Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products.

By Andrew Pollack on 10/17/2010 at 08:28 PM EDT

What’s killing Lotus Notes as a first choice for Enterprise Mail in so many companies is not Lotus Notes.

We know that with the work of DAOS, ID Vault, and other advances, the Domino server is kicking serious ass in terms of platform efficiency, server consolidation, resource management, and performance. We also know that the client has improved to the point where it no longer compares as the backward, ugly, hick relation to Outlook. Indeed, there are plenty of people who find it better looking and more effective. Sure, plenty don’t – but the point is that neither is so much better that it’s a market-making difference. Why, then, is the Domino mail decision rapidly becoming either a holdout position for companies already invested and not willing to lose the workflow functionality of their applications – or the fallback choice for those few who want to resist going with Microsoft for complete control over their I.T. budget?

The answer is that IBM has totally and completely fumbled the ball with their enterprise desktop management strategy. They’ve so totally failed in this arena that a majority of IT workers would be very hard-pressed to even tell you what alternatives exist for a large enterprise that did not want to standardize on Active Directory. If you run a medium-sized business or an enterprise, you need a directory access management solution that ties your file sharing, network sharing and other services, email, and possibly phone system together. In all but the most hardcore resistant sites, that means Active Directory today. It didn’t use to.

When IBM essentially ceded the market for identity management to Active Directory (through failing to provide a competitive alternative), they made what may be the most costly mistake in the history of software. A company that goes with Active Directory (and really, who isn’t at this point?) is buying into a licensing suite for Windows servers that includes their file and print sharing, the directory services, their access control, DNS management, etc. From there it is a very easy sale to just include the Exchange server, the web application server, etc.

Sure, we can – if given the chance – make the case from a license cost perspective, functional perspective, end user perspective, manageability perspective, and almost any other perspective that Domino provides better value, lower cost, and more reliability. We don’t get that chance however, until after the decision to go with Exchange has already been made. At that point the battle is against a decision that management types have already invested significant reputation capital as well as budget in. You can’t win that battle by just being right. You have to be overwhelmingly and irrefutably right, and you have to time that winning combination to match a significant failure in the current plan. It’s not an easy fight to win.

While IBM wasted vast amounts of time and budget on services-dependent schemes to put J2EE servers on every rack (expecting to reap massive services revenue as a result -- which never really did pan out), Microsoft did for identity and access management what Notes had long ago accomplished for messaging. They built Active Directory into a very scalable, deceptively easy to manage, comprehensive credential and role management system that is in most cases sufficiently run on just a single server in each location. Sure, backup servers are commonly used – just like in Domino – but those are even easier to set up.

As few as ten years ago (Domino/Notes golden age, btw) many sites didn’t use an enterprise wide directory management system. Those tools were localized to buildings, departments, or sometimes campuses and generally not much bigger than the local LAN segment. Today, credential and access management is expected to fully span the enterprise. While there are alternatives to doing this with Active Directory, most people don’t know what they are. The cost and complexity of building a true enterprise wide alternative is so high as to be prohibitive for most enterprises.

I did a Google search on “Alternatives to Active Directory”, and then “Tivoli Alternatives to Active Directory” and guess what? IBM Tivoli Software was not even in the first page of results – not even with their name mentioned in the search. Not even when I added the “+” sign making it a mandatory search term! I went to IBM’s site for Tivoli and it took me 4 page clicks to even find Access Manager and even then no description of what it could do.

The sad truth is the combined software strategy for the desktop in the enterprise under Steve Mills, IBM’s Senior Vice President and Group Executive - Software & Systems, has been an unmitigated disaster. During his tenure, IBM has completely ceded the marketplace to Microsoft in the most critical enterprise management system there is – the network. IBM no longer even offers a seriously competitive alternative in this space. His management of IBM Software spans the time when IBM has gone from having a significant share of the network management marketplace to nearly zero, where failed attempts by competing internal software groups have led to significant market loss in every single segment, and where current predictions nearly uniformly agree that the percentage of IBM software on Enterprise Desktops will continue to decline. Mr. Mills can no doubt cite excellent looking growth numbers in software revenue since the mid 90's. Who the hell can't? The entire industry has been on fire for most of that time. What those numbers will not show, however, is growth in the IBM share of that rapidly increasing market. Growth is good, but failing to grow as fast as the industry is only good until you look closely.

Dear IBM – Please wake the hell up.



re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Dwight Wilbanks on 10/17/2010 at 09:12 PM EDT
IBM has made their position exceptionally clear, I don't understand or agree
with them, but, the part that is clear is the things that you and I consider
important are not the same thing that the decision makers consider important.



re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By JP Liggett on 10/17/2010 at 09:24 PM EDT
I thought Domino based LDAP used with samba could be used as an alternative to
MS AD and windows servers. Most linux shops I know swear by samba. I presume
that this may have been a standard offering from IBM.


"Since Samba 3 arrived in 2003, Windows network administrators have been able
to use Samba and Linux as a drop-in replacement for an NT file/print server.
You could, and many have, used Samba in place of an NT PDC (primary domain
controller)." http://www.linux-watch.com/news/NS9104718779.html Sept 2007

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Andrew Pollack on 10/17/2010 at 09:30 PM EDT
It's not about one server serving a small environment. Imagine you have 50 or
100 campuses. You CAN set up linux boxes and openLDAP, and SAMBA, and
Kerberos, and CUPS, etc etc.

But you're going to need a hell of a lot more than one kid fresh out of
the local community college to manage each of those sites and keeping them tied
together is going to keep you pretty busy.

It can be done -- it can even be done better than with AD. But very, very,
few people are able to make it happen.

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Dwight Wilbanks on 10/17/2010 at 09:42 PM EDT
Active directory is so very easy to build on. Other solutions are so very
lucrative for consultants. Those that really want to make the best
recommendation to their clients are offered an ethical dilemma. I just can't go
there, AD is the way to go.

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Gregg Eldred on 10/17/2010 at 09:52 PM EDT
What? No mention of Novell? Yeah, I remember, IMHO, that excellent directory
service combined with exceptional file and print services.

no point. By Andrew Pollack on 10/17/2010 at 09:56 PM EDT
Novell also failed to transition from the LAN to the global enterprise.
Architecturally they never really had a chance. Banyan had a better chance
but they lacked an attractive user interface, funding, and an intelligent
management team as well.

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Bill Dorge on 10/17/2010 at 10:10 PM EDT
And so IBM wakes up, then what? It's not that they don't have the know how or
ability to integrate with Active Directory, they do it with lots of products,
even lots of Lotus products. The question is, why don't they do it with Domino?

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Andrew Pollack on 10/17/2010 at 10:18 PM EDT
Actually, they're working really hard to integrate Domino's functionality with
the AD -- eventually hoping to be able to entirely run in the AD world without
its own directory.

That's not enough. It would help -- or would have 5 years ago anyway. It
still makes you totally dependent on your key competitor for how your product
works.

What IBM needs is a serious AD competitor that's capable of competing with AD.
It hasn't happened yet and doesn't look like it's going to happen any time soon.

Mills blew it. You can't un-screw it up.

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Patrick Picard on 10/18/2010 at 08:42 AM EDT
Didn't IBM/Lotus dump the whole directory independence thing?

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Martijn de Jong on 10/19/2010 at 08:37 AM EDT
Yes, they did. ID Vault and Notes Shared Login basically replaced their efforts
to be directory independent:
http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21416004

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Bill Malchisky Jr. on 10/17/2010 at 10:33 PM EDT
How ironic. I just had this conversation with a fellow alum this weekend.
Almost point for point. He works at a big Notes shop and the lack of AD
integration is causing problems for him to upgrade to ND8.5.1--particularly
with SSO. Then there is the SPNEGO aspect too: the Lotus Notes long-term
strategy therein, and by his using it, SPNEGO will force him to keep Windows
desktops rather than using a heterogeneous desktop strategy, which is preferred
for his firm (based upon user roles and job required tools). Made for an
excellent conversation.

Great post.

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Ben Poole on 10/18/2010 at 03:55 AM EDT
Great post. Mills does seem to be running some kind of "parallel universe"
strategy. I can't see him changing that either, until the whole services thing
stops working for him.

I wonder when / if that will happen? I see IBM "consultants" working for big
customers at GBP 1,000 per day, adding nothing (and I mean NOTHING!); IBM seem
to be betting the farm on a pretty shaky foundation.

But hey, what do I know, I just work for a living…

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Henning Heinz on 10/18/2010 at 05:09 AM EDT
I still believe Steve Mills knows what he is doing. He just doesn't want to be in
this business and I think he is willing to sacrifice what is suffering from
this decision.
I expect it would be very hard to implement an alternative Directory Service in
a Windows (desktop) dominated world. Personally I would have hoped that some
bigger company would try to bring Samba 4 out of Alpha in all these years of
its development. And that would even only offer a cheap copy of Active
Directory.

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Ed Maloney on 10/18/2010 at 07:24 AM EDT
Novell is for sale on the cheap these days. Being located in the same building
as IBM in Waltham, MA is a plus. Why IBM hasn't purchased them to get their
SUSE Linux, Identity Management Suite and a ton of great technology IP is
beyond me. If for no other reason IBM should buy them to keep Oracle from
adding this to their growing technology stack.

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Dave T on 10/18/2010 at 07:50 AM EDT
There may be opportunity yet. We are almost completely AD/LDAP integrated for
our Domino platform, but then, we use very few clients (99% web with a couple
dev/admins). Still, I find that we are often called upon to fill the gaps
between AD and other platforms like PeopleSoft, Cisco phone systems, etc. Add
to that all the manual processes around keeping AD up-to-date and we have quite
the disjointed environment. Sure, it's easy for the Windows folks to say "we
have everything centralized in AD" and that sounds nice - but they only see it
from their small POV, the rest of the enterprise is scrambling.

Full "Identity Management" has yet to hit us. What they have asked for, and I
feel they really need, is a simple way for the "Access Group" to centrally
manage users for the variety of platforms, including sophisticated
onboarding/offboarding and with solid reporting and auditing. We don't get
that from AD, not even close...

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Mark Gesick on 10/18/2010 at 02:30 PM EDT
Thank you. I agree.

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Leo L on 10/18/2010 at 05:19 PM EDT
Don't know what to tell you Andrew. IBM has been trying to pretend for years
that "AD" doesn't even exist. I think that they are just now realizing that
this "AD" thing may actually be sticking around and they may need to address
working with it. Of course, I'll believe it when I see it.....

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Stephan H. Wissel on 10/18/2010 at 09:19 PM EDT
If EMC is really buying Novell's Linux business IBM could grab the rest, give
the Groupwise customers a free Notes licence and use eDirectory as alternative
for AD. After all this is where AD got its blueprints from. eDirectory scales
well and customers could put an end to the AD Forest madness that came to life
due to the poor AD scalability.

re: Dear IBM - Wake the hell up. Your utter failure in enterprise identity management is killing all your products. By Thomas Hampel on 01/19/2012 at 10:13 AM EST
@Stephan , interesting idea of IBM taking over Novell, it would support the
strategy.

