50 Reasons to Invite Collaboration Tools into your Organization

I want to share with you this article, 50 Reasons to Invite Facebook Into Your Classroom by Tina Barseghian, which, as its title implies, is intended to encourage college teachers to use Facebook in their classrooms. You might wonder why I, a techie geek, would recommend this article to you or, for that matter, to my other reader, neither of whom, as all three of us now know, is a college teacher. The reason is that I've noticed that many of my corporate clients are leery of Facebook, some going so far as to block it entirely from their internal networks. It turns out that my clients' skepticism about allowing Facebook on their networks is mostly rooted in the same concerns as college teachers have about Facebook. That is, they think Facebook is a distracting time-waster, and they don't want to encourage their students/employees to waste even more time than they already do.

The author makes 50 arguments that Facebook brings far more benefit to the classroom than it brings problems. In essence, the author argues that Facebook fosters collaboration among the students, between the students and their teachers, and among the students and the outside world. Because of the collaboration, the students learn the subject matter of the class more effectively and thoroughly than they would using traditional teaching tools and techniques. 

It occurred to me that the author's 50 reasons why college students would benefit from using Facebook to learn collaboratively in the classroom are mostly applicable to my business clients' employees too. That is, by fostering a more collaborative work ethic among their employees, my clients will foster more productivity among them as well as increased morale, despite Facebook's threat of introducing distraction into the workplace.

Okay, Facebook might not be the right tool for your company for any number of reasons. Not the least of which is Facebook's porous security and its owners' cavalier attitude toward the privacy of Facebook's users. The fact or at least the perception that Facebook's owners seem to think that they own the information their users share on Facebook might be a bit offputting to a lot of businesspeople, many of whom, oddly enough, think that they themselves should own that information.

But there is some collaboration tool out there, or some constellation of them, that is right for your company or for your clients' companies. Those tools might be ones like Lotus Notes and Lotus Connections that you deploy internally. Or they might be like LotusLive, residing in the cloud, offering subscription collaboration services. They might even (gasp) include Facebook. 

The point I'm trying to make isn't that any particular business should let its employees start using Facebook (or Twitter or LinkedIn or Google+ or even Lotus Connections) on company computers. (However, I do wish the ones I work for would do so. I find them all good, valuable resources.) The point is rather that, by fostering collaborative work habits and practices among their employees, businesses can greatly benefit themselves and their employees and their customers. How? Well, click the above link and you can read 50 good and mostly applicable examples.

Or, wait, maybe this collaboration thing is just meaningless jargon to you. Do you wonder what, exactly, people mean when they say collaboration is a good thing? Do you even wonder what the word collaboration means? Click the link and you can find 50 concrete examples of what collaboration is and what it's good for.

Why Notes 8's document selection feature is better than that in earlier versions

In one of my Domino Administration classes, a student Domino Administrator selected three people in the People view and promoted them to Roaming status, then put his/her computer to sleep and went home for the day. The next day the same student woke his/her workstation, clicked on one person from the same view and deleted that person. Later that same day the three people the administrator had promoted to roaming were found to have been deleted (and the one who was supposed to have been deleted was not).

Obviously what happened was that the student had forgotten that, the night before, he/she had selected three people. Worse, the student had forgotten to deselect the three when finished promoting them.

From this story I take away some best practices:

  1. Always quit Domino Administrator when you are finished using it. If Notes is still running, you can easily and quickly restart Domino Administrator.
  2. Always read the dialog box carefully before you click OK, especially during a delete operation.

And I would add these to the Lotus Notes New Feature wish list:

  1. Domino Administrator should present a secondary confirmation dialog on delete operations: "You are about to delete n <objects>." Even better, "You are about to delete the following <objects>: <Followed by a list of names>"
  2. View selections should automatically reset to "nothing selected" when the user clicks OK in a dialog box.

The most dangerous people in the Domino-using enterprise are not the Notes users or marauding outsiders, but the admins and developers. They have sufficient rights and knowledge to do massive harm. And they are human.

A good but distracting article

I was reading a good article about turning Google Gadgets into Lotus Notes widgets. In it I clicked a hyperlink titled "Things I Gotta Do" that promised to lead me to some information that looked really useful. This three-year-old article appeared on my screen. It has so many good ideas, but at over three years in age is so old as to have been long forgotten by now in today's "What's new?" world, that I thought it deserved sharing.

Unfortunately, the (second) article didn't include the content that I was looking for when I clicked the link that brought it to my screen. And therefore it ended up being a distraction from the task I was trying to accomplish. A really big distraction, as it turned out, because I liked the ideas in the article so much that I decided to share the article on LinkedIn. But I'm so long-winded that I couldn't fit my original comment within the space requirements of a LinkedIn update. Then I couldn't decide on the appropriate group to post it to. So then I decided to put the whole thing off by saving it as a Posterous draft (I do that a lot). But then I hit Publish by mistake, which meant that my blog post was going to appear on LinkedIn anyway, but without a link to the article that I wanted to share. So I quickly deleted the post. But not quickly enough, because my post appeared on LinkedIn anyway. So then I thought, dammit, now I have to fix this problem by fixing and publishing my post. And my original short but not quite short enough LinkedIn update became yet another narcissistic ramble about myself.

Therefore, I'd say this experience nicely encapsulates both the good and bad aspects of doing Internet research. Er, um, or maybe it's just a case of adult ADD. Okay, back to work.

Two Obscure Address Lookup Issues

Issue 1

A Notes user reported to me that he was trying to address a message to a group listed in our Domino Directory, and when he pressed F9 or Send, the Ambiguous Names dialog box was popping up, showing two instances of the group name to choose from. The first instance showed just the group name. The second instance also showed the domain name. If the user chose the first instance, the message was duly delivered to all the members of the group. If the user chose the second instance, no member of the group received the message.

When I tried to duplicate the user's experience, I could not. My copy of Notes accepted <groupname> as written. So I had the user look in his Personal Address Book. There were no contacts or groups there named <groupname>. For good measure, I also checked the Domino Directory. There was only one group named <groupname>. There were no people or mail-in databases or resources named <groupname>.

Where could the second instance of <groupname> be coming from? Aha! I remembered that we had a condensed mobile directory catalog ("dircat") that was generated on <servername> and replicated only to laptop users. Its purpose was to enable them to do address lookups when they weren't connected to a server. The Notes user who reported the problem was a laptop user. I was working from a desktop computer, so I didn't have a copy of dircat. Dircat must be the source of the second instance of the group name that appeared in the Notes user's Ambiguous Names dialog box.

To test this theory, I put a replica of dircat on my computer and added its name to my list of local address books. Then I addressed a message to <groupname> and pressed F9. Ta Da! Ambiguous Names! The second group name in the Ambiguous Names dialog box was indeed being pulled from the directory catalog.

So why was message delivery failing if the user selected the second choice (from the Directory Catalog) rather than the first choice (from the Domino Directory)? Because the Group docs in our Domino Directory didn't have the MailDomain field populated. The Directory Cataloguer task was supposed to grab the contents of this field, among others, when compiling the dircat. It seems the task didn't like the empty MailDomain fields, so it took it upon itself to populate the MailDomain field for the Group docs in the dircat with <domain name>. The result was that, when anyone with a local dircat db addressed mail to a public group, the Mailer in Notes would discover two different groups with that name: one from the DomDir with no data in the MailDomain field, the other from the dircat with <domain name> in the MailDomain field, and it would ask you which you wanted to use.

If you picked the first, from the dom dir, Notes would send the message to the server with just <groupname> in the To field, the server would find the matching group doc and it would expand the name into the names of all the group members, just as it should. But if you picked the second one, the Mailer would expand the name in the To field to <groupname>@<domainname>, then send the message to the server. The server wouldn't find a group doc that matched the name in the To field because the group doc didn't have <domainname> in the MailDomain field. So the Router couldn't expand the name into a member list, and no group members would receive the message.

We solved the problem by adding <domainname> to the MailDomain field of every existing Group doc in the Domino Directory. Only it's not really a solution, but just a workaround, because now we have to remember to add the domain name to all group docs we create in the future. Bummer! 

Issue 2

Later, we had yet another user complain about always having to choose from multiple identical instances of a Notes user's address in the Ambiguous Names dialog box. The user had copied some of his colleagues' contact information from the Domino Directory to his Contacts database. This is easy to do using the Copy to Personal Address Book tool in the Action Bar of the People view of the Domino Directory or the Add to Contacts tool in the Select Addresses dialog box. And it can be really useful. But after doing so, whenever our user tried to send a message to one of the duplicated users, Notes would ask which version of the user (from the Domino Directory or from the Contacts database) to use, even though both entries were identical.

This problem had a more satisfying solution than the first. In the user's Location documents, under the Mail tab, we changed the Recipient name lookup field from "Exhaustively check all address books" to "Stop after first match". Sweet.

Note to self: Change this setting in all Desktop Settings documents. (But wait. There will be a downside to that too. Hmm. What to do? What to do?)
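The lookup behaviour described in Issue 1 and Issue 2, as a small Python model added here for illustration (it is not Domino code and not part of the original post). The domain, group and people names are constructed, and the matching rules are a simplification of what the post describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    book: str               # address book the entry was found in
    name: str               # person or group name as typed in the To field
    mail_domain: str = ""   # MailDomain field; "" models an empty field
    members: tuple = ()     # group members (empty for a person)

    def address(self):
        # The Mailer appends @domain only when MailDomain is populated.
        return f"{self.name}@{self.mail_domain}" if self.mail_domain else self.name


def build_dircat(directory, domain):
    """Issue 1: the catalog copy of an entry gets an empty MailDomain filled in."""
    return [Entry("dircat", e.name, e.mail_domain or domain, e.members)
            for e in directory]


def lookup(name, books, exhaustive=True):
    """Recipient name lookup across address books, in order.

    exhaustive=True  models "Exhaustively check all address books"
    exhaustive=False models "Stop after first match"
    More than one hit corresponds to the Ambiguous Names dialog box.
    """
    hits = []
    for book in books:
        matches = [e for e in book if e.name.lower() == name.lower()]
        hits.extend(matches)
        if matches and not exhaustive:
            break
    return hits


def expand_group(address, server_directory):
    """Server-side expansion: a name@domain recipient only matches a group
    document whose MailDomain field holds that domain."""
    name, _, domain = address.partition("@")
    for e in server_directory:
        if e.name.lower() != name.lower():
            continue
        if domain and e.mail_domain.lower() != domain.lower():
            continue
        return list(e.members)
    return []  # no matching group document: nobody receives the message


def groups_missing_domain(directory):
    """Audit for the workaround: groups whose MailDomain is still empty."""
    return [e.name for e in directory if e.members and not e.mail_domain.strip()]


def apply_workaround(directory, domain):
    """Populate MailDomain on every group entry, as done in the post."""
    return [Entry(e.book, e.name, e.mail_domain or domain, e.members)
            if e.members else e for e in directory]


# Constructed sample data (not from the original post).
DOMAIN = "ExampleDomain"
DOMDIR = [
    Entry("names.nsf", "Field Engineers", "", ("Ann Lee", "Bo Chan")),
    Entry("names.nsf", "Pat Kim", DOMAIN),
]
CONTACTS = [Entry("contacts", "Pat Kim", DOMAIN)]

if __name__ == "__main__":
    dircat = build_dircat(DOMDIR, DOMAIN)
    print("Groups with empty MailDomain:", groups_missing_domain(DOMDIR))
    for hit in lookup("Field Engineers", [DOMDIR, dircat]):
        print(hit.book, "->", hit.address(), "->",
              expand_group(hit.address(), DOMDIR) or "NOT DELIVERED")
    fixed = apply_workaround(DOMDIR, DOMAIN)
    for hit in lookup("Field Engineers", [fixed, build_dircat(fixed, DOMAIN)]):
        print("after workaround:", hit.address(), "->",
              expand_group(hit.address(), fixed))
    print("Issue 2 exhaustive:", len(lookup("Pat Kim", [CONTACTS, DOMDIR])))
    print("Issue 2 first match:",
          len(lookup("Pat Kim", [CONTACTS, DOMDIR], exhaustive=False)))
```
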

 

Can't sign a design note in Domino Administrator

Learned something new today (which happens all the time, but this might interest some Notes geeks). I tried to sign individual documents with the active server's ID in Domino Administrator, Files view, by choosing to sign "this specific Note ID". What I learned is that it doesn't work for design notes. When I try it, I get an "Invalid or nonexistent document" error message in the Notes log. If I try to "find" a design note by entering its Note ID, it works fine. But not signing.

LDAP Queries to a Domino Server Return NULL Results

My colleague was trying to get a Lotus Protector server to query a Domino server via LDAP today. He kept getting NULL results on his queries. We troubleshot the problem together.

First I tried querying another Domino server, in another Domino domain, from my own workstation. I used the Softerra LDAP browser and ldapsearch.exe, a command line LDAP search tool that comes with Lotus Notes. My server returned the results we were hoping for. We compared my query syntax with my colleague's syntax to make sure his queries were syntactically correct - and they were.

Then we compared the LDAP settings of the two servers to see how they might be different from each other.

  • We checked the Domino server document to verify the LDAP port and authentication settings. Both servers were pretty much the same there.
  • Then we compared the settings under the LDAP tabs of the [All Servers] Configuration Settings documents for the two domains. There were some differences there, but none of them seemed like they should be relevant.
  • Finally we compared settings in the two servers' respective Directory Assistance databases and, BING BING BING, we found the cause of the problem.

For his server, my colleague had configured a Directory Assistance document in which the "Make this domain available to" field was set only for "Notes Clients and Internet Authentication/Authorization" and not "LDAP Clients". Actually, that was the default setting and he hadn't changed it. He selected the checkbox for "LDAP Clients", restarted the LDAP service on the server, and tested again. Ta-DA, his queries started returning data.

 

iPhone vs. Android. My experience. And Lotus Notes Traveler on both.

My brother, knowing I have used both an iPhone (3G) and an Android phone (Samsung SGH-i897, er, Galaxy, er, Captivate, whatever it's called) and looking to buy a new phone, asked me to compare the two. Here is my reply to him, mostly verbatim. I'd reorganize it. It needs it. It was an off-the-cuff, stream-of-consciousness reply, good enough for an email reply to me baby bro', but not up to my usual standard of publishability. Trouble is, as anyone who takes the trouble to review my vast body of, like, maybe, six lifetime blog posts can easily infer, my usual standard is perhaps a little too high, so high in fact that I end up never publishing anything because I don't have the time to polish my writing up to so high a sheen as to be presentable.

But I saw the movie The Social Network the other day and I noticed that the young proto-billionaire who invented Facebook blogged in short, almost spontaneous bursts, presentability be damned. (And look where he is today.) So I thought maybe I'd try to lower my standard of publishability a little bit. (No, I don't expect to become a billionaire any time soon.) So here's my reply to my brother, (with, I admit it, a few edits and additions because, despite what I just wrote, I'm just too compulsive to NOT touch it):

In general I'll take the iPhone over Android. Except for Swype.

The iPhone is simpler to use - fewer buttons, simpler interface.

The iPhone apps are better overall. There's a core of apps written by Apple that come with the phone that are truly useful and usable. The apps that came with my Samsung/AT&T Android are not nearly as useful and often can't be used at all without paying a monthly subscription, which mostly I refuse to do because I can't afford "death by 1000 cuts". Also, in general, the third-party iPhone apps are better and more reliable. That may be because the iPhone is more mature or it may be because Apple enforces higher standards. People who like the openness of Android tend to complain about Apple's "walled garden", its tight control over what apps are permitted to run on iPhone. But I kind of prefer having to pick among only trusted and high-functioning apps, rather than having to find a decent app from among the piles of crap at the Android Market - where, by the way, the apps are much less usefully described than are the apps at the iPhone app store.

On the other hand, if you have to enter text, Swype is far superior to standard typing on those touch screens. By standard typing I mean touching each letter separately. By Swype I mean like the teevee commercial where you drag your finger from letter to letter on the screen and the software figures out what words you are typing - ingenious software. If Swype would come to the iPhone, I'd abandon my Android in a second. For entering text the old-fashioned way, touching letter after letter, iPhone is better than my Android. The problem with typing on a touchscreen is it's easy to hit the neighboring key by mistake - you don't have the feel of the keys under your fingertips to tell you when you've done that, as with a physical keyboard. So you have to type slowly and carefully - which is bad if you have a lot to say. Both phones let you know when you've touched a key. On iPhone, a large image of the letter appears above the key. On Android, the key becomes highlighted. But you can't see the highlight easily because your finger is in the way. (Which is my main problem with Swype also, by the way - it's hard to see where the next letter is that you want to swype to, especially in the lower rows, because your hand hides them. Luckily, Swype mostly knows what you are typing even if your finger only slides to the approximate location of the key you want to slide to). Also on iPhone, you can touch a key, see the pop-up image and, if it's the wrong key, you can just slide your finger over to the correct key, then when you see the correct symbol pop-up, raise your finger. The key isn't "pressed" until you let up off it. My Android does have two alternate keyboards, one of which may work like the iPhone keyboard. But I've never looked at them because Swype is the thing I like the most by far about my Android.

If your needs are simple, consider getting a regular phone. When I look around me, the happiest phone users seem to be the ones who use their phones for phone calls and texting, who have mastered typing with their thumbs on the 12-key phone keypad, and who don't ever have to worry about using a browser on the tiny screen (a way overrated experience) and paying for data plans on top of the regular price of the phone plan. That said, check out the new Windows phone. It might be a good compromise between the app-heavy iPhone/Android/Blackberry smartphone and the plain old cell phone ("pocp"). (Okay, Blackberry users look pretty happy too.)

Oh, here's another thing. My Android's battery life sucks. I'm constantly on the lookout for a battery charge. It seems the culprit may be the multi-tasking inherent in it, the fact that apps run in the background and pull data down from the network without my asking for it. I've taken to turning off almost all automatic updates to preserve battery life - which sort of defeats the main appeal of the phone, which is that I could receive feeds from all my favorite places, like Facebook, Twitter, Huffington Post, et al. The only autofeed I still have enabled is my email. Even so, I find that one moment I have an 85% charge and, the next, a 15% charge. Where did it go? Damned if I know. 

My iPhone is a 3G, which is not capable of multi-tasking, and battery life was much better on it, though not as good as on a pocp. My iPhone worked great until I upgraded it to iOS4, which came out with the iPhone 4, and introduced multitasking to the iPhone. My non-multitasking 3G got sluggish after that and drove me nuts as a result. I'd consider downgrading it back to iOS3 if I were still using it as my phone. Now I'm using it basically as an iPod Touch, listening to music on it and using the apps on it (rather than the equivalent apps on the Android phone) when I'm connected to a wifi network. I still use many of the iPhone versions of apps I have on both phones because they generally work better on the iPhone and, being more mature, have more features and fewer bugs. Example: the Best of the Left app on the iPhone lets me download the podcasts onto the iPhone instead of listening to them as a stream (which I don't like because I don't like the interruptions inherent in streamed content, which I tend to listen to when I'm driving around the countryside, where cell coverage can be a little spotty). That feature isn't yet available on the Android version of the app. (Update: I took another look and I see that BOTL for Android can now download podcasts. But BOTL is still buggy on the Android. It crashed on playback of the downloaded podcast the other day, thanks to my pausing it one too many times.) Another example: The iPhone comes with a great weather app. Simple. Straightforward. Accurate temps and a graphical indicator of the likelihood of precip. All at a glance, updated when I open the app. I haven't found a weather app for the Android that I like half as much. And that I actually have to go find one is a serious minus. My phone was preconfigured with a weather-ish widget called Daily Briefing. Although the weather piece of it is okay, it also includes a headline feed and a stock ticker. I don't own stocks so the stock ticker is useless to me. And I positively hate the headline feed, which only shows me the first three words or so of each headline, making it worse than useless because it is infuriating. I can turn off the pieces I don't want to use, and I have, but even so, the widget won't share space on the screen with any other widgets, even though, with two of its features turned off, it occupies less than half the screen. One star, if that.

An overall pet peeve of mine, in case you haven't yet guessed, is with news apps that have such a tight restriction on the space in which they list the article digests that they can't even display a full headline. If I have to open the full article to read the full headline, the app gets a one-star rating from me. But that problem is inherent in both phones and maybe in all phones, probably because their screens are so small. The problem might go away on iPad-size devices. Nonetheless, if I could get rid of the space-sucking pictures, maybe I could display the first five words of the headline instead of the first three words. Another Android news app (alongside Daily Briefing) to which I give only one star is Pulse - potentially good software that I hate because of the truncated headlines. I'd put the HuffPost app alongside those two as well, except that, if I turn the phone horizontal, I can mostly read the whole headlines. I'd probably have the same complaint about other news apps, but I don't have much experience with them.

Whatever smart phone you get (if you get one), read the user's guide. You'll be much happier with the phone and its apps if you know them intimately. I had a lot of complaints about Swype until I found the time to do the tutorials, read the help docs, and learn how to use it most effectively. One of the best investments I made in my iPhone was an iPhone app called iPhone Tips, which is a reference guide to the iPhone that's full of great usability tips. It helped me to quickly figure out how to use the phone well. Sort of like learning the keyboard shortcuts on a computer. I still haven't found good references for many of my Android apps (mostly, I suppose, because I haven't found the time), and that may be the biggest reason why I like my iPhone so much better. (An aside: I think that may be the biggest reason why many people disliked Windows Vista so much, too. When I brought home my new laptop with Vista pre-installed, I gave myself a whole weekend to discover what was new about Vista before making the decision to wipe it and put XP on it, and by the end of the weekend I concluded that Vista was much better than Windows XP, and I kept Vista and I pretty much never looked back.)

One last pet peeve: I don't play games on my phones. I wish the app market/store would do a better job of separating the games from the rest of the software in places like their best seller lists.

Addendum, because this blog is supposedly about Lotus Notes: The reason I started using the Android phone in the first place (ignoring the fact that my wife won it in a contest) was so I could beta test the Lotus Notes Traveler app on an Android. I did and now am using the production version on my Android. It's mostly as good as the iPhone version. But I find that I don't like the Contacts app on the Android as well as on the iPhone. It's not as intuitive to use. It seems to have lost some of the entries from my Notes Contacts. It seems to have added a lot of pointless entries that came from I-know-not-where, emails I guess. When I want to enter a new contact, it asks me whether I want to add it to the native Contact app or to Traveler's contacts app. I thought they were the same. I'm not sure what choice to make. Gotta figure that out. Maybe if I find some documentation and learn the finer points of the Android Contacts app and how Traveler works with it, I'd change my mind about liking Traveler on the iPhone better. Probably not, though. I didn't need to learn how to use the Contacts app on the iPhone. That's what I mean by intuitive, I guess. Is Traveler worse on the Android than on the iPhone? No, I think it's the platform that's worse. I suspect Traveler on both platforms works as well as it can with the tools at hand.

A story about iPhone and Google Phone and Android and, well, I squeezed in Lotus Traveler, too, because this blog is about Lotus Notes, right?

I just upgraded my iPhone 3G to iOS 4.1. The very first thing it did when it rebooted was notify me of two new phone messages. Here's the thing--the messages were from last July! I hadn't ever received them. Here's the other thing--they were the first messages my iPhone had informed me of since, well, probably July.  Hmm. It seems like it was right about, oh, July that I set myself up with a new Google Phone account, and thereafter all my phone messages have been showing up not as voice messages on my phone. Rather, they show up first as voice attachments in my gmail account, then as comically garbled SMS messages on my iPhone. Those two messages must have been lost in Limbo all this time, only to be released by my OS upgrade, which also seems to have broken Google Phone's hold on my phone messaging system (because the messages came in as regular voice messages).

You might, if you know me, wonder why a geek like me is still fiddling around with an iPhone 3G, especially when you learn that I could have upgraded it to an iPhone 4 in June for $199. There's a little story behind that. My bride Jane is a geek too, see, and she had been getting progressively more and more jealous of me and my iPhone over the past year or so because it did so many cool things that her Blackberry Bold couldn't do. Actually, her Blackberry Bold could do pretty much everything my iPhone could do, and some other nice things besides (like read her mail to her when she was driving). But I think she was really jealous of the big screen and the slick user interface, not the phone per se. So when she learned about the $199 iPhone 4 upgrade offer, she decided that it was time for her to upgrade to a bigger-screen phone. The offer was only available to me, not Jane, because it was only available to the "primary user" on our AT&T account. ("Primary user" is AT&T's term for the first phone on the account, which happens to be my phone. But "primary user" is emphatically not how Jane would describe me. But I digress.) Anyway, we got around that restriction by buying a new phone for me, then transferring it to Jane.

Only problem was, Jane couldn't get comfy with the iPhone's touch screen. She played and played with mine and with the iPhones in the store, and she just couldn't bring herself to give up a physical keypad for a touch screen. She just couldn't type fast or accurately enough on it. So then she started looking around at other big-screen phones that also had keypads. Those turned out to be mostly Android-based phones. Then she tried the SWYPE touch screen typing method on an Android phone. That's the one that you may have seen in the TV ads, where the guy just slides his finger from key to key on the touch pad, without having to lift it from the screen. Well, Janie took to that like a fish to water. Love at first touch. Suddenly she was prepared to try a keypadless phone again, but only if it had SWYPE typing.

For a while she was all over the Droids and we tried and tried to figure out how to swing them. But we couldn't afford to close the AT&T account prematurely and buy two expensive Verizon phones, and we couldn't afford to carry accounts with two separate phone companies. And, anyway, Jane couldn't convince me to give up my iPhone. It's the first "smart" phone that I ever really liked, and I've gone through about six of them. And, okay, I love the damn thing. (Or I did until I upgraded it to iOS 4, but more on that later.) Then she heard that AT&T was coming out with a new Android phone, the Samsung Captivate Galaxy S, and that we could get one of those instead of an iPhone for the $199. It had a monster screen, SWYPE typing, lots of RAM, all that stuff that she just had to have. And I wouldn't have to give up my iPhone. It was almost perfect--not truly perfect, because I couldn't upgrade to an iPhone 4, but it solved Jane's problem nicely.

So that's what she did. She got a hot new phone on July 18th. The day the phone first went on sale. We actually waited outside the AT&T Phone Store for it to open on that Sunday morning. The rest of the phone users on our family plan (that would be Rob and, well, just Rob) will have to wait until January to upgrade our phones at low prices. Because, remember, only one new iPhone per account!

But wait, there's more. When Jane was researching all these phones, she ran across a contest in which one of the prizes was to be a Samsung Captivate Galaxy S, and, yes, she entered the contest. And, yes, a couple weeks after she bought her new phone (with which, by the way, she is in love), Samsung informed her that she was the winner of a Samsung Captivate Galaxy S! One catch--it was to be delivered in 10 to 14 weeks. We could grow old and die in that amount of time. But, hey, this was definitely cool!

So now, as October looms, we're expecting a new phone to show up at our door any week now. What to do with it when it comes? We've been weighing that decision. Right now, it's looking like my iPhone might get demoted to iPod Touch status, as I may just follow Jane to Android nirvana. We'll see. I'm a little leery of it, as I'm quite smitten by my iPhone, and Jane's apps in general don't seem to be as good as mine, and I haven't taken to SWYPE quite as successfully as Jane did, and I'm kind of liking Apple's walled garden, where apps generally work as advertised and I don't have to worry so much about malware. But I have to maintain my geek cred somehow, and this Android freebie seems to be the shortest path to getting that done. So, the Apple fanboy that my son tells me I have become may end his iPhone love affair all too prematurely -- hopefully not before Lotus adds Android phone capability to Lotus Traveler though. Come on, Lotus, get moving!

Oh, and that thing about upgrading my iPhone to iOS 4? It's been a dog ever since. Apparently that's because it's a 3G with an old, slow processor. As a result, I don't get the multi-tasking that comes with iOS 4, just the slowness. Since I upgraded to iOS 4 Apple has released three newer updates, 4.0.1, 4.0.2, and now 4.1. The first two didn't help with the slowness. I'm hoping this one might. If it doesn't, I may just be happy, by the time my (er, Jane's) new Captivate arrives, to leave my iPhone behind.

A satisfying ending to a Domino 8.5.2 installation dilemma

Today I had one of those "walk-on-water" moments that occasionally make consulting satisfying. Over the weekend I assisted a client in upgrading nine Domino servers from version 7.0.2 to 8.5.2. The marathon upgrade went generally smoothly. The main problem with it was there were just not enough hours in the weekend to upgrade (via compact -c) all of the databases on all of the servers. In particular, the headquarters mail server has an eye-popping number of multi-gigabyte mail databases on it. Those top execs just can't bear to part with any of their mail, and of course you can't enforce quotas against them; they'd have you (a lowly tech) drawn-and-quartered if you tried. So the one mail server never did get all of its databases upgraded to ODS 51. But except for that and a couple other minor problems, everything was working great on Monday morning.

Then a field technician in England reported that he couldn't set up a Notes workstation for a user who had been registered the previous week. The Notes setup kept failing with the following error message:

The Policy and/or Settings document assigned to you has been edited by an unauthorized person. Please notify your Administrator that you cannot proceed with the client setup.

Some Googling revealed that this error message arises when a policy or settings document is (as the message plainly says) signed by someone who is not authorized to sign it. How could this happen? As follows: An administrator might in the past have created Policy and/or Settings documents that worked just fine. But then the administrator left the company and his account was removed from the domain. As a result, the retired administrator's signatures on the Policy and/or Settings documents were no longer those of an authorized signer, which is defined as one who has Editor access to the Domino Directory and is assigned the Policy Creator and Policy Modifier roles. See Technotes 1110644 and 1205444. Both of these Technotes state further that, to re-sign a Policy or Settings document you can, among other techniques, edit and save it.

How did this apply to us? That was not clear. As we could plainly see in the Policies and Settings views, the signer of all of the Policy and Settings documents in the domain was a generic user named "Administrator" who is still to this day being used to create new users and who has the requisite access rights and roles assigned. So the error message seemed to be bogus, telling us something which was demonstrably untrue. Nonetheless, we tried editing/saving the policy and settings documents to apply new signatures. And, according to the Policies and Settings views, this worked. The views showed that each newly saved document had a new signer. But even though this new signer also had sufficient rights and roles assigned, we discovered that we could not register a new user into the England OU. So our problem was not only that we couldn't set up a new workstation for users registered before the upgrade, but also that we couldn't register new users after the upgrade.

We were scratching our heads over this and hunkering down for a long siege against this problem, when one of us had the bright idea of looking at the console of the mail server in question. (In this particular domain, there are several regional OUs. Each region also has a dedicated mail server. Also, each OU has an organizational policy with several OU-specific settings documents assigned to it. So our problem was affecting the England OU, the England mail server, and the England-specific policy and settings documents.)

There on the England mail server's console, in bright purple letters, was a cascade of error messages, repeating every few seconds:

Policies and settings documents signed by XXXXX are no longer valid because this person does not have the required access level or roles to the Domino Directory.

More Googling revealed that this new error message had the same cause as the earlier message, that is, that a Policy or Settings document was signed by an insufficiently authorized entity. The server was trying to apply a mail policy to the mail users on the server, but it didn't like the signature on the policy or mail settings document. However, this message told us one other bit of information that the earlier message had left out, which was that the Policy or Settings document was signed by the mail server itself, not, as the Policies and Settings views claimed, by the Administrator who actually created or last edited each document. Either the error message or the views were lying to us.

But the server did not in fact have the Policy Creator or Policy Modifier roles assigned to it in the ACL of the Domino Directory. So that meant that the error messages were perhaps not bogus after all. Assigning those roles to the server in the ACL should have solved our problem. We'll never know, however, if it would have done so, because our second bout with Google revealed one other fact -- that there was another (newer?) way to re-sign the Policies and Settings documents:

Select the documents in the Policies or Settings views, then in the Actions menu choose Resign Policy.

We tried that and it worked like magic. The cascade of messages in the server's console abruptly stopped. Thereafter, we found we could once again register new users and set up Notes for them. Later we checked the other mail servers and discovered that the Mexico server was experiencing the same problem. So we re-signed all of the policies and settings documents. Just like that, the Mexico server's messages stopped too.

Conclusion: Something happened that shouldn't have when we upgraded two of the nine servers. Apparently that something is that, somehow, the upgraded servers' signatures were applied to the Policy and/or Settings documents. Also, the Policies and Settings views tell us that the last editor of a document is the signer of it, which makes sense. The Technotes cited above tell us that too. But in our case saving the Policy or Settings document did not apply a new signature to it. So the view is misleading in that regard (and so are the Technotes). I think I'll tell Lotus about this.
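
Because the views showed the last editor rather than the real signer, a direct check of the signature is the quicker diagnosis. The LotusScript agent below is an added example (not code from the original post or from Lotus): it reads each document's actual signer and tests it against the authorized-signer rule quoted above. It assumes it runs inside the Domino Directory, and the form-name selection formula is an assumption to adjust to your directory's design.

```lotusscript
Option Declare

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim col As NotesDocumentCollection
    Dim doc As NotesDocument
    Dim editors As Variant
    Dim signer As String, lastEditor As String

    ' Assumption: the agent lives in the Domino Directory (names.nsf).
    Set db = session.CurrentDatabase
    ' Assumption: policy and settings forms have names starting with "Policy".
    Set col = db.Search({@Begins(Form; "Policy")}, Nothing, 0)

    Set doc = col.GetFirstDocument
    Do Until doc Is Nothing
        ' Authors lists who saved the document; the last entry is the last editor.
        editors = doc.Authors
        lastEditor = Cstr(editors(Ubound(editors)))
        If Not doc.IsSigned Then
            Print "UNSIGNED: " & doc.UniversalID
        Else
            ' Signer comes from the signature itself, not from the edit history.
            signer = doc.Signer
            If Not IsAuthorizedSigner(db, signer) Then
                Print "INVALID SIGNER: " & signer & " (last editor: " & _
                    lastEditor & ") on " & doc.UniversalID
            Elseif Lcase(signer) <> Lcase(lastEditor) Then
                Print "SIGNER DIFFERS FROM LAST EDITOR: " & signer & _
                    " vs " & lastEditor & " on " & doc.UniversalID
            End If
        End If
        Set doc = col.GetNextDocument(doc)
    Loop
End Sub

Function IsAuthorizedSigner(db As NotesDatabase, signer As String) As Boolean
    ' Rule from the Technotes: Editor access or higher plus both policy roles.
    Dim roles As Variant
    Dim hasCreator As Boolean, hasModifier As Boolean
    IsAuthorizedSigner = False
    If db.QueryAccess(signer) < ACLLEVEL_EDITOR Then Exit Function
    roles = db.QueryAccessRoles(signer)
    If Not Isarray(roles) Then Exit Function
    Forall r In roles
        If Lcase(Cstr(r)) = "[policycreator]" Then hasCreator = True
        If Lcase(Cstr(r)) = "[policymodifier]" Then hasModifier = True
    End Forall
    IsAuthorizedSigner = hasCreator And hasModifier
End Function
```

Run it on each regional server's replica of the directory, since the signer that matters is the one on the replica that server is reading.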