You are on page 1of 52

Lotus Notes Interview Questions for L1 Level 1) What is ACL ?

Access Control List 2) What are the diff types of ACL access? Manager, Designer, Editor, Authour,Reader,Depositor,No accses 3) Diff between Manager access and Designer access? Manager : He can create the Database with manager access,delete,encrypt and compact the documents Designer : He can access designer elements like view ,forms He can create the FT index , he can delete the documents with manger access 4) Diff between Editor access and Author access? Editor : He can create , read and modify the document, he can delete the document with Manger access Author : He can read the document and delete the document if authour is the owner of the document 5) What is clustering? Group of two or more server provides the users with constant access. Domino cluster continually communicate with each other to keep updated on the status of each server and to keep database replicas synchronized. 5) Transaction Log problems - Troubleshooting? Invalid transaction log path : Check the log path path is correct restart the server Not solved, edit TRANSLOG - PATH setting in notes.ini to point to different log path restart the server Transaction log damaged or corrupted : We can see the error message Transaction log damaged or corrupted on the console promt- restart the server If continues delete the transaction log file restart the server- server create the new log file- load fixup perform the database backup. 6) Resource and Reservation databases, busytime databases. Resource reservation database : Users can schedule and manage meeting resources. User can select the resource and reserve the time for it ( RESRC60.NTF ) Busytime databases : When not in a cluster, each server contains a database that includes scheduling information for all users who use that server as their mail server. 6) Components or tasks involved in Domino Clustering? Components : Server : Domino 6.5 or Domino 6 enterprise server or Domino 6 utility server

Cluster with LAN or WAN - TcpIP, It should be with same domain and share a common domino directory, Server shud have adequate CPU and Memory capacity. Client : Notes client must run notes release 4.5 or later. Tasks involved in Domino Clustering : ? 7) Port used by Notes? NRPC Notes remote process call ( 1352 8) What is ECL? Execution control list 9) What is replication? Replication is the process of synchronizing documents from the same databases on different workstations or servers 9a) Different types of replication? 1. server to server replication 2. workstation to server replication Pull pull Pull push Pull only Push only In pull push, the initiating server replicator pulls changes from the called server and the pushes data to the called server, only the initiating servers does te work writing in both servers. 10) If replication between 2 databases does not work, then what are the troubleshooting steps taken? Check replication history and log, Replicate with server not responding : check network communication Check cross certification for the database Mislenious event log 11) If users recieve error "Unable to find path to server" - what would be the problem ? DNS issue or host entry or connection document problem 12) smtp routing ?

To sending mail to internet users 13) Mail routing ? A server base task that allows users to exchange mail via a LAN, WAN , Gateways 14) Difference between replica and new copy? New replica have same replica ID, New copy will not the same 15) To have console access what do you require in Server Document ?

16) Transactional Logging? Transaction logging captures all the changes made to a database and writes them to a transaction log. Transactions are recordered sequentially in the log files,which is much quicker than database updates to random. 17) difference between refresh desing and replace? Refresh : Refresh page contain up to date information Replace : Change the existing one to new one 18) Compact tasks and types. Tasks : ? Types : In-place compacting with space recovery In-place compacting with space recovery and reduction in file size Copy-style compacting 19) difference updall and update Update : Update is loaded at server by default and runs continually . It will update view index. Updall : Updall dosent continually or work from qeue, run updall when it is needed, It will update view index. 20) Fixup details and it's syntax ? 21) R5 and R6 differences, new in R6? ? 22) Can external LDAP directory be used in Domino ?

No 23) What is directory Assitance? what is the benefit using this? Directory assistance : Directory assistance is a feature a server can use to look up information in a directory other than a local primary Domino Directory (NAMES.NSF) Benefit : ? 24) What is the step to recover from a Server Crash? 25) What is the steps to recreate a corrupt log.nsf? 26) Domino upgrade steps from 5 to 6 or 6.5 ?

Lotus Notes Interview Questions for L2 Level

1) Difference between Adjacent Domain Document and Non Adjacent Domain Document? 2) What is the Foreign Domain Document? 3) What is the Foreign SMTP Domain Document? 4) What is the Global Domain Document? 5) Difference between Domino and Domain? 6) How many ways to open Notes.ini? 7) Difference between ACL and ECL? 8) Difference between R5 and R6? 9) What is the NRPC? What is Port number? 10) What are the port numbers for SMTP, POP3, IMAP, HTTP, LDAP and SSL? 11) Difference between Replace and Refresh? 12) Difference between Updall and Update? 13) Difference between compact and fixup? 14) What is the transaction logging? How many types are there for Transaction logging? How do you disable transaction logging? 15) What are the features in R6? 16) What is Minimum configuration and Maximum configuration for Domino? 17) How do you monitor the server? 18) How do you replicate the address book from location to another location? 19) What are the necessary files for backup? 20) How many partitions can support domino? 21) How many cluster servers can support domino? 22) What do you know about pass-through server? 23) What is the CA? 24) Difference between connection document and Program document? 25) Difference between server document and configuration document?

26) What are the tasks run server when clustering is started? 27) Difference between Newcopy and replication? 28) Difference between NNN and DNN? 29) What is the information is contain id file? 30) What is ISPY? 31) Difference between Public key and private key? 32) What are the Topologies for the Domino? 33) How many Organizations we can create? 34) How many Organizations Units we can create? 35) How many ways are there to create / Register user? 36) How can you identify whether it is a main server or additional server? 37) How many ACL levels are there? 38) Can you describe ACL level (Manager, Editor, Author, Designer, Depositor, Reader and Unassigned)? 39) What is the ICL? 40) What is CRL?

Lotus Notes Interview Questions. 10) Difference between Adjacent Domain Document and Non Adjacent Domain Document? http://www.codestore.net/help/help6_admin.nsf/f4b82fbb75e942a6852566ac0037f284/91 8e6b784b0fb52d85256c1d0039527e?OpenDocument MAIL Creating an Adjacent domain document You create an Adjacent domain document when you need to restrict the transfer of mail from one adjacent domain to another. For example, if you are in domain B and want to prevent mail from an adjacent domain A from traversing your domain to reach another adjacent domain C, create an Adjacent domain document that names C as the adjacent domain and denies mail from A.

The restrictions you define in the Adjacent domain document apply to the domain of the previous hop only. That is, in the Adjacent domain document created in the previous example, adding A to the Deny list prevents mail originating in A from routing to C. This includes mail that domain A may receive from domain Z for eventual transfer to C. But suppose you want to allow mail from A, but deny mail from domain Z, which uses A and B as intermediate domains to reach C. If the administrator in domain B removes domain A from the deny list of the Adjacent domain document for domain C, and adds domain Z, domain Z is allowed to route mail to C. This is because once the message arrives in domain B the domain of origin appears to be A, rather than Z. In the absence of restrictions on transferring mail from A to C, Domino allows the message to route.

You also use Adjacent domain documents to allow Free Time searches across domains. For more information, see Setting up scheduling. Note Restrictions set in an Adjacent domain document work in conjunction with those in the Configuration Settings document. Domino always defaults to the most restrictive entry. Adjacent Domain documents do not provide connectivity to adjacent domains, and are not required to enable connections between adjacent domains. To define routes between adjacent domains, create a Connection document. Using Adjacent domain documents to restrict mail By default, a domain that can route mail to your domain can also route mail through your domain to another adjacent domain. When mail routes from one domain to another through your domain, it ties up your resources. To prevent your servers from being used to transfer mail between other domains, you can selectively allow and deny mail routing through your domain to the domain named in the Adjacent domain document. The Allow and Deny fields on the Restrictions tab of the Adjacent domain document let you control the flow of messages from other domains to the adjacent domain. Entries in these fields must be the names of adjacent domains; the Router ignores entries for nonadjacent domains beyond the previous hop. If you deny a domain from sending mail through your domain, the Router denies all mail received from that domain, including messages the domain may have passed on from another, non-adjacent domain. There is no way to restrict specific users from routing to a Notes domain. Restrictions apply to all users in specified domain. The settings in the Allow and Deny fields work in conjunction with the Allow and Deny fields on the Router/SMTP - Restrictions and Controls - Restrictions tab of the Configuration Settings document. In the event of any conflict between settings, Domino applies the most restrictive entry. Messages may be further restricted by Adjacent Domain documents, Non-adjacent Domain documents, and Configuration Settings documents set up between domains along the routing path. To create a Adjacent domain document 1. From the Domino Administrator, click the Configuration tab and then expand the Messaging section. 2. Choose Domains. 3. Click Add Domain to create a new Domain document.

4. On the Basics tab, complete these fields: Field Domain type Adjacent domain name Enter Choose Adjacent domain The name of the adjacent Domino domain. The current domain must have a Connection document to this domain.

Domain description Optional description of the domain 5. To restrict other domains from routing mail through the current domain to the adjacent domain, click the Restrictions tab, complete the following fields, and then click Save and Close: Field Allow mail only from domains Enter Enter the names of adjacent Domino domains that are allowed to route mail to this adjacent domain. To allow any domain to route mail through the local domain to this adjacent domain, leave this field blank. Deny mail from domains Enter the names of adjacent Domino domains that are not allowed to route mail to this adjacent domain.

To allow any domain to route mail through the local domain to this adjacent domain leave this field blank. Note You cannot use wildcards in the Restrictions fields. You must enter explicit domain names. 6. Create a Connection document to specify how servers in the current domain connect to the adjacent domain. MAIL Setting up routing to non-adjacent Domino domains Non-adjacent domains are Domino domains that are not directly connected, but have an intermediary domain, adjacent to both of them in common. For example, domain A and domain B are adjacent and have Connection documents defining the route between them. Similarly, domain B, in turn, is adjacent to domain C and mutual Connection documents exist between them; and domains C and D are likewise adjacent to each other and linked by Connection documents. Domain B is thus adjacent to domain A on one side, and domain C on the other; and domain C is adjacent to B and D, respectively. If no direct connection exists between A and C, these two domains are considered to be non-adjacent domains. Similarly if there is no direct connection between B and D, these two domains are also non-adjacent.

Because there is no direct connection between two non-adjacent domains, you cannot define the routing path between them in a Connection document. Connection documents can only be used between two directly-connected, adjacent domains. However, users in non-adjacent domains can send mail to each other by routing it through the intermediary domain. One way to do this is to use explicit addressing -- telling the Router how to reach the destination domain through the intermediary domain by placing the entire routing path in the address field. For example, if Kathy Burke in domain A wants to send a message to Robin Rutherford in the non-adjacent domain C, she addresses the message by way of domain B, as follows: Robin Rutherford@C@B In processing the message, the Router on the domain A mail server looks only at the last part of the address, and uses the Connection document to determine the route to domain B. The domain B server then uses the Connection document in its Domino Directory to transfer the message to domain C. Although the use of explicit addressing is an effective method for directing mail to nonadjacent domains, because it relies on a complete knowledge of the inter-domain routing topology, it's also not a very practical solution. This information is not readily available to a typical user. To simplify routing and addressing to non-adjacent domains, you can create a Non-adjacent domain document in the Domino Directory to define the path between the non-adjacent domains. Using a Non-adjacent domain document Administrators can create a Non-adjacent domain document to control message routing to a non-adjacent domain. A Non-adjacent Domain documents serves three functions:

Specifies a routing path to the non-adjacent domain by supplying next-hop domain information Restricts mail from other domains from routing to the non-adjacent domain Defines the Calendar server used to enable free time lookups between two nonadjacent domains.

Non-adjacent domain documents are only required to specify routing restrictions to a non-adjacent domain. However, to simplify addressing on messages destined for a nonadjacent domain, it's useful to have a Non-adjacent domain document for that domain. Without a Non-adjacent domain document in the Directory, the Router has no defined routing path to the non-adjacent domain. The Router can transfer a message to the nonadjacent domain if the recipient address uses explicit path routing (User@AdjacentDomain@NonAdjacentDomain), but cannot transfer a message with a simple domain address (User@NonAdjacentDomain). When explicit addressing is used the Router uses the Connection documents between domains to calculate the path to the next-hop domain. But when a Non-adjacent domain document is available, the Router obtains intermediary domain information from that document. This eliminates the need for users sending mail to a non-adjacent domain to use complex, explicit addressing. Thus, if domain A has a Non-adjacent domain document for domain C, when Kathy Burke in domain A sends mail to Robin Rutherford in domain C, she uses the address Robin Rutherford@C (rather than Robin Rutherford@C@B). Because the Router finds the intermediate domain information in the Non-adjacent domain document, the message is transferred successfully to domain C by way of domain B. Using Non-Adjacent domain documents to restrict mail Using Non-adjacent domain documents to simplify addressing makes them valuable enough. But Non-adjacent domain documents play another equally significant role. Although they are not strictly required to enable routing between non-adjacent domains, they are needed if you want to restrict routing of messages from certain domains. By default, any domains that can route mail to your domain can also route mail to the destination domains named in a Non-adjacent domain document. Mail routed from one domain to another through your domain consumes your network resources. To prevent your servers from being used to transfer mail between other domains, you can selectively allow and deny mail routing through your domain. The Allow and Deny fields on the Restrictions tab of the Non-adjacent domain document let you control the flow of messages from other domains to the non-adjacent domain. Entries in these fields must be the names of adjacent domains; the Router ignores entries for non-adjacent domains beyond the previous hop. If you deny a domain from sending mail through your domain, the Router denies all mail received from that domain, including messages the domain may have passed on from another, non-adjacent domain.

The "Deny mail from domains field" in a Non-adjacent domain document does not block messages that use explicit domain addressing, that is, addresses that explicitly name every domain on the routing path. A Non-adjacent domain document can only block mail that relies on information in the Non-adjacent domain document to supply the name of a a missing intermediate domain. If the entire routing path is contained in the recipient address, the Router doesn't need to check the document to determine where to route the message, and thus cannot block it. For example, if in the previous example, the administrator in domain B creates a a Non-adjacent domain document for domain D and adds domain A to the Deny mail from domains field. Kathy Burke in domain A can still send mail to Judy Kaplan in domain D by specifying the following explicit domain address: Judy Kaplan@D@C@B. To prevent Kathy Burke from sending this message, the administrator in Domain B would have to create an Adjacent domain document for domain C that names domain A in the Deny mail from domains field. The settings in the Allow and Deny fields work in conjunction with the Allow and Deny fields on the Router/SMTP - Restrictions and Controls - Restrictions tab of the Configuration Settings document. In the event of any conflict between settings, Domino applies the most restrictive entry. Messages may be further restricted by Adjacent Domain documents, Non-adjacent Domain documents, and Configuration Settings documents set up between domains along the routing path. To create a Non-adjacent domain document 1. From the Domino Administrator, click the Configuration tab and then expand the Messaging section. 2. Choose Domains. 3. Click Add Domain to create a new Domain document. 4. On the Basics tab, complete these fields: Field Domain type Enter Choose Non-adjacent domain

Mail sent to domain The name of the non-adjacent Domino domain you want to route mail to. Route through domain The name of the intermediary Domino domain through which you want to route mail for the destination domain. The current domain must have a Connection document to this domain. Also, the Domino Directory in the intermediary domain must have a Connection document to the destination domain.

Domain description An optional description of the domain 5. Click the Restrictions tab, complete one or both of these fields, and then save the document: Field Allow mail only from domains Enter Enter the names of Domino domains adjacent to the current domain that are allowed to route mail to this non-adjacent domain. Leave this field blank to allow any domain to route mail through the local domain to the non-adjacent domain. Deny mail from domains Enter the names of Domino domains adjacent to the current domain that are not allowed to route mail to this non-adjacent domain.

Leave this field blank to allow any domain to route mail through the local domain to the non-adjacent domain. Note You cannot use wildcards in the Restrictions fields. You must enter explicit domain names. 6. Create a Connection document to specify how servers in the current domain connect to the intermediary adjacent domain. Note Since, by definition, all servers in a domain use the same Domino Directory, only one Non-adjacent domain document is required for each non-adjacent domain. You do not have to create a separate document for each server.

11) What is the Foreign Domain Document? http://www.codestore.net/help/help6_admin.nsf/0/d9e9410025f7d41f85256c1d0039531a ?OpenDocument MAIL Setting up routing to external application gateways Domino treats external messaging applications, such as fax or pager gateways, as foreign domains. To route mail from a Domino domain to an external application, create a Foreign domain document. Creating a Foreign domain document

A Foreign domain document defines the path between a Domino domain and an external application, such as a fax or pager gateway. A Foreign domain document identifies the Domino server that acts as the gateway to the external application. Applications such as X.400 and cc:Mail use their own specialized versions of the Foreign domain document to direct the messages through a message transfer agent (MTA). For more information about MTAs, see the documentation for the specific MTA. Although Foreign domains are mostly used for third party applications, you can also use them to transfer messages between a Release 5.0 or later server and a Release 3.x SMTP server. Restrictions that you set on this Foreign domain document apply only to the From domain of the previous hop. These restrictions work in conjunction with those in the Configuration Settings document. Domino always defaults to the most restrictive entry. To create a Foreign domain document 1. From the Domino Administrator, click the Configuration tab and then expand the Messaging section. 2. Choose Domains. 3. Click Add Domain to create a new Domain document. 4. Click the Basics tab, and complete these fields: Field Domain type Foreign Domain Name Domain description Enter Choose Foreign domain. The domain name of the foreign mail system. This name was chosen when the MTA or gateway was installed. An optional description of the gateway or MTA.

5. Click the Restrictions tab, and then complete these fields: Field Allow mail only from domains Enter The names of Domino domains that are allowed to route messages to this foreign domain. Leave this field blank to allow any domain to route mail through the local domain to the foreign domain.

Deny mail from domains The names of Domino domains that are not allowed to route messages to this foreign domain. Leave this field blank to allow any domain to route mail through the local domain to the foreign

domain. 6. Click the Mail Information tab and complete these fields, and then save the document: Field Gateway server name Enter The name of the Domino server running the gateway software.

Gateway mail filename The gateway's mail file name. See the documentation that came with the gateway for the proper file name. 7. Create a Connection document to specify how servers in the current domain connect to the foreign domain.

12) What is the Foreign SMTP Domain Document? http://www.etf.europa.eu/help/help65_admin.nsf/f4b82fbb75e942a6852566ac0037f284/8 f4313d03868fddc85256dff004b1a57?OpenDocument MAIL Overview of routing mail using SMTP By default, Domino uses the Notes routing protocol to transfer mail between servers. You can configure Domino to use SMTP to route mail instead of or in addition to using Notes routing. Message transfer over SMTP routing is performed as a point-to-point exchange between two servers. The sending SMTP server contacts the receiving SMTP server directly and establishes a two-way transmission channel with it. To send a message over SMTP: 1. The sending server checks the recipient's address, which is in the format localpart@domain, and looks up the domain in the Domain Name System (DNS). 2. DNS returns the Mail Exchanger (MX) record for the domain, indicating the IP address of the servers in the domain that accept mail over SMTP. 3. The sending server connects to the destination server over TCP/IP, establishes an SMTP connection on port 25, transfers the message, and closes the connection. Enabling SMTP on the Domino server Domino supports sending and receiving mail over SMTP by means of the SMTP listener task and SMTP Router, respectively, each of which you enable separately. The SMTP listener task handles incoming SMTP connections and delivers messages received over

those connections to MAIL.BOX. It does not handle subsequent delivery or transfer of those messages. You configure the SMTP listener task for receiving mail on the Basics tab of the Server document. For more information about configuring Domino to receive SMTP mail from other servers in your organization and/or from the Internet over SMTP, see the chapter, "Setting Up Mail Routing." The Router task for SMTP is the same Router task that handles Notes routing. When a message in MAIL.BOX requires transfer to another server, the Router determines where to send it and whether to send it over Notes routing or SMTP. By default, SMTP is disabled. To configure Domino to use SMTP to send mail, you must change settings on the Router/SMTP-Basics tab of the Configuration Settings document. You can configure Domino to use SMTP when sending mail to destinations:

Outside the local Internet domain Within the local Internet domain

How the Router determines when to use SMTP On servers that support both SMTP and Notes routing, each time the Router detects a new message in MAIL.BOX, it chooses the protocol by which to transfer the message. The routing decision is based on the message's address and format, and whether the server is configured to send SMTP within the local Domino domain, outside the local Internet domain, or both. Using SMTP to send mail to local domain addresses Enabling SMTP within the local Domino domain allows the Router to consider SMTP as an alternative routing protocol when transferring mail to another Domino server in the same Domino domain. When configuring servers to send SMTP within the local Domino domain, you have the following options:

SMTP allowed for MIME messages only - If the destination is a Domino server running the SMTP listener and the message deposited in MAIL.BOX is already in MIME format, the Router sends it using SMTP. Messages in Notes rich text format are sent over Notes routing. SMTP allowed for all messages - If the destination is a Domino server running the SMTP listener, the Router always uses SMTP when transferring a message to another Domino SMTP host, regardless of the message's current format. If a message deposited in MAIL.BOX is in Notes format, the Router converts the messages to MIME before sending.

When the Router picks up a message in MAIL.BOX, it reads the address to determine whether the recipient is in the local domain. If the recipient is local, the Router looks in

the ($Users) view of the Domino Directory for a Person document containing that address. If SMTP is allowed within the domain and the message format matches the format specified in this setting, the Router uses TCP/IP to connect to the destination server, establishes an SMTP connection, and transfers the message. By default, enabling SMTP within the local Domino domain allows the Router to use SMTP to transfer mail to any other Domino SMTP host in the same Domino domain. You can restrict the use of SMTP within the local domain so that SMTP is allowed only for message transfers that take place between servers in the same Domino named network. To set this restriction, use the field "Servers within the local Domino domain are reachable via SMTP over TCPIP" on the Router/SMTP - Basics tab of the Configuration Settings document. If the receiving server is running the SMTP listener, servers configured to send SMTP within the local Domino domain always use SMTP to send MIME messages to destinations within the same Domino named network. For messages in Notes format, the Router sends SMTP only if the server is configured to send all messages over SMTP. Sending SMTP outside the local Internet domain Enabling Domino to send SMTP to external Internet domains allows the server to transfer outbound Internet mail either directly to a host in the receiving domain or indirectly to an Internet host. If a message in MAIL.BOX has a recipient address that contains an @ sign and a domain part (the part of the address to the right of the @ sign) that does not resolve to the local Domino domain, the Router identifies the message destination as non-local. A non-local address can be an RFC 821 Internet address (where the domain part contains a period and is in the form localpart@org.domain) or an address in another Domino domain (including Foreign domains such as a pager or fax gateway). To determine whether an Internet address is local, the Router checks whether the domain part of the address matches any of the local Internet domains defined in the Global Domain document in the Domino Directory. Local Internet domains include any domains listed in the Local primary Internet domain and Alternate Internet domain aliases fields in the Global Domain document. If there is no Global Domain document, the Router compares the domain in the recipient's address to the server's host name. For example, if the message is addressed to jdoe@mailhost3.acme.com and the Router is on the server mailhub.acme.com, the Router knows that the recipient is in the local Internet domain. Connecting the Domino mail system to the Internet Because Domino routes mail using the Internet-standard SMTP routing protocol, it's easy to configure the Domino system to send and receive mail from external Internet domains. For outgoing mail you can use a gateway routing architecture in which only designated servers use SMTP to route mail to external domains, or you can enable all mail servers to

use SMTP to route mail to external domains. For inbound mail, you need to decide how to route mail coming in to your Internet domain from a firewall to Domino servers. How you set up inbound mail depends on whether your organization uses a single Internet domain name or multiple names and on the distribution of your servers. For information on connecting Domino to the Internet, see the topics Preparing to send and receive mail to the Internet and Routing mail to external Internet domains. Using a relay host A relay host is an SMTP server or firewall that connects to the Internet and forwards, or relays, inbound or outbound Internet mail. A relay host can also be a DNS name that maps to multiple MX records. To configure Domino to use a relay host, you use two fields on the Configuration Settings document of the sending server. Add the relay's DNS or host name to the "Relay host for messages leaving the local Internet domain" field and enable "SMTP used when sending messages outside of the local Internet domain." Note R4 SMTP MTA servers use the relay host specified in the SMTP Connection document. Using Notes routing to transfer outbound Internet mail to an SMTP server On internal Domino servers that do not use SMTP to route mail, Domino uses Notes routing to transfer outbound Internet messages to a Domino SMTP server, which then transfers the messages to the Internet, either directly or through a relay host. To configure servers that use Notes routing to transfer Internet mail to a Domino SMTP server requires use of a Foreign SMTP Domain document and an SMTP Connection document. MAIL Enabling a server to receive mail sent over SMTP routing To set up a server to receive SMTP-routed messages, you must enable the SMTP Listener. Then the server can "listen" for SMTP traffic over the TCP/IP port (usually port 25) and receive SMTP messages in the MAIL.BOX database(s). Enabling the SMTP listener causes the server SMTP task to start up automatically every time the server starts. Disabling the SMTP listener prevents the SMTP task from starting up when the server starts. Note Do not add SMTP as a task to the task list in the NOTES.INI file or this feature will not work. To enable or disable the SMTP Listener 1. From the Domino Administrator, click the Configuration tab and then expand the Server section.

2. Select the Server document to be edited it and then click Edit Server. 3. On the Basics tab, complete these fields: Field Fully qualified Internet host name Enter The server's complete combined host name and domain name, including the top-level domain. For example, smtp.acme.com; smtp is the host name; acme is the second-level domain; and .com is the top level domain. In the absence of a Global Domain document, the Router uses the entry in this field to determine the local Internet domain. Typically, the fully qualified host name is added to the Server document during server setup or by the Administration process (AdminP). A routing loop can result if this field does not contain a valid entry. SMTP listener task Choose one: Enabled to turn on the Listener so that the server can receive messages routed via SMTP routing

Disabled (default) to prevent the server from receiving messages routed via SMTP routing

4. Click the Ports - Internet Ports - Mail tab. 5. In the Mail (SMTP Inbound) column, ensure that the TCP/IP port status is set to Enabled, and then click Save and Close.

13) What is the Global Domain Document? MAIL How Domino uses Global domain documents during inbound and outbound SMTP routing When Domino receives an inbound SMTP message, it attempts to determine whether the message is for a local recipient. When the Domino Directory does not include a Global Domain document, Domino accepts only messages addressed to users in the same Internet domain as the server, as indicated in the Fully-qualified Internet host name that appears in the Server document. But if the Domino Directory includes a Global domain document, Domino can receive mail for multiple Internet domains. To determine whether to accept a message, Domino compares the domain part to the local primary Internet domain listed in the Global

domain document. If it does not find a match in this field, it examines the secondary Internet domains -- the "alternate Internet domain aliases" -- listed in that document. The role of Global domain documents in determining whether to accept inbound SMTP mail If the Domino Directory contains multiple Global domain documents, Domino uses a similar process to determine whether a recipient is local: it first checks the primary Internet domain in each Global Domain document, and then, if it still hasn't found a match, it continues by checking the alternate Internet domains. If the domain in the address does not match any of the domain entries in any Global domain document, the message is considered an attempt to relay, and Domino rejects the message. Inbound address lookup when the Domino Directory contains multiple Global Domain documents After Domino accepts a message, the Router attempts to match the recipient's Internet address to an entry in the Domino Directory. When looking up the recipient in the Domino Directory, if the domain suffix in the address matches an alternate Internet domain aliases defined in a Global Domain document, and no Person document includes this address, the Router performs a secondary lookup. In this secondary lookup, the Router pairs the local part of the address with the domain suffix of the primary Internet domain specified in the Global domain document. For example, a server receives a message for craig_bowker@acmewest.com. The Router searches all of the Person documents in the Domino Directory for this Internet address, but cannot find a match. However, in the Domino Directory, there is a Global domain document that includes the domain suffix acmewest.com as an alternate Internet domain alias. In this same Global Domain document, the primary Internet domain is acme.com. After the primary lookup fails, Domino performs a secondary lookup, using the address craig_bowker@acme.com. Domino performs secondary lookups only if the Router is configured to perform fullname, or fullname, then local part lookups. In cases where the Domino Directory contains multiple Global domain documents, and a secondary lookup is required, when replacing the domain suffix in the original address with the domain suffix of the primary Internet domain, the Router only considers Global domain documents that list the alternate Internet domain alias. That is, Domino always replaces the domain suffix from within a given document; it never replaces an alternate domain listed in one document with a primary domain from another document. To prevent the Router from using domain aliases when looking up addresses, do not include alternate Internet domain aliases in a Global domain document. Instead, create multiple Global Domain documents, each specifying a different primary Internet domain. Controlling outbound addresses construction with multiple Global domain documents

When the Domino Directory contains a single Global Domain document, the address construction rules in that document determine how a server forms the sender's address in an outbound SMTP message. However, if the Domino Directory contains multiple Global Domain documents, when constructing the sender's address, Domino uses the Internet domain specified in the Server document and the address construction rules defined in the Global Domain document listed last, alphabetically, in the directory. If you want Domino to form the sender's outbound address from the primary Internet domain and the address construction rules contained in a particular Global domain document, designate that document as the default Global Domain document. Designating a default Global domain document When there are multiple Global Domain documents in the Domino Directory, designate one as the default so that when a servers construct a sender's outbound Internet address, the addresses created are based on the primary Internet domain and address construction rules specified in the designated document. 1. From the Domino Administrator, click the Configuration tab and then expand the Messaging section. 2. Choose Domains, and click Global Domain 3. Select the Global Domain document you want to designate as the default and click Edit Domain. 4. On the Basics tab, complete following field, and then click Save & Close: Field Enter

Use as default Global Domain Select Yes to designate this Global Domain document as (for use with all Internet the default Global domain for this Domino Directory. protocols except HTTP)

14) Difference between Domino and Domain? 15) How many ways to open Notes.ini? 16) Difference between ACL and ECL? 17) Difference between R5 and R6? Differences between Domino R5 and Domino R6 The following options are different for Domino R5 and Domino R6: Domino R5 The "Access Server", "Run restricted Java/Javascript/COM" and "Run unrestricted Java/Javascript/COM" lists in the Security Section of the Server Document must contain

the name of the Internet user. Using the Lotus Domino Administrator 5 client you can enable this option by clicking the "Configuration" tab, then "Server / Current Server Document" and then the "Security" tab. On the "Security" tab in the "Server Access" section there is the "Access Server" list, in the "Java/COM restrictions" section are the "Run restricted Java/Javascript/COM" and "Run unrestricted Java/Javascript/COM" lists. Add to these three lists the name of the Internet user. Domino R6 The "Run unrestricted methods and operations" list on the Security tab of the Current Server Document must contain the Internet user name. Using the Lotus Domino Administrator 6 client you can enable this option by clicking the "Configuration" tab, then "Server / Current Server Document" and then the "Security" tab. On the "Security" tab in the "Programmability Restrictions" section there is the "Run unrestricted methods and operations". Add to this list the name of the Internet user.

18) What is the NRPC? What is Port number? Notes remote Procedure call Port Number 1352 10) What are the port numbers for SMTP, POP3, IMAP, HTTP, LDAP and SSL? 11) Difference between Replace and Refresh? http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21097253 Problem What are the differences between Replace Design and Refresh Design? Note: This information applies to all versions of Notes R3, R4, and R5 and 6. Cause Solution There are a few key differences between Replace Design and Refresh Design. First, Replacing the Design of a database will remove all design elements in a database and replace them with those from a new template. This process also resets the Database properties (specifically the Database properties you see on the Design tab in the InfoBox (a.k.a. Properties Box) when you select File, Database, Properties.) In contrast, Refresh Design will use this information to

do essentially the same job with the design elements, but the Design properties of the database will not change. Refresh Design is the process which runs every night on the server by default (Design server task). Second, Refresh Design will not give an option to select a new template. You can only select a different server to use as a template server for the Refresh process. An important side note to this information involves the attribute, 'Do not Allow Design Replace/Refresh To Modify.' This property of specific design elements will prevent the Replace Design or Refresh Design task from modifying the element. When the database as a whole inherits its design from a template, all new design elements will have this option selected by default. In contrast, if the database as a whole does not inherit its design from a template, all new design elements will have this option deselected. This is important because if the database property is changed, the design element property is not changed. It is also possible for a single design element to inherit its design from a different template than the database as a whole. Supporting Information: Design-Refresh details: - Design Refresh locates the template the database is based on by the template name (you can determine the template name by checking the Design tab in the InfoBox for Database properties. Select File, Database, Properties and switch to the Design tab, which is 4th tab from the left). - It scans both the database and the template for design elements. Design elements are considered to be corresponding versions based on the $TITLE field of the design note. - If there are Design elements in the database that do not have a corresponding element in the template, these design notes are deleted in the database. - If there are Design elements in the template that do not have a corresponding element in the database, these design notes are added to the database. Additionally: - If there is a Design element in the database which has a Design element of the same name in the Template, first the sequence times are compared to check the revisions.

In case there is no difference -> skip Design Element. Given the Sequence time of the Template is different -> update Design Element Actually when updating the design element it checks whether there really are changes to the Design element, for example, by looking in the $AssistVersion field of an agent. In case there is no difference the update is only logged but not done/executed. Whenever you apply changes to an agent using the Notes Client, even changes of the aliases in the Title, the $AssistVersion field is updated. Notes: - This does not apply to private views or folders that are stored in the client's Desktop.dsk file. - Design Refresh does not use the Universal IDs of the Design elements, but only names and aliases to identify what to update/add/remove. - The Designer Task has an issue customers should be aware of; for more information refer to the document "Load Design Server Task Only Refreshes Databases the First Time" (#162622 ) . Design-Replace details: The only difference from Design-Refresh is that first the template name the database is inherited from is changed to the new one. After this a regular design refresh runs. This means: - The existing Design notes are not swept from the database in the first step. In case there are Design elements of the same name, these are "updated" using the logic described above. What if you have duplicate design elements in your database? Does Designer remove one of these? This might happen when replicating the templates and/or databases containing design elements that do have the same Title but different universal ID. Unfortunately, neither the Design task nor Design - Replace or Design - Refresh detect this. They update only the first design note found having the same title in the template. The other design note is left untouched. One must manually remove the obsolete design

element from the database or replace the design. Additionally: A design element may be inherited from a different template than specified in the Database properties. You will find this on the Design tab in the properties of the design element itself. When doing a Design Refresh these are taken from the appropriate database. Related Documents: Load Design Server Task Only Refreshes Databases the First Time Document #: 1093752 (162622) Replacing R5 Design with Template Having Hidden Design Does not Delete Existing Design Elements Document #: 1087252 (171851) "Inherit Design from Template" Option Unchecked After User Is Renamed Using AdminP Document #: 1092014 (164002) Refresh Design Does not Replace Design Elements which Have Been Modified in the Db Document #: 1156429 Related Old Product Document: Which Mail Template Is Used when Registering a New Notes User? Document #: 148470

12) Difference between Updall and Update? Database Indexing Indexing View indexes are used to display the list of documents in a database. They are created automatically, and are kept up to date by the system UPDATE task. This means that if you create a new document, it will not appear on the index until the UPDATE task runs, or you run an update manually. Full-text indexes are used to speed up document searches. Full-text Indexes are created manually, and are also maintained automatically by UPDATE, or by manually forcing an

update. Indexes are not replicated across servers, so each replicated copy of a database needs a full-text index defined. If you want to update a specific database full-text index, Select Files tab for the required database, then Tools - Database - Full Text Index - Update - OK Indexes are updated automatically by the UPDATE task. You set the frequency of update in the same panel. Options are

Daily Hourly Immediate Scheduled (by UPDALL server task)

To create a full-text index, select the files tab, then select Tools - Database - Full-text Index and follow the instructions on the screen. If you index an encrypted field, other users may be able to read the encrypted text without the encryption key. Full-text indexes are stored in a subdirectory, which is in the same directory as the main database. The subdirectory will be called databasename.ft If an index becomes corrupt then do not delete the subdirectory manually, but use the Index tool described above to delete it. You can also search multiple databases using a Multiple database index for example srchsite.ntf, define the search scope by specifying which databases to include then Select Files - Tools - Database - Multi-database Index Follow the instructions shown to create a full-text index for the Search-Site database UPDATE and UPDALL tasks UPDATE is usually scheduled to run continuously on the server, UPDALL will be scheduled to run overnight, and can also be run on demand. The main differences between them are

UPDALL will refresh the full-test indexes on all databases, UPDATE only refreshes those which are set to immediate or hourly UPDALL will purge deletion stubs UPDALL can be run manually with options UPDALL will delete unused view indexes

To run UPDALL (maybe to fix a corrupt index), enter the command LOAD UPDALL PATH OPTIONS

from the server console. PATH is the pathname to the database or databases you want refreshed. Options include

-F only update full-text indexes -V only update views -X only rebuild views -R rebuild both full-text indexes and view indexes. Use carefully, it will use loads of resource

There are loads of other options, which restrict the actions depending on database refresh settings.

13) Difference between compact and fixup? Problem How can a Domino administrator view the UPDALL, FIXUP, and COMPACT options from the Domino server console? You do not have access to client Help files as the server is in a secure area and no client is available, and you need to find information about the different options for Updall, Fixup, and Compact. Solution To display online Help information for these commands, you enter the command followed by a hypen and question mark (-?). Examples of the complete command to enter and the output are below. Issue the command "load updall -?" at the Domino server console to get following output:

Similarly, the commands you issue to see the online help text for the other tasks are as follows: load fixup -? load compact -? For more information on the Load command, see the section titled "Load" in the Domino Administrator Help.

14) What is the transaction logging? How many types are there for Transaction logging? How do you disable transaction logging? 15) What are the features in R6?

Microsoft Word Docum ent

16) What is Minimum configuration and Maximum configuration for Domino? 17) How do you monitor the server? 18) How do you replicate the address book from location to another location? 19) What are the necessary files for backup? 20) How many partitions can support domino? INSTALLATION Partitioned servers Using Domino server partitioning, you can run multiple instances of the Domino server on a single computer. By doing so, you reduce hardware expenses and minimize the number of computers to administer because, instead of purchasing multiple small computers to run Domino servers that might not take advantage of the resources available to them, you can purchase a single, more powerful computer and run multiple instances of the Domino server on that single machine. On a Domino partitioned server, all partitions share the same Domino program directory, and thus share one set of Domino executable files. However, each partition has its own Domino data directory and NOTES.INI file; thus each has its own copy of the Domino Directory and other administrative databases.

If one partition shuts down, the others continue to run. If a partition encounters a fatal error, Domino's fault recovery feature restarts only that partition, not the entire computer. For information on setting up fault recovery, see the topic Fault recovery. Partitioned servers can provide the scalability you need while also providing security. As your system grows, you can migrate users from a partition to a separate server. A partitioned server can also be a member of a cluster if you require high availability of databases. Security for a partitioned server is the same as for a single server. When you set up a partitioned server, you must run the same version of Domino on each partition. However, if the server runs on UNIX, there is an alternative means to run multiple instances of Domino on the server: on UNIX, you can run different versions of Domino on a single computer, each version with its own program directory. You can even run multiple instances of each version by installing it as a Domino partitioned server. For more information, see the topic Installing Domino on UNIX systems. Deciding whether to use partitioned servers Whether or not to use partitioned servers depends, in part, on how you set up Domino domains. A partitioned server is most useful when the partitions are in different Domino domains. For example, using a partitioned server, you can dedicate different Domino domains to different customers or set up multiple Web sites. A partitioned server with partitions all in the same Domino domain often uses more computer resources and disk space than a single server that runs multiple services. When making the decision to use partitioned servers, remember that it is easier to administer a single server than it is to administer multiple partitions. However, if your goal is to isolate certain server functions on the network -- for example, to isolate the messaging hub from the replication hub or isolate work groups for resource and activity logging -- you might be willing to take on the additional administrative work. In addition, running a partitioned server on a multiprocessor computer may improve performance, even when the partitions are in the same domain, because the computer simultaneously runs certain processes. To give Notes users access to a Domino server where they can create and run Domino applications, use a partitioned server. However, to provide customers with Internet access to a specific set of Domino applications, set up an xSP server environment. Deciding how many partitions to have How many partitions you can install without noticeably diminishing performance depends on the power of the computer and the operating system the computer uses. For

optimal performance, partition multiprocessor computers that have at least one, and preferably two, processors for each partition that you install on the computer. 21) How many cluster servers can support domino?

Workload balancing with Domino clusters Level: Advanced Document options Print this page E-mail this page Document options requiring JavaScript are not displayed Rate this page Help us improve this content

Michael Kistler, Senior Software Engineer , Software Solutions Division 01 Dec 1997 This article explores some of the common approaches to workload balancing available to Domino administrators, with special emphasis on the server workload balancing capabilities of Domino Advanced Services' clustering feature. Many customers today are looking for ways to make their Domino servers highly available. Domino clustering satisfies this need by providing failover of databases and server facilities to other servers in the cluster. This is an important capability, but it has been covered by a number of other articles, most notably the articles, "Lotus Domino Advanced Services: High Availability Powered by Notes" and "Notes.Net exposed: Using Domino clusters for your Web site." Another key requirement for customers using Domino for enterprise-class, business-critical applications is scalability. Basically, scalability is the ability to add computing power to an existing system in a seamless fashion. A key aspect of scalability is workload balancing, which is the ability to distribute workload to the available computer resources in a way that maximizes the utilization of these resources. Workload balancing is not new to Domino. There are a number of mechanisms a Domino administrator can use to balance workload across a set of Domino servers. The clustering feature of Domino Advanced Services takes workload balancing a giant step forward by enabling you to scale your Domino installation in a way that is relatively transparent to end users. Many of the platforms that support the Domino server also provide some form of built-in clustering support. In particular, there has been considerable attention paid to the newly introduced Microsoft Cluster Server (code named "Wolfpack"). While these OS-level clustering solutions have some distinct benefits, most provide support only for application failover, no workload balancing. In particular, the Microsoft Cluster Server will not support workload balancing until its "phase two" release, which isn't expected until late 1998 at the earliest. Therefore, customers looking to build truly scaleable Domino installations need to strongly consider Domino clustering. This article will explore some of the common approaches for workload balancing available to Domino administrators, with

special emphasis on the server workload balancing capabilities in the clustering feature of Domino Advanced Services. Workload balancing in Domino Domino administrators can use a number of techniques for balancing workload across servers in a Domino domain. Two of the most effective techniques are: Allocating users and applications to servers. The administrator can assign users to home servers in a way that spreads the load across this set of servers. Similarly, the administrator can spread applications (databases) across a set of servers, and create replicas when necessary, to spread the application load across a set of servers. Setting the maximum number of users for a server. Through a Notes.ini setting, Server_MaxUsers, the administrator can specify the maximum number of user sessions allowed on a server. When the server reaches this limit, it rejects requests for additional sessions until the number of sessions again falls below the Server_MaxUsers value. These techniques work on any Domino server, whether or not it is part of a Domino cluster. While these techniques are generally effective, they are somewhat static and coarse grained. The real advantages come when you use Domino clusters for workload balancing. In Domino clustering, server workload balancing allows heavily-used servers to pass requests to other cluster servers. This form of workload balancing is dynamic, fine grained, and generally transparent to the user, which means that work can be evenly distributed across the servers in the cluster. Clusters let you grow your system as the number of users you support increases. You can distribute user accounts across clusters and balance additional workloads to optimize system performance. You can create multiple database replicas to maximize data availability and move users to other servers or clusters as you plan for future growth. Back to top

Overview of workload balancing in Domino clusters The Domino server and Notes client work together to provide workload balancing. When running as part of a cluster, the Domino server constantly monitors its own workload. To measure the workload, the Cluster Manager process on the server monitors the average response time of a representative set of server operations initiated by Notes clients (network time is not considered). The Cluster Manager also polls all the other servers in the cluster to determine their workload. When the workload on a server exceeds a certain level designated by the administrator, the server becomes "busy," and the Domino server rejects subsequent database open requests until the workload falls back below the specified level. When the cluster-aware client (Notes R4 or later) tries to access a database on a busy server, it receives an error code indicating the server is busy. The client then contacts the Cluster Manager on one of the servers in the cluster. (Whenever the client accesses a server that is a member of a cluster, it stores a list of servers in the cluster in a persistent cache.) The Cluster Manager uses the Cluster Database Directory (CLDBDIR) to determine which other servers in the cluster have replicas of the database being requested, and then selects the least heavily loaded of these servers to handle the client request. The client then reissues the open request to this server. Note that this target server could be the same as the original server. On this second request, the open will succeed even if the target server is busy. Figure 4. Workload balancing animation

Similar to failover, an icon for the new database will appear in the workspace, either stacked on top of the original icon or in a free area on the same workspace page as the original icon. Workload balancing can be triggered in a wide variety of situations, such as: A user double-clicks on a database icon in the workspace. A user tries to launch a doclink, view link, or database link that is connected to a server that is busy. A user activates a field, action, or button that contains an @Command(FileOpenDatabase) formula and the specified server is busy. A LotusScript routine issues a DB.OPENWITHFAILOVER call to open a database on a server that is busy. An agent written in Java issues an openDatabase method with the failover parameter set to True for a database on a server that is busy. A C API program issues an NSFDbOpenExtended call to open a database on a server that is busy. Back to top

Distribution of databases in the cluster In a cluster, the distribution of users and databases takes on a new importance. When a server in the cluster fails, user requests are automatically redirected to other servers in the cluster. Ideally, this load should be spread equally across all other servers in the cluster. However, this can only happen when replicas of the databases on the failed server are spread roughly equally across the other servers in the cluster. An example can illustrate this best. Suppose you have 1200 mail users that you want to put on a cluster with four servers. To start, you will probably allocate 300 users to each server. Now, to give these users high availability to their mail databases, you want to create a replica of each user's mail file on another server in the cluster. You might take all users on Server 1 and put a replica of their mail file on Server 2. This is not a good idea. If Server 1 fails, all 300 of its users will be redirected to Server 2. Servers 3 and 4 will not absorb any of this failover load, because the necessary databases are only available on

Server 2. Clearly, a better approach is to spread the replicas for Server 1's users across the other three servers. If these are spread evenly -- that is, 100 of Server 1's users on Server 2, 100 on Server 3, and 100 on Server 4 -- a failure of Server 1 should result in a roughly equal increase in workload for the other three servers in the cluster. Figure 1. Mail user distribution across four servers

Back to top

The server availability index As mentioned above, each server in a cluster periodically determines its own workload, based on the average response time of requests recently processed by the server. The workload on the server is expressed as the server availability index, which is a value between 0 and 100, where 100 indicates a lightly loaded server (fast response times), and 0 is a heavily loaded server (slow response times). Despite the fact that the server availability index is a number between 0 and 100, it is not a percentage. Some people think that a server availability index of, say 85, means that the server is 85% available. This is not the case -- in fact, it is far from it. The actual formula for determining the availability index is not described anywhere in the Notes publications. What I am about to tell you is accurate for the Notes 4.5 and 4.6 releases, but may change in future releases. The server availability index is closely related to a common performance metric called the expansion factor. The expansion factor is simply the ratio of the response time for a function under the current load to the response time for this same function in an optimum (light load) condition. So, for example, if the system currently takes 3 seconds to perform a database open, but could perform the same database open in .3 seconds under optimum conditions, the expansion factor for this operation is 10. The expansion factor for a set of operations can be computed as a simple weighted average. To compute the server availability index, the Domino server computes the expansion factor for a representative set of Notes RPC transactions over a recent time interval (roughly the last minute). The server availability index is then set to 100 minus this expansion factor.

Remember that the server availability index only considers the response time as measured at the server, which is typically only a small portion of the overall response time as seen by clients. In particular, the network time between the client and server often accounts for a significant portion of client response time. So a server availability index of 90 does not indicate that the response time as seen by clients is ten times the optimal value -- only that the server processing of this request took ten times longer than the optimal value. Back to top

The server availability threshold Now that you know how Domino measures server load, you are ready to configure the server to indicate when it is busy. This is done with a Notes.ini setting called Server_Availability_Threshold. When Domino recalculates the server availability index (approximately once a minute), it checks to see if the index is below the server availability threshold. If the server availability index is less than the server availability threshold, the server is marked as busy. In other words, the server availability threshold specifies the lowest value of the server availability index for which the server should be considered to be available. To set the server availability threshold, edit the Notes.ini file for the server and add the following: Server_Availability_Threshold=<threshold value> Or you can set the threshold from the Domino server console with the command: Set Config Server_Availability_Threshold=<threshold value> When set from the server console, the new threshold value takes effect immediately. When set by editing Notes.ini, the new threshold value takes effect the next time the server is started. The default value for the server availability threshold is 0, which means load balancing is effectively disabled. Specifying a threshold value of 100 puts the server into the busy state regardless of its actual availability. Back to top

Selecting the proper server availability threshold As you have probably guessed, the server availability threshold is a key configuration setting for workload balancing. Therefore, you should choose this parameter with some care. Setting the threshold too high can cause user requests to fail unnecessarily. Setting the threshold too low can result in poor performance for some users that may have received better service from another server. One point I must stress is that workload balancing is not a solution for a general capacity problem. If your Domino servers are struggling to keep up with the workload they have, and there aren't other available servers to handle the excess workload enabling workload balancing will only exacerbate the problem. In other words, don't think that increasing the server availability threshold will necessarily make your server more responsive. If there is nowhere else to send client requests, they will continue to be handled by the busy server, and the process of looking for another available server for each request will only worsen the workload on the server. To determine the proper value for the server availability threshold, you should start by simply monitoring the server availability index during periods of normal to heavy load. There are a number of ways to do this. One way is to use the built

in statistics monitoring of Domino (described in more detail later). If your server is running Windows NT, you can also use the Windows NT Performance Monitor to monitor any of the Domino server statistics (see Maintaining the Domino System for details on how to enable this feature). In particular, this gives you a way to graphically monitor the server availability index (statistic Server.Cluster.AvailabilityIndex). I recommend you set the Update Time (under Chart/Options) to 60 seconds, since this is how often the Stats package (which is the source for this data) is updated. It may seem natural to set the server availability threshold to the same value on all servers in the cluster. While this may be a good rule of thumb, differences in hardware, operating systems, and levels of the Domino server can influence the server availability index and thus the proper setting of the server availability threshold. Once you have gathered some data on the range of typical values of the server availability index for a server, the next step is to select an initial value for the server availability threshold. This should be a value toward the lower end of the range of typical values. You should also consider how a server outage may impact server workload. If a server in the cluster fails, the failover capability in Domino clustering will direct clients to other servers in the cluster. To allow for this case, you may want to set the server availability threshold to allow some "extra" capacity to handle the failover workload. Note that the extra capacity needed for failover depends on how many servers are in the cluster. For a cluster with just two servers, you would need to allow for an almost 100% increase in workload in the event of a server failure. When there are six servers in the cluster, each server would only need to handle roughly 20% increase in workload. Once you've selected an initial value, configure this on the server and monitor its operations. Domino gathers a number of statistics on cluster failover and workload balancing that you can use to monitor how well things are going. You can see these statistics by using the Show Statistics server command at the server console. You can also report statistics to any database designed for this purpose, although typically the database is the Statistics database (STATREP.NSF). The Collecto or Reporter task creates the Statistics database automatically if you choose to report statistics to it and if it doesn't exist already. Cluster statistics are available in the Statistics Report / Cluster view. The statistics related to clustering all have the prefix "Server.Cluster". These are all documented in the Domino Administration Help. Of particular interest when evaluating the workload balancing for a server are the following:

22) What do you know about pass-through server? 23) What is the CA? 24) Difference between connection document and Program document? 25) Difference between server document and configuration document? 26) What are the tasks run server when clustering is started? 27) Difference between Newcopy and replication? 28) Difference between NNN and DNN? http://www.leadershipbynumbers.com/MS.nsf/d6plinks/BMMA-68MKMF 29) What is the information is contain id file? Password Public KEY Private Key 30) What is ISPY?

http://www.alise.lv/ALISE/technolog.nsf/0/e69349554888d8654225690600470d8c? OpenDocument The Ispy Domino Server Task Tmas:Lotus Domino, Lotus Domino servera administrana From "How You Can Use New Capabilities of Domino R5 and the Administrator Client to Meet Administrative Service Level Agreements," by Dwight Morse, the Lotus product manager for Domino administration and management, which originally appeared in the March/April 2000 edition of The View, http://www.eview.com. In addition to Server probes, you can configure probes that monitor Mail and Internet services in your network. The new Domino R5 server task, Ispy, must be running in order for your Mail and Internet probes to work (the Ispy task is not required for Server probes). To enable the Ispy server task, add ISPY to the ServerTasks= line in the server's NOTES.INI file. The ServerTasks parameter is not dynamic, so just adding a task will not cause that task to start. To get Ispy to launch immediately, start the task from the Administrator Client in the Server Status tab, or type "Load ISPY" at the server console (or remote server console). You'll still want to add Ispy to the NOTES.INI to ensure that it launches every time the server does. Configuring Mail Delivery Probes You can set up a probe that monitors Mail delivery time in the same general area of the Administration Client as you configure a Server probe, and in much the same way. Mail probes are configured on the Configuration tab, under Statistics & Events(alternatively, you can configure them right in the Statistics & Events database). In the Administrator Client, click "Mail," then "New Mail Probe." A mail probe measures the message delivery time from a specified server to a particular user. This measurement allows you to keep tabs on how long it takes new mail to get from point A to point B in your network, or to monitor the delivery times of messages sent to important executives. When configuring a Mail probe, it's a good idea to set up an event notification if the response time goes beyond a desired threshold. You do this the same way you did for the server response time. Notice that you can set the probe interval for a Mail probe in the "Send interval" field. How long you set this interval depends on how important it is to you and your organization to get response time data. Keep in mind that Mail probes initiate network traffic between servers. If bandwidth is a concern when considering Mail response times, adding many probes will add to the

problem. The statistics associated with Mail probes all start with the letters QOS, which stand for "Quality Of Service." QOS is the first string in a group of service level type statistics, including the Internet services statistics that are created when you configure TCP Server probes.

31) Difference between Public key and private key? http://www.codestore.net/help/help6_admin.nsf/b3266a3c17f9bb7085256b870069c0a9/e 67d2b4b646d575985256c1d0039938a?OpenDocument SECURITY Encryption Encryption protects data from unauthorized access. Using Notes and Domino, you can encrypt: Messages sent to other users. Then an unauthorized user cannot read the message while it is in transit. You can also encrypt saved and incoming messages. Network ports. Encrypting information sent between a Notes workstation and a Domino server, or between two Domino servers, prevents unauthorized users from reading the data while it is in transit. SSL transactions. You can use SSL to encrypt information sent between an Internet client, such as a Notes client, and an Internet server, to prevent unauthorized users from reading the data while it is in transit. Fields, documents, and databases. Application developers can encrypt fields within a document, an entire document, and local databases. Then only the specified users can read the information. For information on SSL encryption, see the topic Setting up SSL on a Domino Server. For information on field, document, and database encryption, see Lotus Domino Designer 6 Help. Public and private keys For all types of encryption except network port encryption, Domino uses public and private keys so that data encrypted by one of the keys can be decrypted only by the other. The public and private keys are mathematically related and uniquely identify the user. Both are stored in the ID file. Within the ID file, the public key is stored in a certificate,

but the private key is stored separately from the certificate. The certificate containing the public key is also stored in the Domino Directory, where it is available to other users. Domino uses two types of public and private keys -- Notes and Internet. You use the Notes public key to encrypt fields, documents, databases, and messages sent to other Notes users, while the Notes private key is used for decryption. Similarly, you use the Internet public key for S/MIME encryption and the Internet private key for S/MIME decryption. For both Notes and Internet key pairs, electronic signatures are created with private keys and verified with public keys. You can use one set of Internet public and private keys or you can set up Notes to use a set of Internet keys for S/MIME signatures and SSL and another set for S/MIME encryption. For information on dual Internet certificates, see the topic Dual Internet certificates for S/MIME encryption and signatures. When you register a user, Domino automatically creates a Notes certificate, which contains the user's public keys, and adds it to the ID file and the Domino Directory. The private key is created and stored in the ID file. You can also create Internet public and private keys after user registration. Domino stores Internet certificates, which contain public keys, in the ID file and also in the Domino Directory. The Internet private key is stored in the ID file, separately from the certificate. To create Notes public and private keys, Domino uses the dual-key RSA Cryptosystem and the RC2 and RC4 algorithms for encryption. To create the Internet public key, Domino uses the x.509 certificate format, which is an industry-standard format that many applications, including Domino, understand. Both the Notes client and Domino server support 1024-bit RSA key and 128-bit symmetric key for S/MIME and SSL. The Notes proprietary protocols use a 630-bit key for key exchange, and a 64-bit symmetric key. Encryption strength All Notes IDs contain two public/private key pairs. Prior to 5.0.4, key lengths were restricted for the purposes of encrypting data, but not for authentication or signing. Anything over 512-bit RSA key and 56-bit symmetric key was considered strong encryption and was not allowed for export by the U.S. Government. Customers were required to order and choose among kits of different cryptographic strengths. With the relaxation of US government regulations on the export of cryptography, the Domino server and the Domino Administrator, Domino Designer, and Lotus Notes client products have consolidated all previous encryption strengths -- North American, International, and France -- into one strong encryption level resulting in a single "Global" release of the products. The Global release adopts the encryption characteristics

previously known as North American. Strong encryption in Global products can be used worldwide, except in countries whose import laws prohibit it, or except in those countries to which the export of goods and services is prohibited by the U.S. government. Customers are no longer required to order Notes software according to cryptographic strength. When you upgrade to a Global release of Domino and Notes, stronger cryptography will be used without a requirement to reissue existing IDs. These changes are seamless to users as well as administrators. When two different versions of software are communicating, the encryption negotiation will result in a step-down to the weaker level. Therefore, the full benefits of stronger encryption will only be realized when all software has been upgraded to the Global (release 5.0.4 and later) level. However, any mixed versions of the software will interoperate. The "Register New User" dialog box still offers a choice between North American and International Ids. It was left this way because administrators often use the North American or International distinction for administration purposes, or there may be older versions of the software still in use in some companies. In addition, countries have their own import rules. Preserving this distinction will allow Lotus to respond to specific country changes, if required. Note These regulations pertain only to export from the United States. For other countries with import regulations, customers need to check the requirements of the specific country. While Lotus takes all steps to acquiesce with governmental encryption regulations worldwide, Lotus recommends that customers familiarize themselves with local encryption regulations to remain in compliance. Interoperability issues

Support for ID types. Both North American and International ID types continue to be supported for the Global release. This is for backward compatibility with pre-5.0.4 clients. Lotus Notes users can keep their existing International IDs if the Global version of the software is installed. The Global version will automatically allow the use of stronger encryption. Browser users can keep their existing key ring, but users must follow the manufacturer's recommendations for upgrading the browser to stronger encryption. Interoperability with post-5.0.4 releases. If your organization's clients and servers are all running release 5.0.4 or later, it makes no difference whether you create North American or International IDs. Both types of ID will work the same way. Interoperability with pre-5.0.4 releases. Lotus Notes users, as well as Domino servers which have been upgraded to release 5.0.4 and later, can authenticate and continue day-to-day operations securely with clients and servers running on earlier releases of software. However, if your organization has clients or servers running releases earlier than Notes and Domino 5.0.4, you should continue to create the same types of IDs you created with the earlier versions. International

versions of releases prior to 5.0.4 do not allow users to switch to North American IDs, so when registering new international users, you shouldn't create only North American IDs. Similarly, North American versions of earlier releases use weaker cryptography when running with International IDs, so you shouldn't create only International IDs. The best strategy for deciding between North American and International IDs is to continue using the decision process that was in place for earlier releases of Notes and Domino. Eventually, as you upgrade the Notes clients and Domino servers, the decision will not matter. 32) What are the Topologies for the Domino? Replication Topology MailRouting Topology 33) How many Organizations we can create? 34) How many Organizations Units we can create? 35) How many ways are there to create / Register user? http://www.codestore.net/help/help6_admin.nsf/0/39010a286bd5465285256c1d003919fa ?OpenDocument USER AND SERVER CONFIGURATION Using Advanced Notes user registration with the Domino Administrator Advanced registration offers all the settings included in Basic registration and also allows you to change default settings and apply advanced settings to users. Note You can modify user settings at any time once you add the user to the User Registration Queue by selecting the user from the queue and then making changes. You can also modify certain settings for multiple users at once by selecting the users in the queue and making changes. You can cancel user registration and clear all fields at any time by clicking the red X. Hosted Environments If you are working in a hosted environment, when registering users, ensure that you are using a certifier that was created for the hosted organization into which you are registering the users. This applies regardless of whether you are using a certifier and password or the server-based CA. To use Advanced registration with the Domino Administrator

1. Make sure you have the following access before you begin registration:

Access to the certifier ID and its password, if you are not using the Lotus Domino 6 server-based certification authority (CA). Access to the Domino Directory from the machine you work on Editor access or Author access with Create Documents role and the UserCreator privilege in the Domino Directory on the registration server Create new databases access on the mail server if you plan to create user mail files during registration Create explicit policies and settings documents if you plan to use policy-based system administration Access to the certification log (CERTLOG.NSF) on the registration server

2. From the Domino Administrator, click the People & Groups tab. 3. From the Servers pane, choose the server to work from. 4. Select Domino Directories, and then select People. 5. From the Tools pane, click People - Register. 6. Enter the certifier password and click OK. Note The Certifier Information Recovery Warning dialog box appears. Review the information in the dialog box, select the check box and click OK. 7. Click Advanced. 8. From the Basic tab, complete these fields: Field Registration Server Enter Click Registration Server to change the registration server (which is the server that initially stores the Person document until the Domino Directory replicates), select the server that registers all new users, and then click OK. If you have not defined a registration server in Administration Preferences, this server is by default one of these: The local server if it contains a Domino Directory The server specified in NewUserServer setting of the NOTES.INI file

The administration server

First name, Middle name, The user's first and last names and (if necessary) middle name.

Last name

The user's Short name and Internet address are automatically generated. To change the Short name or Internet address, click the appropriate space and enter the new text. A short name in the format FirstInitialLastName is automatically created as you enter the user's name. For example, JSmith is the short name for John Smith. You can modify this field. A password for the user ID. Click Password options to set a level for the password in the Password Quality Scale. The default level is 8. For more information, see "Understanding the password quality scale." Click the check box "Set Internet password" to give Internet users name and password access to a Domino server and to set an Internet password in the Person document. This field is automatically selected if you select the Other Internet, POP, iNotes, or IMAP mail types. Click "Synch Internet password with Notes ID password" to make the Internet password in the Person document the same as the Notes password. This is a requirement for users who want to use iNotes Web Access to read encrypted mail or work offline.

Short name

Password Password options

Mail system Explicit policy Policy synopsis Let this person roam

Click to change the user's mail system from the default of Lotus Notes to an Internet-based system or iNotes Web Access. Select the explicit policy to apply to this user. For more information on policies, see "Policies." Click to see a summary of this user's effective policies. Click to enable roaming capabilities for this user. Doing so enables the Roaming tab.

Create a Notes ID for this Click to create a Notes ID for this person during the registration person process. 9. Click the Mail tab and complete any of these fields. Domino uses default values (if available) for any fields you do not modify. Field Mail system Enter Choose one of the available mail types and complete the necessary associated fields: Lotus Notes (default) Other Internet POP IMAP

iNotes Other None

If you select Lotus Notes, POP, or IMAP, the Internet address is automatically generated. If you select Other Internet, POP, or IMAP, the Internet password is set by default. If you select iNotes (iNotes Web Access), you can change other user registration selections to iNotes Web Access defaults by clicking Yes when prompted. If you select Other or Other Internet, enter a forwarding address. This address is the user's current address, where the user wants mail to be sent. For example, if a user temporarily works at a different location and/or uses a different mail system, the user can have her mail forwarded to that new address. Or, a user may resign from the company but leave a forwarding address so that mail addressed to the old address is forwarded to the new location. Mail server The user's mail server. If you have not defined a mail server in Administration Preferences, this server is (by default) the local server if it contains a Domino Directory; otherwise, it is the Administration server. The file name of the mail file. By default, the path and file name are mail\<firstinitial><first7charactersoflastname>.nsf. Choose one: Create file now (default) Create file in background - Creating mail files in the background forces the Administration Process to create the files and saves time during the user registration process. When you migrate users who have mail to convert, this field is automatically set to Create file now. Mail file template A mail template from the list of available mail templates. For a description of the template, select the template and click About. The default is Mail(R6) (MAIL6.NTF). Click to open the Mail Replica Creation Options dialog box on which you can select the servers to which the mail file will replicate. This option only applies to clustered servers. Select the level of access in the access control list to assign to the

Mail file name Create file now/Create file in background

Create full text index Click to generate a full-text index of the mail database. Mail file replicas

Mail file owner

access

user of the mail database from the Mail file owner access list. By default, mail users have Editor with Delete documents access to their own mail files; all other users have no access. This option can be used to prevent mail users and/or owners from deleting their own mail file. If the mail owner access is Designer or Editor, the administrator ID currently being used is added to the mail file ACL as Manager. Click to enable, and then specify a size limit (maximum of 10GB) for a user's mail database. Click to generate a warning when the user's mail database reaches a certain size, and then enter the warning size (maximum of 10GB).

Set database quota Set warning threshold

10. Click the Address tab, and enter values in any of these fields. Domino uses default values (if available) for any fields you do not modify. Field Internet address Internet Domain Address name format Separator Enter The Internet e-mail address assigned to this user. The domain to be used in the Internet address -- for example, Acme.com. The format of the Internet address. The default format is FirstNameLastName@Internet domain without a separator -- for example, RobinRutherford@Acme.com. The character inserted between names and initials in the Internet address. The default is None.

11. Click the ID Info tab, and enter values in any of these fields. Domino uses default values (if available) for any fields you do not modify. Field Enter

Create a Notes ID for Click to create a Notes ID for this user. this person Certifier Name list Choose a certifier ID to use when creating the user name during user registration when a Notes user ID is not being created for the user. This field appears if the check box "Create a Notes ID for this person" is not selected. If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization. Use CA process Click to use the Lotus Domino 6 server-based certification

authority (CA) to register this user. The certifier ID and password will not be needed to complete the user registration process if you use the Lotus Domino 6 CA. If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization. This field appears if the check box "Create a Notes ID for this person" is selected. Certifier ID Click if you want to use a certifier ID and password instead of the server-based CA. To change to a different certifier ID, click Certifier ID, select the new ID, enter the password, and then click OK. If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization. This field appears if the check box "Create a Notes ID for this person" is selected. Security type Choose either North American or International. The security type determines the type of ID file created and affects encryption when sending and receiving mail and encrypting data. North American is the stronger of the two types. This field appears if the check box "Create a Notes ID for this person" is selected. Certification expiration date The expiration date of the user ID in mm-dd-yy format. The default is two years from the current date. This field appears if the check box "Create a Notes ID for this person" is selected. Location for storing user ID Choose one: In Domino Directory (default). The ID file is stored as an attachment to the user's Person document. In file (default location: <datadirectory>\ids\people\user.id). Click Set ID file to change path. In mail file. This option is only available with iNotes Web Access and allows Notes users to read their encrypted mail while using iNotes Web Access. This field appears if the check box "Create a Notes ID for this

person" is selected. 12. (Optional) To add the user to an existing group:


Click the Groups tab with the user highlighted (you can highlight multiple users also). Select the group or groups to assign and click Add.

For more information on adding users to groups, see the topic Adding members to a group. 13. (Optional) If you have enabled roaming capabilities for the user, click the Roaming tab, and complete any of these fields. The fields do not appear if you did not click "Let this person roam" on the Basic tab and "Create a Notes ID for this person." Domino uses default values (if available) for fields you do not modify. Field Enter

Put roaming user Click to store the user's roaming information on the same server used files on mail server for mail. Roaming Server Click Roaming Server to open the Choose Roaming User Files Server dialog box on which you specify the server that stores the user's roaming information. If you select Put roaming user files on mail server, the Roaming Server defaults to the user's mail server. The subdirectory that contains the user's roaming information. By default, this is based on the sub-folder format you specify, but you can customize it.

Personal roaming folder

Sub-folder format The method used to name roaming subdirectories on the roaming server. This determines the default Personal roaming folder for each user. Create roaming files now/Create roaming files in background Choose one of these: Create file now - Default

Create roaming files in background - Click to create the user's roaming files the next time the Administration Process runs. Creating roaming files in the background forces the Administration Process to create the files and saves time during the user registration process.

Clean-up option

Choose one of the following roaming user client clean-up options. Clean-up will only occur on clients that have been installed and configured for multiple users. Do not clean-up (default). -- Roaming user data will never be deleted from the Notes client workstation to which the user roamed.

Clean-up periodically. -- Enables the "Clean up every N days" field on which you specify the number of days that should pass before roaming user data is deleted from the Notes client workstation. Clean-up at Notes shutdown. -- Roaming user data will be deleted from the Notes client workstation immediately upon Notes shutdown. Prompt user -- The user is prompted on exiting the client as to whether they want to clean up their personal files. If the user chooses Yes, the data directory on that client workstation is deleted. If the user chooses No, the user is prompted as to whether they want to be asked again on that client. If the user chooses No, the user is not prompted again. If the user chooses Yes, the user is prompted again the next time the user exits the client on that workstation.

Roaming Replicas Click this button to open the "Roaming Files Replica Creations Options" dialog box on which you can designate to which servers a user's roaming files should replicate. This option only applies to clustered servers. 14. Click the Other tab, and complete any of these fields. Domino uses default values (if available) for fields you do not modify. Field Setup profile Enter Name of an R5 User Setup profile to assign. Note If you are using policies, you cannot use a user setup profile. Unique org unit Location Local administrator A word that distinguishes two users who have the same name and are certified by the same certifier ID. Departmental or geographical location of the user. The name of a user who has Author access to the Domino Directory but who does not have the UserModifier role. This setting allows the local administrator to edit Person documents. A comment about the user, regarding the user's registration. Choice of alternate name language. The certifier ID used to register this user must contain the alternate name language for it to appear here. For more information, see Adding an alternate name and language.

Comment Alternate name language

Alternate name

The alternate name of the user. The certifier ID used to register this user must contain the alternate name language for it to appear here. A word that distinguishes two users who have the same name and are certified by the same certifier ID. The certifier ID used to register this user must contain the alternate name language. Choose a preferred language for the user, that is, the language that the user prefers to use.

Alternate org unit

Preferred language

Windows User Options Click to set user options for Windows NT or Windows 2000. Opens the "Add Person to Windows NT/2000" dialog box on which you can specify whether to add the user to Windows NT and/or the Windows 2000 Active Directory. Enter the Windows account name for the user, and select the name of the Windows NT or Windows 2000 group to which you are adding the user. 15. Click the green check mark. The user name appears in the Registration status view (the user registration queue). 16. Click Register and then click Done.

36) How can you identify whether it is a main server or additional server? 37) How many ACL levels are there? Access control lists An access control list (ACL) determines access to a given database, and the type of access allowed. The following table lists the access levels for Domino. ACL levels Level No Access User Access No access to the database Server Access No access to the database (except, optionally, for a special class of documents called public documents)

Depositor

Cannot replicate Can create documents in the database, but cannot read, edit, or Note: This ACL level is not normally delete documents, including assigned to servers. those they create

Reader

Can read documents, but cannot create, edit, or delete them

Can replicate to receive only (not send documents) Minimum access for servers to get data Can replicate new documents, but cannot modify documents Minimum access for servers to send data

Author

Can create and read documents, and edit own documents if Authors fields are used Note: Designers can modify a database to allow users to edit their own documents.

Note: This ACL level is not normally assigned to servers Can replicate all new and changed documents

Editor

Can create, read, and edit all documents

Designer

Can modify the database design, Can replicate all new and changed but cannot modify the ACL or documents, and replicate design delete the database elements Can perform all operations on Can replicate ACL changes as well as the database, including changing all document and design changes ACLs and deleting the database

Manager

38) Can you describe ACL level (Manager, Editor, Author, Designer, Depositor, Reader and Unassigned)? 39) What is the ICL? http://www.codestore.net/help/help6_admin.nsf/f4b82fbb75e942a6852566ac0037f284/94 6a94e42fc58f5b85256c1d00398b48?OpenDocument SECURITY Domino server-based certification authority You can set up a Domino certifier that uses a server task, the CA process, to manage and process certificate requests. The CA process runs as an automated process on Domino servers that are used to issue certificates. When you set up a Notes or Internet certifier, you link it to the CA process on the server in order to take advantage of CA process activities. Only one instance of the CA process can run on a server; however, the process can be linked to multiple certifiers.

You can set up Notes and Internet certifiers to use the CA process. Consider using the CA process because it:

Provides a unified mechanism for issuing Notes and Internet certificates. Supports the registration authority (RA) role, which you use to delegate the certificate approval/denial process to lower-echelon administrators in the organization. Does not require access to the certifier ID and ID password. After you enable certifiers for the CA process, you can assign the registration authority role to administrators, who can then register users and manage certificate requests without having to provide the certifier ID and password. Simplifies the Internet certificate request process through a Web-based certificate request database. Issues certificate revocation lists, which contain information about revoked or expired Internet certificates. Creates and maintains the Issued Certificate List (ICL), a database that contains information about all certificates issued by the certifier. Is compliant with security industry standards for Internet certificates -- for example, X.509 and PKIX.

To manage the CA process from the Domino console, you use a set of server Tell commands. Issued Certificate List (ICL) Each certifier has an Issued Certificate List (ICL) that is created when the certifier is created or migrated to the CA process. The ICL is a database that stores a copy of each unexpired certificate that it has issued, certificate revocation lists, and CA configuration documents. Configuration documents are generated when you create the certifier and sign it with the certifier's public key. After you create these documents, you cannot edit them. CA configuration documents include:

Certificate profiles, which contain information about certificates issued by the certifier. CA configuration document, which contains information about the certifier itself. RA/CA association documents, which contain information about the RAs who are authorized to approve and deny certificate requests. There is one document for each RA. ID file storage document, which contains information about the certifier ID.

Another CA configuration document, the Certifier document, is created in the Domino Directory when you set up the a certifier. This document can be modified.

For more information, see the topic Modifying a certifier. Certificate Revocation List (CRL) A CRL is a time-stamped list identifying revoked Internet certificates -- for example, certificates belonging to terminated employees. The CA process issues and maintains CRLs for each Internet certifier. A CRL is associated with a certifier, is signed by that certifier, and resides in the certifier's ICL database. A copy of the CRL is also stored in the Domino Directory, where it is used to assert certificate validity by entities that require certificate authentication. You configure the CRL when you create a new Internet certifier. You can specify the length of time for which a CRL is valid and the interval between publication of new CRLs. After CRLs are configured, the certifier issues them on a regular basis and they operate unattended. Using CRLs, you can manage the certificates issued in your organization. You can easily revoke a certificate if the subject of the certificate leaves the organization or if the key has been compromised. HTTP servers and Web browsers check the CRLs to determine whether a given certificate has been revoked, and is therefore no longer trusted by the certifier. When you use Internet Site documents to configure Internet protocols on the Domino, you can also enable CRL-checking for each protocol. There are two kinds of CRLs: regular and non-regular. For regular CRLs, you configure a duration interval -- the time period for which the CRL is valid -- and the interval at which new CRLs are issued. Each certifier issues a CRL at the specified time, even if no certificates have been revoked since the last CRL was issued. This means that if an administrator revokes a certificate, it appears in the next scheduled CRL issued by the certifier. The CRL duration period should be greater than the time period between each CRL issuance. This ensures that the CRL remains valid. Otherwise, the CRL could expire before a new one is issued. However, in the event of a critical security break -- for example, if the administrator needs to revoke a particularly powerful certificate or the certifier certificate is compromised -- you can manually issue a non-regular CRL - that is, an unscheduled CRL - to enforce the emergency revocation. This type of revocation does not affect either the timing or the content of the next scheduled CRL. You use a Tell command to issue a nonregular CRL. For more information on revoking a certificate, see the topic Revoking a certificate. For more information on enabling CRL-checking for Internet Site documents, see the topic Setting up security for Internet Site documents. For more information on configuring a regular CRL, see the topic Creating a certifier for a server-based CA.

For more information on issuing a nonscheduled CRL, see the topic Certificate authority process tell commands.

40) What is CRL? http://www.codestore.net/help/help6_admin.nsf/f4b82fbb75e942a6852566ac0037f284/e4 3f8497effb917d85256c1d003a3457?OpenDocument Certificate Authority process tell commands This table describes additional Tell commands you can use with the Domino CA process. Command Result tell ca quit tell ca stat Stops CA process. Displays summary information for the certifiers using the CA process; this includes the certifier's number, its hierarchical name, certifier type (Notes or Internet), whether it is active, and name of the ICL database.

tell ca show queue Display a list of pending certificate requests, revocation requests, and certifier number configuration modification requests for a specific certifier, using its number from the results of the "tell ca status" command. You can also use * to show this information for all certifiers that are using the CA process. tell ca activate certifier number password Activate a certifier if the certifier is created with "Require password to activate certifier," or use this for any certifier that has been deactivated. Activation is enabled during CA setup and creation. Activate a specific certifier by entering its number from the results of the 'tell ca status' command. Or you can actually unlock all server ID/password-protected certifiers at one time with this command, if you specify "*" for the certifier number. The CA process then prompts you for the password for each certifier. Deactivate a certifier. You will need to activate it again in order for it to process any request. Use * to deactivate everything, or deactivate a specific certifier by entering its number from the results of the 'tell ca status' command. Lock all certifiers that were set up with a lock ID, as specified during CA setup. Unlock all certifiers using the ID and password that comprise the lock ID. The lock ID is specified during CA setup.

tell ca deactivate certifier number

tell ca lock idfile tell ca unlock idfile password

tell ca CRL issue Issue a non-regular CRL for a specific certifier, where certifier number certifier number is the number of the certifier specified in the results of the "tell ca status" command.

tell ca CRL push certifier number tell ca CRL info certifier number [s/S/n/N] tell ca refresh

Push a certifier's latest regularly scheduled CRL to the Domino Directory, where certifier number is the number of the certifier specified in the results of the "tell ca status" command. Display CRL information for a specified certifier, where certifier number is the number of the certifier specified by the 'tell ca status' command. Use s or S for regularly scheduled CRLs, and n or N for non-regularly scheduled CRLs. Force the CA process to refresh its list of certifiers. As a result: newly configured certifiers will be added to the CA process previously unlocked certifiers will need to be unlocked again previously activated certifiers may need to be activated again, if the activation password has changed

the Notes certifier ID file in idstorage will be updated with the latest certificate information

tell ca help

List tell ca options