
Problems with my organization changing Domino administrator

Status
Not open for further replies.

gchiove

IS-IT--Management
Mar 24, 2003
I have been hired to administer a group of 4 domino servers for an
organization whose previous administrator is leaving. Management has asked
us to "cooperate" during a brief transition period so he can transfer me all
passwords/privileges. Unfortunately, he is very wary of doing so and I am
not getting anything.

I am new to Lotus Notes/Domino. We are using Domino R5 and clients are Notes
R5. I need help identifying what I must require him to pass over to me.

To make it anonymous, the organization is ABC_Corp. There are four servers:
SERVER1/ABC_CORP
SERVER2/ABC_CORP
SERVER3/ABC_CORP
SERVER4/ABC_CORP

and our old admin is: OLDADMIN/ABC_CORP (he has cross-certificates with
the organization and exists as a certification entity; I don't quite
understand this).

Users appear as: JOHN_DOE/ABC_CORP and some as JOHN_DOE/ABC_CORP @ ABC_CORP
(PS: why is it so?)

The questions (please be as explicit as possible) are:
1. How should my ID be created as to guarantee I have administrative access
to servers and user databases.
2. What certification files (and passwords) should I request he should
transfer over to me.
3. Is there a guideline or steps to ban him from accessing our domain
(re-certification?)

I have read the Administering Domino Vols. 1 and 2 and have not found
explicit information that can help me.

Thanks (just for reading this long post)

German

 
You need to inform management that he is not cooperating. This is very important. If he leaves the company and you don't have certain information, you will be hosed. He is probably very well aware of this and is trying to do everything that he can to prevent you from succeeding or is doing what he can to sabotage the situation.

The most important thing that you will need to obtain from him are the passwords that are associated with the certifiers that are used in the organization. These are critical, as without them, you will have no ability to create new users, create new servers, re-certify users and servers when they expire.

You will need to have him set up an account for you (just an e-mail account). He will need to make you a manager of the database, with delete document privileges. He will need to add you to the ACL of the database as a manager, with delete document rights and all roles will need to be selected.

He will need to go into the server document of the server and make you an administrator of the server and provide you with the rights to create replicas on the server. Unless he has this set up as a group, the server will need to be re-booted.

You will need copies of the ID files for your user id, every certifier ID in the organization and the server IDs. First place this on your machine. Open the administrator client, go to the configuration tab, open the Certification twistie and select ID properties. You want to change the ID password on all certifiers. ALSO, you will want to change the server ID password to blank to ensure that the server does not require a password on re-boot, otherwise it will never be able to be restarted remotely. After you have changed the passwords, copy them to their original locations and burn a CD of the ID files and place it in a safe place that he does not have access to. Check any machine that he has access to and remove any of the cert.id's that he has a local copy of. Remove him from having administrative access to the server and re-boot the server.

This is a major CYA thing that you need to do. If he has a copy of the certifier anywhere, he will be able to wreak a little bit of havoc before he leaves, if he is so inclined. By making copies, changing the passwords and making safe copies, you are limiting (somewhat) his ability to make changes that could be permanently damaging.

Make a good copy of the names.nsf database with the server down and place this in a safe place. This is the directory. If he screws up something as a last ditch effort, you will have a safe copy that you can revert to. If you have to do this though, you will need to down your server before restoring and ensure that all transaction logging is disabled prior to restoring.

You will want to make certain that any account that he has is placed into the Deny Access group as SOON as he leaves the company. Make certain that the deny access group is listed in the server document under the security tab as may not access the server. Remember, if you change anything on the server document, you must re-boot the server for the changes to take effect.

Make certain that all of the security settings on all of the servers are consistent. Make certain that the deny group does not have access to run any kind of agent on the server.

As far as the cross certificates go, I need more detail to tell you their function in your company. If you would like to arrange for a private e-mail address to send me some screen cuts, I can help you to troubleshoot this a little more so that I can tell you whether or not there would be system wide implications for removing these or why they are there.

Be very proactive on this as soon as you can. This is something that can cause you great grief and may make your job impossible if you are unable to secure this immediately.

Leo L'Homme, PCLP
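
The server-document checks described in the reply above (deny group listed as not allowed to access the server, the departing admin removed from administrative, replica and agent rights, settings consistent across all four servers) can be verified mechanically once the settings are written down. This is an added example, not part of the original posts: the dictionary keys are illustrative labels rather than Domino field names, and `NEWADMIN/ABC_CORP`, the group names and all sample values are constructed.

```python
DEPARTING = "OLDADMIN/ABC_CORP"
DENY_GROUP = "Deny Access"  # assumed name of the deny group
PRIVILEGED = ("administrators", "create_replicas", "run_agents")

GROUPS = {  # constructed directory groups
    "Deny Access": ["OLDADMIN/ABC_CORP"],
    "Admins": ["NEWADMIN/ABC_CORP"],
    "LegacyAdmins": ["Admins", "OLDADMIN/ABC_CORP"],
}

def _doc(admins="Admins", deny=("Deny Access",)):
    # One server document's security settings, transcribed by hand.
    return {"administrators": [admins], "create_replicas": [admins],
            "run_agents": [admins], "not_access_server": list(deny)}

SERVERS = {  # constructed: SERVER3 and SERVER4 carry deliberate mistakes
    "SERVER1/ABC_CORP": _doc(),
    "SERVER2/ABC_CORP": _doc(),
    "SERVER3/ABC_CORP": _doc(admins="LegacyAdmins"),
    "SERVER4/ABC_CORP": _doc(deny=()),
}

def expand(names, groups, seen=None):
    """Resolve nested groups to individual names; tolerates group cycles."""
    seen = set() if seen is None else seen
    members = set()
    for name in names:
        if name in groups and name not in seen:
            seen.add(name)
            members |= expand(groups[name], groups, seen)
        elif name not in groups:
            members.add(name)
    return members

def audit(servers, groups, departing=DEPARTING, deny_group=DENY_GROUP):
    """Return (where, problem) tuples for every offboarding gap found."""
    findings = []
    if departing not in expand([deny_group], groups):
        findings.append(("directory", f"{departing} is not in {deny_group}"))
    baseline_name, baseline = next(iter(servers.items()))
    for server, doc in servers.items():
        if deny_group not in doc["not_access_server"]:
            findings.append((server, f"{deny_group} missing from not_access_server"))
        for field in PRIVILEGED:
            if departing in expand(doc[field], groups):
                findings.append((server, f"{departing} still reachable via {field}"))
            if deny_group in doc[field]:
                findings.append((server, f"{deny_group} listed in {field}"))
        if doc != baseline:
            findings.append((server, f"settings differ from {baseline_name}"))
    return findings
```

Group expansion matters here: on the constructed SERVER3 the departing admin is never named directly, but is still reachable through a nested group.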
 