAM Server Inventory panel to untick DNS - OK - then reticked DNS fixed it. Don't ask me why!

    Me too :-O unbelievable... redid all the capture data and all is well... :-O gosh... thanks for that.
    Thursday, June 27, 2013 10:28 AM
  • I had a similar issue. The member server changed from "Unblock IPAM Access" to "IPAM Access Unblocked"; however, the DC didn't. I noticed that the member server was given access to the "<Prefix>_DNS", "<Prefix>_DHCP" etc. Group Policies and the DC wasn't listed in the security filtering of the GPO, and hence it wasn't applying on the DC. I added the DC's computer account, ran "gpupdate /force" and "Refresh Server Access" in the IPAM console for the DC, and the red turned green with the Access Unblocked message.

    You might also want to check if the servers to be managed by the IPAM server are part of the <Prefix>UG group in the users container in AD.

    <Prefix> is the prefix you would have given when you configured the IPAM GP.

    I hope this helps.


    CoolWizz


    Wednesday, August 21, 2013 11:20 AM
  • THANK YOU, TimBoothby! Worked like a charm.



    Friday, February 21, 2014 1:07 PM
  • This is what works for me:

    1. Did the registry thingie
    2. Unticked and reticked the DNS check box

    Now my DNS/DHCP servers are unblocked, but the manageability status is still Unmanaged or showing Unspecified. Does it take time?

    I didn't do the GPO method because I want manual control.

    Sunday, July 23, 2017 12:57 PM
  • Manageability is actually an option selection on the IPAM server. Right-click the server, hit Edit and select Unspecified, Unmanaged or Managed.
    Friday, September 15, 2017 10:05 PM