Net Admins - What "best practices" do you enforce.....

we hear that term being thrown around a lot.... what kind of best practices do some of you guys strictly adhere to that you bring to any job you accept?

not sure if this is the right forum for this...

Find more posts tagged with

Comments

Forsaken_GA

It's kind of a broad term, and the answer depends on what context it's used in, ie, best practices for design, best practices for deployment, best practices for administration, and so on.

WanBoy67

Generally it's a right-way and a wrong-way. Which means a logical reasoned way and a wrong, maybe not scalable, labourous or non-secure way. With many shades of gray in between. The 70-298 book is a good place to start to read best practices, within the scope of the exam of course. I'm sure others can suggest better books regarding best practices, probably the resource kits and most of technet.

slinuxuzer

1. Drink on the job; if it's allowed

2. work in at least two hours of study time a day; ebooks make this nice (why do it at home right?)

3. Always, apply at places with good looking women.

Alright, but seriously. Here are some of the things that I find makes my life alot easier. Some of these will be more soft skills.

Keep the following things up to date and in as good a shape as possible.

1. Patch managment specifically for the server and workstation OS, third party patch managment is alot to keep up with.

2. Keep your anti-virus up to date with the newest version and newest definitions.

3. As much as humanly possible try to configure all your backup jobs to run a full every night.

4. Implement workstaion imaging, preferably with universal images, there is a good write up on this at vernalex.com that describes doing this with GHOST, and has saved me hundreds of hours of reloading machines.

5. Actually run firmware updates on your servers specifically Raid controllers and Bios, this will keep your servers from doing "weird" things.

6. Every good network admin should know how to remove a windows patch from the command line; if you really want to make things easy install the recovery console on your servers so you can boot to it without the disk's. This way when your running your after hours manual patches on your servers (like I do, under 30 server shop, if I had 50+ I would use some automated way) and a patch crashes your server you can strip it out of there and not cry all night.

7. If your lucky enough to have a managers manager (meaning a non-technical manager) keep your cards close to your chest; take this to mean what you will, but don't let them think they can replace you with some 18yr old because everything is perfectly documented and don't let anyone know if you have 5 hours a day of play time. I'm not saying be a schlemrock, but the less you let people know about you at work the better for the most part. Sadly I have seen people at my job laid off because they had no family (this was admitted by their manager) or because they were "underworked" when it comes down to the workhorse or the showhorse wich one do you want them to think you are?

Thats it.

Forsaken_GA

slinuxuzer wrote: »

3. As much as humanly possible try to configure all your backup jobs to run a full every night.

Debatable, full backups every night is a big waste, as there are times where you'll be transferring very large files if a single byte changes. This is not always desireable behavior.

5. Actually run firmware updates on your servers specifically Raid controllers and Bios, this will keep your servers from doing "weird" things.

I've actually found this is *not* a good idea. I've seen it more than once where firmware gets upgraded, and all of a sudden, machine doesn't boot anymore because of some obscure bug. When it comes to servers and anything that's going to force a reboot, it should only be done if there's a *REALLY* good reason for it. Nothing sucks more than finding out that firmware upgrade had some obscure bug in it and your mission critical server no longer boots.

If you absolutely *have* to do it, do it in a lab situation first to make sure it'll go well, or at the very least have a hot standby available so you don't incur downtime while you're backing the change out (this goes for all hardware, not just servers)

NightShade03

I'd like to add a few:

1) Try to pick a naming standard and stick to it. I can't tell you what a nightmare it is trying to find users and computers with different naming conventions....

2) Never roll out software updates (Windows or otherwise) without testing it first....users really don't like it when things stop functioning all of a sudden.

3) Imaging is a great time saver (like ghost) but be careful in implementing high end imaging solutions like SCCM, they can run away and image machines you don't mean to if you don't have a complex understanding of the technology.

4) Take a lunch....be it 5 mins or an hour make sure that you take time away to clear your head and breathe, everyday, no exceptions.

astorrs

Have a look at this post from earlier today, I like the 3 criteria he listed to determine if a recommendation deserves the label "best practice".

Are Best Practices Just Shared Opinions?

blargoe

I try to stop the use of Built-in groups in AD as much as possible, those groups are too broad in scope for companies with more than 3 or 4 desktop/network people on staff. Almost everywhere I've walked into has given way too many permissions to people that don't need them.

tdean

excellent responses so far. one thing i do, depending on who i will be working with is give them an "user-adm" acct they can use for admin related tasks, and i just have them (and myself) log on to our work machines with minimal permissions. this may or may not be standard practice, i havent worked with enough other people to know.

Forsaken_GA

tdean wrote: »

excellent responses so far. one thing i do, depending on who i will be working with is give them an "user-adm" acct they can use for admin related tasks, and i just have them (and myself) log on to our work machines with minimal permissions. this may or may not be standard practice, i havent worked with enough other people to know.

That's fairly standard practice in the Unix world, you do your day to day work with a regular user account, you do your administration as root. Those who do their day to day work as root often find a cause to regret it at some point, as issuing the wrong command as root can have.... interesting consequences (knew one guy that did a recursive chown to his username as root. In /. That was a fun restore.)

tdean

slinuxuzer wrote: »

6. Every good network admin should know how to remove a windows patch from the command line; if you really want to make things easy install the recovery console on your servers so you can boot to it without the disk's. This way when your running your after hours manual patches on your servers (like I do, under 30 server shop, if I had 50+ I would use some automated way) and a patch crashes your server you can strip it out of there and not cry all night.

this is a weakness of mine. can you explain the process, or point me in the direction of some info on how to do this?

homerj742

tdean wrote: »

this is a weakness of mine. can you explain the process, or point me in the direction of some info on how to do this?

I would like to learn this as well.

HeroPsycho

If a vendor lists a best practice, I always follow it or document why I didn't.

Always test a major change before you do it in production, or get a manager, or someone else to accept the risk if they won't give you the time or resources necessary to test. Too many places I've worked fail to setup even a rudimentary lab environment. When something blows up because of a change you needed to make, it shouldn't be your fault that they failed to allow you to test it in a lab first.

Daniel333

Wow, that is a question with a million answers.
The MCSE, RHCE, CCDP books are packed full of best practices. You can pretty much write your policies right out these books.
Is a specific area that you are curious about? Layer 2 or layer 3 networking? Firewalls? Desktop or servers? SQL or Exchange?

tdean

im sorry if i want more clear. So far all the posts, seem to be on target... i guess i just wanted to discuss the more general net admin best practices if that makes sense. no need to dive into what a dba would do, or even high level router/switching. just some ad tricks, some email security, maybe backup tricks you do etc...

Forsaken_GA

There isn't any general overall rules besides don't make your customers and/or your bosses mad at you. Alot of it is context, and alot of it is opinion (for example, I wouldn't use the term network administrator for folks who work on network services as opposed to the actual network itself, I call those system administrators!)

TravR1

Least priviledge!

Forsaken_GA

If you want a pretty general run through of best practices, read this -

Amazon.com: Practice of System and Network Administration, The (2nd Edition): Thomas A. Limoncelli, Christina J. Hogan, Strata R. Chalup: Books

It's a pretty thick book, but it's got alot of good ideas and alot of common sense.

While you're at it, read this one too -

Amazon.com: Time Management for System Administrators: Thomas Limoncelli: Books