General Windows - Setting up Remote Server Administration Tools (RSAT) for remote management of Microsoft IPAM, DNS and AD

Overview


If you're configuring the SovLabs Microsoft IPAM, DNS or AD modules, you'll need to configure the connection point and connection method for the modules to use for managing the DNS, IPAM and AD records. 

Setting up communication between vRO and a Domain Controller for management of IPAM, DNS and AD can be done in two ways:

  1. Direct communication with the Domain Controllers via WinRM (this often comes with complicated security policies, so we don't recommend it)
  2. Remote management of DNS, IPAM or AD via a Windows "jumpbox" with RSAT (Remote Server Administration Tools)
    Connectivity to the Windows jumpbox can be configured using the following connection types in the SovLabs Microsoft Endpoint:
    1. Windows SSH (recommended: requires a Windows SSH server to be configured on the Windows jumpbox, along with the RSAT tools)
    2. VMware Tools (recommended, though slightly less than Windows SSH: the VMware Tools connection type can be slower than the Windows SSH type, but doesn't require the extra configuration of an SSH server)
    3. WinRM (least recommended, due to UAC rules commonly found in enterprise environments)


We recommend the 2nd option for a couple of reasons:

  1. Most organizations have Domain Controller access fairly locked down, and it may not be desirable to configure WinRM and PowerShell access directly on them.
  2. GPOs/UAC can interfere with these permissions and cause connectivity and authentication issues via WinRM that can be difficult to diagnose. We recommend the Windows SSH and VMware Tools connection options over the WinRM option for the same reason.


If you decide to use the Windows Jumpbox with RSAT option to enable SovLabs Microsoft modules to manage IPAM, DNS and AD records, these are the step-by-step instructions for configuring RSAT tools on that Jumpbox.

Considerations

  • A VMware VM to use for the jumpbox, with Windows Server 2012 or later.  Preferably it should be in the same network zone as your vRA/vRO appliances (no firewalls in between them).
  • The VMware Tools connection requires a SovLabs-specific vCenter endpoint (you add this from the Catalog in vRA)
  • You need the following information about your vCenter:
    • A service account that has administrative privileges on vCenter
    • Your vCenter version (6.0, 6.5…)
    • Whether the Platform Services Controller (PSC) is external or internal to vCenter. If external, you'll need the FQDN of your PSC.
    • Consult with your vCenter admin if any of this information is unknown.
  • A Windows service account that has all the appropriate permissions to manage AD, DNS and IPAM records

Procedure

Installing RSAT components for AD and DNS Management

  1. On your server, in the Server Manager dashboard, click on Manage → Add Roles and Features
  2. Click on Next
  3. Click on Next
  4. Click on Next
  5. Click on Next
  6. Scroll down until you see Remote Server Administration Tools
  7. Click the little arrow next to it, then expand Role Administration Tools
  8. Depending on what you will use this jumpbox for, place a check next to "AD DS and AD LDS Tools" and/or "DNS Server Tools"
  9. You can opt to have the server restarted as required. I have left this unchecked. Click on Install
  10. Click on Close
  11. Once the installation completes, you can click the flag and confirm this
  12. If you click on Tools, you will now see a set of Active Directory modules and the DNS module.



Installing the IPAM Client

NOTE:
Depending on the server version you are installing on, installing the RSAT tools may automatically install the IPAM client. Follow the steps below to install the IPAM client. If it is already installed, you can continue by adding the IPAM Server to the server list.

  1. On your server, in the Server Manager dashboard, click on Manage → Add Roles and Features
  2. Click on Next
  3. Click on Next
  4. Click on Next
  5. Click on Next
  6. Scroll down until you see Remote Server Administration Tools, expand Feature Administration Tools, place a check next to IP Address Management (IPAM) Client, then click Next
  7. You can opt to have the server restarted as required. I have left this unchecked. Click on Install
  8. Click on Close
  9. Once the installation completes, you can click the flag and confirm this
  10. Once installed, to manage IPAM remotely from the server, you must add the IPAM server to your server pool. In Server Manager, under All Servers, right-click and select Add Servers
  11. In the pop-up, enter the IPAM Server name and select Find Now
  12. Highlight the server name and click on the arrow in the center to add it to the list. Then click on OK
  13. Now you will see a second server in the list of servers.
  14. You will also see on the left side that IPAM is now available for management
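
The two wizard procedures above (RSAT components for AD and DNS, and the IPAM client) can also be scripted and verified from PowerShell. This is an added example, not SovLabs or Microsoft code; it assumes an elevated session on the jumpbox, and the feature-to-module mapping in $Wanted is an assumption to confirm with Get-WindowsFeature on your build. Trim $Wanted to the tools this jumpbox actually needs.

```powershell
# Added example, not SovLabs code. Run elevated on the jumpbox.
# Feature name -> PowerShell module the feature is expected to provide
# (the mapping is an assumption; confirm with Get-WindowsFeature on your build).
$Wanted = [ordered]@{
    'RSAT-AD-Tools'       = 'ActiveDirectory'  # "AD DS and AD LDS Tools"
    'RSAT-DNS-Server'     = 'DnsServer'        # "DNS Server Tools"
    'IPAM-Client-Feature' = 'IpamServer'       # "IP Address Management (IPAM) Client"
}

# Features this OS version does not offer are reported, not treated as fatal.
$known   = Get-WindowsFeature -Name @($Wanted.Keys)
$unknown = @($Wanted.Keys) | Where-Object { $_ -notin $known.Name }
if ($unknown) { Write-Warning "Not offered on this OS: $($unknown -join ', ')" }

# Install only what is missing. -IncludeAllSubFeature mirrors ticking the parent
# box in the wizard; no -Restart, matching the unchecked restart option.
$missing = @($known | Where-Object { -not $_.Installed })
if ($missing) {
    $result = Install-WindowsFeature -Name $missing.Name -IncludeAllSubFeature
    if (-not $result.Success) { throw "Install failed: $($result.ExitCode)" }
    if ($result.RestartNeeded -ne 'No') { Write-Warning 'Reboot required before use.' }
}

# Report the final state per feature and whether its module can be found.
foreach ($name in $Wanted.Keys) {
    $feature = Get-WindowsFeature -Name $name
    [pscustomobject]@{
        Feature   = $name
        Installed = [bool]($feature -and $feature.Installed)
        Module    = $Wanted[$name]
        ModuleOk  = [bool](Get-Module -ListAvailable -Name $Wanted[$name])
    }
}
```

A row with Installed = True but ModuleOk = False means the management consoles are present but the PowerShell module was not found; check this before pointing the SovLabs endpoint at the jumpbox.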



Additional information

Microsoft RSAT 2012 R2 : https://www.microsoft.com/en-us/download/confirmation.aspx?id=39296
Microsoft RSAT tools information : https://docs.microsoft.com/en-us/windows-server/remote/remote-server-administration-tools
Install IPAM Client : https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj878334(v%3Dws.11)
