5

So, I'm in the process of setting up an IP Address Management server, using the built-in IPAM feature in Server 2012, and have run into a problem that I'm hoping someone else has successfully solved.

Following the TechNet guide here, I've installed and configured IPAM, and have provisioned it via GPO. After verifying that the PowerShell invoke-ipamgpoprovisioning command is successful, managing the desired servers in IPAM, running gpupdate /force on the servers and refreshing my view in IPAM, I'm still getting the less-than-useful recommended action of "Unblock IPAM Access" for all servers. (First done 3 hours ago, so it's not a give-it-time-to-propagate issue.)

Can't, for the life of me, seem to figure out what's causing this, find anything useful in the logs, or find much about this on Google or in the help files, so I was wondering if anyone here had any ideas about how to fix this, or even where to start looking.

I'd really like to get this working, because if not, I have to resume work on creating an Excel spreadsheet for IP address management.


HopelessN00b
  • 1
    I'm starring this because we are considering going this route over using the SolarWinds one. Have you seen this comment elsewhere: "just check the IPAM server must be a member of "Event Log Readers" and especially: LOG OFF/LOG ON your DNS, DHCP, because gpupdate isn't enough to get it working." – TheCleaner Jan 10 '13 at 19:23
  • @TheCleaner IPAM Server is a member of that group, will check the other thing. – HopelessN00b Jan 10 '13 at 19:31

4 Answers

4

Probably you already resolved this long ago, but answering for other people with the issue.

Solution taken from here: http://khellman.blogspot.com/2014/02/unblock-ipam-access-to-dc.html (and worked for me):

Editing the problem server in the IPAM Server Inventory panel to untick DNS - OK - then reticked DNS fixed it.

rufo
2

I experienced the same error yesterday. Basically, I resolved the issue by making some changes to my firewall settings on the server which I use to host my DHCP and DNS server.

Based on the screenshot, I see that DNS RPC Access Status is marked as blocked. What I did was to open the management console for Windows Firewall with Advanced Security and enabled the RPC (TCP, Incoming) and the RPC Endpoint Mapper firewall rule for the DNS Service group.

To resolve the Event Log Access Status issue, add your IPAM machine to the Administrators group in Active Directory.

Hope the above will resolve your issue. :)

Brennan Neoh
  • 1
    Does the Microsoft documentation state anywhere that adding the IPAM machine to the domain Administrators group is required? Seems like more of a band-aid than a true requirement. – SamErde May 12 '14 at 15:02
  • 1
    @SturdyErde what MS did say in a TechNet post is, "Add the IPAM machine acct to the Event Log Readers domain security group." After trying this and everything else, including turning off local+domain firewall on IPAM box and DNS server boxes, I added IPAM box to domain admins just to try, and it worked. Surely not a true requirement but shows something else is needed. Now just need to find out what. https://social.technet.microsoft.com/Forums/en-US/c882c077-61bd-45f6-ab47-735bd728d3bc/ipam-unblock-access-to-a-dc?forum=winserver8gen – Reg Edit Dec 28 '18 at 14:45
0

I had a similar issue but with DHCP. I fixed the issue by restarting the DHCP service of the remote computer using MMC.

Kieren Dixon
0

I also experienced this issue in my home lab. 4 x DC/DNS/DHCP machines and a single file server running the IPAM service.
2 x domain controllers & IPAM server in the same Active Directory site: Unblock status after server discovery, setting the servers to managed and rebooting to refresh group policy settings.
2 x domain controllers in separate sites (one per site): Blocked status after performing the same above steps.
I found the DHCP Audit Share Access status and Event Log Access status were the blocked components in the Details View pane of the console.
I followed the manual configuration steps that cover configuration of the DHCP Audit Share Access (both servers had not configured the dhcpaudit share) and the Event Log Access (Windows Firewall settings) and after another reboot, one server reported back as Unblocked and the other was still blocked.
I then applied the suggested fix of unticking DNS on the second problematic server's management options. After clicking OK, the server started reporting Unblocked. However, when I enabled DNS again, the server was blocked again.
I then backed up the registry, manually configured DNS server event log monitoring, rebooted the server and refreshed the server status. Second server then reported back unblocked.
I'm not sure why the servers in other Active Directory sites did not configure correctly when initially installing and configuring the service. The MS documentation does state the IPAM server can be added to the built-in Administrators group if configuring for standalone domain member DNS servers. However, Microsoft does not recommend this configuration.
I hope this helps anyone who may be having the same issues I had setting up this service.

https://technet.microsoft.com/en-au/library/jj878311.aspx#audit
https://technet.microsoft.com/en-au/library/jj878346.aspx#DACL

Dally
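
The answers above name several prerequisites behind a blocked status: the inbound RPC rules in the "DNS Service" firewall group, the dhcpaudit share, and Event Log Readers membership, with Administrators membership as the not-recommended workaround. The following read-only check of those items is an added example, not code from any of the posters or from Microsoft; the account name `IPAM01$`, the `$IpamPrincipals` variable and the helper `Test-LocalGroupContains` are hypothetical.

```powershell
# Read-only audit; run elevated on the managed DNS/DHCP server (Server 2012 or later).
$IpamPrincipals = @('IPAM01$')   # hypothetical IPAM computer account; add a group name
                                 # here if access is granted through a security group

function Test-LocalGroupContains {
    param([string]$Group, [string[]]$Principals)
    # net.exe also lists built-in domain-local groups when run on a domain controller.
    # Nested membership is not expanded, so list the principal that was added directly.
    $lines = & net.exe localgroup $Group 2>$null
    foreach ($p in $Principals) {
        if ($lines -match ('(^|\\)' + [regex]::Escape($p) + '\s*$')) { return $true }
    }
    return $false
}

$report = @()

# DNS RPC Access: inbound RPC rules in the "DNS Service" firewall group
$rules = @(Get-NetFirewallRule -DisplayGroup 'DNS Service' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.DisplayName -like 'RPC*' })
if ($rules.Count -eq 0) {
    $report += [pscustomobject]@{ Check = 'DNS RPC firewall rules'; Result = 'Not found' }
}
foreach ($r in $rules) {
    $state = if ($r.Enabled -eq 'True') { 'Enabled' } else { 'DISABLED' }
    $report += [pscustomobject]@{ Check = "Firewall: $($r.DisplayName)"; Result = $state }
}

# DHCP Audit Share Access: the dhcpaudit share must exist on DHCP servers
$share = Get-SmbShare -Name 'dhcpaudit' -ErrorAction SilentlyContinue
$shareState = if ($share) { "Present ($($share.Path))" } else { 'MISSING' }
$report += [pscustomobject]@{ Check = 'dhcpaudit share'; Result = $shareState }

# Event Log Access: the least-privilege membership named in the thread
$readers = if (Test-LocalGroupContains 'Event Log Readers' $IpamPrincipals) { 'Member' }
           else { 'NOT a member' }
$report += [pscustomobject]@{ Check = 'Event Log Readers'; Result = $readers }

# Administrators membership makes the status go green but is the workaround
# the comments call a band-aid, so report it as a finding rather than a pass.
$admins = if (Test-LocalGroupContains 'Administrators' $IpamPrincipals) { 'OVER-PRIVILEGED' }
          else { 'Not a member (good)' }
$report += [pscustomobject]@{ Check = 'Administrators'; Result = $admins }

$report | Format-Table -AutoSize
```

Group Policy changes to computer group membership only take effect once the machine obtains a new logon token, which is why several posters above needed a reboot before the status changed.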