How to piss off your Notes admin
Okay, the quickest way to get on my bad side is to somehow screw up our domain’s Domino Directory, names.nsf. For the uninitiated, names.nsf holds all of the configuration information for your entire environment. It holds specific server info, domain-wide settings, as well as all of your users and their authentication info. Needless to say, you don’t fuck with names.nsf if you don’t know what you are doing.
Well at my new job we have normal NT admins on the coasts that have full admin rights to our Notes servers. It was like that when I got here, so being the new guy, I haven’t pushed hard to change that. After today, it’s changing, mark my words.
You see, an admin in Atlanta accidentally replaced the design of the Domino Directory with the design of the MAIL TEMPLATE. Yes, the mail template. And the bad thing is that he had no clue that he did it. He said he was just replacing the design on a user’s mailbox.
You can imagine what this did to the environment. I had another admin in Chicago ask “Is there anything wrong with the mail server?” I said I didn’t think so, and then I looked over his shoulder. He had the Notes console up and the errors were streaming off the page. It basically said it couldn’t find the certifier for our domain, repeatedly. After my heart started again, I ran for my machine.
I opened our NAB and got email instead. You could visibly see the veins on my neck pop out. I checked the database and yup, the template was showing iNotes6. I hastily replaced the design whilst praying to various deities and alternately cursing the bastard responsible. Once the design was replaced, there were still several errors related to on-disk structure, so I rebooted the Domino services. Luckily everything was back to normality at that point.
That’s when forensics began, and we traced it to Atlanta. In the meantime, the design replace had replicated to EVERY server in my domain (eleven to be exact). So I had to replace the design and reboot each one to get the environment right. I’m glad this happened first thing in the morning. It made it so our west coast offices didn’t even know there was a problem.
Richard Schwartz
August 6, 2004 @ 12:27 pm
Exact same thing happened to one of my customers ten years ago. It was an admin in Morristown, NJ who replaced the design of Names.NSF with the mail template. All hell broke loose, and this was an R3 environment with more than 50 servers. What a mess!
-rich
Paul Mooney
August 10, 2004 @ 4:11 am
I have seen this quite a few times over the years. I have a number of recommendations.
1. Kill the person responsible as an example to others
2. Remove admin rights (or at least restrict them on the respective server)
3. Remove manager rights from the LocalDomainServers group on the directory and demote to editor. Select your hub (or hub cluster) and leave with manager rights. Make sure these servers are directly managed by yourself or people you trust.
Personally, Option 1 gets my highest recommendation!
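The ACL review behind recommendations 2 and 3, as an added example that is not part of the original comment: a LotusScript agent that lists every names.nsf ACL entry holding Designer or Manager access, other than the hubs meant to keep it. The hub names in TRUSTED_HUBS are placeholders, and the comparison assumes the ACL stores server names in canonical form.

```lotusscript
Option Declare

' Assumption: placeholder names for the hub servers that keep Manager access.
Const TRUSTED_HUBS = "|cn=hub01/o=example|cn=hub02/o=example|"

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim levelName As String
    Dim findings As Integer

    ' An empty server name opens the directory on the machine running the agent.
    Set db = session.GetDatabase("", "names.nsf")
    If Not db.IsOpen Then
        Print "names.nsf could not be opened"
        Exit Sub
    End If

    Set acl = db.ACL
    Set entry = acl.GetFirstEntry
    While Not (entry Is Nothing)
        ' Designer is the lowest level that can replace a design;
        ' Manager can also change the ACL itself.
        If entry.Level >= ACLLEVEL_DESIGNER Then
            If InStr(TRUSTED_HUBS, "|" & LCase(entry.Name) & "|") = 0 Then
                If entry.Level = ACLLEVEL_MANAGER Then
                    levelName = "Manager"
                Else
                    levelName = "Designer"
                End If
                Print levelName & ": " & entry.Name
                findings = findings + 1
            End If
        End If
        Set entry = acl.GetNextEntry(entry)
    Wend
    Print findings & " entries above Editor outside the trusted hub list"
End Sub
```

Any group or person it reports is a candidate for demotion to Editor, which is the level recommendation 3 gives LocalDomainServers.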
Roy Holder
August 12, 2004 @ 6:10 pm
Have you considered using a product such as iDM? It allows you to “lock down” access to all Domino directories (if you’re running multiple domains) whilst still allowing your inexperienced admins to perform normal tasks.
The system validates all requests and enforces all your standards (for naming users and groups, group content etc…) whilst locking away your certifiers, ID files and related passwords but still allowing authorised users/admins to manage users (create, delete, disable, move in OU etc) and groups (create, assign management rights, rename, delete, add users, remove users etc).
This is only a VERY brief description of its functionality. If you’re interested or just curious, it’s distributed by a company called Centric. Go to http://www.centric.co.uk/software/overview.htm and take a look! You’ll also find some more information at http://www.hadsl.com.
I’ll be honest and up-front and let you know I’m one of the 3 guys who designed and built this. I don’t want to be accused of any nefarious actions.
Roy H
Aka: TheOldGit
Wild Bill
August 12, 2004 @ 6:50 pm
Ahh. I’ve seen large organisations have almost exactly the same issues.
A country Domino administrator deciding that he didn’t want anyone outside of that country in his directory. So he deleted them.
Or someone dropping “localdomainservers” into a deny access/terminations group (large pharma company, 50,000 users. 300+ servers switched off. Merry Xmas!).
And every time it boils down to muppets (and I use that word very carefully) having too little training, and too much access, and under too little control.
There’s nothing you can do – you cannot improve the design if it’s still driven by and controlled by an idiot.
So hence – and this is where I’ll come clean with Roy – any tool -and I mean ANYTHING – that prevents these idiots screwing up complete businesses – should be considered. Locking up your directories is the first step.
Don’t be like the company with a 3,000 document DISPARITY between replica copies of their directory. And then wonder why there are problems.
Of course these professionally managed companies respond by:
1. Cutting the pay of decent folks, driving them out.
2. Promoting idiots, thus culling even more good people.
3. Retraining NT Admins as Domino Admins in 4 hours,
4. and then, OUTSOURCING the lot to some other culture, 6 hours away.
And then wonder why it all falls apart ?
Perhaps this could be one of the reasons why Notes takes a pounding out there. It’s very very customisable. It’s very flexible, and it’s very secure.
Unless it’s driven by idiots – in which case, it’s very unforgiving..
—* Bill
Paul Mooney
August 17, 2004 @ 8:04 am
Bill….
Perfectly said. I was thinking of creating a Domino Horror story category on my site. What do ye all think..