How to Set Up Windows Server 2016 IPAM

IP Address Management (IPAM) is a built-in feature in Windows Server 2016 that provides a centralized framework for discovering, monitoring, auditing, and managing the IP address space in your network. IPAM integrates with DHCP servers to manage scopes and leases, integrates with DNS servers to manage zones and records, and tracks IP address utilization over time. For organizations managing multiple subnets, DHCP servers, and DNS zones, IPAM dramatically reduces the administrative overhead and eliminates the need for manual spreadsheet-based IP tracking.

IPAM Architecture Overview

IPAM uses a central IPAM server that communicates with managed DHCP and DNS servers through WMI and RPC. Managed servers must have their Windows Firewall configured to allow IPAM communication, and the IPAM server’s computer account must be added to specific local groups on each managed server. IPAM stores its data in a Windows Internal Database (WID) by default, or optionally in SQL Server for larger deployments.

Prerequisites

The IPAM server must be domain-joined. It should not run DHCP or DNS services itself (IPAM is a management plane, not a service plane). All DHCP and DNS servers you want to manage must be running Windows Server 2008 R2 or later. Verify the domain environment and existing DHCP servers:

Get-ADDomainController -Filter * | Select Name, IPv4Address, OperatingSystem
Get-DhcpServerInDC | Select IPAddress, DnsName

Step 1: Install the IPAM Feature

Install the IPAM Server feature and the IPAM Client management tools:

Install-WindowsFeature IPAM -IncludeManagementTools
Install-WindowsFeature RSAT-IPAM-Client

Verify the installation:

Get-WindowsFeature IPAM | Select Name, InstallState
Get-Service IPAM -ErrorAction SilentlyContinue

Step 2: Provision IPAM Using Group Policy

IPAM can provision access to managed servers either manually or via Group Policy (recommended). The Group Policy method automatically configures firewall rules and group memberships on all managed servers in the domain:

Invoke-IpamGpoProvisioning -Domain "corp.local" -GpoPrefixName "IPAM" -IpamServerFqdn "ipam01.corp.local" -DelegatedGpoUser "corpipamadmin" -Force

This creates three GPOs in your domain: IPAM_DHCP, IPAM_DNS, and IPAM_DC_NPS. Verify they were created:

Get-GPO -All | Where-Object { $_.DisplayName -like "IPAM*" } | Select DisplayName, CreationTime, GpoStatus

Force Group Policy update on managed servers:

Invoke-GPUpdate -RandomDelayInMinutes 0
# Or remotely:
$servers = @("dhcp01", "dhcp02", "dns01")
$servers | ForEach-Object { Invoke-GPUpdate -Computer $_ -RandomDelayInMinutes 0 -Force }

Step 3: Discover Servers for Management

After GPO propagation, configure IPAM to discover managed servers in your domain. Run server discovery to find all DHCP and DNS servers:

Start-IpamServerDiscovery -Domain @("corp.local") -Force

Wait for discovery to complete and then retrieve the discovered servers:

Get-IpamDiscoveredServer | Select Name, IPAddress, ServerType, ManageabilityStatus | Format-Table -AutoSize

Step 4: Set Server Management Status

Review discovered servers and set them as managed or unmanaged as appropriate:

# Set DHCP servers as managed
Get-IpamDiscoveredServer | Where-Object { $_.ServerType -contains "DHCP" } | ForEach-Object {
    Set-IpamServerDiscovery -ManagedByService "DHCP" -ServiceInstance $_.Name -Force
}

# Set DNS servers as managed  
Get-IpamDiscoveredServer | Where-Object { $_.ServerType -contains "DNS" } | ForEach-Object {
    Set-IpamServerDiscovery -ManagedByService "DNS" -ServiceInstance $_.Name -Force
}

Step 5: Configure IP Address Blocks and Subnets

Define your IP address space in IPAM using address blocks and subnets. An address block is a large range (e.g., a /8 or /16) from which you carve out subnets:

# Add a top-level IP address block
Add-IpamBlock -NetworkId "10.0.0.0/8" -Description "Private Address Space" -Owner "Network Team"

# Add subnets within the block
Add-IpamSubnet -NetworkId "10.1.0.0/24" -Name "HQ-LAN" -Description "Headquarters LAN" -Vlan 10 -AddressFamily IPv4 -Owner "Network Team"
Add-IpamSubnet -NetworkId "10.2.0.0/24" -Name "Branch-LAN" -Description "Branch Office LAN" -Vlan 20 -AddressFamily IPv4

# List all subnets
Get-IpamSubnet | Select NetworkId, Name, Description, PercentageUtilized | Format-Table

Step 6: Synchronize DHCP Scopes and DNS Zones

Synchronize IPAM with your DHCP servers to import existing scopes and lease data:

# Retrieve and display DHCP scopes from managed servers
Get-IpamDhcpScope | Select ScopeId, Name, StartRange, EndRange, PercentageUtilized, State | Format-Table -AutoSize

# Synchronize DNS zones
Get-IpamDnsZone | Select ZoneName, ZoneType, DnsServerFqdn, IsAutoCreated | Format-Table

# Trigger an IPAM data collection update
Update-IpamServer

Step 7: Monitor and Manage IP Address Utilization

Use IPAM to view IP utilization and identify address conflicts or overlapping ranges:

# Get IP address utilization report
Get-IpamUtilizationStatistic | Select NetworkId, PercentageUtilized, TotalIPAddresses, UsedIPAddresses | Format-Table

# Find IP addresses in a subnet
Get-IpamAddress -NetworkId "10.1.0.0/24" | Select IPAddress, DeviceName, Description, AssignmentType | Format-Table

# Add a static IP address record to IPAM
Add-IpamAddress -IPAddress "10.1.0.50" -DeviceName "WebServer01" -DeviceType Server -IPAddressState Active -AssignmentType Static -Description "Production Web Server"

Step 8: Configure IPAM Audit Logging

IPAM records operational events including DHCP lease events and DNS dynamic update events. Query audit logs:

# Query IP address change history
Get-IpamAddressAuditEvent -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) | Select EventSource, IPAddress, DeviceName, UserName, EventDescription | Format-Table

# Generate IPAM utilization report
Export-IpamAddress -AddressFamily IPv4 -Path "C:ReportsIPAM_Report_$(Get-Date -Format yyyyMMdd).csv"

IPAM in Windows Server 2016 transforms IP address management from a manual, error-prone process into a centralized, auditable system. By integrating DHCP scope management, DNS zone management, and IP address tracking into a single console, IPAM saves significant administrative time and reduces the risk of IP conflicts and misconfigurations in growing networks.