
Introduction

This document is intended to help administrators to install and configure the Men & Mice Suite. It will help the administrators to identify strategic servers to install the Men & Mice components on, as they do not have to be installed on all DNS and DHCP servers in the managed environment. 
The actual installation of the components is not covered in this document, as it is detailed in the installation guide.
Note that all the Men & Mice components can be installed on virtual machines.

Installation Task List

Install Men & Mice Components

  • Install Men & Mice Central
  • Install Men & Mice DNS Server Controllers
  • Install Men & Mice DHCP Server Controllers
  • Install Men & Mice Web Interface
  • Install Men & Mice Management Console
  • Add a Men & Mice appliance
  • Add IP Objects, Users & Groups and Roles
  • Add DNS Servers
  • IP Address ranges
  • Add DHCP Servers
  • Users and groups

Men & Mice Central Component

In smaller installations, Men & Mice Suite's Central component can be installed on one of the DNS or DHCP servers, as it will not require many resources. More resources are needed as the managed environment gets larger. Below is a table that can be used as a guideline for choosing suitable hardware for Men & Mice Central.

| Type of environment | Number of objects | Hardware guidelines |
|---|---|---|
| Small to medium | Zones: fewer than 100; IP addresses: fewer than 5000; Subnets: fewer than 1000 | Central can be run on a server alongside other services, such as on a DNS/DHCP server or a Domain Controller |
| Medium to large | Zones: fewer than 1000; IP addresses: fewer than 50000; Subnets: fewer than 10000 | 2 CPU or dual core server, 2 GHz or more; 2 GB of memory |
| Large Enterprises and service providers | Zones: Tens of thousands; IP addresses: Millions; Subnets: Hundreds of thousands | 2 CPU dual core server, 2 GHz or more; 4 GB of memory |

By default Men & Mice Central will use an embedded SQLite database.  The embedded database is suitable for small to medium environments but larger environments should instead use MS SQL server.  Information on how to use MS SQL as the database for Men & Mice Central can be found in the Men & Mice Knowledge Base.

If the organization is using Active Directory (AD) and wishes to use AD user authentication, Men & Mice Central must be installed on a Microsoft Windows member server in the domain. All users in that domain, that forest, and trusted forests will be able to authenticate in Men & Mice, given that they have been granted access in the Men & Mice Suite. As the other Men & Mice Suite components (DNS Server Controller and DHCP Server Controller) can be installed on the DNS and DHCP servers, Men & Mice can manage DNS and DHCP servers that reside in forests that have no trust with the forest where Central is installed.

Men & Mice Suite's Central component can also be installed on a second server that can be used as a "cold standby". The Men & Mice embedded database will then be periodically copied from the active Central server to the cold standby and, if the active server becomes unavailable, the Central service on the cold standby can be activated.

Men & Mice Suite's DNS Server Controller

In a Unix BIND DNS environment the Men & Mice Suite's DNS Server Controller (i.e., DNS agent) is installed on each DNS server that is to be managed. In a Microsoft AD environment, the DNS agent can be installed on some of the DNS servers or they can all be managed agent free. If they are to be managed agent free, then the DNS Server Controller is typically installed on the machine running Men & Mice Central and, when adding the DNS server, the option to add the server as "Microsoft Agent-Free" is chosen. The DNS Server Controller must be running as a user that has the necessary privileges.

If the plan is to install the DNS agent on some of the DNS servers in a Microsoft AD environment, and the environment is a pure AD environment (pure meaning that all zones are AD integrated), the DNS agent is typically installed on 2 DNS servers in each AD domain. Men & Mice will read and write DNS updates to the first server from each AD domain, but if the first server becomes unavailable it will fail over to the second server.

For more information see "Edit Preferred Servers for AD Integrated Zones" in the User's guide.


Two DNS servers from each domain are added to Men & Mice Central.

Men & Mice Suite's DHCP Server Controller

There are a few strategies to install the Men & Mice DHCP Server Controller (i.e., DHCP agent). In a Unix ISC DHCP environment, the DHCP agent is installed on all DHCP servers that are to be managed. In a Microsoft environment, the administrator can install the DHCP agent on one server, some of the servers, or all the servers.
If all the DHCP servers are in the same security realm (maybe in different forests but with trust between them), the DHCP agent can be installed on one server, typically the server running the Men & Mice Suite's Central component.

If the DHCP agent is to be used to manage DHCP on other DHCP servers, the DHCP agent must be running as a member of the AD DHCP Administrators group.  
If some of the managed DHCP servers are not in the same forest as the one where the Men & Mice Suite's Central component is installed and there is no trust between the forests, then the administrator must install at least one DHCP agent in the foreign forest. That DHCP agent can act as a proxy between Central and the DHCP servers and must be running as a member of the AD DHCP Administrators group in the foreign forest.
Finally, the DHCP agents can be installed on each managed DHCP server. In that scenario, the DHCP agent can be run as the Local System account, which means that no additional configuration is needed after the installation is complete.
Cisco IOS DHCP servers can be managed using the Men & Mice Suite. A Men & Mice DHCP Server Controller has to be installed on a machine in the environment, which will then act as a proxy to manage the Cisco IOS DHCP servers, and will use either plain telnet or ssh to connect to the managed servers.

Men & Mice Suite User Interfaces

Web Interface

The Men & Mice Web Interface can be installed on any server on the network running Microsoft Internet Information Services (IIS) or Apache. It is common practice to install the Web Interface on the same server that the Men & Mice Suite's Central component is installed on.

Management Console

The Men & Mice Suite's Management Console is a rich client that can be installed on as many client computers as required and is typically installed on each administrator's workstation.

Command Line Interface (CLI)

Similar to the Management Console, the CLI can be installed on as many client computers as required. However, it is usually only installed on the machine running the Men & Mice Suite's Central component and on a couple of the administrator's workstations. The CLI is used primarily for scripting and performing bulk updates.

Add a Men & Mice DDI or Caching Appliance

After all the components have been installed on the servers, the next step is to add the DNS and DHCP servers to the Men & Mice Suite. Initially, that is done by starting the Management Console and logging into the Central server with the following credentials: 
User: administrator
Password: administrator 

Once the network interfaces on a Men & Mice DDI or Caching Appliance have been configured, the appliances can be added to the Men & Mice Suite. That is done by right-clicking "Appliances" and selecting "New Appliance...". The appliance must be added using its fully qualified name and, once added, the relevant services on the appliance can be selected. If the DNS Service is enabled on the appliance then the DNS server will be automatically added as a DNS server to Men & Mice, and the same applies to the DHCP Service.

Add DNS Servers

The DNS and DHCP servers need to be added using their fully qualified names, like dns1.europe.ad.mmdemo.local. To add a new DNS server the administrator will select "File->New->DNS Server...".
 

The DNS agent will use two different methods to retrieve information from Microsoft AD integrated zones. First it will do a zone transfer (both full and incremental) to get the latest records for the zone and then it will use Microsoft APIs to get detailed information for individual records. Because of this, it is important that the DNS agent is allowed to do a zone transfer from the local server.

The DNS agent on the DNS server must be able to transfer AD integrated zones from the local DNS server.
There is a global setting that allows Men & Mice to adjust the zone transfer settings for dynamic or AD integrated zones. It is enabled by default but the administrator can change this setting by selecting "Tools->System Settings" and selecting the "DNS" tab.


Add DHCP Servers

The following table demonstrates the different options when adding a DHCP Server.

| Server type | Description |
|---|---|
| Microsoft Agent-Free (Use proxy not checked) | The DHCP Server Controller has been installed on the machine running the Men & Mice Central Component, and that machine will be used as a proxy. Men & Mice is not able to track lease history data. |
| Microsoft Agent-Free (Use proxy checked) | The DHCP Server Controller has been installed on the machine identified in the "Use proxy server" field, and that machine will be used as a proxy. Men & Mice is not able to track lease history data. |
| Microsoft with Agent Installed | The DHCP Server Controller has been installed on the remote DHCP server. Men & Mice is able to track lease history data. |
| ISC | Either a Unix server running the ISC DHCPD or a Men & Mice Appliance with the mm-dhcpd package installed |
| Cisco (Use proxy not checked) | The DHCP Server Controller has been installed on the machine running the Men & Mice Central Component, and that machine will be used as a proxy. |
| Cisco (Use proxy checked) | The DHCP Server Controller has been installed on the machine identified in the "Use proxy server" field, and that machine will be used as a proxy. |

IP Address Ranges and devices

Once the DHCP servers have been added to Men & Mice, all the scopes from the DHCP servers will be visible in the tool as scopes in the IP Address Ranges list. The organization might also have a spreadsheet or a database with other IP address range (subnet) allocations and maybe details on individual devices (IP addresses). This data can be manually entered in Men & Mice or more efficiently, imported by using the CLI.

Importing the IP Address Ranges and Device Properties Using the CLI

Before the IP address ranges are imported into Men & Mice the administrator has to identify which custom properties he wants to maintain for IP address ranges and individual IP addresses (devices).
To define the custom properties the administrator will select "Define Custom Properties" from the "Tools" menu and add the necessary custom properties for IP address ranges and IP addresses. After that has been done the administrator can start importing the data from the spreadsheet.
The import format is a comma separated value (csv) list, like:

Subnets (IP Address Ranges)

  network_address, subnet_mask, is_subnet, locked, can_auto_assign, Title,[custom_property_1,...]

  network_address: possible format is "1.2.3.0", "1.2.3.0/24" or "1.2.3.4-1.2.3.6"
  subnet_mask: if the network_address includes the mask (such as "1.2.3.0/24") or is not on bit boundaries (such as "1.2.3.4-1.2.3.6") then the subnet_mask can be empty
  is_subnet: is "1" except when the subnet (range) is not on bit boundaries (such as "1.2.3.4-1.2.3.6")
  locked: "1" if subnet is locked and IPs can't be allocated from the subnet in Men & Mice, else "0"
  can_auto_assign: "1" if users (that have access to the subnet) can use IPs from the subnet in auto assignment in DNS
  Title: the name (or title) of the subnet
  custom_property_n: One entry per custom property or property maintained for subnets in the spreadsheet

Devices (IP Addresses)

  address: IP address of the device
  custom_property_n: One entry per custom property maintained for IP addresses in the spreadsheet


The administrator will import the subnets and devices separately.  First he will import the subnets.  In this example the company has "Title, Description and Status" custom properties for subnets (IP Address Ranges) and "Description" and "Device Name" for IP Addresses.
The "Define Custom Properties" window, which appears when "Define Custom Properties" is selected from the "Tools" menu:

After the custom properties have been defined for IP Address Ranges and IP Addresses, the file to import the subnets will look like the following in the csv format (note that the first line is needed in the file):

network_address,subnet_mask,is_subnet,locked,can_auto_assign,Title,Description,Status
192.168.202.0,255.255.255.0,1,0,0,First subnet,,used
192.168.203.0,255.255.255.0,1,0,0,Second subnet,,used
192.168.204.0,255.255.255.0,1,0,0,Third subnet,,used


To import the data into Men & Mice the administrator will start the CLI (mmcmd) from the command prompt like:

 mmcmd -s 127.0.0.1 -u administrator


The administrator will be prompted for a password.
Before the data is actually imported, there is a possibility to do a syntax check of the file to be imported:

 mmcmd> importdata -c subnets <mysubnetfile.csv>


If the file is reported clean, the data can be imported using:

 mmcmd> importdata subnets <mysubnetfile.csv>
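
A pre-import check for the subnet file, added here as an example (it is not part of the Men & Mice tooling and does not replace "importdata -c"): it applies the field rules listed above to every row of the spreadsheet export. The function names, the sample rows, and the choice to expect is_subnet "1" for a range that happens to fall on a bit boundary are assumptions of this example.

```python
import csv
import ipaddress

FIXED = "network_address,subnet_mask,is_subnet,locked,can_auto_assign,Title".split(",")

def check_network(addr, mask):
    """Return (on_bit_boundary, error) for a network_address/subnet_mask pair."""
    try:
        if "-" in addr:  # range form such as "1.2.3.4-1.2.3.6"; mask may be empty
            lo, hi = (ipaddress.ip_address(p.strip()) for p in addr.split("-", 1))
            return len(list(ipaddress.summarize_address_range(lo, hi))) == 1, None
        if "/" not in addr and not mask:
            return False, "subnet_mask is empty and network_address carries no mask"
        # strict=True rejects addresses that have host bits set
        ipaddress.ip_network(addr if "/" in addr else f"{addr}/{mask}", strict=True)
        return True, None
    except (ValueError, TypeError) as exc:
        return False, str(exc)

def lint_subnets(text):
    """Return [(line_number, message)] for problems in a subnet import file."""
    rows = list(csv.reader(text.splitlines()))
    if not rows or [h.strip() for h in rows[0]][:len(FIXED)] != FIXED:
        return [(1, "first line must start with " + ",".join(FIXED))]
    problems = []
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(rows[0]):
            if row:  # blank lines are skipped silently
                problems.append((n, f"expected {len(rows[0])} fields, found {len(row)}"))
            continue
        addr, mask, is_subnet, locked, auto = (c.strip() for c in row[:5])
        bad = [k for k, v in zip(FIXED[2:5], (is_subnet, locked, auto)) if v not in ("0", "1")]
        problems += [(n, f"{k} must be 0 or 1") for k in bad]
        aligned, err = check_network(addr, mask)
        if err:
            problems.append((n, f"network_address: {err}"))
        elif not bad and (is_subnet == "1") != aligned:
            problems.append((n, f"is_subnet should be {int(aligned)} for {addr}"))
    return problems

# Constructed sample: the page's header plus made-up rows (lines 3 and 4 are faulty).
SAMPLE = """\
network_address,subnet_mask,is_subnet,locked,can_auto_assign,Title,Description,Status
192.168.203.0/24,,1,0,0,Second subnet,,used
192.168.204.4-192.168.204.6,,1,0,0,Odd range,,used
192.168.205.1,255.255.255.0,1,0,0,Host bits set,,used
"""

if __name__ == "__main__":
    print(*(f"line {n}: {m}" for n, m in lint_subnets(SAMPLE)), sep="\n")
```
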


Importing the device data (IP addresses) is very similar to the process above.  As noted earlier, the company has the custom properties "Description" and "Device Name" for IP Addresses:

 address,Description, Device Name
192.168.202.253,Router 1, my_device_1.mydom.com.
192.168.203.253,Router 2, my_device_2.mydom.com.


In a similar fashion the administrator will validate the syntax of the csv file:

 mmcmd> importdata -c devices <mydevicefile.csv>


And if the file doesn't contain any issues it can be imported with:

 mmcmd> importdata devices <mydevicefile.csv> 


This might take a while depending on the amount of data but after the operation has completed, all the imported devices will appear in Men & Mice with the associated data.

Users and Groups

Now that all the managed objects have been created or added to the tool, it is time to add users/groups and define what kind of access they have to Men & Mice and the objects within the tool.
It is possible to specify the roles of users either by using Active Directory groups or using Men & Mice groups. It is best to specify access to objects for the groups rather than specifying access for individual users. After the groups have been added by selecting the "Administration->User Management" menu item, the access for the group is specified by selecting the "Administration->System Settings" menu item and pressing the "Access Controls" button in the System Settings window.

Access for an AD integrated group to Men & Mice.


In the example above, members of the AD group DOMAIN2\MM-Administrators will have access to all the modules in the tool and will be able to log in through all the clients except the CLI. In addition to this, the DOMAIN2\MM-Administrators group cannot use the report or task view in the Web UI.
After specifying access to the tool for all groups it is best to specify access to new objects for these groups. This will be the default access for objects that are either created in Men & Mice (such as an IP address range) or externally (such as a new DNS zone created outside of Men & Mice). The new object access is specified by selecting the "Administration->System Settings" menu item, pressing the "New Objects Access" button in the System Settings window and setting access for the different object types.


After the new object access has been defined the administrator can configure the access on existing objects. One thing to keep in mind is that users/groups must first have access to a DNS server in order to have access to a zone on the server. This means that the administrator must first grant the group "List (or view)" access to the DNS server and then "List (or view)" on a zone stored on the server to have a read-only access to the zone.

The diagram shows the access path from users to objects


For AD User 2 to have access to "Zone A" in the Advanced Zone View, his "DOMAIN1\Group 1" has to be defined in Men & Mice in the User Management window. In the System Settings->Access Control the group has to have access to the Web Interface, the Advanced Zone View and the DNS Module. Then the group has to have access to the server hosting the zone and finally to the zone itself.