Team Network VS Team Server for control of DNS....... FIGHT!

Right now we have two groups that manage our outside domains and outside DNS: the Windows admins and the Web admins, as they are the ones that require the most changes. Some recent SNAFUs with an email MX record and our entire primary domain getting deleted have brought into question who should manage this stuff. The Web admins never really wanted the responsibility and are eager to pass it to someone else.

The Windows server team says they should control the external domains and external DNS because they already manage the internal DNS and DHCP via AD. To them managing the external DNS and domain is a natural extension of what they do.

The network team says they should manage it because they're the ones that'll have to poke the holes in the firewall, and DNS is a network function anyway. Their main argument is that by having the network team manage the external DNS it forces the Server and Web teams to go to them to make changes, which adds dual control to the equation.

The network team is also saying they should manage the internal DNS and possibly the DHCP servers as well since those servers provide network functions.

There is a battle royale brewing over this and I'm caught in the middle.

What do your organizations do, and how are these responsibilities structured? I could really use some input here before the blood starts to flow. :eek:
 
Personally, in a business that is doing its own hosting you should have 3-5 public IPs.

The first IP should be controlled by the network admins and should only be used for the private, internal network. No public services should be hosted on this IP (except the VPN server). The network admins should have complete control over this network. The only thing that the network admins would need to request is that "private.yourcompany.com" points to their IP.

The other 2-4 IPs should be for the web, DNS and email servers. I prefer using 5 IPs total because you can put each service on its own IP. This entire system should be controlled by the web admins. Email access should be restricted to the other public IP that the internal network runs on, and all email should be SSL anyway. Access to administrative portions of the web servers should be controlled by encrypted VPN. If the web admins aren't capable of creating a secure network then the network admins should set it all up and secure it, and allow the web admins to make any changes they need to. The only thing that you would have to add to that system is a way of receiving a notification of any changes made.

If you have a public web server, email server and 2 DNS servers all on the same network that all your company information is on, you are asking for trouble. One hack or one virus brought into your business by a user, and you could have a serious issue on your hands.

Basically, I'm saying that they should be separate networks anyway, so there shouldn't be anything to argue about. Network/Windows admins control the internal network and shouldn't have access to the public DNS, email and web servers. The web admins should not have any control over the private network either. They should be separate systems managed by separate people.

Never EVER EVER run publicly available services on the same subnet as your private network.

Really, the only thing that anyone should have to fight over is who sets up the switch that directly connects to your ISP. At that point you'll have 3-5 CAT5e connections to hand everyone and say "set your shit up". One goes to a router for the private internal network, and the rest go to another router for the web services.
 
IMO, both sides should be able to. But I suppose in a larger organization, if you had to choose a side, the "network" guys should, as they control the firewall, public IP addresses, port forwarding for services, VPN, etc.

I don't see why the Windows server guys are using internal DNS and DHCP as a point of why they should manage it. DHCP is for the internal LAN and has nothing to do with public DNS. Also, Active Directory internal DNS is for the inside of the network; again, nothing to do with public DNS. But I can see where the Windows guys want some control of the DNS, because they're probably involved with doing things like assisting with Outlook Web Access, or Outlook Anywhere, or terminal server stuff, other remote access, etc.

Website guys also need access to this.

I guess I don't have an answer... unfortunately it's a circle that has to involve three teams: the server guys, network guys, and website guys.
 
If your DHCP services are run from the (Cisco?) switches, then the network team should manage it.

If DNS and DHCP are run from Windows servers, the Windows team should manage it.

I am a jack-of-all-trades admin, but I have noticed in big environments, when you have dedicated specialized people for network and also for server admin stuff, neither really knows the other's environment too well.

Network people are used to the CLI; Windows admins are better in the GUIs.
I wouldn't want a BGP/OSPF/MPLS master monkeying around in a Windows GUI... it's not his cup of tea.
 
@cry0n

I'm a network guy and we handle both DNS and DHCP, mainly because the server guys don't want the added responsibility. But the funny thing is (and something that I have noticed since I became a Jr. Engineer) that most good engineers know both sides. I said that I wouldn't want to learn anything Microsoft, but with the network, everything affects everything. Plus, we manage our own internal servers.
 
I can't imagine your internal stuff is hosted with your external stuff. Give the network guys access to the external, let the internet sys admins work on the internal stuff, and call it a day. No need to piss everyone off.
 
DNS generally should fall under the purview of a network administrator (not necessarily an engineer), but it can also be a good fit for a systems administrator. It depends on where your skills are. At some orgs, the 'network guys' are just router/switch/firewall/appliance admins plus an electrician or two that does closet work/pulls. Other places, the 'network guys' include a systems administrator (part-time or full-time) that handles things related to DNS, SNMP monitoring, and managing LDAP or auth systems (whether just to support the net infra, or possibly the org).

Either way, the role of managing the DNS should fall to someone who understands DNS well, and is somewhat meticulous and good with change management. If DNS gets messed up, it affects a lot of people, as indicated earlier in this thread... and can wreak havoc on directories/Kerberos/antispam, etc. It's all infrastructure. Give primary control to the person best suited to marshal it, and make sure they appoint and train a backup.
 
Also, a good DNS admin will have no problem (in a larger organization) delegating out a subdomain, e.g., tech.example.com., to another DNS server admin'd by a group for their use, if they have a reasonable need and are willing to be responsible for their subdomain.
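The change-management point and the subdomain delegation from the last two posts, as an added example that is not from any poster in this thread: a small Python pre-publish check over a constructed example.com zone (example.com is a reserved example domain; every host, address and the tech.example.com delegation are made up for illustration). It refuses a zone change that drops apex MX records, fails to bump the SOA serial, leaves fewer than two apex NS records, or deletes most of the zone (the kind of SNAFU the thread opened with), and it verifies that a delegation to tech.example.com carries the NS records and in-zone glue it needs. The zone parser is deliberately minimal: one record per line, optional TTL and class, no multi-line parentheses.

```python
"""Pre-publish sanity checks for an external zone (added example, not from the
thread). Zone text below is constructed: example.com is a reserved example
domain and every host and address in it is made up."""
from collections import namedtuple

Record = namedtuple("Record", "name rtype rdata")


def fqdn(name, origin):
    """Turn a relative owner or target name into an absolute one."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal BIND-style zone parser: one record per line, no parentheses."""
    records, last_name = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()     # drop comments
        if not line.strip() or line.startswith("$"):
            continue                              # blank line or $directive
        tokens = line.split()
        if line[0].isspace():
            name = last_name                      # blank owner = previous owner
        else:
            name = last_name = fqdn(tokens.pop(0), origin)
        if tokens[0].isdigit():
            tokens.pop(0)                         # optional TTL
        if tokens[0].upper() == "IN":
            tokens.pop(0)                         # optional class
        rtype = tokens.pop(0).upper()
        if rtype == "NS":
            tokens = [fqdn(tokens[0], origin)]
        elif rtype == "MX":
            tokens = [tokens[0], fqdn(tokens[1], origin)]
        records.append(Record(name, rtype, tuple(tokens)))
    return records


def check_delegation(parent, child):
    """A delegation needs NS records for the child in the parent zone and, for
    any nameserver named inside the child, a glue A/AAAA record alongside."""
    issues = []
    hosts = [r.rdata[0] for r in parent if r.name == child and r.rtype == "NS"]
    if not hosts:
        issues.append(f"no NS records delegating {child}")
    for host in hosts:
        glue = any(g.name == host and g.rtype in ("A", "AAAA") for g in parent)
        if host.endswith("." + child) and not glue:
            issues.append(f"nameserver {host} is inside {child} but has no glue")
    return issues


def soa_serial(records, origin):
    for r in records:
        if r.name == origin and r.rtype == "SOA":
            return int(r.rdata[2])           # SOA rdata: mname rname serial ...
    return None


def check_change(old, new, origin):
    """Catch the mistakes that take a domain down: a serial that does not move,
    lost apex NS or MX records, or most of the zone vanishing."""
    issues = []
    old_s, new_s = soa_serial(old, origin), soa_serial(new, origin)
    if new_s is None:
        issues.append("no SOA record at the apex")
    elif old_s is not None and new_s <= old_s:
        issues.append(f"SOA serial did not increase ({old_s} -> {new_s})")
    if sum(1 for r in new if r.name == origin and r.rtype == "NS") < 2:
        issues.append("fewer than two NS records at the apex")

    def mx_targets(records):
        return {r.rdata[1] for r in records if r.name == origin and r.rtype == "MX"}

    for host in sorted(mx_targets(old) - mx_targets(new)):
        issues.append(f"MX target {host} removed from {origin}")
    if old and len(new) < len(old) / 2:
        issues.append(f"only {len(new)} of {len(old)} records remain; mass deletion?")
    return issues


ORIGIN = "example.com."
OLD_ZONE = """\
@        IN SOA ns1 hostmaster 2024010101 3600 900 1209600 300
         IN NS  ns1
         IN NS  ns2
         IN MX  10 mail
ns1      IN A   192.0.2.1
ns2      IN A   192.0.2.2
mail     IN A   192.0.2.10
"""
# Proposed change: delegates tech.example.com correctly, but the MX record
# was dropped by mistake.
NEW_ZONE = """\
@        IN SOA ns1 hostmaster 2024010102 3600 900 1209600 300
         IN NS  ns1
         IN NS  ns2
ns1      IN A   192.0.2.1
ns2      IN A   192.0.2.2
mail     IN A   192.0.2.10
tech     IN NS  ns1.tech      ; delegation to the tech group's own servers
         IN NS  ns2.tech
ns1.tech IN A   192.0.2.31    ; glue for the in-zone nameservers
ns2.tech IN A   192.0.2.32
"""

if __name__ == "__main__":
    old, new = parse_zone(OLD_ZONE, ORIGIN), parse_zone(NEW_ZONE, ORIGIN)
    for issue in check_change(old, new, ORIGIN) + check_delegation(new, "tech.example.com."):
        print("BLOCK:", issue)
```

Run against the constructed zones, the delegation passes and the only finding is the lost MX target, which is exactly the change a second pair of eyes (the dual control the network team argues for) should have to approve explicitly. Wire the same checks into whatever gate sits in front of the zone publish, so a mass deletion or a stale serial never reaches the authoritative servers unreviewed.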
 