Chapter 9. Windows Server 2016 IPAM Audit Changes and Events

This chapter covers the following subjects:

• Auditing the changes performed on the DNS and DHCP servers: Windows Server 2016 IPAM can audit configuration changes performed on managed DNS and DHCP servers. It offers operational auditing and IP address tracking functionality. This chapter covers the key IPAM audit capabilities and features and explains the IPAM scheduled tasks and monitoring views, logical groups, and the use of custom fields in the IPAM configuration console and with PowerShell. You get information about IPAM and DHCP configuration event criteria, how to use IPAM criteria filtering, and how to purge IPAM Event Catalog data. You also get best practices for using the IPAM Event Catalog.

• Auditing the IPAM address usage trail: This chapter looks at the use and configuration of the IPAM utilization feature, describes how to use and configure utilization thresholds with the IPAM configuration console and PowerShell, and examines how to use the utilization trends feature. It also delivers best practices for auditing and managing IPAM.

• Auditing DHCP lease events and user logon events: Here you learn about the IPAM IP address tracking feature and how to use it to get audit information about DHCP lease and user login events through the IPAM configuration console.

This chapter covers auditing of IPAM-managed DNS and DHCP server configuration changes and auditing of DNS events and DHCP lease events. It examines the monitoring and managing of virtual IP address spaces in IPAM and explains both IPAM operational auditing and IP address tracking.

This chapter also looks at IPAM audit capabilities and features, IPAM scheduled tasks, monitoring views, logical groups, and the use of custom fields in the IPAM configuration console and PowerShell. It examines IPAM and DHCP configuration event criteria and demonstrates filtering to get individual information about DHCP and DNS data. It covers purging IPAM Event Catalog data and explains some best practices for using the IPAM Event Catalog.

In addition, this chapter covers the use and configuration of the IPAM utilization feature, shows how to use and configure utilization thresholds with the IPAM configuration console and PowerShell, and demonstrates how to use the utilization trends feature. It delivers best practices for auditing and managing IPAM.

You also learn about the IPAM IP address tracking feature and how you can use it to audit DHCP lease and user login events.

With key topic selections, memory tables, key term definitions, and exam preparation questions, you gain some powerful tools to increase your knowledge about Windows Server 2016 IPAM audit changes and events for both the Microsoft 70-741 exam and your daily work.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter or simply jump to the “Exam Preparation Tasks” section for review. If you are in doubt, read the entire chapter. Table 9-1 outlines the major headings in this chapter and the corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”


Table 9-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping


Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


1. You want to refresh configuration information for your DNS servers, DNS server service status information, and DNS zone status events managed through a Windows Server 2016 IPAM server in the IPAM configuration console. Which scheduled tasks should you run? (Choose three.)

a. AddressExpiry

b. AddressUtilization

c. Audit

d. DnsServerConfiguration

e. ServerAvailability

f. ServerConfiguration

g. ServerDiscovery

h. ServiceMonitoring

2. You are the administrator of your company. You are responsible for your IPAM address usage trail audit functionality. NPS servers are not part of your network environment. Which IP address tracking events cannot be collected on your Windows Server 2016 IPAM server, and which search criteria cannot be used for IPAM IP address tracking?

Event:

a. New IP lease

b. Renew IP lease

c. Lease expiry

d. Security event 4768

e. Security event 672

Search criteria:

a. IPAddress

b. IPScope

c. ClientID

d. MACAddress

e. Hostname

f. ClassID

g. Username

3. You are the administrator of your company. You want to track lease and user logon information from 5/20/2016 until 5/23/2016 from a DHCP client named Client1 on your Windows Server 2016 IPAM server. In Server Manager, you open the IPAM management tool. Which two selections must you choose to track this information?

a. Monitor and Manage

b. Event Catalog

c. IP Address Space

d. IPAM Configuration Events

e. DHCP Configuration Events

f. IP Address Tracking

Foundation Topics

Audit the Changes Performed on the DNS and DHCP Servers

Windows Server 2016 IPAM offers operational auditing and IP address tracking functionality.

You can use auditing tools to track configuration problems and relevant events. You can collect, manage, and view configuration change details from DHCP and DNS servers. IPAM facilitates the monitoring and tracking of DHCP service status and utilization of DHCP scopes.

IPAM enables tagging servers with built-in and user-defined custom field values to visualize these servers and group them into logical groups and subgroups.

IPAM can monitor DNS zone health on multiple DNS servers by displaying the aggregated zone status across DNS servers. IPAM can also track the service status of the DNS and DHCP servers. For configuration changes, the tracked details include the server name, the user name, and the date and time the change was made. You can collect IP address lease tracking data from DHCP lease logs and sign-in events from network policy servers and domain controllers.

Windows Server 2016 IPAM offers the following auditing features:

• Automated inventory of IP addresses based on DNS resource records

• Capability to visualize all DNS resource records that pertain to an IP address

• IP address lifecycle management for DNS and DHCP operations

• New Windows Server 2016 feature: multiple AD DS forest support (audit events across multiple forests)

IPAM stores three years of forensics data—including IP address leases, host Media Access Control (MAC) addresses, and user sign-in and sign-out information—for 100,000 users in the database.

IPAM provides IP address utilization trends only for IPv4, not for IPv6. IP address reclamation support also is provided only for IPv4. Note that IPAM does not check for IP address consistency with routers and switches.


Tip

For IPAM’s IP address tracking and auditing feature to work, you must enable logging of account sign-in events on domain controllers and NPS servers.


IPAM Scheduled Tasks

Windows Server 2016 IPAM offers eight scheduled tasks, each with its own periodicity. Table 9-2 shows the IPAM tasks that you can view in the Task Scheduler by navigating to Microsoft > Windows > IPAM (only the DnsServerConfiguration task is new in Windows Server 2016).


Table 9-2 IPAM Scheduled Tasks

IPAM is not enabled by default and must be installed as a server feature. When the IPAM Server feature is installed, IP address audit functionality is automatically enabled. To disable IP address audit, start the Task Scheduler on the IPAM server, navigate to Microsoft > Windows > IPAM, and disable the Audit task.

IPAM Monitoring Views

IPAM enables automated, periodic service monitoring of DHCP and DNS servers across single or multiple forests. In the IPAM configuration console, monitoring and management of DHCP and DNS servers is organized into the views in Table 9-3.


Table 9-3 IPAM Configuration Console Monitoring Views

With the PowerShell cmdlet Get-IpamCustomField, you can list all default custom fields. Figure 9-1 shows the default custom field list.


Figure 9-1 IPAM Custom Field List

To audit the status and health of selected sets of Windows Server DNS and DHCP servers from a single IPAM interface, use the IPAM Monitor and Manage view (see Figure 9-2).


Figure 9-2 IPAM Monitor and Manage View

The IPAM Monitor and Manage view displays the basic health of servers and recent configuration events that occurred on these servers.

For DHCP servers, you can use the DNS and DHCP Servers view to track various server settings, server options, the number of scopes, and the number of active leases that are configured on a server. For DNS servers, you can use this view to track all zones that are configured on the server, along with details about the zone type. You can also use the view to see the total number of zones that are configured on the server and the overall zone health status derived from the zone status of individual forward lookup zones on the server.

You can start the DNS Manager console for any managed DNS server from a central console in the IPAM server, and you can retrieve server data from the selected set of servers.

The DNS Zones monitoring view displays all the forward lookup and reverse lookup zones on all the DNS servers that IPAM is currently managing.

For the forward lookup zones, IPAM also displays all the servers that are hosting the zone, the aggregate health of the zone across all of these servers, and the zone properties.

You can organize your managed servers into logical server groups.

Configuring Logical Groups and Custom Fields with the IPAM Console

IPAM enables you to create custom logical groups to improve the audit experience for IP address ranges. To create custom groups, perform the following steps:


Step 1. In the IPAM navigation pane, under IP Address Space, click IP Address Range Groups.

Step 2. On the Server Manager menu, click Manage and then click IPAM Settings.

Step 3. In the IPAM Settings dialog box, click Configure Custom Fields. Figure 9-3 shows the IPAM Settings window.


Figure 9-3 IPAM Settings

Step 4. In the Configure Custom Fields dialog box, under Add Custom Fields, scroll to the bottom of the list, type Building for the Custom Field Name, and then select Yes under Multi-Value.

Step 5. Press Enter or Tab to commit the new custom field name. A blank line opens that you can use for additional custom fields.

Step 6. Click Building and then, under Custom Field Value, type the following values: Headquarters, Operations, Sales, Datacenter. Press Enter after you type each one. Figure 9-4 shows how the Configure Custom Fields window should look.


Figure 9-4 IPAM Configure Custom Fields

Step 7. Repeat the previous step to add another custom field named Floor with the following two custom field values: First, Second. Click OK twice, and then click Close.

Step 8. You can apply the custom fields to an IP address range. Click IP Address Ranges, right-click the IP address range, and then click Edit IP Address Range. Figure 9-5 shows the custom fields Building and Floor applied to an IP address range.


Figure 9-5 IPAM Custom Fields Applied to IP Address Range

Step 9. Edit the other IP address ranges and apply the custom fields. You can also select multiple IP address ranges and add custom fields to all the ranges in one step. Refresh the IP Address Ranges view, right-click the column header, and then select Building and Floor. Both fields are now displayed with each IP address range in the list, as Figure 9-6 shows.


Figure 9-6 IPAM Custom Fields Used in IP Address Range List

Step 10. Select IP Address Range Groups and right-click IPv4. Select Add IP Address Range Group. Under Provide Name of the Address Range Group, type Building/Floor. Under Custom Fields, select Building and then select Floor so that items are grouped first by building and then by floor. Click OK, and then click the arrow next to IPv4. Verify that you can view IP address ranges by building and floor (see Figure 9-7).


Figure 9-7 IPAM View of IP Address Ranges by Custom Fields

IPAM also enables you to create custom logical groups to improve the audit experience for DNS or DHCP servers. To apply custom fields to one or multiple DHCP or DNS servers, go to Server Inventory (second setting below Overview in the IPAM configuration console in the Server Manager), select the servers, and use the Edit Server task to apply custom fields. Figure 9-8 shows how to apply the custom fields Building and Floor to managed servers.


Figure 9-8 IPAM Applying Custom Fields to Managed Servers

Suppose that you have configured the SCVMM integration and you have created a logical network named BernNet1 on a SCVMM server with the three subnets 172.16.1.0/24, 172.16.2.0/24, and 172.16.3.0/24 (see Figures 9-9 and 9-10). Now you want to apply the custom configuration with the custom field Building and a value of Datacenter to that virtual IP address space. Configure the custom configuration as shown in Figure 9-11.


Figure 9-9 SCVMM Logical Network Properties


Figure 9-10 SCVMM Logical Network Site Settings


Figure 9-11 Edit IP Address Space of SCVMM Logical Network in IPAM

Configuring Custom Fields with IPAM in PowerShell

You also can configure custom fields with PowerShell. Table 9-4 describes the PowerShell cmdlets available to manage IPAM custom fields in Windows Server 2016 IPAM.


Table 9-4 IPAM Custom Field PowerShell Cmdlets
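The following script is an added example, not code from the book, that performs the Building/Floor custom field walkthrough from the previous section with the IpamServer cmdlets named on this page (Add-IpamCustomField, Add-IpamCustomValue, Get-IpamCustomField) and then applies the fields to a range and to a managed server. The range addresses, server name, the list form of the -Value parameter, the "Field=Value;Field=Value" format of -CustomConfiguration, and the Get-IpamCustomValue and Get/Set-IpamServerInventory cmdlets are assumptions and should be checked against Get-Help on your IPAM server.

```powershell
# Added example (not from the book). Run on the IPAM server in an elevated
# PowerShell session, or through implicit remoting to the IPAM server.
Import-Module IpamServer

# Create the Building field with its four values in one call
# (-Value accepting a list is an assumption from the cmdlet syntax).
Add-IpamCustomField -Name 'Building' -Value 'Headquarters','Operations','Sales','Datacenter'

# Create the Floor field, then add its values one at a time, which mirrors
# the console steps that type each value and press Enter.
Add-IpamCustomField -Name 'Floor'
Add-IpamCustomValue -Name 'Floor' -Value 'First'
Add-IpamCustomValue -Name 'Floor' -Value 'Second'

# Verify the definitions. Get-IpamCustomField is on the page; that it
# accepts a list of names, and that Get-IpamCustomValue exists, are assumed.
Get-IpamCustomField -Name 'Building','Floor'
Get-IpamCustomValue -Name 'Building'

# Apply both fields to a range (constructed sample addresses). The
# -CustomConfiguration string format "Field=Value;Field=Value" is assumed.
$range = Get-IpamRange -StartIPAddress 172.16.1.1 -EndIPAddress 172.16.1.254
$range | Set-IpamRange -CustomConfiguration 'Building=Datacenter;Floor=First' -PassThru

# Same tagging for a managed DHCP server from Server Inventory
# (hypothetical server name; Get/Set-IpamServerInventory are assumed cmdlets).
Get-IpamServerInventory -Name 'dhcp01.example.local' |
    Set-IpamServerInventory -CustomConfiguration 'Building=Datacenter;Floor=Second'
```

Once the fields carry values on ranges and servers, the IP Address Range Groups and Server Inventory views can group on them exactly as in the console walkthrough; the cmdlets only populate the same data that the dialogs write.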

Viewing Changes Performed on IPAM-Managed Servers

In the Windows Server 2016 IPAM configuration console under the Event Catalog, you can view changes performed on managed servers. You can choose between IPAM Configuration Events and DHCP Configuration Events. No DNS Configuration Events list exists (see Figure 9-12).


Figure 9-12 Accessing the Event Catalog IPAM Configuration Events and DHCP Configuration Events

You can filter the IPAM and DHCP Configuration Event list with different criteria. Table 9-5 shows all possible criteria for both lists.


Table 9-5 IPAM and DHCP Configuration Event Criteria

Suppose that you want to view all events based on multi-server management tasks through IPAM. Select the criteria Task Category and add the search value Multi-Server Management. Figure 9-13 shows that example configuration.


Figure 9-13 IPAM Configuration Events List Criteria Filtering

You can purge Event Catalog data. In the IPAM configuration console (in the top-right corner) at Tasks, select Purge Event Catalog Data and select both the data type for which you want to purge catalog data and a time window (see Figure 9-14).


Figure 9-14 Purge IPAM Event Catalog Data
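The following script is an added example, not code from the book, that reproduces the two Event Catalog operations just described (filtering IPAM configuration events by Task Category, and purging catalog data up to a date) with PowerShell instead of the console. The cmdlets Get-IpamConfigurationEvent, Get-IpamDhcpConfigurationEvent and Remove-IpamConfigurationEvent exist in the IpamServer module; their -StartDate/-EndDate parameters and the TaskCategory and Time property names used for filtering are assumptions taken from the console's criteria columns.

```powershell
# Added example (not from the book). Run on the IPAM server.
Import-Module IpamServer

# Query window: the page recommends 3 to 15 days for a query interval.
$end   = Get-Date
$start = $end.AddDays(-15)

# IPAM configuration events for the window (-StartDate/-EndDate assumed).
$ipamEvents = Get-IpamConfigurationEvent -StartDate $start -EndDate $end

# Same filter as the console example: Task Category = Multi-Server Management
# (TaskCategory and Time are assumed property names).
$ipamEvents |
    Where-Object { $_.TaskCategory -eq 'Multi-Server Management' } |
    Sort-Object -Property Time -Descending |
    Format-Table -AutoSize

# The DHCP Configuration Events list has its own cmdlet.
Get-IpamDhcpConfigurationEvent -StartDate $start -EndDate $end |
    Group-Object -Property TaskCategory |
    Select-Object Count, Name

# Purge: remove catalog entries older than 90 days (-EndDate assumed).
# -Confirm keeps the interactive prompt that the console dialog also shows.
Remove-IpamConfigurationEvent -EndDate (Get-Date).AddDays(-90) -Confirm
```

Scheduling the purge (for example as a monthly task) implements the best practice of periodic Event Catalog cleanup without losing the recent window that investigations need.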

IPAM Configuration Events

The list in Figure 9-15 shows some examples of IPAM configuration events displayed in the Event Catalog.


Figure 9-15 IPAM Configuration Events Example List

Best Practices for Using the IPAM Event Catalog

The following list outlines the best practices for using the IPAM Event Catalog, which provides a centralized repository for auditing all configuration changes that occur on managed DHCP servers from a single IPAM management console. The IPAM configuration events console gathers all the configuration events. You can use these configuration event catalogs to view, query, and create reports about configuration changes, along with details that are specific to each record.

• Account logon event auditing should be enabled on DCs and NPS servers. Without this preconfiguration, the IPAM server cannot display account logon events in the IPAM Event Catalog.

• The security event log size should be large enough to allow the periodic audit task to complete data collection before the log is rolled over.

• For better performance and disk space management, IPAM Event Catalog data purge should be performed periodically to reduce the amount of data stored for IPAM events.

• The audit log file location for both DHCP IPv4 and IPv6 leases must be configured to the same folder. The IPAM audit task collects the log files from one network share per server.

• The DHCP audit log file should be large enough for one day, to ensure that no lease events are lost because of size overruns.

• Be sure to select an optimal time period for a query. Typically, a query interval of 3 days to 15 days is optimal.
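The following script is an added example, not code from the book, that applies the first, second, fourth and fifth best practices above as configuration commands: it enables the logon auditing subcategories that produce the events IPAM correlates (security event 4768 is logged by the Kerberos Authentication Service subcategory; NPS logs under the Network Policy Server subcategory), enlarges the Security log, sets the DHCP audit log path and size, and confirms the IPAM Audit task is enabled. The log sizes and path are constructed sample values; auditpol, Limit-EventLog, Set-DhcpServerAuditLog and Get-ScheduledTask are standard Windows tools.

```powershell
# Added example (not from the book). Run elevated on each server named
# in the comments; sizes and the DHCP log path are sample values.

# 1. On domain controllers and NPS servers: audit the account logon
#    subcategories whose events IPAM collects (4768 = Kerberos TGT request).
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
auditpol /get /subcategory:"Kerberos Authentication Service"
auditpol /get /subcategory:"Network Policy Server"

# 2. On the same servers: make the Security log large enough that entries
#    survive until the IPAM Audit task has collected them (1 GB here).
Limit-EventLog -LogName Security -MaximumSize 1GB -OverflowAction OverwriteAsNeeded
Get-EventLog -List | Where-Object { $_.Log -eq 'Security' } |
    Select-Object Log, MaximumKilobytes, OverflowAction

# 3. On each DHCP server: one folder for the IPv4 and IPv6 audit logs and a
#    per-file size that comfortably holds a full day of lease events.
Set-DhcpServerAuditLog -Enable $true -Path 'C:\Windows\System32\dhcp' -MaxMBFileSize 200
Get-DhcpServerAuditLog

# 4. On the IPAM server: the Audit task under Microsoft\Windows\IPAM must
#    be enabled, otherwise no lease or logon data is collected at all.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'Audit' |
    Select-Object TaskName, State
```

If step 4 shows the task as Disabled, re-enable it with Enable-ScheduledTask using the same -TaskPath and -TaskName; the page notes that disabling this task is exactly how IP address audit is switched off.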

Audit the IPAM Address Usage Trail


Use the Windows Server 2016 IPAM address space management feature to view, monitor, and manage the IP address space on a network. The address space management feature supports IPv4 public and private addresses, in addition to IPv6 global and unicast addresses. IPAM maintains utilization data for IP address ranges, address blocks, and range groups. You can configure thresholds for the utilized percentage of the IP address space and then use those thresholds to determine under- or overutilization. You also can perform utilization trend building and reporting for IPv4 address ranges, blocks, and range groups.

In the IPAM Overview window, you can change the default utilization thresholds. The default settings are 20 percent for underutilization and 80 percent for overutilization. Figure 9-16 shows where to find these settings and change the values.


Figure 9-16 IPAM Utilization Threshold Configuring with the IPAM Configuration Console

When you create or edit an IP address range, you can configure the Utilization Calculation settings. The default setting is Automatic, which means that the default utilization threshold values for under- and overutilization are used.

With the PowerShell cmdlet Set-IpamAddressUtilizationThreshold, you can set over- or underutilization thresholds so that IPAM can generate an alert when a block, subnet, or range utilization exceeds or drops below the threshold.

This command sets the address overutilization threshold to 70:

Set-IpamAddressUtilizationThreshold -OverUtilizationThreshold 70 -PassThru

This command sets the address underutilization threshold to 40:

Set-IpamAddressUtilizationThreshold -UnderUtilizationThreshold 40 -PassThru
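The following script is an added example, not code from the book, that goes one step beyond the two commands above: it records the current thresholds with Get-IpamAddressUtilizationThreshold, sets both values in one call, and then lists the IPv4 ranges that fall outside the new band, which is the condition that triggers the utilization alert. The property names UnderUtilizationThreshold, OverUtilizationThreshold, PercentageUtilized and UtilizationStatus are assumptions about the objects these cmdlets return; check them with Get-Member before relying on the filter.

```powershell
# Added example (not from the book). Run on the IPAM server.
Import-Module IpamServer

# Record the thresholds in force before the change (property names assumed).
$before = Get-IpamAddressUtilizationThreshold
'Before: under={0}% over={1}%' -f $before.UnderUtilizationThreshold, $before.OverUtilizationThreshold

# Both thresholds in one call; -PassThru returns the new settings object.
$after = Set-IpamAddressUtilizationThreshold -UnderUtilizationThreshold 40 -OverUtilizationThreshold 70 -PassThru
'After:  under={0}% over={1}%' -f $after.UnderUtilizationThreshold, $after.OverUtilizationThreshold

# Ranges whose Utilization Calculation is Automatic follow these global
# values. List the IPv4 ranges now considered under- or overutilized
# (PercentageUtilized and UtilizationStatus are assumed property names).
Get-IpamRange -AddressFamily IPv4 |
    Where-Object {
        $_.PercentageUtilized -ge $after.OverUtilizationThreshold -or
        $_.PercentageUtilized -le $after.UnderUtilizationThreshold
    } |
    Select-Object NetworkId, StartAddress, EndAddress, PercentageUtilized, UtilizationStatus |
    Sort-Object -Property PercentageUtilized -Descending |
    Format-Table -AutoSize
```

Utilization figures come from the AddressUtilization scheduled task, so a range edited moments ago may still show the previous value until that task has run again.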

In the Details view, you can create a graphical display for Utilization Trends for IP Address Ranges, IP Address Subnets, and IP Address Blocks (see Figure 9-17).


Figure 9-17 IPAM Utilization Trend Example

Best Practices for Monitoring, Auditing, and Managing

Every time a new device or a virtual machine is provisioned, or whenever a tablet leaves the wireless network, the IP address allocation landscape changes. The IPAM database needs to be kept up to date.

The following list outlines best practices for using the Windows Server 2016 IPAM monitoring, auditing, and managing capabilities to maintain a centralized, near-real-time view of all the adds, moves, and changes occurring on the network.

• When editing options across multiple DHCP scopes and servers, use the advanced multiedit operations (add, overwrite, delete, or find-and-replace) that match the exact scenario requirement.

• Create and save queries to quickly identify services and zones that are not in a healthy state.

• Use the duplicate scope functionality to create new scopes with similar settings. Typical scenarios are migrating scopes from one server to another and configuring split scopes.

• When you configure vendor and user classes across multiple DHCP servers, use the advanced multiedit operations (add, overwrite, or delete) that match the exact scenario requirement.

• Use the overall forward lookup zone view to identify potential issues and to determine which servers might have a problem. Isolate whether the issue is due to a zone event or to the server availability state.

• For settings that IPAM does not support, launch the DHCP or DNS MMC from within the IPAM console to complete the configuration scenario.

• Monitor DHCP scope utilization percentage and utilization status to identify over- and underutilized scopes. Take the necessary actions to bring scope utilization to an optimal state, keeping the utilization trend history in mind.

Audit DHCP Lease Events and User Logon Events


IPAM can automatically collect IP address lease logs from DHCP servers and also user and machine authentication events from DCs and NPS servers. IPAM stores this data in its database.

IPAM provides an interface to query this data, intelligently correlates this data in the right context, and provides a view of the IP address activity on the network. For tracking IP address leases in the network, the IP address tracking feature in the Event Catalog is an efficient tool to audit DHCP lease events and user logon events.

You can search the events database pivoted on an IP address, client ID (MAC address), hostname, or username to retrieve the associated DHCP lease events. IPAM automatically correlates the DHCP lease events with user and machine authentication events, allowing you to quickly get a perspective on which user logged on from which machine at a particular time, or which IP address was allocated to which machine and user. This makes it a useful tool for forensic investigators.

Figure 9-18 shows an example of tracking by IP address.


Figure 9-18 IPAM Tracking by IP Address
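The following script is an added example, not code from the book, that runs the IP address tracking query from the console walkthrough (the DHCP client Client1 between 5/20/2016 and 5/23/2016) with PowerShell, and then pivots the same window on an IP address, as Figure 9-18 does in the console. Get-IpamIpAddressAuditEvent is the IpamServer cmdlet for this data; its -StartDate, -EndDate, -HostName, -IpAddress, -ClientId and -UserName parameters follow the console's search criteria, and -CorrelateLogonEvents (the switch that joins lease events with the DC/NPS logon events) is an assumption to verify with Get-Help. The address 172.16.1.50 is a constructed sample value.

```powershell
# Added example (not from the book). Run on the IPAM server.
Import-Module IpamServer

# Inclusive window: the whole of 5/20 through the end of 5/23/2016.
$start = Get-Date '2016-05-20'
$end   = (Get-Date '2016-05-23').AddDays(1).AddSeconds(-1)

# Pivot on hostname, as in the console walkthrough for Client1.
# -CorrelateLogonEvents is assumed; it adds the matching 4768/NPS events.
$leaseEvents = Get-IpamIpAddressAuditEvent -StartDate $start -EndDate $end `
                   -HostName 'Client1' -CorrelateLogonEvents
$leaseEvents | Sort-Object -Property Time | Format-Table -AutoSize

# Pivot on an address (sample value) to answer "which machine and user
# held this IP during the window?", the forensic use the text describes.
Get-IpamIpAddressAuditEvent -StartDate $start -EndDate $end `
    -IpAddress 172.16.1.50 -CorrelateLogonEvents |
    Sort-Object -Property Time |
    Format-Table -AutoSize

# Export the correlated result for the case file.
$leaseEvents | Export-Csv -Path "$env:TEMP\Client1-lease-trail.csv" -NoTypeInformation
```

Because the data comes from the Audit scheduled task, the most recent hours may not yet be in the database; if a query returns nothing for a very recent window, run the Audit task manually and query again.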

Exam Preparation Tasks

Review All the Key Topics

Review the most important topics in the chapter, noted with the Key Topics icon in the outer margin of the page. Table 9-6 lists these key topics and the page numbers where each is found.


Table 9-6 Key Topics for Chapter 9

Complete the Tables and Lists from Memory

Print a copy of Appendix B, “Memory Tables” (on the book’s website), or at least the section for this chapter, and complete the tables and lists from memory. Appendix C, “Memory Tables Answer Key,” also on the website, includes completed tables and lists to check your work.

Definition of Key Terms

Define the following key terms from this chapter and check your answers in the glossary.

IP address tracking

custom fields

utilization trends

utilization thresholds

purge Event Catalog data

logical groups

IPAM scheduled tasks

End-of-Chapter Review Questions

1. Windows Server 2016 IPAM can use IPAM tasks that can be viewed in the Task Scheduler. Which of the following tasks is a new Windows Server 2016 task?

a. AddressExpiry

b. AddressUtilization

c. Audit

d. DnsServerConfiguration

e. ServerAvailability

f. ServerConfiguration

g. ServerDiscovery

h. ServiceMonitoring

2. You want to group and display your IP address spaces on your IPAM server based on physical building. Which PowerShell cmdlets should you use to prepare IPAM for this? (Choose two.)

a. Add-IpamCustomFieldAssociation

b. Set-IpamCustomFieldAssociation

c. Add-IpamCustomField

d. Add-IpamCustomValue

3. You want your IPAM server to generate an alert in the case of an overloaded IP address range. The overload must exceed 80 percent to generate an alert. What is the proper action in this scenario?

a. Change the overutilization threshold settings with Set-IpamRange

b. Change the overutilization threshold setting with Set-IpamAddressUtilizationThreshold

c. Leave the IPAM overutilization threshold default settings

d. Change the IPAM underutilization threshold settings
