The role of IT in business has evolved from ruling the back office towards dominating the front. Smart investments in software and the people who run it have become decisive factors in the blueprint for business success.
This white paper discusses how a comprehensive DNS, DHCP and IP Address Management (DDI) solution can boost a network team’s productivity, performance and general well-being, thereby greatly enhancing network security and elevating business efficiency.
THE DDI NETWORK TRIAD
Networks and network activity are akin to the inner workings of the human body: unseen and often unnoticed, yet absolutely essential to the existence of the organism - or organization - that hosts them. How well the inner workings of a body function greatly affects the strength and health of that body. In the same vein, how well the inner components of an organization’s IT network function critically affects the performance of any modern, competitive enterprise.
As technology advances, the number of devices with the potential to access and affect an enterprise’s network increases exponentially. An increase in the number of devices and how they are managed can have an acute influence on a network’s efficiency and connectivity. This inevitably elevates the risks of network downtime, outages or a breach in network security.
Too often, negative incidents or outages can be traced back to problems in the functioning within, or interaction between, the three critical components of network connectivity: the triad of DNS, DHCP and IP Address Management, also known as DDI. While the quality of machines and technology often drives network capacity and capability, it is the DDI network design and administration that determine network efficiency, connectivity, and security.
What is DDI?
All devices that need to connect to an enterprise network, from printers to smartphones to production machines to security alarms, have one thing in common: they need an Internet Protocol (IP) address each and every time they access the internet.
Each of these IP addresses will always, without exception, be allocated either statically or automatically through the Dynamic Host Configuration Protocol (DHCP). And once a device is online, it depends entirely on the Domain Name System (DNS) to do what it was designed to do: enable human and digital communication and administration across the boundaries of distance and dispersed locations.
These three components form the critical foundation of any modern organization’s network.
Who does DDI?
Enterprises typically invest in teams of highly qualified and experienced engineers and technicians to optimize their network’s performance. Yet, as devices multiply, businesses expand and networks grow, so does the burden on networking staff. This affects not only network efficiency and security, but also team members’ performance and personal well-being.
THE UPS AND DOWNS OF DDI
Poor DDI management and administration, especially in larger enterprises, lead to:
- extra operational expenses
- compromised network safety, often as a result of human error
- business operations in danger of downtime due to outages
- low team productivity
- reduced staff well-being, leading to costly staff turnover
Many enterprises use pretty nifty homegrown DDI solutions, created by ingenious staff engineers and specialists who know their business’s business inside and out. Nifty as they may be, most of these solutions lack certain crucial capabilities essential to maintaining a healthy network: a unified overview of the network and all its separate parts, the ability to perform automated tasks and monitor system health, and ways to track – and audit – what was done by whom, and where and when.
This means highly qualified and valuable team members may be spending an inordinate amount of time managing DDI through manually managing and assigning IP addresses, troubleshooting and resolving IP address conflicts, maintaining IP subnets, making changes to network and subnet configuration, monitoring and configuring DNS and DHCP infrastructure and managing DDI data, auditing and reporting.
Network administrators describe common DDI points of pain as follows:
- The different critical components of our network function as islands. We lack a comprehensive overview of what is being used where, by whom and at what rate.
- Manual updating without a proper overview of the network leads to the allocation of IP addresses or leasing of subnets that are already in use.
- Badly defined or non-existent network administration access control exposes the network to security breaches and human error.
- Manual registration of thousands of IPs is both time-consuming and prone to human error – even with a pretty nifty homegrown solution!
- It’s hard to determine which devices are connected, but not registered, or registered but not connected.
- Forward and reverse DNS mappings (A records / PTR records) too often end up in a mess.
- Distributed DHCP services and configuration lack analysis, monitoring and reporting.
- Lack of overview of DHCP scopes and how they are utilized leads to errors.
- There are mismatches between DNS configuration and DHCP reservations.
- MAC addresses in DHCP don’t match MAC addresses in the ARP cache.
- Lack of automated auditing impedes effective control and management of resources.
- Site and subnet registration in Active Directory is inadequate.
- Without automated synchronization of changes to the network, the risk of errors and/or network downtime multiplies.
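A reconciliation pass over several of the mismatches listed above (A/PTR drift, DNS versus DHCP reservations, DHCP versus ARP MAC addresses, devices connected but not registered and the reverse). This is an added example, not code from the white paper or from Men&Mice; all records, hostnames and the `reconcile` function are constructed for illustration, and it assumes the four data sets have already been exported from the DNS zones, the DHCP server and the ARP cache.

```python
import ipaddress

# Constructed sample data (not from any real network).
A_RECORDS = {"web01.example.test": "10.0.0.5", "db01.example.test": "10.0.0.6",
             "old01.example.test": "10.0.0.9"}
PTR_RECORDS = {"5.0.0.10.in-addr.arpa": "web01.example.test",
               "6.0.0.10.in-addr.arpa": "db02.example.test"}
DHCP_RESERVATIONS = {"10.0.0.5": ("AA-BB-CC-00-00-05", "web01.example.test"),
                     "10.0.0.6": ("aa:bb:cc:00:00:06", "db01.example.test"),
                     "10.0.0.7": ("aa:bb:cc:00:00:07", "print01.example.test")}
ARP_CACHE = {"10.0.0.5": "aa:bb:cc:00:00:05", "10.0.0.6": "aa:bb:cc:00:00:66",
             "10.0.0.7": "aa:bb:cc:00:00:07", "10.0.0.50": "de:ad:be:ef:00:50"}


def norm_mac(mac):
    """Normalise MAC notation so AA-BB-.. and aa:bb:.. compare equal."""
    return mac.lower().replace("-", ":")


def reconcile(a, ptr, dhcp, arp):
    """Return a sorted list of (kind, ip, detail) inconsistencies."""
    findings = []
    # Forward/reverse DNS: every A record needs a PTR that points back to it.
    for name, ip in a.items():
        target = ptr.get(ipaddress.ip_address(ip).reverse_pointer)
        if target is None:
            findings.append(("ptr_missing", ip, name))
        elif target.rstrip(".").lower() != name.lower():
            findings.append(("ptr_mismatch", ip, f"{name} != {target}"))
    dns_by_ip = {ip: name for name, ip in a.items()}
    for ip, (mac, host) in dhcp.items():
        # DHCP reservation hostname must agree with the A record for that IP.
        if dns_by_ip.get(ip, "").lower() != host.lower():
            findings.append(("dns_dhcp_mismatch", ip, host))
        # Reserved MAC must agree with what is actually seen on the wire.
        seen = arp.get(ip)
        if seen and norm_mac(seen) != norm_mac(mac):
            findings.append(("mac_mismatch", ip, f"{norm_mac(mac)} != {norm_mac(seen)}"))
    registered = set(dns_by_ip) | set(dhcp)
    for ip in set(arp) - registered:
        findings.append(("connected_not_registered", ip, norm_mac(arp[ip])))
    for ip in registered - set(arp):
        findings.append(("registered_not_connected", ip, dns_by_ip.get(ip, "")))
    return sorted(findings)


if __name__ == "__main__":
    rows = reconcile(A_RECORDS, PTR_RECORDS, DHCP_RESERVATIONS, ARP_CACHE)
    for kind, ip, detail in rows:
        print(f"{kind:26} {ip:10} {detail}")
```

An ARP cache only reflects recently active hosts, so a `registered_not_connected` finding is a prompt to check last-seen history before reclaiming the address.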
WHAT’S THE SOLUTION?
Investing in a strong DDI solution provides an enterprise with a robust return on investment, mostly through boosting network efficiency and reinforcing network security. Less visible, and largely undocumented, is the positive effect a DDI solution has on a network team’s productivity, ability to innovate and general employee wellbeing.
DDI solutions and network security
Fire, candles, lamps, electrical streetlights, CCTV, satellite imaging. Through the ages, man’s attempts at ensuring his own security have largely revolved around ways to make darkness light, and expose what is hidden to clear sight. The ability to see is, and always will be, the first step towards greater security. And it is no different for networks.
Commentators on best network security practices list the comprehensive overview of a network as one of the paramount keys to effective network security management. Other best network security practices often mentioned include ensuring that all hardware and software components are installed correctly and are up to date, utilizing solid auditing, logging and tracking capabilities and managing network access privileges through user-defined network access control.
An effective commercial DDI solution ticks all the most common best practice network security boxes. It grants network engineers and administrators a global overview of their network’s DNS, DHCP and IPAM components, provides granular role-based access control capabilities and gives users comprehensive data on what is being used by whom, where, when and at what rate. Without an extensive DDI overview, network teams quite simply can’t see enough of their network and network activities to properly prevent or respond to breaches in security in the most beneficial manner.
DDI solutions and network efficiency
The 2015 Gartner report on DNS, DHCP and IP address management estimated that an enterprise’s operational expenses (OPEX) can be reduced by 50% or more by using a commercial DDI solution. This can lead to full-time equivalent (FTE) savings in larger organizations.
Additionally, a recent IDC (International Data Corporation) report estimates that the costs of network downtime, depending on industry, generally range from $100k/hour to $300k/hour, and even up to $500k/hour or more for critical failure in large networks. This unforeseen expense can be significantly reduced, if not made redundant, by implementing the tools offered by a powerful, commercial DDI solution.
DDI solutions and DDI teams
Though reports have focused on how DDI solutions can reduce OPEX through FTE savings and the prevention of downtime, some of the greatest gains are made in productivity and improved staff wellbeing and satisfaction. Reducing the burden of manual administration frees up highly valuable team members to apply their knowledge and skills to innovation and the tending of other critical tasks. This, in its turn, boosts productivity and enhances employee satisfaction.
The more efficient utilization of human resources results in greater gains through less staff turnover, the retention of crucial in-house knowledge, and a generally more stable and secure networking environment.
HOW DO I CHOOSE A SOLUTION?
Since DDI solutions affect core IT infrastructure, choosing one is a sticky business decision best not entered into hastily. A number of commercial solutions are available on the market. Top market analysts advise you to keep a 5 to 10-year horizon central to your assessment of the solutions on offer and base your choice entirely on what your organization needs – what works for one doesn’t necessarily work for another. Central to your decision should be what type of infrastructure you already have, and how well, or not, the proposed solution integrates with your existing DNS and DHCP servers.
Instead of allowing perceived market leadership or brand to dictate your choice, rather consider your organization’s individual 4 Fs: fundamental, functional, financial and future requirements, as follows:
Fundamental:
- Replace hardware infrastructure or deploy software overlay?
Functional:
- Must-have features included?
- Ease of implementation and upgrades?
- Integration with existing infrastructure?
- Simple, or simply painful, migration?
Financial:
- Justifiable costs of initial purchase, implementation, maintenance and upgrades?
Future:
- IPv6: Support for deployments?
- Cloud: Fully automated DNS/DHCP services within the cloud?
- Scalability: No fuss, no mess?
MICETRO BY MEN&MICE AS A DDI SOLUTION
As a commercial solution, Micetro builds a sophisticated layer of non-intrusive, integrated DNS, DHCP and IPAM bridges on top of existing DNS and DHCP network infrastructure. The unified management interface and single IP address database provide a unique, real-time overview of an enterprise’s network, granting administrators centralized, organic control and administration of multiple DNS and DHCP servers in a pure Microsoft, Unix/Linux, Cisco IOS, ISC, cloud or mixed environment.
Deploying Micetro by Men&Mice enables the clean-up of stale records, improves IP Address utilization, markedly reduces errors in the registration of new devices and helps to identify any alien devices on the network, thereby significantly enhancing security.
How Micetro by Men&Mice solves particular points of pain
A disconnect between critical components
Problems don’t generally arise from the DNS Manager or the DHCP Management Console per se. It is the inability of additional tools developed to keep track of information, such as which IP address block is to be used for what purpose, that complicates matters. Since there is no direct connection between such documentation and the DNS and DHCP servers, it is down to the network administrators to remember to update and synchronize the documentation.
Micetro by Men&Mice: One view, one console, one database. Views for DNS and DHCP, organized by Subnet, Scope or Zone are provided in one tool and in one console, with integrated functionality. Configuration and administration can be completed in one smooth motion. Micetro records, updates and synchronizes all changes in DNS servers, DHCP servers and database records. These changes are reflected in the Micetro database, as well as the original management tools.
If in use, then where and when?
Native IP Address Management tools can’t say whether an IP address is in active use. They also lack the ability to provide sufficient information on the interplay of subnets, virtual LANs and Active Directory Sites. Simple and easy access to this information is essential for assigning an IP address correctly and efficiently.
Micetro by Men&Mice: IP address reconciliation. Micetro keeps track of the last time an IP address was ‘seen’ on the network and gathers information from DHCP leases and network traffic, as well as monitors which IP addresses are in use and which are not. Management also extends to IP ranges, DHCP scopes, DNS zones and subnets that can be integrated directly with Active Directory for the management of sites, subnets and IP addresses.
Coordinating reservations or managing split DHCP scopes
To guard against server failure, it has become common practice for multiple DHCP servers to cover a single subnet. However, the resulting “split-scope” arrangements are often hard to coordinate and configure. Though features are regularly being developed to deal with split-scope configuration, adding them on often requires costly re-investment or upgrading that can prove too daunting for some organizations.
Micetro by Men&Mice: A side-by-side graphical presentation of each server’s view of a DHCP scope allows for easy identification of incorrectly designated exclusions, missing reservations and other conflicted configurations.
Who did what and when?
Windows management tools do not provide an audit trail to ascertain who made changes to DHCP settings and when they did so. This severely complicates the troubleshooting of DHCP-related network problems, especially when trying to avoid a repeat of errors such as incorrectly assigning an IP address, documenting and updating DNS names and complying with DHCP reservation logging regulations.
Micetro by Men&Mice: Track everything. Yes. That’s it. A full change history for DHCP and DNS configuration is logged and a change history is kept for every item and every user. This means that you can easily find out which records were deleted, who did it and why – and quickly access the details of the deleted record to recover important data.
“All or nothing” access
Current basic management tools mostly require Administrator rights, providing for limited delegation or division of authority and thereby affecting efficient management of resources.
Micetro by Men&Mice: Fine-grained access control allows managers to define access and delegate control for individuals or groups from within Micetro. Additionally, they can control permission for specific actions by specific administrators or groups, as well as create a more defined “mission task” web page through Micetro's web access.
Lack of custom properties
Windows DNS and DHCP lack built-in custom properties, which impinges on the ability to properly locate or manage devices on a network in an IP address database.
Micetro by Men&Mice: Micetro allows for the creation of a number of custom properties for objects such as subnets and devices. Additionally, the commitment of changes to the database and DNS and DHCP servers prompts the user for comments, which gives administrators the opportunity to supply explanations for actions.
Detecting system health issues
When a problem arises in a large network, it is often hard to determine exactly where the problem is in time to prevent a disruption to the network.
Micetro by Men&Mice: The System Health Monitor gives managers a clear indication of where the problem is, what it is and, through color codes, how severe it is. For instance, the System Health Monitor will warn managers when a slave zone is expiring or that zones have not been loaded on a server due to an error. Such issues can cause outages for users and have a serious impact on their business.
OTHER FUNCTIONAL BENEFITS ARE:
- Global Search and Replace: Save time by quickly finding and updating strings, such as a renamed department, wherever they occur.
- Web User Interface: Access Micetro from any browser, and create custom mission-oriented task pages.
- SOAP Interface: Programmatically configure or report on your infrastructure services. Easily tie into existing support systems.
- Access based scripting: Users can use scripts to be efficient and fast, but the scripts adhere to the access model and permissions.
- Change trigger based scripting: When an object is changed, a script can automatically be triggered, such as sending a notification email.
- DHCP lease history and issue detection: Micetro can detect and even rectify common situations like scope exhaustion, and concurrent (duplicate) leases.
- DHCP migration/failover: DHCP Scopes can be migrated between servers, either to create a split or to migrate from servers that are to be decommissioned.
- Analysis: DNS and DHCP configuration analysis and error checking.
- Statistics: Automated calculation and monitoring of subnet utilization.
WHY MICETRO BY MEN&MICE?
The Men&Mice team has been in the DNS, DHCP and IPAM business for a long time. Micetro's IPAM module was the first dedicated DDI solution to fully integrate with Microsoft Active Directory, laying the groundwork for a continued, and highly successful, core synergy with Windows DNS and DHCP servers.
Further Micetro support for BIND, Unbound, PowerDNS, Cisco IOS DHCP, ISC DHCP and Kea DHCP, as well as Microsoft Azure DNS and AWS Amazon Route 53, facilitates seamless integration of network performance - regardless of the diversity or distribution of servers. Requiring no replacement of existing network infrastructure, Micetro brings simplicity to the complex tasks of synchronization and security faced by networks operating in hybrid environments today.
The Men&Mice team’s long-lived expertise and experience in the field have culminated in the development of a user-friendly, no-frills, no-fuss solution. It’s easy to deploy and simple to maintain. Though Micetro lacks broad awareness amongst upper management, it’s always been popular with the people who know networking and need to use it: the network engineers, administrators and managers.
When asked what sets Micetro by Men&Mice apart, network teams invariably say ease of use, followed by great service and low cost of maintenance.
In varying measures, all DDI solutions cut down on OPEX, reduce errors, lower the risk of downtime and augment network security. Few, however, contribute as much to overall employee well-being as Micetro by Men&Mice, thereby providing an additional boost to productivity and leveraging corporate investment in human resources. As entrepreneur Chip Conley says: “We count numbers, but we count on people.”
For a sticky investment, Micetro by Men&Mice does a great job when it comes to the numbers an enterprise counts, but it does an exceptional job when it comes to the people on which the enterprise counts.