So I climb on the bike this morning and get a good soaking riding to Poitiers.  Strip off all the wet weather gear and climb on the platform.  The train is 5 minutes late, unusual but not unheard of on SNCF.

 

We get about 20 minutes out of Poitiers and the train becomes slower and slower until it stops.  Then we get the announcement, "we have a little problem, don't open the doors".  OK no sweat, this happens from time to time.

 

Then we get announcement two.  The technician is looking at the problem, but doesn't know what it is.  The time to fix is "indeterminate".....

 

We wait a little and then, in good order, the train services start to shut down.  Until we are sitting in the dark.  Slowly, one by one, the services come back on again.  The train starts again slowly and gradually builds up speed.  We have been delayed by 15 minutes.  This translates into a 10 minute late arrival.

 

So who believes that they didn't "reboot the train"??? 

Way back when Ah were a nipper (as the saying goes), trying to synchronise Domino clusters using Lotusscript was a nightmare.  You needed to deploy "universal replicas" which were modified with the correct information before detaching.  You had to have a source agent and a destination agent because Lotusscript could not create replicas on other servers.

 

Now all that is by the by, but a wonderful new feature post 4.x has been a boon to me over the years.  Why?  Well when you are locked out of that server and you "really" need to get in, what do you do?  I'll tell you.

 

Create a universal replica (an uninialised 4.x replica with your name in the ACL as manager and also with the server you need to get into as manager) ensuring that it is ns4 and ODS20.  In the database title, insert the replica id of the domino directory followed by a pipe symbol | and then *

 

Back up the ACL of your current Directory If you can.  Best way is to another database, add yourself to the ACL .  If you can't, then take a physical file system copy of the database outside of the Domino directory, Local on your machine would be good, but not in the replica path.

 

Place this replica on the requisite domino server from the file system.  Bounce the box.  Then when it comes back up, on the server console replicate the server with itself Only for names.nsf.

 

Now, D6 (and possibly 5), has a nice "feature".  When you do this kind of replication, it replaces the ACL on the primary directory with the one on the uninitialised.  You are now a manager of the directory and consistent ACL is off.  You can then modify the security groups with your name.  If you have a backup of the ACL modified to give you acces, then paste it back, otherwise place the physical file system copy of the original directory back on the server with another name (names2.nsf perhaps) and log off.  Log on again and create a new temp database in temp\temp.nsf.  Delete the database.  You can now see the file system copy you placed in the directory as the dbdirectory has been refreshed.

 

If you had to replace the old Domino Directory, you now have manager acces to the old directory through the security groups.  Use the Domino Administrator ACL Copy feature to replace the ACL on the Original directory ( the one updated by the replicator) with the original.

 

Voila, you are in business.

 

OK so if they fix the replicator what are we going to do now?  Well, the reason we have an NS4 stub is because it will replicate all that good stuff to the new database in 4.x format.  We then file system copy the database to our workstation and use the 4.6 client with the disable consistent ACL setting enabled.  Don't open the database (it won't work and you'll break it trying), but just modify the ACL with your name.

 

File copy the database back to the server, fix it up, then replicate the server with itself again for names.nsf.  You are in as manager and can modify the ACL and security groups.

 

Why do I blog this when I am a fairly srong supporter of Domino?  Well it's time system designers started thinking about encryption and Extended ACL.  Which will defeat this kind of attack.  The security is there, but if it is not used, then expect me to get it......

 

Given that many sites don't correctly fix the ECL or the database settings to defeat internal attacks, how could I expect them to keep me out?

I just read an entry on Ed Brill's Blog http://tinyurl.com/2rhvol  about why OEM's are ripping Vista off machines and replacing it with XP???

 

Well there's no point in commenting on his blog as you just get drowned out with the background noise, but it goes like this.

 

Microsoft said "You'll need a gig to run Vista, but you can *run* it in 512".  The suppliers took *run* with their usual pinch of salt and budgeted 512 Mbytes for Vista.

 

Gues what?  You *NEED* a gig to *run* vista.  So are the suppliers putting the extra ram in the machines and rebudgeting?  Not a chance, they're ripping Vista off the machines and putting customers back on XP.

 

Is this Microsofts fault?  You could argue this all year, but lets put it this way.  My 3.5 year old Laptop with 2 gig of RAM (I needed that in XP also) runs faster under Vista now that I have fixed it (more below) than it does running XP.  So is Vista a dud?  I don't think so, but the suppliers are.

 

As I recollect, this happened with 98, 2000, XP and just about every OS Microsoft has shipped.  So why is it so much of an issue today?  Is it the visibility and competition now?  Who knows, all I can say is I won't be ripping Vista off my machine, it's too fast and too pretty and I didn't have to buy one of those horrible Mac things......

 

What I had to do.

 

Disable that awful user account management crap

Override all the NTFS permissions on ALL files

Disable the indexing service

Disable Defender

Go through the Windows options and judiciously remove anything I don't want.

BUT

I do have IIS FTP and web hosting installed.  So it's not minimal.

 

Then again, for the first time in 10 years, I'm not running Notes on a machine I use.  Perhaps it's not to do with MS at all, perhaps it's not having the CPU guzzler installed?