First the good news.
I went to the Lotusphere 09 session on the new Domino 8.5 ID Vault feature and have read a number of articles about it like this one at Dominoblog. In all the technical descriptions I've read / heard I think they miss the easiest way to describe it. In a nutshell, ID Vault makes Notes Domino function as if there were no ID File. If you are in the habit of logging into Notes from multiple workstations (e.g. a desktop and a laptop) no doubt you've experienced the occasional pain when your Notes ID passwords get out of sync, especially if your administrator has turned password checking on as they should. Addressing this pain, the ID Vault synchronizes your ID files automatically. Secondly, if your ID file was deleted or damaged, the Vault can be configured to automatically download a copy of your ID file to your workstation (great when setting up new users). Third, ID Vault simplifies the Help Desk when users forget their passwords. Just call your help desk and an authorized person can reset your ID password in a jiffy with a couple of mouse clicks in Domino Administrator. Then the user simply logs in using the new password and all is well. In effect, your users could just forget the ID File even exists. That said, obviously this lowers security to some degree, but as long as your org isn't an army or a bank, it should be a good compromise for most. It's optional and you can continue using the existing ID recovery process for all or any subset of your users.
Setting up the ID Vault was a little hairy. Access to your Cert.ID file is required and the copy I had on disk didn't match any password I had written down. Fortunately, if you've migrated your certifier to the CA process there is a copy of your Cert.id along with a computer-generated password in a document in the ICL NSF used by the CA process. If you can accurately type the mega-long automatically generated password, properly distinguishing the ambiguous characters 0 and O as well as 1 and l (I suggest using a monotype font to display the password), you can recover access to your Cert.id and change the password to something humans can type. I was lucky. And I count this as one of my nine lives expired. This post would have stopped right here otherwise, as there is no recourse except to recertify your entire environment, which I imagine would not exactly be the most fulfilling experience, and I quite honestly can't say I would have pursued that option, turning a deaf ear to any talk of the ID Vault forthwith.
After finally setting up the ID Vault on the administrative server, I created a test security policy and, using Dynamic Policies (another new Domino 8.5 feature I just learned about), I applied the Security policy to just me and my Director. I was impressed that both our IDs magically appeared in the vault within seconds of restarting Notes.
Now the ultimate test. I bravely and confidently deleted my ID file (OK, I'm not that reckless. It went into the Windows Recycle Bin, plus I have copies on a couple of USB sticks, just in case). I started up Notes not knowing what would happen next. I entered my password and with only a slightly longer pause than normal up popped the Notes homepage. Checking in my Data directory, there was my user ID restored, as if it never left. Cewl.
Now the bad news, part A.
I noticed that the date of our ID files inside the ID Vault was never more than 10 minutes old. I guessed that our ID files were being uploaded over and over. Lotus Support eventually confirmed this was the case and asked me to check for anything unusual in the Administrative database (Admin4.nsf) used by the AdminP process. Boy was there ever. There were thousands of HTTP password change requests in there, as frequently as every 10 minutes. I was informed that there was a conflict between the security policy setting that automatically syncs the Internet password in your person document when your Notes ID password changes. I was given SPR JRED7SNU25 as a reference but not told in which release this issue would be addressed. I was hoping for 8.5.1 but nobody knows. That's not good as many of our users also rely on iNotes from home or when traveling. In effect this is two steps forward, one step back: replacing the password sync issue between copies of Notes IDs with a new sync issue between Notes and HTTP passwords. In our case, this will prevent us from implementing ID Vault until this SPR is addressed. I temporarily changed the test security policy, turning off the HTTP password sync, and otherwise everything works with ID Vault as expected.
Bad news, part B.
Next, since we have 4-5 users on Macs running Notes 8.5, I targeted one of them with the same policy. His ID never uploaded to the vault. Another PMR and a few log files later it seems clear that ID Vault isn't functioning for Mac, at least not for us. If anyone knows any different, let me know.
UPDATE re Mac & ID Vault (June 30): Since I am not getting much timely assistance from Lotus Support, I went ahead and applied this security policy to two other Mac users and their IDs uploaded the following day, so it does not appear to be an issue where the Mac 8.5 client is not working with the ID Vault. It could be a case where the Mac users where it worked were clean installs and the one where it was not working was an upgrade install...just a guess, but I want to make it clear that if you have Macs, don't not implement because of my report of a problem with my initial test.
So, ID Vault in summary....great feature, we want it. But there's an SPR to address before we can use it in production here.
The Good and Bad of Domino ID Vault
Truthfully, there is not a single human being that multi-tasks. We're all creatures who occupy time and space, with a single thread of primary consciousness. Like a computer CPU that processes instructions sequentially, albeit at a blinding pace, about the best we can do is switch tasks quickly and appropriately, and re-orient ourselves on the fly to each task's current state and data. In other words, multi-tasking is really just illusory. The efficiency of task switching is the real skill that enables some people to get much done in an 8-hour day and others, well...not so much. I prefer the feeling at the end of the day that I have spent my time wisely and moved the needle forward on the projects and tasks that matter. This is why I follow the principles of GTD.
The GTD principle is to keep a list of ALL pending projects and tasks in an external system (i.e. not in your head) and to define the very next action for all of them. It's so simple, yet profound. When I complete a next action for a project, I take 20 seconds and record the next next action that is required. Doing this consistently means that when I switch to the next project displayed in my Today view, having already defined its next action, I save on valuable re-orientation time and I can go straight into execution mode.
Using eProductivity for my Lotus Notes mail file (same tool David Allen uses) keeps me disciplined to "next action" all my projects. But further, eProductivity leverages Lotus Notes' main document / response document architecture so that you can organize and link all the related emails, calendar items, and reference documents to the relevant project or next action. The result is that whenever you view your project or next action document, all the related linked documents are visible in an embedded view. Context is everything.
For example, take a typical server upgrade project that has a life of one month. Let's say in the end, this project requires 50 emails, 5 meetings resulting in 5 minutes documents, and 20 reference documents. When you switch tasks and focus on the next action, you may need to refer to some particular information contained in one of those 75 documents. How much work is involved in searching out that info? In eProductivity, if you've been linking pertinent documents to the action or project document as you go, the document you need is sitting right there in the embedded view. Can you accomplish this same thing using a folder created for that particular project? Yes, but you will have to go to your folders and find it. The power of eProductivity is that what you need is where you need it...in context.
I am addicted to eProductivity and am proud to admit it.
How I use Lotus Notes to NOT multi-task
About two years ago I inherited the voluntary IT Admin role at my church. My predecessor, a Microsoft Business Partner, left behind an Active Directory infrastructure consisting of an MS2003 server, 4 XP Pro workstations, an XP laptop, a permanently mounted projector used for PowerPoint during services (songs, sermon outlines), a Panasonic copier/printer, and all the networking peripherals connecting the whole domain together wired and wirelessly. Having training primarily in Lotus Domino Administration and Development with a little exposure to Windows infrastructure at work, it took me a while to document and fill in the missing gaps of knowledge in maintaining an AD environment. In time I implemented some needed efficiencies, like printing cheques through Quickbooks, and moving a few functions to the cloud such as the church directory, tracking donations, and generating tax receipts (see ChurchEquip.com). My first priority was to assume the worst and put together the essentials of a disaster recovery plan. I needed to get an image of the server and all the workstations, and implement an automated backup. Apparently, backups were previously done manually and sporadically, and by the time I inherited the infrastructure, there was no backup for a good year. This was scary because a church is designated by the government as a charity (this is Canada) and there are many financial regulations related to maintaining records and annual audits. If you don't comply, you risk losing your charitable status. Finding the MS ASR backup to be a ridiculously ancient method of backing up (you need a floppy disk?), I imaged everything using Acronis and set up a Carbonite.com online backup.
Learning the AD infrastructure was my next challenge. There are many sensitive files related to benevolence, counseling, payroll, and donations, and there are many volunteers and roles with varying degrees of access, so it's essential to have a good handle on system security. Although I found it fascinating adding many of these Windows admin skills to my toolbelt, the whole system seemed quite kludgey and non-intuitive. The whole security aspect of a Windows domain is just way more complex than it needs to be. I found it incredulous how much effort was required to determine a user's total access to their PC and all the resources on the domain. I think the "Active" in Active Directory refers to the active administrators needed to maintain such a system. I had a DR plan which I was not comfortable with due to its complexity. Further, being in a volunteer position with limited hours to devote to maintaining the domain and vetting all the all-too-frequent OS and application patches, I was actively looking for a simple alternative. There had to be a better way.
Enter Lotus Foundations. Naturally, through the yellowverse and Lotusphere 2008, I learned about IBM's acquisition of Nitix, a Markham, Ontario company, the same city where I work. I took the 2-day training course and was amazed by both its simplicity and power. Why MS allowed their system to evolve to such a complex, non-intuitive mess that is both hard to administer and hard to recover is beyond me. I convinced the powers that be to invest in a software-only Foundations license, selling the benefits of a solid, autonomic, and easily managed infrastructure. Another church in the same denomination had previously worked with Nitix to create a case study, which helped with the credibility.
Due to other priorities and tasks, I took my sweet time writing the migration plan over several months. I filled in my gaps of knowledge considerably by purchasing a not-for-resale version of Lotus Foundations software for myself, and installing it at home (see my previous postings). Having confidence through hands-on experience at home and with confidence in IBM support, who beat all other industry support satisfaction levels, I was ready to upgrade the church's domain. It really went quite smoothly. I was moving to new (used) hardware so I could just set aside the existing server, keeping it intact just in case I had to revert back. In a nutshell, here was the process:
- Copied all data off the old server to a USB hard drive
- Searched all the workstations for data that the users may not have saved to network drives and copied this to appropriate directories on the USB drive.
- Disjoined the workstations from the domain. I also cleaned up the workstations deleting the old user accounts, running Windows cleanup, defragging the drives, and replacing the ancient Symantec AV with Kaspersky 2009 for Internet Security.
- Server Setup: Connected the new server with Eth0 (nic) going to the hub for the LAN and Eth1 going directly to the DSL modem. Installed Lotus Foundations from CD. The software found 3 drives, two of which I raided, and the third became a hotswap backup drive. It automatically figured out the network, found the Internet, and activated the firewall isolating and protecting the entire LAN. I was up and running in 20 minutes with the RAID building silently in the background while I continued configuring. Under File services, I configured the server as the domain controller. I turned on AV, and scheduled backup.
- Added user accounts and teams (aka groups) and set appropriate access and drive mappings.
- Joined the domain from each workstation and confirmed all the appropriate drive mappings were perfect.
- Set up the other resources like Projector (static IP) as well as the network printers.
- Reset the Logmein.com remote access for the key PCs so users could continue to access workstations from home.
- Copied data back from the USB drive into the appropriate team and individual file shares.
- Testing and backup.
(Post install: Made DNS changes to enable dynamic DNS resolution between the org's Internet Domain name and IP).
All this was accomplished between 10 AM and 4 PM and I was not moving quickly either. Being my first migration, I expect if I were to do it again, I could accomplish it in half the time. The plan was the most important thing of course. I've now got a revised template I can use for other organizations that want to make the switch.
A quick side note: As everyone who has installed an OS knows, after you install, there are always patches and upgrades that need to be downloaded and applied. This can easily triple the install time for a Windows OS, which seems to have a never-ending stream of updates and updates to updates. With Foundations, after installing the OS, it went out to the Internet and found a new release. Since the core Linux OS is so small (only a few hundred MB) their methodology for updates is replace, not patch. Clean, reliable, simple. The entire new OS was downloaded and installed with a single click in 10 minutes. After rebooting the server, the previous OS is available if you choose to revert to it, again with a single mouse click. How cool is that!
Additional functionality I'll be deploying over the next little while includes the Domino add-on server, as well as the VMware add-on, both included in the base price. I've also got a Quickr server I'd like to integrate somehow with the same accounts. Need to research that one.
Onward and upward.
Bye Bye Complex Microsoft Server. Hello Lotus Foun...