Problem with old Person Documents Replicating Back In
Friday 20th March, 2009
I was talking to a customer recently who had an issue where old person documents kept replicating back into the Directory. While we discussed ways to stop this from happening, the following ideas came up as possible solutions. I just wanted to share our thoughts with everyone in case you find yourself with the same issue.
Option 1:
Set up Deny Access List for Servers:
Everyone has a Terminations Group for users as they are removed from the Domino Directory. This prevents someone from using the terminated user's ID to connect to a Domino Server. On the same principle, create a Terminations Group for Decommissioned Servers. One of the root causes identified for old person documents replicating back in was that someone found an older server and decided to boot it up to see what was on it. By chance, they plugged the server into the network, and Domino loaded automatically and immediately started replicating with the Hub Server. If a Terminations Group for decommissioned servers had existed, the server would not have had rights to connect and replicate.
Option 2:
Remove "Replicate or Copy Documents" Rights for users in the ACL:
Another possible cause of old person documents replicating back in is an end user who has created a local replica of the Domino Directory. This is very rare in large environments due to the size of the Directory; however, in smaller environments, the Domino Directory could be used locally to look up people's phone numbers and addresses, or even as a Mobile Directory Catalog. If an end user lets a local replica sit without replicating for more than 30 days, it has typically passed the 30-day purge interval for Deletion Stubs, so the end user would start replicating old person documents back to the Domino Directory the next time they replicate. In this scenario, the idea was to first ensure "Enforce Consistent ACL" was enabled on the Directory and then clear the check box that allows users to "Replicate or Copy Documents" in the ACL. This would break the functionality of end users maintaining local replicas of the Domino Directory and force them to use Mobile Directory Catalogs. The only problem with this is that users are unable to copy any data from the Directory, even when trying to copy data to the clipboard to paste somewhere else.
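The stub-purge effect described above can be seen in a small model. This is an added example, not Domino code and not part of the original post; the `Replica` class, `replicate` function and sample names are hypothetical, and the merge rules are a deliberate simplification of real replication.

```python
from dataclasses import dataclass, field

PURGE_INTERVAL_DAYS = 30  # deletion-stub purge interval quoted in the post

@dataclass
class Replica:
    """Simplified model of one replica (not Domino's real data structures)."""
    name: str
    docs: dict = field(default_factory=dict)   # doc id -> day last modified
    stubs: dict = field(default_factory=dict)  # doc id -> day deleted

    def delete(self, doc_id, day):
        self.docs.pop(doc_id, None)
        self.stubs[doc_id] = day  # the stub is what tells other replicas to delete

    def purge_stubs(self, today):
        self.stubs = {d: t for d, t in self.stubs.items()
                      if today - t <= PURGE_INTERVAL_DAYS}

def replicate(a, b, today):
    """Two-way sync; returns (doc id, receiving replica) for every copied document."""
    for r in (a, b):
        r.purge_stubs(today)
    copied = []
    for src, dst in ((a, b), (b, a)):
        # Deletions travel first: a surviving stub removes the older copy.
        for doc_id, deleted_on in src.stubs.items():
            if doc_id in dst.docs and dst.docs[doc_id] <= deleted_on:
                dst.delete(doc_id, deleted_on)
        # A document the other side has no copy of and no stub for looks new.
        for doc_id, modified_on in src.docs.items():
            if doc_id not in dst.docs and doc_id not in dst.stubs:
                dst.docs[doc_id] = modified_on
                copied.append((doc_id, dst.name))
    return copied

def scenario(days_offline):
    """Constructed data: 'jdoe' is deleted on the hub on day 1, then a local
    replica taken on day 0 replicates again after days_offline days."""
    hub = Replica("hub", {"jdoe": 0, "asmith": 0})
    local = Replica("local", dict(hub.docs))
    hub.delete("jdoe", day=1)
    copied = replicate(hub, local, today=1 + days_offline)
    return copied, sorted(hub.docs)

if __name__ == "__main__":
    print(scenario(10))  # stub still present: deletion reaches the local replica
    print(scenario(45))  # stub purged: the old document is copied back to the hub
```

The same model covers the decommissioned server in Option 1: a server that was powered off for longer than the purge interval behaves like the stale local replica here.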
These were just some ideas that came from a meeting. These suggestions are not necessarily recommended by IBM as best practices since these methods have not been thoroughly tested. If you choose to implement these suggestions, please test them thoroughly in your environment first, especially the idea to remove the "Replicate or Copy Documents" option from the ACL.