Wednesday, November 9, 2011

Do I Really Need to Document Everything? Yes!!!

Here's a story to illustrate one of the many reasons documentation is so important (and why one of the first things I do at a new job is review it all and update it if possible):

A user came up to me and said, "Are we having problems with the Exchange server?" (Note: if you're a user, it's actually more expedient to just jump right in and state what your problem is rather than approaching with a hypothesis, because the next question I have to ask is, "Why? What's happening?" You can start off with what's happening and save us a smidge of time.) I wound up at his desk and sure enough Outlook showed as disconnected. A check of the event logs showed specifically that Outlook was not able to validate the security certificate for the site. He was set up to use RPC/HTTPS, a remnant of my predecessor (although I would have set him up that way too since he's using a laptop, but even desktops are configured that way). I checked the certificate information through IE and guess what? It expired today.

Oh crap.

So, here's something I didn't know about SBS 2003. Actually, I've never set up an SBS server so there are a lot of things I don't know about them. When you first set up an SBS 2003 box, it walks you through this Internet and Email Connection Wizard. During that process you can elect to create and use a self-signed certificate, one which apparently expires in 5 years. All you have to do is make sure you manually install the certificate on your client machines, and voila. But what happens when the cert expires? As far as I can tell, you have to renew the cert but that also means you have to re-install the certificate for every machine that uses it. This can be a real beast if people are out of the office, unavailable, etc. Their email is down, so how do you communicate to them what they need to do? Terrible business. I made the executive decision to purchase an SSL cert from GoDaddy ($69, which was quite a bit higher than I thought it'd be), so that the problem could be fixed without having to do a lot of manual work.

I went through GoDaddy's convoluted process. Honestly, the pricing has to be the only thing that keeps that site going. Their design is just plain painful, cluttered and poorly organized, and that makes it difficult to navigate. They need a user experience person to help them clean that up. The process is also not the most user-friendly. Get a Thawte cert and there is a very straightforward, streamlined process by which you select the cert, enter the information for your domain, purchase the cert, and then get sent to a page where you can check the progress of your request and look at installation docs. With GoDaddy, they send you to a whole new interface with sub-menus you have to click on and it's just plain weird.

Part of the process with GoDaddy is also getting an authorization email, which is sent to the administrative contact in your WHOIS record. Guess who didn't have an updated record? >>this girl<< The email went off to my predecessor, whose email address I had deleted a few months ago (after letting it hang out there for almost a year, just in case). Whoops. Better contact the registrar and update that info, huh? Sure. Except...who has the login info?

This began an investigation that would have made Columbo proud. Ultimately it turned out that the person who was listed as the administrative contact didn't actually have the login credentials. No one knew how to log in to Netsol. This was, mind you, our main domain. Not a small thing. One of the developers had a great idea though. Recreate the original email address of my predecessor, and use the "forgot password/id" feature. It was surprisingly simple to do, and I got the info I needed to log in and change the WHOIS info. Called GoDaddy up and asked that they re-send the authorization email and bam! Done. And I will give due credit to GoDaddy for their great customer support. I have sat on the line or in chat for what felt like years with Thawte waiting for someone to talk to, but GoDaddy support picked up quickly.

After that it was a matter of minutes and I received my cert files, installed them, and verified everything was kosher.

The lessons then:

  • Keep your WHOIS record up to date. Don't ignore it. It's actually important. 
  • Register domains using a generic admin email account. That way you're not shuffling or losing this info every time you have a personnel change.
  • Document, document, document!

If you were paying attention you may be thinking, 'But Stevie, the first thing you said was that you document like crazy when you start somewhere. Why didn't you know you were lacking this info?' Good question. Only thing I can imagine is that we have at least 5 or so domains, each registered under different credentials or registrars altogether, and I missed this somehow. Ultimately I probably assumed that the people who'd registered these were keeping track of them, or would at least receive the emails associated with things like renewing them, and that would be their reminder to let me know about them. That's how I found out about at least 2 of our domains. But the onus does lie with me to check these things out, so lesson learned.
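The lessons above can be turned into a check that runs against the documentation itself. This is an added example, not part of the original post: a small Python audit over a constructed inventory that flags expired or soon-to-expire certificates and domains whose WHOIS admin contact is dead, personal, or whose registrar login has no documented holder. All hosts, domains, mailboxes and dates are made up for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed inventory for illustration; every name and value here is made up.
CERTS = [
    {"host": "mail.example.com", "not_after": "Nov  9 00:00:00 2011 GMT", "self_signed": True},
    {"host": "intranet.example.com", "not_after": "Dec  1 00:00:00 2011 GMT", "self_signed": False},
    {"host": "www.example.com", "not_after": "Mar  1 00:00:00 2013 GMT", "self_signed": False},
]
DOMAINS = [
    {"name": "example.com", "registrar": "Registrar A",
     "admin_contact": "former.admin@example.com", "login_holder": None},
    {"name": "example.net", "registrar": "Registrar B",
     "admin_contact": "hostmaster@example.com", "login_holder": "IT password vault"},
]
LIVE_MAILBOXES = {"hostmaster@example.com", "it-team@example.com"}  # mailboxes that still exist
ROLE_LOCALPARTS = {"hostmaster", "domains", "admin", "it-team"}     # generic, not tied to a person
NOW = datetime(2011, 11, 9, 12, 0, tzinfo=timezone.utc)             # fixed "today" for the sample


def audit(certs, domains, live_mailboxes, now, warn_days=60):
    """Return (item, problem) findings for the documented certs and domains."""
    findings = []
    for c in certs:
        # not_after uses the text form OpenSSL prints; the standard library parses it.
        expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(c["not_after"]), timezone.utc)
        note = " (self-signed: renewal means reinstalling on every client)" if c["self_signed"] else ""
        if expires <= now:
            findings.append((c["host"], "certificate expired" + note))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((c["host"], f"certificate expires in {(expires - now).days} days" + note))
    for d in domains:
        contact = d["admin_contact"].lower()
        if contact not in live_mailboxes:
            findings.append((d["name"], "WHOIS admin contact mailbox does not exist"))
        if contact.split("@")[0] not in ROLE_LOCALPARTS:
            findings.append((d["name"], "WHOIS admin contact is a personal address"))
        if not d["login_holder"]:
            findings.append((d["name"], "no documented holder of the registrar login"))
    return findings


if __name__ == "__main__":
    for item, problem in audit(CERTS, DOMAINS, LIVE_MAILBOXES, NOW):
        print(f"{item}: {problem}")
```
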
