How to Set Up IPAM on Windows Server 2012 R2

IP Address Management (IPAM) is a built-in framework in Windows Server 2012 R2 for centrally managing and monitoring IP address space, DNS, and DHCP infrastructure across the enterprise network. IPAM provides a unified console for tracking IP address allocation, auditing IP address usage, managing DNS and DHCP servers from a single pane of glass, and generating IP address utilization reports. This guide covers deploying the IPAM server role, provisioning it in Active Directory, discovering network infrastructure servers, and configuring IP address blocks and ranges for management.

Prerequisites

IPAM must be installed on a domain-joined Windows Server 2012 R2 server. The IPAM server should NOT be a DNS or DHCP server itself — it manages those services on other servers. The Windows Internal Database (WID) is used by default for the IPAM database, or you can use SQL Server. IPAM uses Group Policy for provisioning — Domain Admin rights are required to create the IPAM GPOs. The IPAM server’s computer account must be authorized in AD to manage DNS and DHCP servers. IPAM uses WinRM for communication with managed servers, so firewall rules must allow this traffic. For a production deployment, plan for at least 4 GB RAM and sufficient disk space for IP address event logging.

Installing the IPAM Server Feature

# Install IPAM server feature with management tools
Install-WindowsFeature IPAM -IncludeManagementTools

# Verify installation
Get-WindowsFeature IPAM | Select-Object Name, InstallState, DisplayName

IPAM management is primarily done through the IPAM console in Server Manager. Open Server Manager and navigate to IPAM.

Provisioning IPAM with Group Policy

IPAM requires GPOs to configure managed DNS and DHCP servers. The provisioning wizard creates these GPOs automatically:

# Provision IPAM using Group Policy (recommended method)
# Replace "IPAM" with your desired GPO prefix name
# This creates GPOs: IPAM_DHCP, IPAM_DNS, IPAM_DC_NPS

Invoke-IpamGpoProvisioning `
    -Domain "contoso.com" `
    -GpoPrefixName "IPAM" `
    -IpamServerFqdn "IPAM01.contoso.com" `
    -DelegatedGpoUser "contoso\ipam-admin" `
    -Force

The provisioning creates three GPOs that configure Windows Firewall rules and WinRM settings on managed servers:

# Verify the GPOs were created
Get-GPO -All | Where-Object {$_.DisplayName -like "IPAM*"} | 
    Select-Object DisplayName, Id | Format-Table

# Link the GPOs to the appropriate OUs
# IPAM_DHCP: Link to OU containing DHCP servers
New-GPLink -Name "IPAM_DHCP" -Target "OU=DHCPServers,DC=contoso,DC=com"

# IPAM_DNS: Link to OU containing DNS servers  
New-GPLink -Name "IPAM_DNS" -Target "OU=DNSServers,DC=contoso,DC=com"

# IPAM_DC_NPS: Link to Domain Controllers OU (for DC and NPS management)
New-GPLink -Name "IPAM_DC_NPS" -Target "OU=Domain Controllers,DC=contoso,DC=com"

# Force GPO update on managed servers
Invoke-Command -ComputerName DHCP01, DNS01, DC01 -ScriptBlock { gpupdate /force }
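To confirm the provisioning steps above took effect, the following added example (not part of the original guide) reports whether each IPAM GPO exists, is linked to its OU, which trustees it applies to, and whether WinRM answers on the managed servers. The GPO names, OU paths and server names are the sample values used on this page.

```powershell
# Added example; GPO names, OU paths and server names are this page's sample values.
Import-Module GroupPolicy

$expectedLinks = [ordered]@{
    "IPAM_DHCP"   = "OU=DHCPServers,DC=contoso,DC=com"
    "IPAM_DNS"    = "OU=DNSServers,DC=contoso,DC=com"
    "IPAM_DC_NPS" = "OU=Domain Controllers,DC=contoso,DC=com"
}

$gpoReport = foreach ($name in $expectedLinks.Keys) {
    $target = $expectedLinks[$name]
    $gpo    = Get-GPO -Name $name -ErrorAction SilentlyContinue

    # GpoLinks holds only the GPOs linked directly to this OU, not inherited ones
    $link = (Get-GPInheritance -Target $target -ErrorAction SilentlyContinue).GpoLinks |
                Where-Object { $_.DisplayName -eq $name }

    # Trustees with GpoApply are the accounts the policy takes effect on
    $appliesTo = if ($gpo) {
        Get-GPPermission -Name $name -All |
            Where-Object { $_.Permission -eq "GpoApply" } |
            ForEach-Object { $_.Trustee.Name }
    }

    [pscustomobject]@{
        Gpo         = $name
        Exists      = [bool]$gpo
        GpoStatus   = if ($gpo) { $gpo.GpoStatus } else { $null }
        LinkPresent = [bool]$link
        LinkEnabled = [bool]($link -and $link.Enabled)
        AppliesTo   = @($appliesTo) -join ", "
    }
}
$gpoReport | Format-Table -AutoSize

# WinRM must answer on every managed server before IPAM can reach it
$winrmReport = foreach ($server in "DHCP01", "DNS01", "DC01") {
    [pscustomobject]@{
        Server        = $server
        WinRMResponds = [bool](Test-WSMan -ComputerName $server -ErrorAction SilentlyContinue)
    }
}
$winrmReport | Format-Table -AutoSize
```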

Discovering Managed Servers

IPAM uses server discovery to find DNS, DHCP, NPS, and Domain Controller servers in the domain:

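# Add the domain to the discovery scope, then start the ServerDiscovery
# scheduled task (IPAM runs discovery as a scheduled task)
Add-IpamDiscoveryDomain -Name "contoso.com"
Start-ScheduledTask -TaskPath "\Microsoft\Windows\IPAM\" -TaskName "ServerDiscovery"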

# View discovery status
Get-IpamServerInventory | Select-Object Name, ServerType, ManageabilityStatus | 
    Format-Table -AutoSize

# Add a specific server manually if auto-discovery misses it
Add-IpamServerInventory `
    -Name "DHCP02.contoso.com" `
    -ServerType DHCP

After discovery, servers show a Manageability Status. Set discovered servers to “Managed” to begin monitoring them:

# Set all discovered DHCP servers to Managed state
# (filter on the ServerType property of the returned inventory objects)
Get-IpamServerInventory |
    Where-Object {$_.ServerType -match "DHCP" -and $_.ManageabilityStatus -eq "Unspecified"} |
    Set-IpamServerInventory -ManageabilityStatus Managed

# Set DNS servers to Managed
Get-IpamServerInventory |
    Where-Object {$_.ServerType -match "DNS" -and $_.ManageabilityStatus -eq "Unspecified"} |
    Set-IpamServerInventory -ManageabilityStatus Managed

# Verify managed servers
Get-IpamServerInventory | Select-Object Name, ServerType, ManageabilityStatus | 
    Where-Object {$_.ManageabilityStatus -eq "Managed"} | Format-Table

Configuring IP Address Space

Define the IP address blocks and ranges for IPAM to track. Start by creating the top-level IP address blocks:

# Add IP address blocks (top-level network ranges)
Add-IpamBlock `
    -NetworkId "10.0.0.0/8" `
    -Owner "Network Team" `
    -Description "Corporate Internal IPv4 Space"

Add-IpamBlock `
    -NetworkId "192.168.0.0/16" `
    -Owner "Network Team" `
    -Description "Site Networks"

# Add subnets (IP ranges within blocks)
Add-IpamSubnet `
    -NetworkId "10.10.1.0/24" `
    -Name "HQ-Servers" `
    -Description "Headquarters Server Network" `
    -Owner "IT Operations" `
    -VlanId 10

Add-IpamSubnet `
    -NetworkId "10.10.2.0/24" `
    -Name "HQ-Workstations" `
    -Description "Headquarters Workstation Network" `
    -VlanId 20

Configuring IP Address Ranges

IP address ranges within subnets represent the managed pools — either DHCP ranges or statically assigned blocks:

# Add an IP range for DHCP scope
Add-IpamRange `
    -NetworkId "10.10.1.0/24" `
    -StartIPAddress "10.10.1.100" `
    -EndIPAddress "10.10.1.200" `
    -Description "DHCP scope for HQ Servers" `
    -AssignmentType Dynamic `
    -ManagedByService DHCP `
    -ServiceInstance "DHCP01.contoso.com"

# Add an IP range for static assignments
Add-IpamRange `
    -NetworkId "10.10.1.0/24" `
    -StartIPAddress "10.10.1.1" `
    -EndIPAddress "10.10.1.99" `
    -Description "Static IP assignments for core servers" `
    -AssignmentType Static

# View all configured IPv4 ranges
Get-IpamRange -AddressFamily IPv4 |
    Select-Object NetworkId, StartIPAddress, EndIPAddress, AssignmentType, PercentageUtilized |
    Format-Table
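Before adding ranges, it helps to check that each planned range sits inside its subnet and that no two ranges overlap. The following is an added example (not part of the original guide) that does this in plain PowerShell without calling IPAM; the function names are hypothetical, and the third range is constructed to show a conflict.

```powershell
# Added example; function names and the third (conflicting) range are constructed.
function ConvertTo-IPv4Number([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                 # network byte order -> little-endian
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Test-PlannedRange {
    param([string]$NetworkId, [object[]]$Ranges)

    $network, $prefix = $NetworkId -split '/'
    $first = ConvertTo-IPv4Number $network
    $last  = $first + [long][math]::Pow(2, 32 - [int]$prefix) - 1

    $parsed = foreach ($r in $Ranges) {
        [pscustomobject]@{
            Name  = $r.Name
            Start = ConvertTo-IPv4Number $r.Start
            End   = ConvertTo-IPv4Number $r.End
        }
    }

    # Walk the ranges in start order, remembering the highest end address seen so far
    $maxEnd = [long]-1; $maxName = $null
    foreach ($r in ($parsed | Sort-Object Start)) {
        $problems = @()
        if ($r.Start -gt $r.End) { $problems += "start is after end" }
        if ($r.Start -lt $first -or $r.End -gt $last) { $problems += "outside $NetworkId" }
        if ($r.Start -le $maxEnd) { $problems += "overlaps $maxName" }
        if ($r.End -gt $maxEnd) { $maxEnd = $r.End; $maxName = $r.Name }

        [pscustomobject]@{
            Range    = $r.Name
            Ok       = ($problems.Count -eq 0)
            Problems = $problems -join "; "
        }
    }
}

$plan = @(
    @{ Name = "Static";   Start = "10.10.1.1";   End = "10.10.1.99"  }   # from this page
    @{ Name = "DHCP";     Start = "10.10.1.100"; End = "10.10.1.200" }   # from this page
    @{ Name = "Printers"; Start = "10.10.1.190"; End = "10.10.1.254" }   # constructed conflict
)
Test-PlannedRange -NetworkId "10.10.1.0/24" -Ranges $plan | Format-Table -AutoSize
```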

Importing DHCP Scopes into IPAM

Synchronize existing DHCP scopes from managed DHCP servers into IPAM:

# Trigger data collection from managed servers by starting the IPAM
# scheduled tasks on the IPAM server
Get-ScheduledTask -TaskPath "\Microsoft\Windows\IPAM\" | Start-ScheduledTask

# Import address records for DHCP01.contoso.com into the IPAM address space.
# Import-IpamAddress reads the records from a CSV file given with -Path;
# the file name below is a placeholder.
Import-IpamAddress -AddressFamily IPv4 `
    -Path "C:\Temp\dhcp01-addresses.csv"

# View imported DHCP leases
Get-IpamAddress -AddressFamily IPv4 | Where-Object {$_.AssignmentType -eq "Dynamic"} |
    Select-Object IPAddress, MacAddress, DeviceName, LeaseExpiry |
    Format-Table -AutoSize

Managing DNS Zones from IPAM

IPAM can manage DNS zones on managed DNS servers:

# Retrieve DNS zones from a managed DNS server
# (DnsServer module cmdlets, run from the IPAM server)
Get-DnsServerZone -ComputerName "DNS01.contoso.com" |
    Select-Object ZoneName, ZoneType, IsReverseLookupZone, IsDsIntegrated |
    Format-Table -AutoSize

# Add a DNS A record on the managed DNS server
Add-DnsServerResourceRecordA `
    -ZoneName "contoso.com" `
    -Name "newserver" `
    -IPv4Address "10.10.1.50" `
    -ComputerName "DNS01.contoso.com"

Generating IP Utilization Reports

# View IP address space utilization
Get-IpamSubnet -AddressFamily IPv4 |
    Select-Object NetworkId, Name, PercentageUtilized, TotalAddresses, UsedAddresses |
    Format-Table -AutoSize

# Find IP ranges with high utilization (>80%)
Get-IpamRange -AddressFamily IPv4 | Where-Object {$_.PercentageUtilized -gt 80} |
    Select-Object NetworkId, StartIPAddress, EndIPAddress, PercentageUtilized |
    Sort-Object PercentageUtilized -Descending | Format-Table

# Export IP address inventory to CSV
Get-IpamAddress -AddressFamily IPv4 |
    Export-Csv "C:\IPAMReport-$(Get-Date -Format 'yyyy-MM-dd').csv" -NoTypeInformation

Verification

# Check overall IPAM health
Get-IpamServerInventory | Select-Object Name, ServerType, ManageabilityStatus,
    AccessStatus | Format-Table -AutoSize

# Check IPAM event catalog for configuration events
Get-IpamConfigurationEvent | Select-Object TimeCreated, EventId, Message | 
    Sort-Object TimeCreated -Descending | Select-Object -First 20 | Format-List

# Check the IPAM database configuration
Get-IpamDatabase

Summary

IPAM on Windows Server 2012 R2 provides centralized visibility and management for the IP address space, DNS, and DHCP infrastructure. The deployment process involves: installing the IPAM feature on a dedicated server, provisioning via Group Policy to configure managed servers, running server discovery, configuring IP address blocks and subnets, and synchronizing DHCP scope data. IPAM’s reporting capabilities identify exhausted subnets before they cause connectivity problems, while its address tracking provides an audit trail of IP allocations that is invaluable for security incident investigation. Ensure the IPAM server is backed up regularly, as it becomes a critical management dependency for the network.