Lotus software
Lotus Domino 6
Printed in USA
Disclaimer
THIS DOCUMENTATION IS PROVIDED FOR REFERENCE PURPOSES ONLY. WHILE EFFORTS
WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION
CONTAINED IN THIS DOCUMENTATION, THIS DOCUMENTATION IS PROVIDED AS IS
WITHOUT ANY WARRANTY WHATSOEVER AND TO THE MAXIMUM EXTENT PERMITTED,
IBM DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION THE
IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT AND FITNESS FOR A
PARTICULAR PURPOSE, WITH RESPECT TO THE SAME. IBM SHALL NOT BE RESPONSIBLE FOR
ANY DAMAGES, INCLUDING WITHOUT LIMITATION, DIRECT, INDIRECT, CONSEQUENTIAL
OR INCIDENTAL DAMAGES, ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO,
THIS DOCUMENTATION OR ANY OTHER DOCUMENTATION. NOTWITHSTANDING
ANYTHING TO THE CONTRARY, NOTHING CONTAINED IN THIS DOCUMENTATION OR ANY
OTHER DOCUMENTATION IS INTENDED TO, NOR SHALL HAVE THE EFFECT OF, CREATING
ANY WARRANTIES OR REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR
ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT
GOVERNING THE USE OF THIS SOFTWARE.
Copyright
Under the copyright laws, neither the documentation nor the software may be copied, photocopied,
reproduced, translated, or reduced to any electronic medium or machine-readable form, in whole or
in part, without the prior written consent of IBM, except in the manner described in the documentation or the applicable licensing agreement governing the use of the software.
Copyright IBM Corporation 1985, 2002
All rights reserved.
Lotus Software
IBM Software Group
One Rogers Street
Cambridge, MA 02142
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
List of Trademarks
1-2-3, cc:Mail, Domino, Domino Designer, Freelance Graphics, iNotes, Lotus, Lotus Discovery Server,
Lotus Enterprise Integrator, Lotus Mobile Notes, Lotus Notes, Lotus Organizer, LotusScript, Notes,
QuickPlace, Sametime, SmartSuite, and Word Pro are trademarks or registered trademarks of Lotus
Development Corporation and/or IBM Corporation in the United States, other countries, or both.
AIX, AS/400, DB2, IBM, iSeries, MQSeries, Netfinity, OfficeVision, OS/2, OS/390, OS/400, S/390,
Tivoli, and WebSphere are registered trademarks of International Business Machines Corporation in
the United States, other countries, or both. Pentium is a trademark of Intel Corporation in the United
States, other countries, or both. Microsoft, Windows, and Windows NT are registered trademarks of
Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark
of The Open Group in the United States and other countries. Java and all Java-based trademarks and
logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other
countries, or both.
All other trademarks are the property of their respective owners.
Contents
Preface . . . xv
Volume 1
1 Deploying Domino . . . 1-1
Building the Domino environment . . . 1-14
Guidepost for deploying Domino
Lotus Domino and networks . . . 2-1
Network security . . . 2-6
Planning the TCP/IP network . . . 2-10
Planning the NetBIOS network . . . 2-26
Planning the IPX/SPX network . . . 2-29
Setting up Domino servers on the network . . . 2-32
Server setup tasks specific to TCP/IP . . . 2-43
Server setup tasks specific to NetBIOS . . . 2-58
Server setup tasks specific to IPX/SPX . . . 2-61
NOTES.INI settings for networks . . . 2-64
Installing and setting up Domino servers
Server installation
The Domino Server Setup program
Using the Domino Server Setup program
The Certification Log
Server registration
Optional tasks to perform after server setup . . . 3-46
4 Setting Up Server-to-Server Connections . . . 4-1
Planning server-to-server connections . . . 4-1
How a server connects to another server . . . 4-4
Internet connections . . . 4-21
Passthru servers and hunt groups . . . 4-23
Planning the use of passthru servers . . . 4-25
Setting up a server as a passthru server . . . 4-27
Setting up a server as a passthru destination . . . 4-28
Planning for modem use . . . 4-33
Commands for acquire and connect scripts . . . 4-53
Connecting Notes clients to servers . . . 4-55
Setting up client installation for users
Managing users
License Tracking
Custom welcome page deployment
Using groups . . . 6-1
Creating and modifying groups . . . 6-2
Managing groups . . . 6-8
Assigning a policy to a group . . . 6-9
Replicas
How server-to-server replication works
Scheduling server-to-server replication
Customizing server-to-server replication
Specifying replication direction
Scheduling times for replication
Replicating only specific databases
Replicating databases by priority
Limiting replication time
Using multiple replicators
Refusing replication requests
Forcing immediate replication
Disabling database replication
Forcing a server database to replicate
Viewing replication schedules and topology maps
Setting up scheduling . . . 8-1
Editing and deleting Resource documents . . . 8-13
Creating Holiday documents . . . 8-17
9 Using Policies . . . 9-1
Policies . . . 9-1
Policy hierarchy and the effective policy . . . 9-3
Planning and assigning policies . . . 9-6
Creating policies . . . 9-7
Mail archiving and policies . . . 9-22
Managing policies . . . 9-35
Viewing policy relationships . . . 9-37
10 Setting Up Domain Search . . . 10-1
Domain Search . . . 10-1
Planning the Domain Index . . . 10-4
Creating and updating the Domain Index . . . 10-14
Customizing Domain Search forms . . . 10-18
Setting up Notes users for Domain Search . . . 10-19
Setting up Web users for Domain Search . . . 10-20
Using content maps with Domain Search . . . 10-21
NOTES.INI settings for Domain Search . . . 10-23
Example of registering a hosted organization . . . 13-8
Registering a hosted organization . . . 13-11
Using Internet and Web Site documents in a hosted environment . . . 13-18
Global Web Settings documents and the service provider environment
Configuring activity logging for billing hosted organizations
14 Managing a Hosted Environment . . . 14-1
Maintaining hosted organizations . . . 14-1
Viewing hosted organizations
Managing users at a hosted organization
Using the Web Administrator to manage users at a hosted organization
15 Setting Up the Administration Process . . . 15-1
Setting up the Administration Process . . . 15-1
The Administration Requests database
Customizing the Administration Process
Administration Process Statistics
Administration request messages
Installing the Domino Administrator . . . 16-1
Setting up the Domino Administrator
Starting the Domino Administrator
Navigating Domino Administrator
Setting Domino Administration preferences . . . 16-5
Domino Administrator tabs . . . 16-13
Web Administrator . . . 16-17
Setting up the Web Administrator . . . 16-17
Starting the Web Administrator . . . 16-22
Using the Web Administrator . . . 16-23
The Server Controller and the Domino Console . . . 16-28
18 Planning Directory Services . . . 18-1
Overview of Domino directory services . . . 18-1
Using directory servers in a Domino domain
Planning LDAP features
Planning directory access control
Planning new entries in the Domino Directory
Planning directory customization
Directory services terms
20 Setting Up the LDAP Service . . . 20-1
The LDAP service . . . 20-1
How the LDAP service works . . . 20-2
Setting up the LDAP service . . . 20-7
Starting and stopping the LDAP service . . . 20-8
Customizing the LDAP service configuration . . . 20-9
Setting up clients to use the LDAP service . . . 20-34
Using LDAP to search a Domain index . . . 20-36
Monitoring the LDAP service . . . 20-37
NOTES.INI settings for the LDAP service . . . 20-41
RFCs supported by the LDAP service . . . 20-42
21 Managing the LDAP Schema . . . 21-1
LDAP schema . . . 21-1
The Domino LDAP schema . . . 21-2
The schema daemon . . . 21-5
Domino LDAP Schema database . . . 21-7
Methods for extending the schema . . . 21-10
Extending the schema using the Schema database
Schema-checking
Searching the root DSE and schema entry
22 Using the ldapsearch Utility . . . 22-1
Table of ldapsearch parameters
Using search filters with ldapsearch
23 Setting Up Directory Assistance . . . 23-1
Directory assistance . . . 23-1
How directory assistance works . . . 23-2
Directory assistance services . . . 23-3
Directory assistance concepts . . . 23-12
Directory assistance and naming rules . . . 23-12
Directory assistance and domain names . . . 23-18
Directory assistance and failover for a directory
Number of directory assistance databases
Setting up directory assistance
Directory assistance examples
Monitoring directory assistance
24 Setting Up Directory Catalogs . . . 24-1
Directory catalogs . . . 24-1
Condensed Directory Catalogs
Extended Directory Catalogs
Overview of directory catalog setup
Planning directory catalogs
Directory catalogs and client authentication
Picking the server(s) to run the Dircat task
Monitoring directory catalogs
25 Setting Up Extended ACLs . . . 25-1
Extended ACL . . . 25-1
Elements of an extended ACL . . . 25-3
Extended ACL access settings . . . 25-3
Extended ACL subject . . . 25-9
Extended ACL target . . . 25-12
Extended ACL examples . . . 25-19
Extended ACL guidelines . . . 25-22
Setting up and managing an extended ACL . . . 25-22
The Domino mail server and mail routing . . . 26-1
Overview of routing mail using Notes routing
Mail journaling . . . 26-25
27 Setting Up Mail Routing . . . 27-1
The Domino mail router . . . 27-1
Planning a mail routing topology . . . 27-2
Sample mail routing configurations . . . 27-9
Creating a Configuration Settings document
Routing mail over transient connections
Customizing mail
Controlling messaging . . . 28-1
Improving mail performance . . . 28-2
Controlling message delivery . . . 28-8
Setting server mail rules . . . 28-20
Customizing message transfer . . . 28-26
Setting transfer limits . . . 28-33
Customizing Notes routing
Customizing SMTP Routing
Changing SMTP port settings
Restricting SMTP inbound routing
Preventing unauthorized SMTP hosts from using Domino as a relay
29 Setting Up Shared Mail . . . 29-1
Shared mail overview . . . 29-1
Setting up shared mail databases . . . 29-5
Managing a shared mail database . . . 29-11
Disabling shared mail . . . 29-25
30 Setting Up the POP3 Service . . . 30-1
The POP3 service . . . 30-1
Setting up the POP3 service . . . 30-2
Setting up POP3 users . . . 30-7
31 Setting Up the IMAP Service . . . 31-1
The IMAP service . . . 31-1
Setting up the IMAP service . . . 31-4
Customizing the IMAP service . . . 31-5
Setting up IMAP users . . . 31-22
IMAP settings in the server NOTES.INI file . . . 31-39
iNotes Web Access . . . 32-1
iNotes Access for Microsoft Outlook . . . 32-11
33 Monitoring Mail . . . 33-1
Tools for mail monitoring . . . 33-1
Setting up mail monitoring . . . 33-3
Viewing mail usage reports . . . 33-16
Hosting Web sites
Setting up WebDAV
Web Site rules and global Web settings
Custom Web server messages
Improving Web server performance
The Web Navigator . . . 36-1
Setting up a Web Navigator server . . . 36-2
Customizing the Web Navigator . . . 36-6
The Web Navigator database . . . 36-10
Customizing the Web Navigator database . . . 36-11
Volume 2
37 Planning Security . . . 37-1
38 Controlling Access to Domino Servers . . . 38-1
Validation and authentication for Notes and Domino . . . 38-1
Server access for Notes users, Internet users, and Domino servers
Customizing access to a Domino server . . . 38-7
Physically securing the Domino server . . . 38-23
39 Protecting and Managing Notes IDs . . . 39-1
Domino server and Notes user IDs . . . 39-1
Certificates
ID recovery . . . 39-14
Public key security . . . 39-22
The database access control list . . . 40-1
Default ACL entries . . . 40-2
Acceptable entries in the ACL . . . 40-4
Configuring a database ACL . . . 40-11
Access levels in the ACL . . . 40-13
Access level privileges in the ACL . . . 40-16
User types in the ACL . . . 40-19
Roles in the ACL . . . 40-20
Managing database ACLs . . . 40-22
Enforcing a consistent access control list
Setting up database access for Internet users
42 Setting Up Name-and-Password and Anonymous Access to Domino Servers . . . 42-1
Validation and authentication for Internet/intranet clients . . . 42-1
Multi-server session-based name-and-password authentication for Web users (single sign-on)
Managing Internet passwords
Anonymous Internet/intranet access
Encryption . . . 43-1
Mail encryption
Electronic signatures
44 Setting Up a Domino Server-Based Certification Authority . . . 44-1
Domino server-based certification authority . . . 44-1
45 Setting Up a Domino 5 Certificate Authority . . . 45-1
Using a Domino 5 certificate authority . . . 45-1
Setting up a Domino 5 certificate authority
SSL security . . . 46-1
Setting up SSL on a Domino server
Internet certificates for SSL and S/MIME . . . 47-5
Setting up Notes clients for S/MIME . . . 47-13
Dual Internet certificates for S/MIME encryption and signatures
48 Rolling Out Databases . . . 48-1
Database design, management, and administration . . . 48-1
Rolling out a database
Copying a new database to a server
Creating a Mail-In Database document for a new database
Adding a database to the Domain Index
Signing a database or template
49 Organizing Databases on a Server . . . 49-1
51 Setting Up Database Libraries and Catalogs . . . 51-1
Database libraries . . . 51-1
Publishing databases in a library
Database catalogs
Setting up a server's database catalog
Monitoring the Domino system . . . 52-1
Monitoring events on the Domino system . . . 52-2
Event generators . . . 52-3
Event handlers . . . 52-14
Viewing an event report . . . 52-20
Server Health Monitor . . . 53-1
Table of Server Health Monitor statistics
Table of Server Health Monitor ratings
Server Health Monitor configuration
Using the Server Health Monitor
Statistics and the Domino system
Platform statistics
Using the Domino Administrator to monitor statistics
Charting statistics
Domino server monitor
Profiles and the Domino server monitor
Activity Trends
Setting up Activity Trends
Activity Trends server and statistics profiles
Resource balancing in Activity Trends
Setting up resource balancing in Activity Trends
Analyzing resource-balancing distributions
Resource-balancing plans
Understanding resource-balancing behavior
IBM Tivoli Analyzer for Lotus Domino
The Domino SNMP Agent
Configuring the Domino SNMP Agent
Transaction logging . . . 55-1
How transaction logging works
Planning for transaction logging
Changing transaction logging settings
View logging . . . 55-9
Using transaction logging for recovery . . . 55-9
Fault recovery . . . 55-10
56 Using Log Files . . . 56-1
The Domino server log (LOG.NSF) . . . 56-1
Controlling the size of the log file (LOG.NSF)
Logging Domino Web server requests
Domino Web server logging to text files . . . 56-10
57 Setting Up Activity Logging . . . 57-1
Activity logging . . . 57-1
The information in the log file . . . 57-1
Configuring activity logging . . . 57-12
Viewing activity logging data . . . 57-13
58 Maintaining Databases . . . 58-1
Database maintenance . . . 58-1
The Files tab in the Domino Administrator . . . 58-2
Monitoring replication of a database . . . 58-6
Replication or save conflicts . . . 58-8
Monitoring database activity . . . 58-11
Updating database indexes and views . . . 58-14
Managing view indexes . . . 58-23
Fixing corrupted databases
Using Fixup
Moving databases
Deleting databases
Database analysis
Managing servers . . . 59-1
Decommissioning a Domain Search server . . . 59-12
Uninstalling a Domino partitioned server . . . 59-13
60 Improving Server Performance . . . 60-1
Improving Domino server performance
Tools for measuring server performance
61 Improving Database Performance . . . 61-1
Setting advanced database properties
The database cache . . . 61-9
Controlling database size . . . 61-12
Tools for monitoring database size . . . 61-13
Monitoring database size . . . 61-13
Compacting databases . . . 61-13
Ways to compact databases . . . 61-16
Database size quotas . . . 61-23
Deleting inactive documents . . . 61-25
Using an agent to delete and archive documents
Server.Load . . . 62-1
Server.Load agents
Server.Load metrics
Idle Workload script . . . 62-14
R5 IMAP Workload test . . . 62-15
R5 Simple Mail Routing test . . . 62-20
R5 Shared Database test . . . 62-24
SMTP and POP3 Workload test . . . 62-26
Web Idle Workload test . . . 62-30
Web Mail test . . . 62-31
63 Troubleshooting . . . 63-1
Troubleshooting the Domino system . . . 63-1
Troubleshooting tools . . . 63-2
Overview of server maintenance . . . 63-6
Server maintenance checklist . . . 63-6
Backing up the Domino server . . . 63-7
Administration Process Troubleshooting
Database performance Troubleshooting
Directories Troubleshooting
Mail routing Troubleshooting
Meeting and resource scheduling Troubleshooting
Platform statistics Troubleshooting
Passthru connections Troubleshooting
Replication Troubleshooting
Partitioned servers Troubleshooting
Server access Troubleshooting . . . 63-91
Server crashes Troubleshooting . . . 63-96
Transaction logging Troubleshooting . . . 63-102
Web server, Web Navigator, and the Web Administrator Troubleshooting . . . 63-104
Server.Load Troubleshooting . . . 63-110
Appendix A Server Commands . . . A-1
Appendix B Server Tasks . . . B-1
Appendix C NOTES.INI File . . . C-1
Appendix D System and Application Templates . . . D-1
Appendix E Customizing the Domino Directory . . . E-1
Appendix F Administration Process Requests . . . F-1
Appendix G Novell Directory Service for the IPX/SPX Network . . . G-1
Appendix H Accessibility and Keyboard Shortcuts in Domino Administrator . . . H-1
Appendix I Server.Load Command Language . . . I-1
Appendix J Server.Load Scripts . . . J-1
Index . . . Index-1
Preface
The documentation for IBM Lotus Notes, IBM Lotus Domino, and IBM
Lotus Domino Designer is available online in Help databases and, with the
exception of the Notes client documentation, in print format.
License information
Any information or reference related to license terms in this document is
provided to you for your information. However, your use of Notes and
Domino, and any other IBM program referenced in this document, is solely
subject to the terms and conditions of the IBM International Program
License Agreement (IPLA) and related License Information (LI) document
accompanying each such program. You may not rely on this document
should there be any questions concerning your right to use Notes and
Domino. Please refer to the IPLA and LI for Notes and Domino that is
located in the file LICENSE.TXT.
System requirements
Information about the system requirements for Lotus Notes and Domino is
listed in the Release Notes.
Related information
In addition to the documentation that is available with the product, other
information about Notes and Domino is available on the Web sites listed
here.
Table of conventions
This table lists conventions used in the Notes and Domino documentation.
Convention / Description
italics
monospaced type
file names
Title / Description
Upgrade Guide
Installing Domino Servers
Administering the Domino System, Volumes 1 and 2
Administering Domino Clusters
Installation
Chapter 1
Deploying Domino
This chapter outlines the steps required to deploy IBM Lotus
Domino 6 successfully and introduces important concepts that you
need to know before you install Domino servers.
10. If the Domino server is offering Internet services, set up Internet site
documents. There are some instances where Internet Site documents
are required.
11. Specify Administration Preferences.
12. Create additional certifier IDs to support the hierarchical name
scheme.
13. Set up recovery information for the certifier IDs.
14. Add the administrator's ID to the recovery information for the
certifier IDs and then distribute the certifier IDs, as necessary, to
other administrators.
15. Register additional servers.
16. If you did not do so during first server setup, create a
group in the Domino Directory for all administrators, and give this
group Manager access to all databases on the first server.
17. Install and set up additional servers.
18. Complete network-related server setup for each additional server.
19. Build the Domino environment.
Domain Search servers that provide users with the ability to perform
searches across all servers in a Domino domain
Clustered servers that provide users with constant access to data and
provide load-balancing and failover
xSP servers that provide users with Internet access to a specific set of
Domino applications
A hierarchical name scheme uses a tree structure that reflects the actual
structure of a company. At the top of the tree is the organization name,
which is usually the company name. Below the organization name are
organizational units, which you create to suit the structure of the
company; you can organize the structure geographically, departmentally,
or both.
For example, the Acme company created this diagram for their servers
and users (organizational units indented under their parent):
Acme
    West
        HR
        Accounting
    East
        IS
        Sales
        Marketing
        Development
Looking at Acme's diagram, you can see where they located their servers
in the tree. Acme decided to split the company geographically at the first
level and create certifier IDs for the East and West organizational units.
At the next level down, Acme made its division according to department.
For more information on certifier IDs, see the topic Certifier IDs and
certificates in this chapter.
Components of a hierarchical name
A hierarchical name reflects a user's or server's place in the hierarchy
and controls whether users and servers in different organizations and
organizational units can communicate with one another. A hierarchical
name may include these components: a common name (CN), optional
organizational units (OU), an organization (O), and an optional country
code (C). For example:
Julia Herlihy/Sales/East/Acme/US
Typically a name is entered and displayed in this abbreviated format, but
it is stored internally in canonical format, which contains the name and
its associated components, as shown below:
CN=Julia Herlihy/OU=Sales/OU=East/O=Acme/C=US
Note You can use hierarchical naming with wildcards as a way to
isolate a group of servers that need to connect to a given Domino server
in order to route mail.
For more information, see the chapter Setting Up Mail Routing.
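As an added example (not code from the IBM documentation), the following Python module converts between the abbreviated and canonical name formats shown above and checks a name against a wildcard entry such as */East/Acme, the kind of entry used to isolate a group of servers or users by their place in the name tree. It assumes that a trailing two-letter component of an abbreviated name is the country code, that at most four OU levels are allowed, and that a wildcard entry covers every name whose trailing components equal the components written after the asterisk.

```python
"""Domino hierarchical names: abbreviated <-> canonical, plus wildcard matching.

Added example; not part of the IBM documentation.  Assumptions:
  - in the abbreviated form the components run CN / OU ... / O / C, and a
    trailing two-letter alphabetic component is taken to be the country code;
  - at most four OU levels are allowed;
  - a wildcard entry such as */East/Acme covers every name whose trailing
    components equal the components written after the asterisk.
"""
from typing import List, Tuple

ATTRIBUTES = ("CN", "OU", "O", "C")
MAX_OU_LEVELS = 4  # assumption: Domino allows up to four OU levels

Components = List[Tuple[str, str]]  # e.g. [("CN", "Julia Herlihy"), ("O", "Acme")]


def parse_abbreviated(name: str) -> Components:
    """'Julia Herlihy/Sales/East/Acme/US' -> CN, OU..., O, C pairs."""
    parts = [p.strip() for p in name.split("/")]
    if len(parts) < 2 or any(p == "" for p in parts):
        raise ValueError(f"malformed hierarchical name: {name!r}")
    country = None
    # Assumption: a trailing two-letter component is a country code.  A
    # two-component name (CN/O only) is never read as having a country.
    if len(parts) > 2 and len(parts[-1]) == 2 and parts[-1].isalpha():
        country = parts.pop().upper()
    org_units = parts[1:-1]
    if len(org_units) > MAX_OU_LEVELS:
        raise ValueError(f"more than {MAX_OU_LEVELS} organizational units: {name!r}")
    pairs: Components = [("CN", parts[0])]
    pairs += [("OU", ou) for ou in org_units]
    pairs.append(("O", parts[-1]))
    if country:
        pairs.append(("C", country))
    return pairs


def parse_canonical(name: str) -> Components:
    """'CN=Julia Herlihy/OU=Sales/OU=East/O=Acme/C=US' -> attribute/value pairs."""
    pairs: Components = []
    for component in name.split("/"):
        attr, sep, value = component.partition("=")
        attr, value = attr.strip().upper(), value.strip()
        if not sep or attr not in ATTRIBUTES or not value:
            raise ValueError(f"malformed canonical component: {component!r}")
        pairs.append((attr, value))
    return pairs


def parse_name(name: str) -> Components:
    """Accept either form; canonical names are recognised by their '=' signs."""
    return parse_canonical(name) if "=" in name else parse_abbreviated(name)


def canonical(name: str) -> str:
    """Stored form: every component carries its attribute prefix."""
    return "/".join(f"{attr}={value}" for attr, value in parse_name(name))


def abbreviate(name: str) -> str:
    """Display form: attribute prefixes dropped, component order unchanged."""
    return "/".join(value for _, value in parse_name(name))


def _values(name: str) -> List[str]:
    """Component values only, lower-cased for case-insensitive comparison."""
    return [value.lower() for _, value in parse_name(name)]


def matches_wildcard(name: str, entry: str) -> bool:
    """True if `entry` covers `name`.

    '*/East/Acme' covers every name whose trailing components are East/Acme
    (the asterisk stands in for the CN and any OUs below 'East').  Without a
    leading '*/' the entry must equal the whole name.
    """
    if not entry.startswith("*/"):
        return _values(name) == _values(entry)
    if "=" in entry:
        tail = _values(entry[2:])  # canonical tail such as OU=East/O=Acme
    else:
        tail = [p.strip().lower() for p in entry[2:].split("/")]
    comps = _values(name)
    # The asterisk must absorb at least one component, the CN.
    return len(comps) > len(tail) and comps[-len(tail):] == tail


if __name__ == "__main__":
    user = "Julia Herlihy/Sales/East/Acme/US"
    print(canonical(user))
    print(abbreviate(canonical(user)))
    print(matches_wildcard(user, "*/East/Acme/US"), matches_wildcard(user, "*/West/Acme/US"))
```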
Domino domains
A Domino domain is a group of Domino servers that share the same
Domino Directory. As the control and administration center for Domino
servers in a domain, the Domino Directory contains, among other
documents, a Server document for each server and a Person document
for each Notes user.
Planning for Domino domains
There are four basic scenarios for setting up Domino domains. The first
scenario, which many small- and medium-size companies use, involves
creating only one Domino domain and registering all servers and users in
one Domino Directory. This scenario is the most common and the easiest
to manage.
The second scenario is common when a large company has multiple
independent business units. In this case, one organization spread across
multiple domains may be the best scenario. Then all servers and users
are members of the same organization, and each business unit
administers its own Domino Directory.
For more information on administering multiple Domino directories, see
the chapter Planning Directory Services.
A third scenario is common when multiple companies work closely
together yet want to retain individual corporate identities. Then one
domain and multiple organizations may work best.
Finally, the fourth scenario involves maintaining multiple domains and
multiple organizations. This scenario often occurs when one company
acquires another.
Sometimes the decision to create multiple Domino domains is not based
on organizational structure at all. For example, you may want to create
multiple Domino domains if you have slow or unreliable network
Deploying Domino 1-5
Installation
Partitioned servers
Using Domino server partitioning, you can run multiple instances of the
Domino server on a single computer. By doing so, you reduce hardware
expenses and minimize the number of computers to administer because,
instead of purchasing multiple small computers to run Domino servers
that might not take advantage of the resources available to them, you can
purchase a single, more powerful computer and run multiple instances
of the Domino server on that single machine.
On a Domino partitioned server, all partitions share the same Domino
program directory, and thus share one set of Domino executable files.
However, each partition has its own Domino data directory and
NOTES.INI file; thus each has its own copy of the Domino Directory and
other administrative databases.
If one partition shuts down, the others continue to run. If a partition
encounters a fatal error, Domino's fault recovery feature restarts only
that partition, not the entire computer.
For information on setting up fault recovery, see the chapter
Transaction Logging and Recovery.
Partitioned servers can provide the scalability you need while also
providing security. As your system grows, you can migrate users from a
partition to a separate server. A partitioned server can also be a member
of a cluster if you require high availability of databases. Security for a
partitioned server is the same as for a single server.
When you set up a partitioned server, you must run the same version of
Domino on each partition. However, if the server runs on UNIX, there
is an alternative means to run multiple instances of Domino on the
server: on UNIX, you can run different versions of Domino on a single
computer, each version with its own program directory. You can even
1-6 Administering the Domino System, Volume 1
in the organization. Servers and users who belong to the same name tree
can communicate with each other; servers and users who belong to
different name trees need a cross-certificate to communicate with each
other.
Note You can register servers and users without stamping each server
ID and user ID if you have migrated the certifier to a Domino
server-based certification authority (CA).
For more information about server-based CAs, see the chapter Setting
Up a Domino Server-based Certification Authority.
Each time you create a certifier ID, Domino creates a certifier ID file and
a Certifier document. The ID file contains the ID that you use to register
servers and users. The Certifier document serves as a record of the
certifier ID and stores, among other things, its hierarchical name, the
name of the certifier ID that issued it, and the names of certificates
associated with it.
There are two types of certifier IDs: organization and organizational unit.
Organization certifier ID
The organization certifier appears at the top of the name tree and is
usually the name of the company, for example, Acme. During first
server setup, the Server Setup program creates the organization certifier
and stores the organization certifier ID file in the Domino data directory,
giving it the name CERT.ID. During first server setup, this organization
certifier ID automatically certifies the first Domino server ID and the
administrator's user ID.
If your company is large and decentralized, you might want to use the
Domino Administrator after server setup to create a second organization
certifier ID to allow for further name differentiation, for example, to
differentiate between company subsidiaries.
For more information on working with multiple organizations, see the
topic Domino domains earlier in this chapter.
Organizational unit certifier IDs
The organizational unit certifiers are at all the branches of the tree and
usually represent geographical or departmental names, for example,
East/Acme or Sales/East/Acme. If you choose to, you can create a
first-level organizational unit certifier ID during server setup, with the
result that the server ID and administrator's user ID are stamped with
the organizational unit certifier rather than with the organization
certifier. If you choose not to create this organizational unit certifier
For information on recertifying user IDs, see the chapter Setting Up and
Managing Notes Users. For information on recertifying server IDs, see
the chapter Maintaining Domino Servers.
You can create up to four levels of organizational unit certifiers. To create
first-level organizational unit certifier IDs, you use the organization
certifier ID. To create second-level organizational unit certifier IDs, you
use the first-level organizational unit certifier IDs, and so on.
Using organizational unit certifier IDs, you can decentralize certification
by distributing individual certifier IDs to administrators who manage
users and servers in specific branches of the company. For example, the
Acme company has two administrators. One administers servers and
users in West/Acme and has access to only the West/Acme certifier ID,
and the other administers servers and users in East/Acme and has access
to only the East/Acme certifier ID.
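The naming rules above (abbreviated versus canonical format, the chain of certifiers behind a name, the four-level limit on organizational units, and the fact that IDs in different name trees need a cross-certificate) can be checked mechanically. The following is an added example written for this chapter, not IBM or Lotus code; it assumes a trailing two-letter uppercase component is the optional country code and that every other rule is as the text states.

```python
"""Hierarchical Notes names: abbreviated <-> canonical conversion, the
certifier chain behind a name, and a check of whether two IDs share a
name tree (if not, they need a cross-certificate to authenticate).
Added example for this chapter; it is not Lotus/IBM code."""
import re

MAX_OU_LEVELS = 4       # at most four levels of organizational unit certifiers
TAGS = ("CN", "OU", "O", "C")

def parse_abbreviated(name):
    """Split 'Julia Herlihy/Sales/East/Acme/US' into cn, ou (most specific
    first), o and c. Assumption: a trailing two-letter uppercase component
    is the optional country code; the component before it is the organization."""
    parts = [p.strip() for p in name.split("/")]
    if len(parts) < 2 or any(not p for p in parts):
        raise ValueError("need at least a common name and an organization: %r" % name)
    cn, rest = parts[0], parts[1:]
    country = ""
    if len(rest) >= 2 and re.fullmatch(r"[A-Z]{2}", rest[-1]):
        country = rest.pop()
    organization = rest.pop()
    return {"cn": cn, "ou": rest, "o": organization, "c": country}

def ou_depth_ok(name):
    """True unless the name has more organizational unit levels than Domino allows."""
    return len(parse_abbreviated(name)["ou"]) <= MAX_OU_LEVELS

def to_canonical(name):
    """Abbreviated -> canonical: CN=.../OU=.../OU=.../O=.../C=..."""
    p = parse_abbreviated(name)
    comps = ["CN=" + p["cn"]] + ["OU=" + ou for ou in p["ou"]] + ["O=" + p["o"]]
    if p["c"]:
        comps.append("C=" + p["c"])
    return "/".join(comps)

def to_abbreviated(canonical):
    """Canonical -> abbreviated by dropping the attribute tags."""
    values = []
    for comp in canonical.split("/"):
        tag, sep, value = comp.partition("=")
        if not sep or tag not in TAGS or not value:
            raise ValueError("not a canonical name component: %r" % comp)
        values.append(value)
    return "/".join(values)

def certifier_chain(name):
    """Certifiers that stamped this ID, organization first.
    'Julia Herlihy/Sales/East/Acme' -> ['Acme', 'East/Acme', 'Sales/East/Acme']"""
    p = parse_abbreviated(name)
    chain = [p["o"] + ("/" + p["c"] if p["c"] else "")]
    for ou in reversed(p["ou"]):           # walk from the organization down
        chain.append(ou + "/" + chain[-1])
    return chain

def common_certifier(name_a, name_b):
    """The most specific certifier both names descend from, or None."""
    shared = None
    for ca, cb in zip(certifier_chain(name_a), certifier_chain(name_b)):
        if ca.lower() != cb.lower():
            break
        shared = ca
    return shared

def needs_cross_certificate(name_a, name_b):
    """IDs in different name trees can only authenticate via a cross-certificate."""
    return common_certifier(name_a, name_b) is None

if __name__ == "__main__":
    # Constructed sample names; Acme and Widgets are separate organizations.
    print(to_canonical("Julia Herlihy/Sales/East/Acme/US"))
    print(certifier_chain("Julia Herlihy/Sales/East/Acme"))
    print(needs_cross_certificate("Chicago/Sales/Acme", "Mail01/IT/Widgets"))
```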
Certifier security
By default, the Server Setup program stores the certifier ID file in the
directory you specify as the Domino data directory. When you use the
Domino Administrator to create an additional organization certifier ID or
organizational unit certifier ID, you specify where you want the ID
stored. To ensure security, store certifiers in a secure location such as a
disk locked in a secure area.
User ID recovery
To provide ID and password recovery for Notes users, you need to set
up recovery information for each certifier ID. Before you can recover user
ID files, you need access to the certifier ID file to specify the recovery
information, and the user ID files themselves must be made recoverable.
There are three ways to do this:
Export recovery information from the certifier ID file and have the
user accept it.
For more information, see the chapter Protecting and Managing Notes
IDs.
during server setup, you can always use the Domino Administrator to do
it later; just remember to recertify the server ID and administrator's
user ID.
Figure: Certifier ID Names. The tree shows the organization certifier
Acme, the first-level organizational unit certifiers West/Acme and
East/Acme, and second-level organizational unit certifiers (IS,
Marketing, Sales, Development, Accounting, HR) beneath them, for example
IS/West/Acme and Sales/East/Acme.
Database Replicator
Mail Router
Agent Manager
Administration Process
Calendar Connector
Schedule Manager
These are optional advanced Domino server services that you can enable:
Billing
HTTP Server
IMAP Server
ISpy
LDAP Server
POP3 Server
SMTP Server
Stats
Statistic Collector
Web Retriever
Note It is best to use activity logging instead of the billing service.
For more information on activity logging, see the chapter Planning
the Service Provider Environment.
Name                     Characters      Tips
Domino domain            31 maximum
Notes named network      31 maximum
Organization
Organizational unit      32 maximum*
Server                   79 maximum
User                     79 maximum*
Alternate user           No minimum
Group                    62 maximum
Port                     No maximum
Country code             0 or 2          Optional
* This name may include alpha characters (A - Z), numbers (0 - 9), and
the ampersand (&), dash (-), period (.), space ( ), and underscore (_).
For more information on network name requirements and the effect that
server name format has on network name-to-address resolution, see the
chapter Setting Up the Domino Network.
Chapter 2
Setting Up the Domino Network
This chapter describes planning concepts and presents protocol-specific
procedures required to run Domino on a network. The chapter describes
using network protocols from a Domino perspective and does not
provide general network information.
NRPC communication
Domino servers offer many different services. The foundation for
communication between Notes workstations and Domino servers or
between two Domino servers is the Notes remote procedure call (NRPC)
service.
Network protocols for NRPC communication
To communicate, two computers must run the same network protocol
and software driver. For dialup connections, Lotus Domino uses its own
X.PC protocol natively; Notes and Domino also support PPP using either
Microsoft Dialup Networking (DUN) or Remote Access Service (RAS) for
network dialup. In addition, you can use any IETF-compliant PPP
communications server to dial into the network on which the Domino
server resides or through which the server can be accessed.
For more information on dialup connections, see the chapter Setting Up
Server-to-Server Connections.
On LANs, Lotus Domino is compatible with the TCP/IP and IPX/SPX
protocol suites, as well as NetBIOS over the lower transports IP, IPX, and
NetBEUI. For NetBIOS connections to work, both Notes workstations
and Domino servers must use the same lower transport.
For detailed information on which protocols are compatible with Lotus
Domino for each supported operating system, see the Release Notes.
Notes network ports
During the Server Setup program, Domino provides a list of Notes
network ports based on the current operating system configuration. If
these ports are not the ones you want to enable for use with the Domino
server, you can edit the list during setup.
In TCP/IP and NetBIOS, you can install multiple network interface cards
(NICs) and enable additional Notes network ports for each protocol,
using the NOTES.INI file to bind each port to a separate IP address or
NetBIOS LANA number.
For more information, see the topic Adding a network port on a server
later in this chapter.
Notes named networks
Consider Notes named networks in your planning. A Notes named
network (NNN) is a group of servers that can connect to each other
directly through a common LAN protocol and network pathway, for
example, servers running on TCP/IP in one location. Servers on the same
NNN route mail to each other automatically, whereas you need a
Connection document to route mail between servers on different NNNs.
When you set up Server documents, be sure to assign each server to the
correct NNN. Lotus Domino expects a continuous connection between
servers that are in the same NNN, and serious delays in routing can
occur if a server must dial up a remote LAN because the remote server is
inadvertently placed within the NNN. Also bear in mind that the Notes
Network field for each port can contain only one NNN name, and no two
NNN names can be the same.
NNNs affect Notes users when they use the Open Database dialog box.
When a user selects Other to display a list of servers, the servers
displayed are those on the NNN of the user's home server for the port on
which the Notes workstation communicates with the home server. Also,
when users click on a database link or document link, if a server in their
home server's NNN has a replica of that database, they can connect to
the replica.
Note If a server is assigned to two NNNs in the same protocol, as in the
case where the server has two Notes network ports for TCP/IP, a Notes
workstation or Domino server connecting to that server uses the NNN
for the port listed first in the Server document.
Network security
Physical network security is beyond the scope of this book, but you must
set it up before you set up connection security. Physical network security
prevents unauthorized users from breaking through the network and
using one of the operating system's native services, for example, file
sharing, to access the server. Physical network security also comes into
play when any data is exposed, as the potential exists for malicious or
unauthorized users to eavesdrop both on the network where the Domino
system resides and on the system you are using to set up the server.
Network access is typically controlled using network hardware such
as filtering routers, firewalls, and proxy servers. Be sure to enable rules
and connection pathways for the services that you and others will access.
Newer firewall systems offer virtual-private-network (VPN) services,
which encapsulate the TCP/IP packet into another IP wrapper where the
inner TCP/IP packet and its data are encrypted. This is a popular way to
create virtual tunnels through the Internet between remote sites. If you
want to have the Domino server access both a private VPN and the
Internet for SMTP mail, make sure your solution is able to handle full
TCP data packets and that it allows dual connections. If not, the Domino
server system may require a second NIC to work around limitations of
the VPN solution.
For more information, see the chapter Controlling Access to Domino
Servers.
Because encryption adds additional load to the server, you may want to
limit the services for which the server uses encryption. Other ways to
minimize the load that encryption puts on the system include:
Hosts files must contain the fully qualified domain name of the
servers.
If you are using the Network Information Service (NIS), you must use the
fully qualified domain name and make sure NIS can coexist with DNS.
For information on configuring these settings, see the documentation for
your network operating system.
You must first connect the server to the untrusted network, for
example, the Internet, and then set up Notes workstations and Domino
servers to use the passthru server as a proxy when accessing services
outside the trusted network.
To set up a workstation or server to use the passthru server, you must
specify the passthru server in the Location document for a workstation
and in the Server document for a server.
For more information on connecting a server to the Internet and passthru
servers, see the chapter Setting Up Server-to-Server Connections.
Moving to IPv6
This topic provides the information you need if your company is
migrating to IPv6 standard:
Advanced configurations
Use these topics to plan how to integrate Lotus Domino with the TCP/IP
network when the Domino server has more than one IP address or is
partitioned:
Domino server requests this name, the TCP/IP resolver passes it to DNS,
and DNS resolves the name directly to the IP address of the destination
server, regardless of the DNS domain level of the requesting system.
If you do not want to enter the FQDN in the Net Address field, you can
change it to the simple IP host name, for example, app01, either
during server setup or later by editing the Server document. For
example, you might use the simple IP host name if you are setting up
multiple TCP ports for NRPC, a configuration in which using the FQDN
for each network address can cause connection failures if the Notes
Name Service returns the FQDN for the wrong TCP port. In this case,
using the simple IP host name ensures that DNS does a lookup in all
domain levels within the scope of the domains defined in the requesting
system's TCP/IP stack settings.
Caution In a production environment, do not use IP addresses in Net
Address fields. Doing so can result in serious administrative
complications if IP addresses change or if Network Address Translation
(NAT) connections are used, as the values returned by the Notes Name
Service will not be correct.
Secondary name servers
To ensure that the Notes Name Service is always available over TCP/IP,
when you set up a Notes user, you can designate a Domino secondary
name server that stands in for the home server in these situations:
Place a hosts file, which is a table that pairs each system name with
its IP address, on every system that needs private access. Set up each
system so that it accesses the hosts file before accessing DNS.
from the passthru server, it may not be possible for the passthru server to
resolve the name of the destination server. In this case, do one of the
following:
For example, users inside a company access the Domino server based on
its assigned IP address, which is a private address (192.168.1.1). Internet
users must access the Domino server through a NAT router, which
converts the private address to one of its static public addresses
(130.20.2.2). Therefore, a Notes client accessing the server from the
Internet uses the public address.
You can never assign more than one IP address in DNS to the
Domino server.
If the FQDN changes, the Domino server name will not match the
FQDN, thus invalidating the DNS resolve. You will then need to
create a new server and migrate users to it.
You cannot use other network protocols, as many of them use flat
network name services, and those that use hierarchical name systems
will not function unless the name hierarchy is exactly the same.
Partition a Domino server so that more than one partition offers the
same Internet service (SMTP, POP3, IMAP, LDAP, or HTTP).
Allow access to the Domino server via a TCP/IP firewall system over
a different network segment, a configuration known as a
demilitarized zone (DMZ)
Isolating local versus WAN Notes named networks so local users can
see only local Domino servers
When the use of a different TCP/IP port map is needed for firewall
connections
For a configuration with multiple addresses and one NIC, you must
configure the TCP/IP stack and bind each listening port to an IP address.
Partitioned servers and IP addresses
When you set up a Domino partitioned server, it is usually best to assign
a separate IP address to each partition and use a separate NIC for each.
Using a separate NIC for each address can make the computer's I/O
much faster.
Lotus Domino is designed to listen for TCP/IP connections on all NICs in
a computer system. If more than one partition is hosting the same service
(NRPC, SMTP, POP3, IMAP, LDAP, or HTTP), fine-tune which partitions
listen for which connections by associating each service's TCP port with a
specific IP address.
For more information on associating services with IP addresses, see the
topics Binding an NRPC port to an IP address and Binding an
Internet service to an IP address later in this chapter.
As an alternative to using a separate NIC for each IP address, you can
use a single NIC and still assign a separate IP address to each partition.
For more information, see the topic Assigning separate IP addresses to
partitions on a system with a single NIC later in this chapter.
If you are unable to assign a separate IP address to each partition, you
can use port mapping.
For more information on port mapping, see the topic Configuring a
partitioned server for one IP address and port mapping later in this
chapter.
Note As an alternative to port mapping, you can use port address
translation (PAT), in which a firewall redirects the TCP port connection
to a different TCP port. Both port mapping and PAT require advanced
skills to implement correctly.
chi-ethernet               10.20.20.2
chicago           CNAME    chi-ethernet
chi-tokenring              10.10.10.1
chicago           CNAME    chi-tokenring
3. Change the name of the original Notes network port for TCP/IP to
TCPIP1, and name the second port TCPIP2.
4. Use the NOTES.INI file to bind TCPIP1 to the IP address for the
Ethernet network and to bind TCPIP2 to the IP address for the Token
Ring network.
5. In the Server document's Net Address field for each TCP/IP port,
enter chicago.
6. On the Ethernet users' workstations, set the DNS name lookup scope
to east.acme.com, and on the Token Ring users' workstations, set it to
west.acme.com.
User-to-server access and server-to-server access via different DNS
subdomains
If users need to access a Domino server over the LAN and other Domino
servers need to access the same server over the WAN, add a second NIC
to the server. Then use DNS to direct the users to the NIC for the LAN
and to direct other servers to the NIC for the WAN.
1. Assign an IP address to each NIC by creating an A record (or, for
IPv6, AAAA record) in DNS. Use the ping command and the IP
address to test the responsiveness of the NIC.
Note If the Domino server is running Windows and there is a route
between the two networks, prevent the NetBIOS broadcasts from
exiting from both adapters by using the Windows Control Panel to
disable one instance of the WINS client. Use the Bindings tab of the
Network dialog box, select All Adapters, and select the name of the
NIC for which you want to disable WINS.
Example
At the Acme company, some users connect to the Domino server
Chicago/Sales/Acme over an Ethernet network, others over a Token
Ring network. Register the Domino server with DNS as
chicago.east.acme.com for the users on the Ethernet network and as
chicago.west.acme.com for users on the Token Ring network.
2. Create two CNAME records in DNS for the Domino server, linking
the server's common name to each NIC name in the A records.
(Using CNAME records for the Domino server provides diagnostic
fidelity to test the network pathway independently of the server's
name resolution.)
3. Add a second Notes network port for TCP/IP in Domino.
For more information, see the topic Adding a network port on a
server later in this chapter.
4. Bind each TCP/IP port to the IP address of the appropriate NIC. On
the server console, verify that both TCP/IP ports are active and
linked to the correct IP address.
For more information on binding ports to IP addresses, see the topic
Binding an NRPC port to an IP address later in this chapter.
5. To direct the Domino server's first outbound connection to the
server-to-server network, edit the PORT setting in the NOTES.INI
file to read as follows:
PORT=serverportname, userportname
1. Create the following SOA table entries in DNS for the subdomain
boston.acme.com:
usr-bostonapp04            103.210.20.2
bostonapp04       CNAME    usr-bostonapp04
2. Create the following SOA table entries in DNS for the subdomain
domino.acme.com:
srv-bostonapp04            103.210.41.1
bostonapp04       CNAME    srv-bostonapp04
3. Change the name of the original Notes network port for TCP/IP to
TCPIP1, and name the second port TCPIP2.
4. Use the NOTES.INI file to bind TCPIP1 to the IP address for the user
network, to bind TCPIP2 to the IP address for the server-to-server
network, and to add the setting PORT=TCPIP2, TCPIP1.
5. In the Server document's Net Address field for port TCPIP1, enter
bostonapp04.boston.acme.com. For port TCPIP2, enter
bostonapp04.domino.acme.com.
6. On each user's workstation, set the DNS name lookup scope to
boston.acme.com. In the TCP/IP stacks of the servers that need to
connect to this server, set the name lookup scope to
domino.acme.com.
Example
At the Acme company, users connect to the Domino server
BostonApp04/Sales/Acme over the LAN, and other Domino servers
access it privately over the WAN. You register the server with DNS as
bostonapp04.boston.acme.com for the LAN users and as
bostonapp04.domino.acme.com for the server-to-server network over the
WAN.
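The BostonApp04 configuration relies on the DNS lookup scope on each side choosing a different CNAME chain for the same short name. The following is an added model of that resolution, not Domino code or IBM's; the zone data is constructed from the example's entries, and the resolver is a minimal stand-in for a TCP/IP stack with one search domain.

```python
"""Model of the split DNS setup in the BostonApp04 example: the user
subdomain and the server-to-server subdomain each map the same short
name to a different NIC. Added example, not part of the Domino product;
the zone data below is constructed from the example's SOA table entries."""

# Constructed zone data: owner name -> (record type, target).
ZONES = {
    "usr-bostonapp04.boston.acme.com": ("A", "103.210.20.2"),
    "bostonapp04.boston.acme.com": ("CNAME", "usr-bostonapp04.boston.acme.com"),
    "srv-bostonapp04.domino.acme.com": ("A", "103.210.41.1"),
    "bostonapp04.domino.acme.com": ("CNAME", "srv-bostonapp04.domino.acme.com"),
}

MAX_CNAME_CHAIN = 8   # guard against CNAME loops in bad zone data

def resolve(name, search_scope, zones=ZONES):
    """Resolve like a stub resolver with one search domain.

    A simple host name (no dot) is qualified with the lookup scope; a name
    containing a dot is tried as given, so an FQDN in the Net Address field
    resolves the same way regardless of the client's scope. CNAMEs are
    followed. Returns the IPv4 address or None.
    """
    fqdn = name.rstrip(".")
    if "." not in fqdn:
        fqdn = fqdn + "." + search_scope
    return _chase(fqdn.lower(), zones)

def _chase(fqdn, zones):
    for _ in range(MAX_CNAME_CHAIN):
        record = zones.get(fqdn)
        if record is None:
            return None
        rtype, target = record
        if rtype == "A":
            return target
        fqdn = target.lower()             # CNAME: follow the alias
    return None                           # chain too long or looping

def nic_for_client(net_addresses, ports_order, search_scope, zones=ZONES):
    """Address a client in the given scope reaches for each Notes port.

    net_addresses: port name -> Net Address field value
    ports_order:   the NOTES.INI port list (first = preferred outbound port)
    Returns [(port, address), ...] in NOTES.INI order.
    """
    return [(p, resolve(net_addresses[p], search_scope, zones)) for p in ports_order]

def distinct_nics(net_addresses, ports_order, search_scope, zones=ZONES):
    """True if every port resolves and no two ports land on the same NIC."""
    addrs = [a for _, a in nic_for_client(net_addresses, ports_order, search_scope, zones)]
    return None not in addrs and len(set(addrs)) == len(addrs)

if __name__ == "__main__":
    # Users qualify the short name with boston.acme.com; servers use domino.acme.com.
    print(resolve("bostonapp04", "boston.acme.com"))    # user NIC
    print(resolve("bostonapp04", "domino.acme.com"))    # server-to-server NIC
    ports = {"TCPIP1": "bostonapp04.boston.acme.com",
             "TCPIP2": "bostonapp04.domino.acme.com"}
    print(nic_for_client(ports, ["TCPIP2", "TCPIP1"], "domino.acme.com"))
```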
                               Server response
IPv4
IPv4 address mapped to IPv6    Attempts to make an IPv6 connection and waits
                               for the TCP/IP software to make either an IPv6
                               or IPv4 connection, depending on the remote
                               system's TCP/IP stack.
IPv6
Server name
The risks of using NetBIOS involve the security of the file system on
Domino servers. Depending on the access permissions of the operating
system and on the transport protocol being used, NetBIOS name and file
services might allow users to see or access the server's file system. When
a server provides NRPC services, mitigate this risk by disabling the
NetBIOS name and file services (SMB/CIFS) on the system so that the
system's name cannot be seen over the network. Other Notes/Domino
systems can still find the Domino server because Lotus Domino has its
own NetBIOS name service to propagate and register the Domino
server's NetBIOS name, but access is secure because it is controlled by
the authentication and certification features in NRPC.
If the system on which you run Domino requires NetBIOS name or
authentication services, mitigate the security risk by isolating the
NetBIOS services. Install an additional NIC on the system for NetBIOS
over a private administration network, and disable NetBIOS on the NIC
that the Domino server uses.
How to tell if NetBIOS is active on a system
The following are indications that NetBIOS is active:
For detailed system requirements for using NetBIOS with Lotus Domino,
see the Release Notes.
For NetBIOS over NetBEUI, the NIC's 32-bit MAC address is used.
For NetBIOS over IPX, the IPX node number is used. In most cases,
this number is the same as the NIC's 32-bit MAC address. For
information on how IPX node numbers are assigned and how to
change them, see the Novell documentation.
Note NetBIOS name space is flat, even with TCP/IP. If the client is not
within the same DNS domain level, access by name may not be possible.
Naming Domino servers on NetBIOS
NetBIOS names are limited to 15 characters. If the common name of the
Domino server is longer than 15 characters, NetBIOS truncates the name.
On NetBIOS over IPX, early versions of the resolver may confuse server
names if the first eight characters of the names are the same.
Caution The resolution of a Domino server name can be adversely
affected if the server name is the same as the NetBIOS name for a
Windows system.
To prevent this problem without making it difficult to manage system
files remotely, do the following:
On Windows NT, assign one name as the Domino server common
name and then alter that name slightly for the system name by
adding a preface such as NT-. In the Network dialog box on the
Windows NT Control Panel, specify the name in two places: the
Identification tab and the Protocols - TCP/IP properties - DNS tab.
On Windows 2000, add a preface such as W2K- to the system
name, using the Network Identification tab on the System
Properties dialog box.
For more information on the NetBIOS name service, see Microsoft's
resource kit documentation for the Windows NT and 2000 operating
systems.
When you use the Novell Bindery Service with Lotus Domino, note the
following:
The NetWare server must not be more than one hop away from a
Domino server.
The NetWare server must not be more than one hop away from a
Notes workstation when the workstation connects to a Domino
server over a WAN.
While not required, it is best if the NetWare server is not more than a
few hops away from any Notes workstation.
If Lotus Domino and the NetWare server are on different LANs, make
sure that local routers are not filtering Bindery Service or NDS NetWare
Core Protocol (NCP) broadcasts.
The IPX protocol stack service (Novell or Microsoft) on a Domino server
or Notes workstation must point to the local NetWare server as its
preferred server and/or preferred tree. Other Domino servers or Notes
workstations do not need to access the same local NetWare server as
their preferred server or tree.
A Domino server can access only one NIC for the IPX protocol and only
one instance of the SPX port driver. Make sure you have not bound the
IPX protocol to more than one NIC or frame type on the system that is
running the Domino server.
Note The use of TCP/IP tunneling of NRPC-IPX/SPX connections is not
supported.
Note NDS access is supported only over the IPX/NCP protocol.
For detailed system requirements for using Lotus Domino on IPX/SPX,
see the Release Notes.
Both NDS and Bindery Service: If both services are installed, the
Notes workstation or Domino server tries an NDS lookup first. If the
NDS lookup fails, the workstation or server tries a Bindery lookup.
After you install and set up a Domino server, you use the Domino
Administrator to select which NetWare service you want the Domino
server to use.
For background information on how the Notes Name Service works with
name-resolver services such as those for NetWare, see the topic Resolving
server names to network addresses in NRPC earlier in this chapter.
For information on setting up NDS to work with Lotus Domino, see the
appendix Novell Directory Service for the IPX/SPX Network.
Naming Domino servers on a NetWare Bindery Service network
The NetWare Bindery Service uses the common name of the Domino
server as the server name in the Bindery. For example, the Domino
server name Chicago/Midwest/Acme becomes CHICAGO in the
NetWare Bindery. To name a Domino server that uses the Bindery
Service, choose a common name that is unique within the Bindery and
contains no more than 48 characters. In addition, do not use any of these
characters: slash (/), backslash (\), colon (:), semicolon (;), plus (+),
comma (,), asterisk (*), question mark (?).
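The NetBIOS and Bindery naming limits in the two topics above (15-character NetBIOS truncation, the 8-character prefix that early IPX resolvers compare, a Windows system name equal to the Domino common name, and the 48-character and forbidden-character Bindery rules) are easy to break when many servers are registered. The following pre-deployment check is an added example, not Domino code; the server names in its test data are constructed.

```python
"""Check Domino server common names against the NetBIOS and NetWare
Bindery naming limits described in this chapter. Added example, not
IBM/Lotus code; all sample names are constructed."""

NETBIOS_NAME_LEN = 15        # NetBIOS truncates longer names
IPX_RESOLVER_PREFIX = 8      # early NetBIOS-over-IPX resolvers compare only this many
BINDERY_MAX_LEN = 48
BINDERY_FORBIDDEN = set("/\\:;+,*?")

def common_name(hierarchical_name):
    """'Chicago/Midwest/Acme' -> 'Chicago' (the part the Bindery and NetBIOS see)."""
    return hierarchical_name.split("/")[0].strip()

def netbios_name(cn):
    """The name NetBIOS actually registers: truncated to 15 characters, upper case."""
    return cn[:NETBIOS_NAME_LEN].upper()

def check_server_names(server_names, windows_system_names=()):
    """Return (code, server, detail) findings for a set of hierarchical server names.

    windows_system_names: NetBIOS names of Windows hosts on the same network;
    a Domino common name equal to one of them can break name resolution.
    """
    findings = []
    by_netbios = {}            # registered NetBIOS name -> first server using it
    by_prefix = {}             # 8-character prefix -> first server using it
    windows = {n.upper() for n in windows_system_names}
    for full in server_names:
        cn = common_name(full)
        nb = netbios_name(cn)
        if len(cn) > NETBIOS_NAME_LEN:
            findings.append(("netbios-truncated", full, nb))
        if nb in by_netbios:
            findings.append(("netbios-collision", full, by_netbios[nb]))
        else:
            by_netbios[nb] = full
            prefix = nb[:IPX_RESOLVER_PREFIX]
            if prefix in by_prefix:
                findings.append(("ipx-prefix", full, by_prefix[prefix]))
            else:
                by_prefix[prefix] = full
        if nb in windows:
            # Advice from the chapter: rename the Windows system with a prefix such as NT- or W2K-.
            findings.append(("windows-name-clash", full, nb))
        if len(cn) > BINDERY_MAX_LEN:
            findings.append(("bindery-length", full, len(cn)))
        bad = "".join(sorted(BINDERY_FORBIDDEN & set(cn)))
        if bad:
            findings.append(("bindery-chars", full, bad))
    return findings

if __name__ == "__main__":
    # Constructed names: two servers whose first eight characters match.
    for f in check_server_names(["Chicago-East/Sales/Acme", "Chicago-West/Sales/Acme"],
                                windows_system_names=["CHICAGO-EAST"]):
        print(f)
```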
When the common name of a Domino server is added to the Bindery,
the Bindery converts multibyte characters to hexadecimal characters,
Installed any network software required for the protocols. For more
information, see the vendor's documentation.
After you install the server, you use the Domino Server Setup program to
accept network defaults or customize network settings.
After you run the setup program, you may need to complete one or more
of these tasks to finish setting up Lotus Domino on the network:
For more information, see the chapter Installing and Setting Up Domino
Servers.
6. In the Notes Network field for each port, enter a new name for the
server's Notes named network. The name can include space
characters.
7. Click Save and Close.
Note On a Notes workstation, you use the User Preferences dialog box
to change port setup.
For more information on changing port preferences on a workstation, see
Lotus Notes 6 Help.
Disabling a network port on a server
Even after you disable a port, it still appears in the list of available ports
so that you can later enable it.
1. From the Domino Administrator or Web Administrator, click the
server on which you want to disable a port.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator's Tools pane, choose Server Setup Ports.
From the Web Administrator's Port tool, choose Setup.
5. Click OK.
6. Click the Server - Status tab.
7. Do one of these so that the change takes effect:
From the Domino Administrator's Tools pane, choose Restart Port.
(If you can't see the Tools pane, make sure you are in the Server
Tasks view.)
From the Web Administrator's Ports tool, choose Restart.
8. In the Server document, on the Ports - Notes Network Ports tab,
specify Disabled next to the name of the port you are disabling.
9. Save the Server document.
Enabling a network port on a server
If the server port you want to enable will be the Notes workstations only
means of connecting with the server, do not use this procedure. Instead,
use the Ports setting in the server's NOTES.INI file.
For more information, see the appendix NOTES.INI File.
For information on creating a Connection document on a Notes
workstation, see Lotus Notes 6 Help.
To enable a network port
1. From the Domino Administrator or Web Administrator, click the
server on which you want to enable a port.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator's Tools pane, choose Server Setup Ports.
From the Web Administrator's Port tool, choose Setup.
4. Select the port you want to enable, and then select Port enabled.
5. Click TCP/IP Options, LANx Options, SPX Options, or COMx
Options, and specify information as appropriate.
For more information on TCP/IP, LANx, and SPX options, see the
topics Changing the TCP/IP connection time-out interval,
Defining a NetBIOS LANA number for a Notes network port, and
Defining a server's NetWare name service in Lotus Domino later
in this chapter.
For more information on COMx options, see the chapter Setting Up
Server-to-Server Connections.
6. Click OK.
4. Select the port you want to disable, and then deselect Port enabled.
In the Server document, click the Ports - Notes Network Ports tab,
and edit these fields as necessary:
Port
Notes Network
Net Address
From the Domino Administrator's Tools pane, choose Server - Setup Ports.
From the Web Administrator's Port tool, choose Setup.
4. Select the port for which you want to turn on compression.
Note Make sure Port enabled is selected for that port.
5. Select Compress network data.
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
From the Domino Administrator's Tools pane, choose Restart Port.
(If you can't see the Tools pane, make sure you are in the Server
Tasks view.)
From the Web Administrator's Ports tool, choose Restart.
3. Do one of these:
The name of the user's home server cannot be resolved over TCP/IP.
Server-to-server communication
If you add a second Notes network port for TCP/IP in order to isolate
server-to-server communication (for example, a private network for
cluster replication), list this port first in the NOTES.INI file so that
server-to-server traffic will tend to occur over this connection, thus
decreasing the data flow on the port for the user network. To change the
port order in the NOTES.INI file, use the Port Setup dialog box.
For more information, see the topic Reordering network ports on a
server earlier in this chapter.
Note If you are setting up a private cluster network and do not list the
server port first, you must add the setting Server_Cluster_Default_Port
to the NOTES.INI file. The disadvantage of adding this setting is that if
the server encounters a problem connecting over this port, it will not try
another port, and replication will not occur.
For more information on the Server_Cluster_Default_Port setting, see the
appendix NOTES.INI File.
Workstation-to-server communication
If a Domino server has a port for workstations to connect on (for
example, over a LAN) and another port for servers to connect on (for
example, over a WAN), list the workstation port first in the Server
document so that users see only servers on the LAN when they choose
File - Database - Open.
To reorder the ports in the Server document, click the Ports - Notes
Network Ports tab, and edit the fields in the table.
Ports=TCPIPportname
TCPIPportname=TCP, 0, 15, 0
4. (Optional) To help you later remember the function of each port, add
the default TCP port number for NRPC to the end of the line you
entered in Step 3, as follows:
:1352
Caution Do not change the assigned TCP port number unless you
have a way to redirect the inbound connection with Domino port
mapping or a firewall that has port address translation (PAT).
In a situation where you must change the default NRPC port
number, see the topic Changing a TCP or SSL port number later in
this chapter.
2. In the NOTES.INI file, confirm that these lines appear for each port
that you added:
Service   Setting
POP3      POP3NotesPort=portname
IMAP      IMAPNotesPort=portname
SMTP      SMTPNotesPort=portname
LDAP      LDAPNotesPort=portname
ICM       ICMNotesPort=portname
where portname is the name of the NRPC port the service should use.
Example
The following example shows the lines to add to the Ports section of
the NOTES.INI file to bind two NRPC ports to their IP addresses and to
specify the second NRPC port for the SMTP service:
Ports=TCPIP, TCPIP2
TCPIP=TCP, 0, 15, 0
TCPIP_TCPIPAddress=0,10.33.52.1
TCPIP2=TCP, 0, 15, 0
TCPIP2_TCPIPAddress=0, 209.98.76.10
SMTPNotesPort=TCPIP2
Note Domino adds the Ports= line and the port driver lines
(TCPIP=TCP, 0, 15, 0 and TCPIP2=TCP, 0, 15, 0) when you use either
the Domino Server Setup program or the Domino Administrator's
Setup Ports dialog box to enable a port. The _TCPIPAddress lines and
the SMTPNotesPort line are the ones you add by hand.
where 9.88.43.113 is the IP address for both the partition and the Web
site sales.acme.com and 9.88.46.110 is the IP address for the Web site
accounting.acme.com.
Example 2 Server partition with virtual servers
The partition's host name is app01 and there are two virtual servers
(9.88.46.114 and 9.88.46.115) and one virtual host configured for it. Enter
the following in the Host name(s) field:
9.88.43.113;9.88.46.114;9.88.46.115
where 9.88.43.113 is the IP address for both the partition and the
virtual host sales.acme.com, 9.88.46.114 is the IP address for virtual
server 1 (accounting.acme.com), and 9.88.46.115 is the IP address for
virtual server 2 (northeastsales.acme.com).
For information on Web sites and Internet Site documents, see the
chapter Installing and Setting Up Domino Servers.
where device is the device name of the NIC, and n is a number that
increments for each file name. The /etc/hostname.hme0 file should
already exist and contain the computer host name.
For example, if /etc/hostname.hme0 contains the name Server1,
create:
/etc/hostname.hme0:1
where n is the number you created in Step 2 for each file name, and
IP_address is the address assigned to the corresponding server in Step
1. For example:
/sbin/ifconfig hme0 plumb
/sbin/ifconfig hme0:1 111.123.11.96
/sbin/ifconfig hme0:2 111.123.11.22
where n is the number assigned to the file that contains the server
name. For example:
/sbin/ifconfig hme0:1 up
/sbin/ifconfig hme0:2 up
Sun Solaris
This procedure is for Sun Solaris 2.6. You must have superuser privileges
to configure the NIC.
where n is the number assigned to the file that contains the server
name. For example:
/sbin/ifconfig hme0:1 down
To configure server partitions to share the same IP address and the same
NIC, you use port mapping. With port mapping, you assign a unique
TCP port number to each server partition and designate one partition to
perform port mapping. The port-mapping partition listens on port 1352
and redirects Notes and Domino connection requests to the other
partitions.
If the port-mapping partition fails, existing sessions on the other
partitions remain connected. In most cases, Notes clients will not be able
to open new sessions on any of the partitions. However, because each
Notes client maintains information in memory about recent connections,
including those redirected by the port-mapping partition, a client may be
able to connect to a partition even when the port-mapping partition is not
running. A client or remote server that has a Connection document
containing both the IP address and the assigned port can always access
the port-mapping partition.
Because the port-mapping partition requires extra system resources,
consider dedicating the partition to this task only. To do this, remove all
other server tasks, such as mail routing and replication, from the
partition's NOTES.INI file.
Port mapping works for NRPC communication only. However, you can
use the Server document in the Domino Directory to configure IMAP,
LDAP, and POP3 services and Domino Web servers to use unique ports
for communication. When you do, you must make the port number
available to users when they try to connect to the servers.
Note Because Internet protocols carry a large amount of data, you may
encounter I/O bottlenecks if you use a single NIC with too many server
partitions. Consider adding additional NICs and isolating the data by
protocol.
To configure for one IP address and port mapping
When you set up port mapping, the port-mapping partition
automatically routes NRPC communication requests to the other server
partitions.
1. Decide which server partition will perform port mapping.
2. Choose a unique TCP/IP port number for each server partition on
the computer. The port-mapping partition uses the assigned port,
1352. It is best to use port numbers 13520, 13521, 13522, 13523, or
13524 for the additional server partitions.
where TCPIP is the port name, and IPAddress is the IP address of the
port-mapping partition.
In the NOTES.INI file of the port-mapping partition, add one line for
each of the other partitions:
TCPIP_PortMappingNN=CN=server_name/O=org,IPaddress:TCP/IP port number
Example
This example shows the lines you add to the NOTES.INI files of the
other server partitions to set up port mapping for six partitions. Each
partition binds the shared IP address with its own unique port number.
Partition 2
TCPIP_TcpIpAddress=0,192.94.222.169:13520
Partition 3
TCPIP_TcpIpAddress=0,192.94.222.169:13521
Partition 4
TCPIP_TcpIpAddress=0,192.94.222.169:13522
Partition 5
TCPIP_TcpIpAddress=0,192.94.222.169:13523
Partition 6
TCPIP_TcpIpAddress=0,192.94.222.169:13524
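The validator below is an added example; it is not part of this documentation or of Domino itself. It reads a NOTES.INI fragment and checks the port lines shown in the two preceding examples (bound NRPC ports with their *NotesPort settings, and the port-mapping table): every port in Ports= has a driver line, every TCP driver line is enabled in Ports=, no two ports bind the same address and port number, *NotesPort keys are spelled correctly and point at an enabled port, and the PortMappingNN entries are numbered without gaps and never target 1352. The INI fragments at the bottom are constructed for the example (the addresses are the ones used above); the constant and function names are the example's own.

```python
"""Sanity-check the NRPC port lines of a Domino NOTES.INI fragment.

Added example, not Domino code. Catches the slips that hand-editing
NOTES.INI introduces: a port listed in Ports= with no driver line, a
driver line for a port that Ports= does not enable, two ports bound to
one ip:port, a misspelled *NotesPort key, and a port-mapping table with
a gap or a 1352 target.
"""
import re
from typing import Dict, List, Tuple

NOTESPORT_KEYS = ("SMTPNOTESPORT", "POP3NOTESPORT", "IMAPNOTESPORT",
                  "LDAPNOTESPORT", "ICMNOTESPORT")
DRIVER_RE = re.compile(r"^TCP\s*,", re.IGNORECASE)          # TCPIP=TCP, 0, 15, 0
ADDR_RE = re.compile(r"^0\s*,\s*(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$")
MAP_RE = re.compile(r"^(CN=[^,]+),\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_ini(text: str) -> Dict[str, str]:
    """NOTES.INI is key=value per line; Domino treats keys case-insensitively,
    so keys are upper-cased. Only the first '=' splits key from value, which
    keeps 'CN=.../O=...' port-mapping values intact."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def check_ports(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the fragment is clean."""
    ini = parse_ini(text)
    findings: List[str] = []
    ports = [p.strip().upper() for p in ini.get("PORTS", "").split(",") if p.strip()]
    if not ports:
        findings.append("Ports= is missing or empty")

    # Every enabled port needs a driver line; every TCP driver line should be enabled.
    for name in ports:
        if name not in ini:
            findings.append(f"{name} is listed in Ports= but has no {name}=TCP,... driver line")
    for key, value in ini.items():
        if DRIVER_RE.match(value) and key not in ports:
            findings.append(f"{key} has a TCP driver line but is not listed in Ports= (typo in Ports=?)")

    # Two ports on one machine must not bind the same ip:port (unbound = all interfaces, 1352).
    bound: Dict[Tuple[str, int], str] = {}
    for name in ports:
        addr = ini.get(f"{name}_TCPIPADDRESS")
        if addr is None:
            continue
        m = ADDR_RE.match(addr)
        if not m:
            findings.append(f"{name}_TCPIPAddress has an unexpected form: {addr}")
            continue
        ip, port = m.group(1), int(m.group(2) or 1352)
        if (ip, port) in bound:
            findings.append(f"{name} and {bound[(ip, port)]} both bind {ip}:{port}")
        bound[(ip, port)] = name

    # *NotesPort settings must be spelled correctly and point at an enabled port.
    for key, value in ini.items():
        if not key.endswith("NOTESPORT"):
            continue
        if key not in NOTESPORT_KEYS:
            findings.append(f"{key} is not a recognised *NotesPort setting (typo?)")
        elif value.upper() not in ports:
            findings.append(f"{key} refers to {value}, which is not listed in Ports=")

    # Port-mapping table on the mapping partition: contiguous numbering, sane targets.
    for name in ports:
        prefix = f"{name}_PORTMAPPING"
        entries = sorted((k[len(prefix):], v) for k, v in ini.items() if k.startswith(prefix))
        targets = set()
        for i, (idx, value) in enumerate(entries):
            if idx != f"{i:02d}":
                findings.append(f"{prefix} entries must run 00, 01, ... without gaps; found {idx}")
            m = MAP_RE.match(value)
            if not m:
                findings.append(f"{prefix}{idx} has an unexpected form: {value}")
                continue
            port = int(m.group(3))
            if port == 1352:
                findings.append(f"{prefix}{idx} targets 1352, the mapping partition's own port")
            if port in targets:
                findings.append(f"{prefix}{idx} reuses target port {port}")
            targets.add(port)
    return findings


# Constructed fragments; addresses are the documentation's own examples.
GOOD_INI = """
Ports=TCPIP, TCPIP2
TCPIP=TCP, 0, 15, 0
TCPIP_TCPIPAddress=0,10.33.52.1
TCPIP2=TCP, 0, 15, 0
TCPIP2_TCPIPAddress=0, 209.98.76.10
SMTPNotesPort=TCPIP2
"""
# Same fragment with two one-character slips: TCP1P2 in Ports= and SMPTNotesPort.
BAD_INI = (GOOD_INI.replace("Ports=TCPIP, TCPIP2", "Ports=TCPIP, TCP1P2")
                   .replace("SMTPNotesPort", "SMPTNotesPort"))
MAP_INI = """
Ports=TCPIP
TCPIP=TCP, 0, 15, 0
TCPIP_TCPIPAddress=0,192.94.222.169
TCPIP_PortMapping00=CN=Server2/O=Acme,192.94.222.169:13520
TCPIP_PortMapping01=CN=Server3/O=Acme,192.94.222.169:13521
TCPIP_PortMapping02=CN=Server4/O=Acme,192.94.222.169:13522
"""

if __name__ == "__main__":
    for label, ini in (("good", GOOD_INI), ("bad", BAD_INI), ("map", MAP_INI)):
        print(label, check_ports(ini) or "OK")
```

Run it against a copy of the real NOTES.INI before restarting the port: a port that Ports= names but never defines silently fails to start, and a misspelled SMTPNotesPort leaves SMTP listening on the port you meant to keep private.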
Default TCP and SSL port numbers for Domino Internet services:
Service             TCP port   SSL port
POP3                110        995
IMAP                143        993
LDAP                389        636
SMTP inbound        25         465
SMTP outbound       25         465
HTTP                80         443
IIOP                63148      63149
Server Controller   N/A        2050
Note Make sure that your IP host names do not contain illegal
characters such as spaces, underscores, or ampersands.
5. If you use the Network Information Service (NIS), make sure that
you have properly configured the UNIX system for NIS. Make sure
that the NIS hosts map contains the server name and IP address of
every Domino server with which you want to communicate.
6. Depending on your name-resolution practices, do one of the
following:
If your Domino server names are the same as the DNS host names,
make sure you have followed the instructions in the topics
Ensuring DNS resolves on Windows systems - All TCP
protocols, Ensuring DNS resolves in NRPC - Best practices, and
Ensuring DNS resolves in advanced TCP/IP configurations.
If your Domino server names are different from the DNS host
names, use the ping command to verify that all of the DNS names
which represent the Domino server are responding from the
correct network areas, as well as the Domino server name, if
needed.
If you are using IP addresses in Connection documents, use the
ping command to verify the IP address itself.
If you are using network address translation (NAT), verify that
access is possible from both the internal network and external
Internet using the appropriate IP addresses. If you are using
name-resolver services, make sure that the external DNS offers out
the public address and the internal DNS offers out the private
address.
For more information on the last three practices in Step 6, see the topic
Ensuring DNS resolves in NRPC - Alternative practices earlier in this
chapter.
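The two checks below are an added example for steps 4 to 6 above; they are not Domino's code. hostname_problems() rejects host names that use characters DNS does not allow, which covers the spaces, underscores and ampersands the Note above forbids, and split_horizon_problems() verifies that a server behind NAT is published the way the last practice in Step 6 requires: the internal DNS hands out the private address and the external DNS hands out the public one. DNS answers are passed in as lists so the check runs without a network; resolve() shows how to obtain them from the local resolver. The host names, addresses and function names are assumptions made for the example.

```python
"""Name-resolution checks for a Domino server behind NAT (added example).

hostname_problems(): is the name legal in DNS (RFC 1123 labels)?
split_horizon_problems(): does the internal DNS return only private
addresses and the external DNS only public ones?
"""
import ipaddress
import re
import socket
from typing import List

# One host label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def hostname_problems(name: str) -> List[str]:
    """Return the reasons name is not a legal DNS host name (empty list = legal)."""
    problems: List[str] = []
    if len(name) > 253:
        problems.append("name is longer than 253 characters")
    for label in name.rstrip(".").split("."):
        if not LABEL_RE.match(label):
            # catches spaces, underscores, ampersands, empty labels, leading hyphens
            problems.append(f"label {label!r} is not a legal DNS label")
    return problems


def resolve(host: str) -> List[str]:
    """Addresses the local resolver returns for host (live lookup; not used offline).
    Run it once from inside the NAT and once from outside to obtain the two lists."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def split_horizon_problems(host: str, internal: List[str], external: List[str]) -> List[str]:
    """internal/external are the A-record answers from the internal and external DNS.
    Inside the NAT, clients must get the private address; outside, only the public one."""
    problems: List[str] = []
    if not internal:
        problems.append(f"internal DNS has no address for {host}")
    if not external:
        problems.append(f"external DNS has no address for {host}")
    for addr in internal:
        if not ipaddress.ip_address(addr).is_private:
            problems.append(f"internal DNS answers {addr}, a public address; "
                            f"inside clients would hairpin through the NAT")
    for addr in external:
        if not ipaddress.ip_address(addr).is_global:
            problems.append(f"external DNS answers {addr}, which leaks a private address")
    return problems


if __name__ == "__main__":
    # Constructed answers: private address inside, public address outside.
    print(hostname_problems("sales_01.acme.com"))
    print(split_horizon_problems("mail.acme.com", ["10.33.52.1"], ["209.98.76.10"]))
```

A Domino server name that passes hostname_problems() can still differ from the DNS host name; in that case ping both, as Step 6 says, because the check only proves the name is resolvable in principle, not that the record exists.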
4. If you use DNS, make sure that you have properly configured the
TCP/IP software on this system to query the correct DNS server.
Make sure that your DNS records include the server name and IP
address of every Domino server with which you want to
communicate.
Protocol (Network Route name)   Description
NwlnkNb                         Novell NetBIOS (NWLink)
Nbf                             NetBEUI
NetBT                           NetBIOS over TCP/IP
Some protocols can be associated with multiple LANA numbers, one for
each network card or dialup network interface. For example, the
Network Route entry Nbf->Elnk3 is NetBEUI on a 3Com Etherlink III
card, and Nbf->NdisWan5 is NetBEUI on a Microsoft Remote Access
Service (RAS) connection.
To find the LANA number for a NetBIOS protocol on a Windows
95/98, XP, or 2000 system
Unlike a Windows NT system, a Windows 95/98, XP, or 2000 system
does not have a direct means to see the LANA associations. For
Windows 95/98, XP, or 2000 systems you can either review the systems
registry bindings or use a Microsoft tool called LANACFG to see and
change the LANA number assignments.
The following is an example of the tools output from a Windows 2000
server. Note that the network route linkages shown are the same as in
Windows NT.
lanacfg [options]
showlanapaths - Show bind paths and component
descriptions for each exported lana
setlananumber - Change the lana number of a bind path
4. Select the Portname port, where Portname is the name of the NetBIOS
port for which you are defining a LANA number.
Make sure that all Domino servers that will access each other have an
interface that uses a common transport protocol. It is best if they are
also in the same Notes named network.
Make sure that the network segments to which the server systems'
NICs are attached do not have a pathway in common. The NetBIOS
name service (NetBIOS over IP) can fail if it detects the same system
name or Domino name echoing back between the pathways. If you
are using both the NetBIOS name service and DNS or a hosts file for
name resolution, make sure that the server name in DNS or the hosts
file is different from the system name.
After you run the Domino Server Setup program, complete these
procedures:
1. Use the Domino Administrator to define a NetWare name service for
the server.
2. If the name service you use is NDS, record the server's NDS
distinguished name in the Server document.
3. (Optional) Control which IPX/SPX address (socket number) the
server uses.
Note NDS names are case-sensitive. Make sure that the NDS tree
object for the Domino server has exactly the same distinguished
name as the one you enter here.
7. Click Save and Close.
Enter SHOW PORT SPX at the console, where SPX is the SPX port
driver name.
If for some reason this saved socket number is in use (for example, if
another application using dynamic sockets allocated the socket), the
Domino SPX server allocates a new socket number and saves it for future
invocations.
NOTES.INI settings referenced in this chapter (see the appendix
NOTES.INI File for their descriptions):
Port settings: portname_MaxSessions, Ports
Internet service and TCP/IP settings: ICMNotesPort, IMAPNotesPort,
LDAPNotesPort, POP3NotesPort, SMTPNotesPort, TCP_EnableIPV6,
TCP/IPportname_PortMappingNN, TCP/IPportname_TCPIPAddress
NetWare settings: NetWareSocket, NetWareSpxSettings, NWNDSPassword,
NWNDSUserID
NWNDSPassword stores a credential in NOTES.INI, so restrict who can
read the server's NOTES.INI file.
Chapter 3
Installing and Setting Up Domino Servers
This chapter describes how to plan a hierarchical name tree and how to
install, set up, and register Domino servers.
The server portion of the path is a script that initializes a UNIX shell
so that Domino programs can run on UNIX.
Server installation
The first step in deploying a Domino server is installation, or copying the
program files to the systems hard drive.
To install Domino, see the following procedures:
Installing Domino on Windows systems
Installing Domino on UNIX systems
For information on installing servers for hosted environments, see the
chapter Setting Up the Service Provider Environment.
Make sure that the required hardware and software components are
in place and working.
Read the Release Notes for operating system and network protocol
requirements and for any last-minute changes or additions to the
documentation.
Make sure that all other applications are closed. Otherwise, you may
corrupt any shared files, and the Install program may not run
properly.
Press the spacebar to change the setting until you get the one you
want.
1. Make sure the Domino server kit is available from your network or
CD ROM drive.
2. Log in to the root account for Domino Server installation.
3. Change to the directory containing the install script.
4. Enter the following at the root command prompt to run the script:
./install
The script prompts for the following:
Prompt                        Action
Program directory             Choose one.
Create /opt/lotus soft link
Data directory                Choose one.
Where filename is the name you want to give to the local script file
that will contain the installation settings.
3. Open the local script file, filename.dat, and set the parameters as
needed. It is usually best to use the default settings, as follows:
Install target host name          parameter = target_hosts
Domino server installation type   Choose the server type that you acquired.
Install template files            template_install_option = 1
Add data directories only         add_data_directories_only = 0
Install xSP server                asp_install_option = 0
Program directory                 Use the directory where Domino stores program files.
Create /opt/lotus soft link       opt_lotus_softlink = 0
Data directory                    Use the directory where Domino stores data files.
UNIX User name                    Person who will own the server configuration data.
UNIX Group name                   The group to which the UNIX User belongs.
4. Save the local file, filename.dat.
5. Log in to the root account from your local system.
6. Switch back to the kit's install directory (CD-ROM or network).
7. To install using the local script file, enter this command at the UNIX
console prompt:
install -script filename.dat
Gives the administrator and the server Manager access in the ACL of
the Domino Directory.
Creates the log file, names it LOG.NSF, and saves it in the Domino
data directory.
Updates the Access Control List in all databases and templates in the
Domino data directory tree to remove Anonymous access and/or
add LocalDomainAdmin access, depending on the selections made
during the setup program.
Copies the server's ID from the location specified during the setup
program, either from a file, a copy of the directory, or the existing
Domino servers directory; names it SERVER.ID; and saves it in the
Domino data directory.
Retrieves the Domain name and Administrator name from the Server
document in the Domino Directory.
Creates the log file, names it LOG.NSF, and saves it in the Domino
data directory.
If DOLS (Domino Off-Line Services) was selected during the setup
program, creates the Off-Line Services file, names it
DOLADMIN.NSF, and saves it in the Domino data directory.
Updates the Access Control List in all databases and templates in the
Domino data directory tree to remove Anonymous access and/or
add LocalDomainAdmin access, depending on the selections made
during the setup program.
3. In the DSAPI filter file names field, enter the DSAPI filter file name
that corresponds to the operating system that the server is running,
and then restart the server:
Win32 - ndolextn
Linux - libdolextn
AIX - libdolextn
Solaris/Sparc - libdolextn
S390 - libdolextn
iSeries - libdolextn
Note On the iSeries platform, the Server document is updated when
a new server is configured or an existing server is modified using the
CFGDOMSVR or CHGDOMSVR CL command with DOLS(*YES)
specified.
For more information on configuring an iSeries server with DOLS,
see the Lotus Domino 6 for iSeries Release Notes.
4. Create a DOLADMIN.NSF database from the template
DOLADMIN.NTF.
5. After the database is created, restart the Domino Administrator and
click the Configuration tab. The name of the DOLADMIN.NSF is an
option in the Navigation pane.
To set up DOLS on clustered servers
Before using DOLS on a clustered Domino 6 server, make sure that:
The Domino server is either a Domino Utility Server or Domino
Enterprise Server.
All servers in the cluster run the same release of Domino with
DOLS
Clustered server management is running to handle both failover
of replication and HTTP
Internet Cluster Manager is running
Subscription directories must have the same name on every
clustered server. For example, if a subscription is under
\data\Webmail user\7CD5957CB669AE2285256BDF00567AD8\,
this name cannot be different on a different server in the cluster.
To configure DOLS on a server that uses Web Site documents
If you create a Web Site Document (a type of Internet Site document) on
the Domino server, you must add the appropriate DOLS DSAPI filter
filename to the DSAPI field in the Web Site document for DOLS to be
enabled.
The server's TCP/IP name, which appears on the DNS tab of the
Network properties - TCP/IP properties box.
The server's common name, which appears on the Basics tab of the
Server document.
The machine name of the fully qualified Internet host name, which
appears on the Basics tab of the Server document.
If there are several Web Site documents, you must add the DSAPI filter
filename to each one. To add the DOLS DSAPI filter filename to a Web
Site document:
CN=Sametime/OU=Sales/O=Acme/C=US
where: CN is the common name, OU is the organizational unit, O is
the organization, and C is the country code
6. Click Save & Close.
7. Repeat Steps 3 through 6 for each person.
Part 4 - Set up the Sametime server
Follow the instructions in the Sametime Installation Guide for installing
Sametime in a Domino domain on a dedicated server. Make sure that the
installation uses the same Domino domain in which the iNotes Web
Access server resides.
Part 5 - Create a Connection Document on the Sametime server
1. From the Domino Administrator, click the Configuration tab.
2. Select the Sametime server's Domino Directory in the Use Directory
on field.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Select Local Area Network in the Connection type field.
6. Enter the iNotes Web Access server's name in the Destination
server field.
7. Enter the source domain of the Sametime server and the destination
domain of the iNotes Web Access server.
8. Click Save & Close.
Part 6 - Create a one-time replica of the Tokens database on the iNotes
Web Access server
The Sametime server implements a security policy to ensure Sametime
clients that establish connections to the Sametime services are
authenticated. This security policy involves the Secrets (stauths.nsf)
database on the Sametime server.
1. Using a Notes client, choose File - Database - Open.
2. Enter the name of the Sametime server (for example,
Sametime/Acme).
3. Enter the Secrets database filename: stauths.nsf
4. Click Open.
5. Choose File -Replication - New Replica.
6. Enter the name of the iNotes Web Access server (for example,
iNotes/Acme)
7. Ensure that the database is replicated to the data directory:
...\domino\data\stauths.nsf.
8. Click OK to create the replica.
Part 7 - Push replication changes from the iNotes Web Access server to
the Sametime server
1. From the Domino Administrator, click the Server tab.
2. Click the Server Console.
3. Enter a push command to replicate the Domino directory to the
Sametime server.
For example: push Sametime/Acme names.nsf
4. Click Send.
5. Enter a push command to replicate the Secrets database to the
Sametime server.
For example: push Sametime/Acme stauths.nsf
6. Click Send.
Part 8 - Copy the Sametime applets to the Sametime server
1. Copy the contents from the Sametime applets folder on the iNotes
Web Access server to the Sametime server. On the iNotes Web
Access server, the applets are located in the sametime directory:
<data directory>\domino\html\sametime
2. Create a folder on the Sametime server in which to copy the iNotes
Web Access Sametime applet files. At a DOS prompt on the
Sametime server, create the folder:
>mkdir <data directory>\domino\html\SametimeApplet
Note The folder name is case-sensitive and must be named
SametimeApplet.
Part 9 - Verify that Sametime works with iNotes Web Access
1. Make sure that replication is complete and the Person documents
exist on the Sametime server.
2. Follow the instructions in the Sametime Installation Guide for
logging in to the Sametime server using the Sametime Connect Client.
Sametime must be functioning properly before you can test whether
it is working with iNotes Web Access clients.
3. Launch iNotes Web Access in a browser and click Chat to test the
Sametime connection.
Use the Server Setup program on the server you are setting up
Use the Server Setup program from a client system or from another
server
Use a setup profile without viewing the setup screens (silent setup)
Note If the chat link does not appear in iNotes Web Access, check the
user's Person document in the Domino Directory. Verify that the name of
the Sametime server in the Sametime server field is correct.
A server setup profile is a file that you use to quickly configure servers.
To create a server setup profile, you run the Server Setup program in
record mode, either at the server you are setting up or from a Windows
client. Creating a server setup profile from a Windows client is easier if
the client has Domino Administrator installed; to create a profile from
a client without Domino Administrator, you need the Java runtime
environment plus some files from the program directory of an installed
Domino server.
For more information, see the topic Entering system commands
correctly earlier in this chapter.
To create a setup profile at a server
1. Install the Domino server program files on the server system, but do
not run the Domino Server Setup program.
2. At the command prompt on the server, from the Domino program
directory, do one of the following:
On a Windows server, enter nserver -record
On a UNIX server, enter server -record
Tip Entering nserver -help or server -help displays the
parameters available for working with server setup profiles.
3. Enter a name and description for the profile.
4. Continue through the setup program.
Domino saves your selections in a file with the name you specified in
Step 3. By default this file is created in the Domino program directory.
To create a setup profile from a Windows client with Domino
Administrator
1. Make sure that you selected Remote Server Setup when you
installed Domino Administrator on the client system.
2. Install the Domino server program files on the server system, but do
not run the Domino Server Setup program.
3. At the command prompt on the client system, from the Notes
program directory, enter
serversetup -record
When you use a setup profile, you choose whether or not to view the
setup screens as you run the profile. Running a profile without viewing
the screens is sometimes referred to as a silent setup.
10. Choose the profile to use. If you don't see the profile you want in the
list, click Browse to locate the directory that contains the profile. To
change the existing profile, select Modify selected profile.
Where myprofile is the name you gave the setup profile and
serveraddress is the host name or network address of the server you
are setting up.
Note If the profile file is not in the root directory, use the profile's
full path in the command.
5. If the profile uses existing server, certifier, or administrator IDs that
require passwords, do the following:
a. Create a text file that contains the passwords for the existing IDs.
The keywords in this file are:
Server=
AddServer=
Certifier=
OUCertifier=
Administrator=
Where myprofile is the name you gave the setup profile and
serveraddress is the host name or network address of the server you
are setting up.
Note If the profile file is not in the root directory, use the profile's
full path in the command.
7. If the profile uses existing server, certifier, or administrator IDs that
require passwords, do the following:
a. Create a text file that contains the passwords for the existing IDs.
Because the file holds these passwords in clear text, restrict who can
read it and delete it as soon as setup completes. The keywords in this
file are:
Server=
AddServer=
Certifier=
OUCertifier=
Administrator=
b. Add a parameter in the command line for the name of the
password file. For example, on Windows enter:
remotesetup -silent c:\myprofile.pds c:\passwd.txt -remote
serveraddress
8. If this is a partitioned server setup, add the = parameter (an equals
sign followed by the path) to the command line to specify the
NOTES.INI file in this partition's Domino data directory. For
example, on Windows enter:
remotesetup -silent c:\myprofile.pds -remote
serveraddress =c:\lotus\domino\data2\notes.ini
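Because the password file in Step 7 holds the passwords of existing ID files in clear text, it deserves the same care as the ID files themselves. The helpers below are an added example (not part of the Domino setup program): they create the file with exclusive-create semantics and owner-only permissions, accept only the five documented keywords, read it back for verification, and overwrite it before deleting it once setup is done. The passwords and the path are placeholders. On Windows the mode argument to os.open is largely ignored; restrict the file with an NTFS ACL instead.

```python
"""Create, verify and scrub the silent-setup password file (added example).

The file format is Keyword=password, one per line, with the keywords
Server, AddServer, Certifier, OUCertifier and Administrator.
"""
import os
from typing import Dict

PASSWORD_KEYWORDS = ("Server", "AddServer", "Certifier", "OUCertifier", "Administrator")


def write_password_file(path: str, passwords: Dict[str, str]) -> str:
    """Write the file; refuse unknown keywords, multi-line values and an existing path.
    O_EXCL means an attacker cannot pre-plant a symlink at path and have us follow it;
    0o600 keeps other local users from reading the passwords (POSIX only)."""
    unknown = sorted(set(passwords) - set(PASSWORD_KEYWORDS))
    if unknown:
        raise ValueError(f"unknown keyword(s): {unknown}")
    for key, value in passwords.items():
        if not value or "\n" in value or "\r" in value:
            raise ValueError(f"{key}= must be a single non-empty line")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        for key in PASSWORD_KEYWORDS:          # stable, documented order
            if key in passwords:
                fh.write(f"{key}={passwords[key]}\n")
    return path


def read_password_file(path: str) -> Dict[str, str]:
    """Parse the file back, rejecting any line the setup program would not understand."""
    result: Dict[str, str] = {}
    with open(path) as fh:
        for line in fh:
            line = line.rstrip("\r\n")
            if not line:
                continue
            key, sep, value = line.partition("=")
            if not sep or key not in PASSWORD_KEYWORDS:
                raise ValueError(f"bad line in {path}: {line!r}")
            result[key] = value
    return result


def scrub_password_file(path: str) -> None:
    """Overwrite the contents, flush to disk, then unlink. Best effort on journaling
    or copy-on-write file systems, but better than leaving the plaintext behind."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\0" * size)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)


if __name__ == "__main__":
    # Placeholder credentials; never commit real ones.
    target = write_password_file("passwd.txt", {"Server": "example-server-pw",
                                                "Certifier": "example-cert-pw"})
    print(read_password_file(target))
    scrub_password_file(target)
```

Typical use is write, run remotesetup -silent with the file as the second argument, then scrub immediately after setup reports success.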
Server registration
Before you install and set up additional servers, you must register them.
In effect, registering a server adds the server to the system. The server
registration process creates a Server document for the server in the
Domino Directory and creates a server ID. After registering and
installing a server, you use the Server Setup program to obtain a copy of
the Domino Directory for the new server and to set up the server to run
particular services and tasks for example, the HTTP service, the Mail
Router, and so on.
Note When setting up an additional server, obtaining the Domino
Directory from the registration server via dialup over a modem is
possible for Windows systems only. For other operating systems, the
additional server must be on the network in order to communicate with
the registration server.
Before you register servers, plan and understand your company's
hierarchical name scheme. The name scheme defines which certifier ID to
use when you register each new server. In addition, make sure that you
have access to each certifier ID, know its password, and have created ID
recovery information for it.
If you have decided to use the Domino server-based certification
authority (CA), you can register servers without access to the certifier ID
file and its password.
For more information on the hierarchical name scheme, see the chapter
Deploying Domino. For information on ID recovery, see the chapter
Protecting and Managing Notes IDs. For more information on using
the Domino server-based CA, see the chapter Setting Up a Domino
Server-based Certification Authority.
The registration server, which is the server that initially stores changes to
documents in the Domino Directory until the Domino Directory
replicates with other servers, must be up and running on the network. To
register servers from your workstation, you must have access to the
registration server and have at least Author access with the Server
Creator and Group Modifier roles in the ACL of the Domino Directory.
When you register a server, Domino does the following:
Creates a server ID for the new server and certifies it with the
certifier ID
Once you set up and start the new server and the create SSL
keying request has replicated to it, the create SSL key ring request
creates the server key ring file and an enable SSL ports request for
the administration server of the Domino Directory
The enable SSL ports request enables all the SSL ports on the new
server and creates a monitor SSL status request for the new server
The monitor SSL status request restarts all of the Internet tasks
currently running on the new server so that the tasks will accept SSL
connections
Registering a server
Note If you have not specified a registration server in Administration
Preferences, this server is by default:
1. If you are supplying the certifier ID, make sure that you have access
to it and that you know its password.
2. If you are using the Domino Administrator and would like the new
server to support SSL, make sure that you have an Internet CA
configured.
3. From the Domino Administrator or Web Administrator, click the
Configuration tab.
4. From the Tools pane, click Registration - Server.
5. If you are using the Domino Administrator, do the following:
a. If you are using the CA process, click Server and select a server
that includes the Domino Directory that contains the Certificate
Authority records, and the copy of the Administration Requests
database (ADMIN4.NSF) that will be updated with the request
for the new certificate. Then click Use the CA Process, select a
CA-configured certifier from the list, and click OK.
b. If you are supplying the certifier ID, select the registration server.
Then click Certifier ID and locate the certifier ID file. Click OK,
enter the password for the certifier ID, and click OK.
c. In the Register Servers dialog box, click Continue if you want to
apply the current settings to all servers registered in this
registration session; otherwise, complete these fields:
Field: Registration Server
Field: Certifier
Note You must use the Domino Administrator if you want to use this
server registration process to configure a new server for SSL.
Field: Internet Certificate Authority
d. Click Continue.
6. If you are using the Web Administrator, do the following:
a. Select a registration server that includes the Domino Directory
that contains the Certificate Authority records, and the copy of
the Administration Requests database (ADMIN4.NSF) that will
be updated with the request for the new certificate.
b. Select a CA-configured certifier from the list, and click OK.
7. In the Register New Server(s) dialog box, complete these fields for
each server that you want to register:
Field: Server name
Field: Server title
Field: Domino domain name
Field: Server administrator name
Field: ID file password
Field: Location for storing server ID
Action: Select In Domino Directory to store the server ID in
the Domino Directory. Select In File to store the server ID file in a
file. Then click Set ID File, select the name and path for the file,
and click Save.
Note You don't see this field from the Web Administrator, as the
server ID is stored in the Domino Directory.
Field: Organization name
Field: Country code
Field: Certifier password
Field: Comment
6. Click Register.
Field: Organizational Unit
Field: Certifier password
Field: Mail certification requests to (Administrator)
Field: Location
Field: Comment
Web Site documents - You create a Web Site document for each Web site hosted on the Domino server.
Accessing the server, such as who can access the server and how.
Service providers need to consider the following when using Internet Site
documents:
Each hosted organization has one Web Site document that can be
created during hosted organization registration. You must create this
initial Web Site document to activate the HTTP protocol. If you have
multiple Web sites, you need one individual Web Site document for
each additional Web site for each organization. If the hosted
organization supports DOLS, the Web Site document must contain
the DSAPI filter file name. For more information, see the
topic To configure DOLS on a server that uses Web Site documents
in this chapter.
You must create one mail protocol Site document (IMAP, POP3, or
SMTP) for each protocol used by each organization.
To enable SSL for a hosted organization, you must enter the server IP
address in the field Host names or addresses mapped to this site
on the Basics tab of the Internet Site document.
Field - Action
Organization
Host names or addresses mapped to this site - (Required for all Internet Site documents) Enter the host names or IP addresses that trigger a connection's use of this Internet Site document. If the site is set up for SSL, you must specify IP addresses.
Domino servers that host this site
4. For all Internet Site documents, complete the settings on the Security
tab.
5. Some Internet Sites require additional configuration. The table below
indicates the Internet Site documents that require additional
configuration, and the locations for settings in those documents for
enabling additional configuration information unique to those
protocols.
Document - Complete
Web Site - Configuration tab; Domino Web Engine tab
IMAP Site and IIOP Site - Configuration tab
For more information about SSL authentication, see the chapter Setting
Up SSL on a Domino Server.
For more information about name-and-password authentication and
anonymous access, see the chapter Setting Up Name-and-Password
Authentication and Anonymous Access on a Domino Server.
To set up security for Internet Site documents
Note In Domino 6, it is possible to effectively prohibit access to an
Internet Site by selecting No for all authentication options in an Internet
Site document. These options include TCP authentication, SSL
authentication, and TCP anonymous access.
1. From the Domino Administrator, click Configuration - Web - Internet
Sites.
2. Choose the Internet Site document to modify, and click Edit
Document.
3. Click Security, and complete these fields:
Field - Enter
TCP Authentication
Anonymous - Choose one:
Yes - To require a user to authenticate with the user's name and Internet password to access the site
No - To not require name and password authentication
Field - Enter
SSL Authentication
Anonymous - Choose one:
Yes - To require a user to authenticate with user name and Internet password in order to access this site using SSL
No - To not require a name and password
Client certificate
SSL Options
Key file name
Protocol version - Choose one:
V2.0 only - Allows only SSL 2.0 connections.
V3.0 handshake - Attempts an SSL 3.0 connection. If this fails and the requester detects SSL 2.0, attempts to connect using SSL 2.0.
V3.0 only - Allows only SSL 3.0 connections.
V3.0 with V2.0 handshake - Attempts an SSL handshake, which displays relevant error messages. Makes an SSL 3.0 connection if possible.
Negotiated (default) - Attempts an SSL 3.0 connection. If this fails, attempts to use SSL 2.0. Use this setting unless you are having connection problems caused by incompatible protocol versions.
Choose one:
Yes - To accept the certificate and use SSL, even if the server does not have a certificate in common with the protocol server
No (default) - To prohibit the acceptance of SSL site certificates for access
Choose one:
Yes - To allow clients access, even if the client certificate is expired
No - To prohibit client access using expired SSL certificates
Choose one:
Yes - To check the certifier's Certificate Revocation List (CRL) for the user certificate you are attempting to validate. If a valid CRL is found and the user certificate is on the list, the user certificate is rejected.
No - To not use Certificate Revocation Lists
Choose one:
Yes - To use expired but otherwise valid Certificate Revocation Lists when attempting to validate user certificates
No - To reject expired Certificate Revocation Lists
Enable SSL V2
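The client-certificate and protocol-version choices in the SSL Options table above, worked through as an added Python model (not Domino code): each Yes/No setting becomes an attribute, evaluate_client_cert applies them to a constructed certificate and CRL, and audit_options flags the permissive choices a reviewer of an Internet Site document would question. The attribute names, the data model, the sample data and the handling of the case where no valid CRL exists are assumptions; the page does not say what Domino does in that case.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ClientCert:
    subject: str
    issuer: str                 # the certifier that issued the certificate
    serial: int
    not_after: datetime


@dataclass(frozen=True)
class Crl:
    issuer: str
    next_update: datetime       # the CRL counts as expired once now > next_update
    revoked_serials: frozenset


@dataclass(frozen=True)
class SslOptions:
    # One attribute per choice in the SSL Options table. Attribute names are
    # assumptions; the Yes/No semantics follow the table text.
    protocol_version: str = "Negotiated"
    accept_expired_client_cert: bool = False
    check_crl: bool = True
    accept_expired_crl: bool = False
    enable_ssl_v2: bool = False


def evaluate_client_cert(opts, cert, crl, now):
    """Return (accepted, reason) for one client certificate under `opts`.

    Expiry of the client certificate is tested first, then the CRL. The table
    says a valid CRL that lists the certificate rejects it; it does not say
    what happens when no valid CRL exists, so this model follows the wording
    (no rejection) and states that in the reason so a caller can flag it.
    """
    if now > cert.not_after and not opts.accept_expired_client_cert:
        return False, "rejected: client certificate expired"
    if not opts.check_crl:
        return True, "accepted: CRL checking disabled"
    crl_usable = (crl is not None and crl.issuer == cert.issuer
                  and (now <= crl.next_update or opts.accept_expired_crl))
    if not crl_usable:
        return True, "accepted: no valid CRL for this certifier (revocation unknown)"
    if cert.serial in crl.revoked_serials:
        return False, "rejected: certificate is on the certifier's CRL"
    return True, "accepted: certificate not on the CRL"


# Protocol version choices that, per the table, fall back to SSL 2.0.
_FALLS_BACK_TO_V2 = {"V2.0 only", "V3.0 handshake", "Negotiated"}


def audit_options(opts):
    """List the weak choices in an SSL Options block."""
    findings = []
    if opts.accept_expired_client_cert:
        findings.append("accepts expired client certificates")
    if not opts.check_crl:
        findings.append("does not check the certifier's CRL")
    if opts.accept_expired_crl:
        findings.append("trusts expired CRLs")
    if opts.enable_ssl_v2 or opts.protocol_version in _FALLS_BACK_TO_V2:
        findings.append("allows SSL 2.0 connections")
    return findings


# Constructed sample data (not from the page): one certifier, two CRLs.
NOW = datetime(2002, 6, 1)
CERT = ClientCert("Alan Jones/Sales/East/Acme", "/Acme", 7, datetime(2003, 1, 1))
EXPIRED_CERT = ClientCert("Expired User/Acme", "/Acme", 9, datetime(2002, 1, 1))
CURRENT_CRL = Crl("/Acme", datetime(2002, 7, 1), frozenset({7}))
STALE_CRL = Crl("/Acme", datetime(2002, 5, 1), frozenset({7}))

STRICT = SslOptions(protocol_version="V3.0 only")
PERMISSIVE = SslOptions(accept_expired_client_cert=True, check_crl=False,
                        accept_expired_crl=True, enable_ssl_v2=True)

if __name__ == "__main__":
    print(evaluate_client_cert(STRICT, CERT, CURRENT_CRL, NOW))
    print(evaluate_client_cert(STRICT, CERT, STALE_CRL, NOW))
    print(audit_options(PERMISSIVE), audit_options(STRICT))
```

Note that with the stale CRL the strict policy accepts the revoked certificate because an expired CRL is not a "valid CRL" in the table's wording, which is why the reason string is worth logging.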
You can only use the Internet Sites view for Domino 6 servers. Servers
running Domino 5.0x or earlier do not have the option for enabling the
Internet Sites view.
Note Each time you start or restart HTTP, a console message indicates
whether the HTTP task is using Internet Sites or the Server document
(Web Server Configurations view) to obtain Internet protocol
configuration information.
To enable Internet Sites on a server
1. Open the Server document you want to edit, and click Edit Server.
2. Click the Basics tab.
3. In the Basics section, enable Loads Internet configurations from
Server/Internet Sites documents.
4. Save the document.
5. Restart the server.
Note The HTTP task is backward-compatible with the Web Server
Configurations view.
Chapter 4
Setting Up Server-to-Server Connections
Configuration
Function of the server What is the primary role of the server? For
example, is it an application server, Web server, or Directory server?
Does the server provide passthru or dialup access to connect remote
or disparate networks?
Does the planned connection topology make the best use of the
available network infrastructure? Is the server hardware adequate to
support its role in replication or routing? For example, if a server is
to be used as a replication hub, does it have a fast processor,
sufficient memory, and enough disk space? Does the server require
multiple NICs? Is there enough bandwidth between servers to
support the anticipated traffic?
Because users who connect to a remote server over a Notes Direct Dialup
connection typically have only one modem on their workstations, by
default, they can connect to that one server only. Creating replicas of
frequently used databases on that server enables remote users to access
multiple databases over a single dialup connection.
Setting up a passthru server enables remote workstations or servers that
connect to one Domino server to access additional Domino servers also.
Using a passthru server consolidates modem resources on a few Domino
servers and centralizes administration and troubleshooting.
[Figure: replication topologies: hub-and-spoke, peer-to-peer, and ring.]
establish tiers of hubs. If a hub goes down, replication for that hub
and its spokes is disabled until the hub is repaired or replaced.
Note Do not use hub-and-spoke replication for databases larger than
100MB that have replicas on less than four servers. Instead, schedule
replication for these databases to occur separately from other
replications.
Using a peer-to-peer topology to manage replication
In a peer-to-peer topology, replication is less centralized than in a
hub-and-spoke configuration, with every server being connected to every
other server. Because peer-to-peer replication quickly disseminates
changes to all servers, it is often the best choice for use in small
organizations, or for sharing databases locally among a few servers.
However, it can be inefficient when a database resides on more than a
few servers.
In a peer-to-peer topology, the potential for replication problems
decreases, because only two servers communicate for each replication
and no hub or intermediary servers are involved. However, peer-to-peer
replication requires many Connection documents, increases
administration since you must avoid overlap in replication schedules,
and prevents you from standardizing ACL requirements.
Other topology strategies
Another method of managing replication is to use Cluster replication.
This ensures constant access to data, because data on one server is
duplicated on one or more cluster mates. If the primary server becomes
unavailable, data can be obtained from other servers in the cluster.
For more information on using clusters, see the book Administering
Domino Clusters.
Other replication topologies include:
Unlike mail routing, which works in one direction and requires a pair of
Connection documents to enable two-way routing, replication between
servers works in both directions, and requires only one Connection
document between each pair of servers. Because the server that initiates
replication takes on the larger share of the replication workload, if you
decide to add replication to one of the Connection documents already used
for mail routing between two servers, add the replication task to the
document on the more powerful server in the pair.
Hub-and-spoke topology
[Figure: hub-and-spoke replication topology: Hub-W/West/Acme and Hub-E/East/Acme, connected through Firewall-W/West/Acme and Firewall-E/East/Acme.]
[Figure: replication of the HR databases: HR-W/West/Acme, HR-E/East/Acme and HR-S/South/Acme replicate through Hub-W/West/Acme and Hub-E/East/Acme.]
[Figure: replication of the Webstage and Directory databases: Webstage-W/West/Acme, Webstage-E/East/Acme, Directory-W/West/Acme and Directory-E/East/Acme replicate through the hubs.]
[Figure: Web server topology: Web/East/Acme, Webstage-W/West/Acme, Webstage-E/East/Acme, HR-W/West/Acme and HR-E/East/Acme (Benefits application), with the hubs and firewalls.]
[Figure: mail routing topology: Mail-W/West/Acme and Mail-E/East/Acme with their mail clients, routing through Hub-W/West/Acme, Hub-E/East/Acme and the firewalls.]
The Acme Corporation uses two mail servers, one for each geographic
location. All users send mail using a mail database located on either
Mail-E/East/Acme or Mail-W/West/Acme. The mail databases are
accessible to all mail client software: Notes workstations, IMAP, POP3,
and browsers.
Routing mail messages is similar to replicating changes made in
databases. In this example, the mail servers route messages through the
hub servers to the mail server in the other location. For example, when
4-12 Administering the Domino System, Volume 1
Directory servers provide users and servers with information about other
users and servers, for example, information needed to address or send
mail. Directories contain information about how to communicate with all
Notes and Internet users and Domino servers. In many cases, you can set
up a mail server as a directory server.
[Figure: Acme remote server topology: Passthru/East/Acme on the local area network with Webstage-E/East/Acme, Mail-E/East/Acme, HR-E/East/Acme and Notes clients; modems on a hunt group of telephone lines serve a remote server and remote Notes clients.]
The Acme company chose this remote server topology so that remote
users and servers have access to the entire system by connecting to one
server (the passthru server). Acme uses the passthru to function only as a
bridge between the remote user or server and the rest of the system. To
keep the load on the passthru to a minimum, the server does not contain
application or mail databases.
Users who work remotely dial in through the passthru server and can
access any server in the system. As most of Acme's users who dial in
remotely have only one modem on their system, using the passthru
server allows them to access multiple servers with one connection. To
reduce traffic on the passthru server, Acme recommends that its remote
users replicate databases and then work on the local replicas. Then users
can work in their local replicas and dial in and replicate occasionally with
the server replicas.
Acme dedicated five modems to the passthru server. The remote server
also dials into one of these modems for replication. Because this server
makes its connection in the early morning hours, the connection does not
conflict with users trying to access the system.
Acme uses a hunt group configuration for its modems so that users have
only one phone number to dial when connecting. Acme's phone
infrastructure is set up so that multiple modems can have one phone
number. For this type of hunt group (all modems are on one server),
Acme does not need to create a Connection document to set up the hunt
group.
Field - Description
Source domain
Usage priority - Choose one:
Normal (default) - Select this option if this document defines the primary path to a server.
Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see the topic Forcing a server connection to use a specific protocol later in this chapter.
Destination server
Destination domain
For example, suppose that both SPX and TCP/IP are enabled on Server
A, the source server, and Server B, the destination server. You create a
Connection document from Server A to Server B specifying that Server A
uses the port TCP/IP to contact Server B and set the usage priority in this
document to Normal. When determining how to connect to Server B,
Server A first checks the Domino Directory for a normal-priority
Connection document governing the connection. After locating the
document, Server A learns that the TCP/IP port is specified, and
proceeds to use that port to attempt a connection to Server B. Setting the
usage priority works for all types of Connection documents: LAN, Notes
Direct Dialup, Network Dialup, Passthru, and so forth.
Field - Enter
Usage priority - Choose one:
Normal - This Connection document defines a primary path to the destination server. The connecting server attempts to use this Connection document to make the connection to the destination server.
Low - This Connection document defines a backup path to the destination server. The connecting server uses this Connection document only as a last resort when trying to connect to the destination server.
Field - Description
Requesting server
Information server
[Figure: direct Internet connection: Webstage-E on the corporate LAN connects through a firewall/router and over a leased line to the ISP.]
A firewall filters traffic passing between the internal network and the
Internet and is usually part of a TCP/IP router. Most firewalls work by
hiding the IP addresses of computers on your internal network from the
Internet, thus breaking the connection between the internal and external
networks: there is a connection between the internal LAN and the firewall,
and from the firewall to the Internet, but there's no direct connection
between the Internet and the local network.
To connect a Domino server to an Internet server over a direct
connection, create a LAN Connection document to the target server.
For more on how to create a LAN Connection document, see the topic
Creating a LAN connection earlier in this chapter.
Proxy connections
A proxy is a server that provides indirect access to the Internet. A proxy
server usually runs in conjunction with firewall software to pass
incoming and outgoing requests between servers on either side of a
firewall. If your organization uses a proxy server for its Internet
connection, a Domino server on the internal LAN connects to the Internet
through the proxy and firewall servers, which, in turn, connect to your
ISP. Because the proxy server establishes the connection with the ISP, the
Domino server does not connect to the Internet directly.
[Figure: proxy connection: Webstage-E on the corporate LAN connects through a proxy server and firewall/router, then over a leased line to the ISP.]
A Domino proxy server is one type of proxy server. You set up a Domino
passthru server as a proxy for the Internet the same way that you set up a
passthru server for internal Domino communication. You do not need to
configure the server differently for Internet connections. The proxy
server does not have to be a Domino server.
3. Click the Ports - Proxies tab, and then do one of the following:
To connect through an HTTP proxy, in the HTTP Tunnel proxy
field, enter the proxy's fully qualified domain name or IP address
and specify the port to use for the connection. For example, enter
httpproxy.company.com:8080 or 192.168.77.34:8080.
Note If you enter values for both fields, Domino uses the HTTP
Tunnel proxy.
4. Click Save & Close.
Note By default, if the server is configured to use a proxy, it uses the
proxy for all connections. To prevent use of the proxy for connections to
certain servers, enter the server names in the No Proxy for these hosts or
domains field on the Ports - Proxies tab on the Server document.
When two servers connect directly
When a client (in this case, either a Notes client or a Domino server)
does not share a common protocol with a destination server, you can set
up an intermediary server that runs both protocols as a passthru server to
enable the client to connect to the destination. For example, suppose that
Server A, which runs only NetBIOS, needs to connect to Server C, which
runs only TCP/IP. If Server B runs both NetBIOS and TCP/IP, Server B
can act as a passthru server to allow communication between Server A
and Server C.
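Connection selection as described in the usage priority and passthru passages above, as an added Python example (not Domino's own Directory lookup): documents for a destination are tried Normal before Low, a LAN document is skipped unless both servers run its port, and a Passthru document is used when the two servers share no protocol but the passthru server runs both. The data model, function names and the constructed servers and documents are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ConnectionDoc:
    source: str
    destination: str
    port: Optional[str] = None              # LAN documents: the port to use, e.g. "TCPIP"
    usage_priority: str = "Normal"          # "Normal" (primary path) or "Low" (backup path)
    passthru_server: Optional[str] = None   # Passthru documents: the intermediary server


_PRIORITY_ORDER = {"Normal": 0, "Low": 1}


def ordered_docs(docs, source, destination):
    """Connection documents for this source/destination pair in the order the
    connecting server tries them: Normal first, Low only as a last resort."""
    matching = [d for d in docs if d.source == source and d.destination == destination]
    return sorted(matching, key=lambda d: _PRIORITY_ORDER[d.usage_priority])


def choose_route(docs, ports, source, destination, _seen=frozenset()):
    """Return (hops, first_port): the servers contacted after `source` and the
    port used for the first hop, or None when no document reaches the
    destination. `ports` maps a server name to its set of enabled ports."""
    if destination in _seen:                # guard against circular passthru documents
        return None
    for doc in ordered_docs(docs, source, destination):
        if doc.passthru_server is None:
            # A LAN document is usable only if both ends run the named port.
            if doc.port in ports[source] and doc.port in ports[destination]:
                return [destination], doc.port
        else:
            # Reach the passthru server first, by its own Connection documents,
            # then require it to share a protocol with the destination.
            hop = doc.passthru_server
            via = choose_route(docs, ports, source, hop, _seen | {destination})
            if via is not None and ports[hop] & ports[destination]:
                hops, first_port = via
                return hops + [destination], first_port
    return None


# Constructed sample data (not from the page). ServerA and ServerB share
# TCP/IP and SPX; ServerC runs only NetBIOS, which ServerB also runs.
PORTS = {
    "ServerA": {"TCPIP", "SPX"},
    "ServerB": {"TCPIP", "SPX", "NetBIOS"},
    "ServerC": {"NetBIOS"},
}
PORTS_B_WITHOUT_TCPIP = {**PORTS, "ServerB": {"SPX", "NetBIOS"}}

DOCS = [
    ConnectionDoc("ServerA", "ServerB", port="TCPIP"),                      # primary path
    ConnectionDoc("ServerA", "ServerB", port="SPX", usage_priority="Low"),  # backup path
    ConnectionDoc("ServerA", "ServerC", passthru_server="ServerB"),         # no common protocol
]

if __name__ == "__main__":
    print(choose_route(DOCS, PORTS, "ServerA", "ServerB"))
    print(choose_route(DOCS, PORTS_B_WITHOUT_TCPIP, "ServerA", "ServerB"))
    print(choose_route(DOCS, PORTS, "ServerA", "ServerC"))
```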
Hunt groups
If your telecommunications infrastructure supports a hunt group, that is,
a pool of modems that are connected to different phone lines but that
use a single phone number, you can configure Domino servers and
Notes client users to connect to a hunt group on a passthru server.
Whenever a call is made to the hunt group number, the incoming call is
routed to the first available modem in the group.
You can use a hunt group with one or more passthru servers. If more
than one passthru server is used in the hunt group, to allow any passthru
server in the hunt group to receive a call and route it to the destination
server, the calling server or user must use a Hunt Group Connection
document.
For more information about configuring Lotus Notes clients to use a
passthru server, see Lotus Notes 6 Help.
2. List the destination servers that the workstations and servers need to
access. Also list the protocols that the destination servers run.
[Figure: passthru topology: destination servers Webstage-E, Mail-E and HR-E running SPX and TCP; a passthru server running TCP, SPX and XPC; a remote server and remote Notes clients connecting over XPC and TCP.]
The Acme company has a dedicated passthru server that functions only
to provide workstations and servers with access to destination servers.
This server does not contain any databases. The passthru runs all the
protocols that the destination servers run so that users and servers that
connect to it have access to the entire system.
Note that passthru can benefit users and servers on the same network as
the passthru server as well as remote users and servers. For example,
some of the Notes clients in the above diagram are on the same LAN as
Webstage-E and HR-E, but because they do not share any protocols, they
cannot access these servers without using passthru.
The above topology requires the following configuration:
Field - Description
Access this server
Route through
Field - Description
Cause calling
Destinations allowed
4. Click the Security tab, enter values in these Passthru Use fields, and
then save the document:
Field - Description
Access this server
Field - Description
Connection type
Source server
Source domain
Use passthru server or hunt group - The name of the passthru server or hunt group that this connection uses to reach the destination server
Usage priority - Choose one:
Normal (default) - Select this option if this document defines the primary path to a server.
Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see the topic Forcing a server connection to use a specific protocol earlier in this chapter.
Destination server
Field - Description
Source domain
Always use area code - Specifies when the modem on the source server includes the area code to dial a number. Choose one:
Yes - The server always includes the area code to dial, even when dialing numbers in the local exchange.
No - (default) The server includes the area code only when dialing numbers outside the local area code.
Field - Description
Usage priority - Choose one:
Normal (default) - Select this option if this document defines the primary path to a server.
Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see the topic Forcing a server connection to use a specific protocol earlier in this chapter.
Hunt group
Destination country code
Destination area code - The area code to use when dialing the number of the hunt group modem.
Destination phone number
Login script name
Login script arguments
Installing modems
The number of modems that you can use on a server is dependent on the
operating system and system resources, for example, the number of
available communication ports. Each modem needs its own
communication port.
If you expect heavy dialup use, install additional modems or install a
multiple-port communication board to connect multiple modems to
multiple communication ports on a single board.
Use these questions to help you determine the number of modems:
1. How many users and servers do you want to be able to use the
server simultaneously?
The number of modems that you install on a remote server
determines the number of users and servers that can access it
simultaneously. Consider the expense of purchasing more modems
against server accessibility.
2. Do users take advantage of workstation-to-server replication when
accessing the server?
To reduce server demand, encourage users to keep local replicas of
databases on their workstations, work on them without a dialup
modem connection, then connect to the central server to exchange
new and updated documents with the central server's database.
3. What types of users connect to this server?
If the server supports a high number of users who connect
exclusively over dialup connections, for example, when a server's
primary users are field personnel who are always on the road,
dialup demand for the server is higher than on a server where users
only occasionally use modem connections.
If you cannot obtain a modem file that works with your modem from IBM support
When using Notes Direct Dialup connections, Domino uses the X.PC
protocol driver. The X.PC protocol driver is installed automatically when
you install a Domino server. It links Domino to a computer's operating
system and the hardware devices that handle the communication.
Notes Direct Dialup connections use Domino security and thus offer
tighter security than Network Dialup connections to a remote access
server.
Field - Description
Source server
Source domain
Always use area code - Specifies whether the source server always uses the area code when dialing. Choose one:
Yes - The server always includes the area code to dial, even when dialing numbers in the area code defined in the source server's Server document. Use this option if your phone system requires an area code for local calls.
No - (default) The server includes the area code only when dialing numbers outside the local area code.
Usage priority - Choose one:
Normal (default) - Select this option if this document defines the primary path to a server.
Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see the topic Forcing a server connection to use a specific protocol earlier in this chapter.
1. Make sure that you already installed a modem and that one exists on
the destination server.
Field - Description
Destination server
Destination domain
Destination country code
Destination area code - The remote server's area/city code. Enter this number only if it's required to complete the call.
Destination phone number
Login script arguments
Field - Description
Source domain
Use LAN port(s) - Specifies the port that the server uses to establish the network dialup connection using the remote access service.
Field - Description
Usage priority - Choose one:
Normal (default) - Select this option if this document defines the primary path to a server.
Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see the topic Forcing a server connection to use a specific protocol earlier in this chapter.
Destination server
Destination domain
Optional network address - Provide an optional network address to facilitate attempts to locate the destination server over a TCP/IP connection. If the field contains no entry, Domino attempts to obtain the destination server's IP address from the IP protocol stack. Enter a fully qualified host name or IP address, for example, HR-E.Acme.com or 192.22.256.36. Because IP addresses are subject to change, for ease of management, it's best to use host names in Connection documents. When a host name is used, if the IP address changes, the connecting server obtains the updated IP address from the DNS.
7. Click the Network Dialup tab and complete the following fields:
Field - Description
Choose a service type - Select Microsoft Dial-up Networking
Configure service - Lets you specify the Dial-up Networking entry that the server uses when connecting to this destination. Click Edit Configuration, and complete this field in the Microsoft Dial-up Networking dialog box:
Dial-up Networking name - Name of the Microsoft Dial-up Networking phonebook entry on the source server containing the information on how to dial up the remote server.
Optionally, you can complete the following additional fields in the dialog box. If you complete these fields, the settings override those configured in the specified Dial-up Networking entry on the server. These settings are used by the remote access service, not by Domino. Complete the fields and then click OK.
Login name - The name that the server uses to log in to the remote access server.
Password - The password the server uses to log in to the remote access server. For security reasons, when you enter the password, it appears as a series of asterisks. After you save the Connection document, before storing the document Domino encrypts the password with the public keys of the source server and the users and servers listed in the Owners and Administrators fields of the document.
The remaining fields on this tab are read-only and display information only if you completed the corresponding field in the previous step.
Tab - Field - Description
Basics - Optional network address - Enter the IP address of the destination server.
Replication/Routing - Schedule - Select Enabled
Replication/Routing - Days of week
Tab - Field - Description
Connect remote server to network
Replication/Routing - AutoDialer connection name - The AutoDialer connection name specified in the Notes Direct Dialup Connection document in Step 2, for example, AutoDialReplication.
Replication/Routing - Schedule - Select Enabled
Replication/Routing - Days of week
Field - Description
Modem type
Maximum port speed
Speaker volume
Dial mode - Choose one:
Tone - For touch-tone phone lines.
Pulse - For rotary phone lines or modems that do not support touch-tone dialing.
Wait for dialtone before dialing
Hangup if idle
Port number - Specifies the port number for the current port type. Domino automatically sets the port number to the number specified in the port name, for example, if COM7 is the port name, the port number is 7. On UNIX systems, specify a port number N that matches the /dev/cuaN device file that you linked to the asynchronous port.
11. To specify an acquire script for this port, click Acquire Script, select
the script in the Acquire Script dialog box, and then click OK.
For more information on acquire scripts, see the topic Writing and
editing acquire and login scripts later in this chapter.
12. If necessary, you can edit acquire scripts and modem command files.
For information about editing modem command files and acquire
scripts, see the topic Modifying modem command files and acquire
scripts later in this chapter.
Dial timeout - Specifies the time, in seconds, that the source server continues attempting to connect to the destination server before it cancels the attempt. Increase the dial timeout period when using pulse dialing or when calling overseas. The default value is 60.
Similarly, mobile users who use login scripts when configuring dialup
communications from a Notes client see the value of the DESC keyword
in the login script.
TYPE
Tells whether the script is an acquire or connect script. For example:
TYPE CONNECT
ARG...ARG4
For connect scripts only, these optional keywords precede a description
of each of the four script arguments. You may write scripts using from 0
through 4 arguments. For example, you might use the following script
arguments and descriptors in a connect script file:
ARG1 1. REMOTE DTE ADDRESS:
ARG2 2. None entered:
ARG3 3. None entered:
ARG4 4. None entered:
Command - Syntax
BREAK - BREAK [time]
DTR_HIGH
DTR_LOW
ERROR
FAIL
GOTO
LOG OFF - LOG OFF
LOG ON - LOG ON
PROMPTUSER - PROMPTUSER Dialog box title [Title1[initializer] Title2[initializer] Title3[initializer] Title4[initializer]]
REPLY
WAIT
WATCH
Notes user ID; name of a server containing a Domino Directory; name and port number of proxy server, if any
Notes user ID; name of a server containing a Domino Directory; dialup phone number; modem and COM port information
E-mail address; incoming and outgoing mail server addresses; proxy server information
Chapter 5
Setting Up and Managing Notes Users
After setting up and configuring the first Lotus Domino 6 server, you can
set up Lotus Notes 6 users.
To set up Notes users, you can register them in Notes or migrate them
from an external mail system or directory. Before you begin to add users,
it is best to specify default settings that Notes applies during registration.
To add users, you register them and use the Lotus Domino 6
server-based certification authority, which issues the appropriate
certificate, or use the appropriate certifier ID and password, which
generates a user ID and certificates that allow users appropriate system
access. After registering Notes users, you need to prepare the installation
files so users can install Notes on their workstations.
User registration
You need to register users before they can install Notes on their
workstations. For each user, the registration process creates:
Notes offers different options for registering users. For example, using
Basic user registration is fast and easy because it automatically assigns
many default settings to users. If you use Advanced user registration,
you can assign more advanced settings, such as adding a user to a
Windows NT or an Active Directory group. You can also register users
by importing them from a text file or migrating them from a foreign
directory.
If you use the Register Person dialog box to register users, you can sort,
view, and modify user settings in the view of the User Registration
Queue (USERREG.NSF) that appears in the dialog box. This database
contains information on users pending registration. When you exit the
Register Person dialog box, you can save all users pending registration
and register them later. When you access the dialog box again, the User
Registration Queue automatically opens to display all users pending
registration.
Before you register users, review your organization's hierarchical name
scheme and decide where each user fits into that scheme. Based on the
name scheme, you know which certifier ID to use to register users, which
server to use as the registration server, and on which server to store the
users' mail files. When you register users, you must have the appropriate
access to each server that you use, and you must know the password for
each certifier ID that you use. If you intend to implement policies in your
organization, create policies and settings documents before you register
users so that you can assign policies during registration.
5-2 Administering the Domino System, Volume 1
[Figure: Acme organization hierarchy. Certifiers shown: West, HR,
Accounting, East, IS, Sales, Marketing, Development.]
Robin Rutherford: registered with the HR/West/Acme certifier ID;
hierarchical name Robin Rutherford/HR/West/Acme.
Alan Jones: registered with the Sales/East/Acme certifier ID;
hierarchical name Alan Jones/Sales/East/Acme.
Alan Jones works in the Sales department in Acme's East Coast division.
To give Alan appropriate access within the system and to place him
appropriately in the hierarchy, the administrator uses the
Sales/East/Acme certifier ID to register him. Alan Jones's full hierarchical
name then becomes Alan Jones/Sales/East/Acme.
Setting Up and Managing Notes Users 5-3
Configuration
Note While registering a user, you can specify whether you want to
register the user with the server-based CA, or with a certifier ID and
password. This selection is made on the ID Info panel in advanced
user registration.
6. Click the Options button, and then choose any of these options:
Option: Purpose
Keep successfully registered users in the queue
Try to register queued people with error status: Tries to register queued users, even if their registration status contains errors. For example, if you choose this option, a user whose password is insufficiently complex will be registered. The default is not to register queued users who have error status.
Allow registration of previously registered people
Search all directories for duplicate names
Enforce short name uniqueness: Forces all short names to be different from one another.
Don't prompt for a duplicate person
Generate random user passwords
User Registration Database Access
7. Click OK.
Registering users
You can use any of these methods to register Notes users:
Registration settings
Basic registration
For fast and easy registration, use the Basic user registration options.
Basic registration requires you to define user-specific settings, such as
user name and password, but also offers you the convenience of
applying some default settings to users. You can define default settings
in the Registration preferences (found in the Administration Preferences
dialog); you can define settings in the Register Person dialog; or you can
use Notes default settings. Some of the non-default settings you define in
Basic registration include the user name and password. You can also
assign users to specific groups.
All settings available in Basic registration are also available in Advanced
registration. You can choose to view and perform Advanced registration
at any time by clicking the Advanced check box in the Register Person
dialog.
Advanced registration
Advanced registration offers all the settings included in Basic registration
and also allows you to change default settings and define advanced or
specific settings, for example, to assign an alternate name to a user or add
the user to a Windows NT or Active Directory group.
Text file registration
To register users from a text file (that is, a file that contains information
on one or more users), import them into the registration queue from the
Register Person dialog box. This action creates an entry for each user in
the User Registration Queue and allows you to modify user settings
individually.
Web registration
User registration can now be done using the Domino Web Administrator.
You register users via the Web in a manner that is very similar to user
registration done with the Domino Administrator.
For more information on registering users with the Web Administrator,
see the topic Using the Domino Web Administrator to register users in
this chapter.
If you are a service provider, for more information on registering users
from the hosted organization site, see the chapter Managing a Hosted
Environment.
Registration Settings
To simplify the process of registering users, you can create policies and
Registration Settings documents to preset registration settings for
different types of users. For example, users who work in Human
Resources may have different registration settings than users who work
in Sales. You can create Registration settings for both groups of users,
and use them to register everyone with the proper settings. In addition,
when you add new users to either group later, the same registration
settings apply.
Note Registration settings do not apply to user registration done with
the Web Administrator.
Migration from external mail system or directory
You can migrate users who use an external mail system or directory into
Notes. You register them using migration tools accessed through the
Migrate People button in the Register Person dialog box. After migrating
them, you can modify their settings.
The following list details the types of users you can migrate into Notes:
Lotus cc:Mail
Microsoft Exchange
LDAP
Microsoft Mail
Active Directory
Roaming users
Users who access Notes from more than one Notes client can access their
customized settings and personal information automatically from any
Notes client in the domain. Data for these users, known as roaming users,
replicates between the user's machine and a roaming user server, where
these files are stored. When a roaming user logs on from a different
Notes client, it automatically retrieves the user's ID file, Personal
Address Book, bookmarks, and journal from the roaming user server.
Any changes the user makes in these files replicate to the roaming user
server. This enables the roaming user to have a consistent experience
from any Notes client.
These defaults apply when previous values have not been set in the Register Person dialog box.
User registration fields that do not appear in this table do not have
default values.
Field: Default
Registration Server
Password Quality Scale
Internet Domain
Mail system: Lotus Notes
Mail template: Mail (R6)
Mail file: mail\<firstinitial><first7charactersoflastname>.nsf
Certifier ID
Security type
Location for storing user ID: In Domino Directory
Local administrator: None
Personal roaming folder: roaming\
Sub-folder format: FirstName LastName
Clean-up action: Do not clean up
Naming conventions
When adding users, user names can consist of multiple-byte characters,
uppercase and lowercase alpha characters (A - Z), numbers (0 - 9), and
the ampersand (&), dash (-), dot (.), space ( ) , and underscore (_).
Hosted Environments
If you are working in a hosted environment, when registering users,
ensure that you are using a certifier that was created for the hosted
organization into which you are registering the users. This applies
regardless of whether you are using a certifier and password or the
server-based CA.
8. Enter the password for the user ID. Criteria for this password are
based on the level set in the Password Quality Scale in the Password
Options dialog box. The default level is 8. The password you specify
must correspond with the password quality that you select in
Password Options.
users at once by selecting the users in the queue and making changes.
You can cancel user registration and clear all fields at any time by
clicking the red X.
Hosted Environments
If you are working in a hosted environment, when registering users,
ensure that you are using a certifier that was created for the hosted
organization into which you are registering the users. This applies
regardless of whether you are using a certifier and password or the
server-based CA.
To use Advanced registration with the Domino Administrator
1. Make sure you have the following access before you begin
registration:
Access to the certifier ID and its password, if you are not using the
Lotus Domino 6 server-based certification authority (CA).
Access to the Domino Directory from the machine you work on.
Editor access or Author access with Create Documents role and
the UserCreator privilege in the Domino Directory on the
registration server.
Create new databases access on the mail server if you plan to
create user mail files during registration.
Create explicit policies and settings documents if you plan to use
policy-based system administration.
Access to the certification log (CERTLOG.NSF) on the registration
server.
2. From the Domino Administrator, click the People & Groups tab.
3. From the Servers pane, choose the server to work from.
4. Select Domino Directories, and then select People.
5. From the Tools pane, click People - Register.
6. Enter the certifier password and click OK.
Note The Certifier Information Recovery Warning dialog box appears.
Review the information in the dialog box, select the check box and click OK.
7. Click Advanced.
Basic tab fields: Registration Server, Short name, Password, Password
options, Mail system, Explicit policy, Policy synopsis.
9. Click the Mail tab and complete any of these fields. Domino uses
default values (if available) for any fields you do not modify.
Field: Enter
Mail system
Mail server
Create file now/Create file in background: Choose one.
Mail file owner access: Select the level of access in the access control list to assign to the user of the mail database from the Mail file owner access list. By default, mail users have Editor with Delete documents access to their own mail files; all other users have no access. This option can be used to prevent mail users and/or owners from deleting their own mail file. If the mail owner access is Designer or Editor, the administrator ID currently being used is added to the mail file ACL as Manager.
Set database quota
Set warning threshold: Click to generate a warning when the user's mail database reaches a certain size, and then enter the warning size (maximum of 10GB).
10. Click the Address tab, and enter values in any of these fields.
Domino uses default values (if available) for any fields you do not
modify.
Field: Enter
Internet address
Internet Domain
Address name format
Separator
11. Click the ID Info tab, and enter values in any of these fields. Domino
uses default values (if available) for any fields you do not modify.
Field: Enter
Use CA process
Certifier ID
Security type
Certification expiration date
Location for storing user ID: Choose one:
In Domino Directory (default). The ID file is stored as an attachment to the user's Person document.
In file (default location: <datadirectory>\ids\people\user.id). Click Set ID file to change the path.
In mail file. This option is only available with iNotes Web Access and allows Notes users to read their encrypted mail while using iNotes Web Access.
This field appears if the check box Create a Notes ID for this person is selected.
13. (Optional) If you have enabled roaming capabilities for the user, click
the Roaming tab, and complete any of these fields. The fields do not
appear if you did not click Let this person roam on the Basic tab
and Create a Notes ID for this person. Domino uses default values
(if available) for fields you do not modify.
Field: Enter
Put roaming user files on mail server: Click to store the user's roaming information on the same server used for mail.
Roaming Server
Personal roaming folder
Sub-folder format
Clean-up option
14. Click the Other tab, and complete any of these fields. Domino uses
default values (if available) for fields you do not modify.
Field: Enter
Setup profile
Location
Local administrator
Comment
Alternate name language
Alternate name
Preferred language
Windows User Options
15. Click the green check mark. The user name appears in the
Registration status view (the user registration queue).
16. Click Register and then click Done.
You can also define a separator for the text file by adding
BatchRegSeparator = character to the NOTES.INI file. The separator
character cannot be a character used in any of the user parameter settings
in the text file. If you do not specify a BatchRegSeparator, a semicolon (;)
separator is used.
For more information on this NOTES.INI variable, see the appendix
NOTES.INI File.
Registration Server
Internet address
Internet Domain
Format
Mail server
Mail system
Certifier ID
Security type
Local administrator
For example, this line in a text file specifies only a last name and
password:
Alexis;;;;password1
This line in a text file specifies a complete name, home server, and User
Setup policies:
Alexis;Catherine;R.;;password1;;;Marketing/Acme;;;;;;Marketing Profile
Note that only the last name and password parameters are required.
Order, Parameter: Enter
Last name
First name
Middle initial
Password
ID file directory: The directory in which you want to store the user's ID. You can store the ID in this directory in addition to or instead of as an attachment in the Domino Directory. You must create the directory before registration. For this parameter to take effect, select the In File option on the ID Info panel for storing the user ID. This parameter overrides the default ID directory shown in the Register Person - New Entry dialog box.
ID file name
Mail server name
Mail file directory
10. Mail file name: The name for the user's mail file. If you do not use this parameter, the name is based on the person's name if the person uses Notes mail.
11. Location
12. Comment
13. Forwarding address
14. Profile
15. Local administrator
16. Internet address
17. Short name
18. Alternate name: The alternate name of the user. Note that the certifier ID used to register this user must contain the alternate name language.
19. Alternate org unit
20. Mail template file
For more information on the settings you can modify, see the topic
Using Advanced Notes user registration earlier in this chapter.
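The following is an added example, not IBM's code, that parses and validates a registration text file in the positional format described above, honouring the NOTES.INI BatchRegSeparator setting and filling in the default mail file name. Position 4 is not named in this excerpt and is treated as an unnamed optional field; positions 6 to 9 follow the order listed; the lower-cased default mail file name and all function names are assumptions of this example.

```python
"""Validator for the Domino 6 text-file (batch) registration format.

Added example, not IBM code. Positions 1-3 (Last name, First name,
Middle initial), 5 (Password) and 10-20 follow the parameter table above;
position 4 is not named in this excerpt and is treated as an unnamed
optional field (ASSUMPTION); positions 6-9 follow the order listed.
"""
import re

# Positional parameters of one registration line, in order.
FIELDS = [
    "last_name", "first_name", "middle_initial",
    "field4_unnamed",            # ASSUMPTION: position 4 is not named on this page
    "password",
    "id_file_directory", "id_file_name", "mail_server_name", "mail_file_directory",
    "mail_file_name", "location", "comment", "forwarding_address", "profile",
    "local_administrator", "internet_address", "short_name", "alternate_name",
    "alternate_org_unit", "mail_template_file",
]
REQUIRED = ("last_name", "password")   # the only required parameters

# Characters allowed in user names (Naming conventions): letters, digits,
# ampersand, dash, dot, space, underscore, and multi-byte (non-ASCII) characters.
NAME_RE = re.compile(r"^[A-Za-z0-9&\-. _\u0080-\uffff]+$")


def batch_reg_separator(notes_ini_text):
    """Return the separator set by BatchRegSeparator=<character> in the given
    NOTES.INI text, or the default ';' when the setting is absent."""
    for line in notes_ini_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "batchregseparator" and value.strip():
            return value.strip()[0]
    return ";"


def check_separator(sep):
    """The separator cannot be a character used in any parameter value, so
    reject anything that is legal inside a user name."""
    if len(sep) != 1 or NAME_RE.match(sep):
        raise ValueError("BatchRegSeparator %r may appear inside a user name" % sep)
    return sep


def default_mail_file(first_name, last_name):
    """Default mail file: mail\\<firstinitial><first7charactersoflastname>.nsf
    (lower-casing the file name is an ASSUMPTION of this example)."""
    return "mail\\" + (first_name[:1] + last_name[:7]).lower() + ".nsf"


def parse_line(line, sep=";"):
    """Split one registration line into a dict keyed by FIELDS; trailing
    empty parameters may be omitted, so the list is padded to 20 entries."""
    values = line.rstrip("\r\n").split(sep)
    if len(values) > len(FIELDS):
        raise ValueError("line has %d parameters, maximum is %d" % (len(values), len(FIELDS)))
    values += [""] * (len(FIELDS) - len(values))
    return dict(zip(FIELDS, values))


def validate(record):
    """Return a list of problems with one parsed record (empty if it is valid)."""
    errors = []
    for field in REQUIRED:
        if not record[field]:
            errors.append("missing required parameter: " + field)
    for field in ("last_name", "first_name"):
        if record[field] and not NAME_RE.match(record[field]):
            errors.append("illegal character in " + field + ": " + record[field])
    return errors


def parse_file(text, sep=";"):
    """Parse a whole registration text file; each record gets an 'errors' list
    and a default mail file name when parameter 10 was left empty."""
    check_separator(sep)
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line, sep)
        record["errors"] = validate(record)
        if not record["mail_file_name"] and record["last_name"]:
            record["mail_file_name"] = default_mail_file(record["first_name"], record["last_name"])
        records.append(record)
    return records


if __name__ == "__main__":
    # Constructed sample file: the two lines from the documentation above
    # plus one line that must fail validation (illegal character, no password).
    sample = (
        "Alexis;;;;password1\n"
        "Alexis;Catherine;R.;;password1;;;Marketing/Acme;;;;;;Marketing Profile\n"
        "Al*exis;;;;\n"
    )
    for rec in parse_file(sample, batch_reg_separator("BatchRegSeparator=;\n")):
        print(rec["last_name"], rec["mail_file_name"], rec["errors"] or "ok")
```

Because the file carries cleartext passwords, it should be protected like a certifier password until the queue is registered and then deleted; the Generate random user passwords option avoids storing chosen passwords in the file at all.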
Field: Action
First name, Middle name, Last name: Enter a first name, middle name (if necessary), and last name.
Short name
Password
Password quality
2. From the Web Administrator click the People & Groups tab.
Field: Action
Mail System
Explicit policy
9. Click the green check mark. The user name appears in the
Registration status view (the user registration queue). Or, click the
red X to clear all fields and start over.
10. Click Register, and then click OK.
When using the Web Administrator client, you need to have set up a
server-based certification authority (CA) to register Notes users. The
Web administrator, as well as the server on which the Web
Administrator database resides, must be listed as a registration authority
(RA) for that certifier. You must assign the RA role in the Domino
Administrator client, not in the Web Administrator. To assign the RA
role, use the Modify Certifier tool on the Configuration panel.
Note The Registration Preferences (File - Preferences - Administration
Preferences) that can be set in user registration with the Domino
Administrator do not apply to user registration with the Web
Administrator. During user registration on the Web, only registration
settings set through policies or through the server-based CA apply. Other
settings are entered manually or are defaults.
To use Advanced user registration with the Web Administrator
1. Make sure you have the following before you begin registration:
The [UserCreator] role in the Domino Directory.
The registration authority (RA) designation for whatever CA
(Certificate Authority) is selected for user registration.
The Domino Web Administrator requires the use of the
server-based CA.
2. From the Web Administrator, click the People & Groups tab.
3. From the Servers pane, select Domino Directories, and then click
People.
4. From the Tools pane, click People - Register.
5. Choose a CA-configured certifier.
6. (Optional) Choose an Explicit policy.
7. (Optional) If you would like the selections for CA Certifier and
Explicit policy to be set as the default, click the check box Save
as default.
Advanced user registration from the Web Administrator offers all of the
registration settings that are included in Basic user registration from the
Web Administrator, and also allows you to change default settings and
apply advanced settings to users.
8. Click OK.
Field: Action
First name, Middle name, Last name: Enter a first name, middle name (if necessary), and last name.
Short name
Password: Enter the password for the user ID. Criteria for this password are based on the level set in the Password Quality Scale in the Password Options dialog box.
Password quality
Mail System
Set Internet password
Synch Internet password with Notes ID
Create a Notes ID for this person
Explicit policy
Mail tab fields:
Mail Server
Mail file name: The file name of the mail file. By default, the path and the file name are mail\<firstinitial><first7charactersoflastname>.nsf.
Mail template
Set database quota: Click to enable, and then specify a size limit (maximum 10GB) for a user's mail database.
Set warning threshold
11. Click the Address tab, and enter values in any of these fields.
Field: Action
Internet address
Internet Domain
Address name format
Separator
12. Click the ID Info tab, and enter values in any of these fields.
Field: Action
CA-configured certifier
Certificate expiration: Choose one:
Months: Enter the number of months during which the certifier is valid.
Date: Specify the date on which the certificate expires. The default is two years from the current date.
This field is only visible if you select the check box Create a Notes ID for this person.
Security type
Location for storing user ID: Non-modifiable field that displays the location in which the user's ID will be stored. This field is only visible if you select the check box Create a Notes ID for this person.
13. (Optional) Click the Groups tab, and complete these options as
desired:
Enter a group name, or click Search to locate the group name, to
which you want to add this user as a member.
Select the group or groups to which you want to add the user and
click Add.
For more information on adding users to groups, see the chapter
Setting Up and Managing Groups.
14. Click the Replica tab and enter values in any of these fields.
Field: Action
Create replica(s) of mail database.
15. Click the Roaming tab and enter values in any of these fields.
Field: Action
Roaming user
Personal roaming folder
Sub-folder format
Clean-up options
A user ID may contain only one alternate name. The language specifier
associated with the alternate name must correspond to a language
specifier in the parent certifier ID. When you assign an alternate name to
a user, the alternate name and language specifiers are added to the user
ID, to the Notes certificates issued to the user, and to the user's Person
document.
6. Select the ID you want to recertify and then enter the password and
click OK. To add an alternate language and name to the organization
(root) certifier, select the same ID that you chose in the previous step.
7. Click Add.
8. Choose the alternate language in the Language field. If you are
recertifying an organizational unit certifier, the available languages
include all languages associated with the organization (root)
certifier ID.
9. (Optional) Enter a country code for the organization. This option is
available only for organization certifier IDs.
10. Enter a name for the organization/organization unit in the
Organization/OrgUnit field.
11. Click OK.
12. (Optional) To add another alternate language, click the Add button
and repeat Steps 7 through 11.
13. Click Certify.
For more information on advanced user registration, see the topic Using
Advanced Notes user registration earlier in this chapter.
Windows NT, 2000, and XP users should log onto their computers
with administrative rights to install Lotus Notes 6. For cases in which
administrative rights are not available, enable the setting Always
install with elevated privileges. Refer to the Release Notes for the
most current information on permissions required when installing as
a non-administrator.
Review the options for customizing the Notes client installation and setup.
Installation methods
Domino offers several methods or types of installation that you can make
available to the Domino Notes users in your enterprise.
1. Before you install the client program files on a Win32 system, do the
following:
Make sure that the required hardware and software components
are in place and working.
Read the Release Notes for disk-space requirements and for any
last-minute changes or additions to the documentation.
Temporarily disable any screen savers and turn off any
virus-detection software.
Make sure that all other applications are closed. Otherwise, you
may corrupt shared files, and the Install program may not run
properly.
If you are upgrading to Domino from a previous release, see the
Upgrade Guide.
2. Run the client install program (SETUP.EXE), which is on the
installation CD.
created. Users can run the install program directly from this
directory structure that you provide using the Lotus Notes 6.msi file
created in the root of the directory structure.
6. Create a transform file for the installation of the end user's local data
files.
For more information on creating a transform file, see the topic Creating
a transform file in this chapter.
Make sure that the required hardware and software components are
in place and working.
Read the Release Notes for disk-space requirements and for any
last-minute changes or additions to the documentation.
Make sure that all other applications are closed. Otherwise, you may
corrupt shared files, and the Install program may not run properly.
Multi-user installations
Multi-user installation applies to Microsoft Windows (Win 32) users
only. The multi-user installation is only supported for the Notes client
installations; it is not supported for installing the Domino Administrator
client or the Domino Designer. Therefore, the multi-user option is only
available in the Notes installation kit.
Use the multi-user installation if your enterprise has multiple users who
share a single workstation. Then, when users log onto the system, they
run the Lotus Notes 6 client setup, and their own personal data files
(that is, BOOKMARK.NSF, NAMES.NSF, and other files) are created.
The multi-user installation differs from a shared installation in that
Program files are located on the local system in a multi-user install,
which can be an advantage. This allows for access to the Notes client
regardless of which network drives are available. In a shared installation,
users are dependent on the availability of shared network drives.
In a multi-user installation, install the Domino Program files to a central
location on the local system. Each user has their own data directory
located in the system's application data directory for the current user.
The actual location varies as follows according to operating system:
Example 3 c:\Bin\Win95\Profiles\user\Local Settings\Application Data\Lotus\Notes Data
Each users individual data files are created when the user logs on to the
workstation, launches the Lotus Notes 6 client, and completes the client
setup. The multi-user option is only visible to those users with
administrative privileges on the local system. This installation option is
not enabled for other users.
Note Individual Location documents are no longer needed for each user
that utilizes the Notes client on the same workstation, as compared to
previous releases where individual Location documents had to be
created for each user when multiple users attempted to use the same
Notes client installation on a workstation.
Type of install: command line
Transform install: TRANSFORMS="custom.mst"
Silent install: setup.exe /s /v/qn
Verbose logging
Note The version of InstallShield Tuner for Lotus Notes that is included
with Domino works only with Lotus Domino 6, not with other products.
You can use transform files to set up shared and customized installations.
Access their Web site at http://www.installshield.com for further
information.
Use this procedure to specify a location other than the default location in
which to store the installation directories. When specifying directory
names, use names that contain eight or fewer characters.
3. In the top pane, click Browse and locate the source directory, which
is the directory from which you are copying the custom files.
4. In the bottom pane, select the destination directory, for example,
ProgramFiles\Lotus\notes\Data\modems.
5. Drag and drop the custom file from the source directory to the
destination directory.
To apply a transform
This section contains two sets of instructions. The first set explains how
to apply a transform file for a user interface (UI) installation, that is, an
installation that presents a user interface. The second set explains how to
apply a transform file for a silent install, that is, an installation that
does not present a user interface and therefore does not require any user
interaction. There is also a section on using a batch file to launch the
command.
For installations using the transform file (and for silent installations)
using the msiexec commands, the network installation should not be the
first installation of Notes that you perform unless you are certain that all
of the client workstations contain the Windows Installer Service.
Note The command line path is the default installation path or the path
for the transform file.
User interface (UI) installation
In this example, the installdir parameter and the datadir parameter
are used to overwrite the default settings designated by the transform
file.
1. Change to the install directory that contains both the Lotus Notes
6.msi and the transform, *.mst, files.
2. Do one of these:
To install to the default Program and Data directories, enter this
command from the command line:
msiexec /i "Lotus Notes 6.msi" TRANSFORMS="custom.mst"
Silent install
1. Change directory to the install directory that contains both the Lotus
Notes 6.msi and the transform, *.mst, files.
2. Do one of these:
If you want to install to the default Program and Data directories,
enter this command from the command line:
msiexec /i "Lotus Notes 6.msi" /qn TRANSFORMS="custom.mst"
Using the SETUP.INI file setting to apply one transform file to all
client installs
Use a setting in the SETUP.INI file in the install directory to apply one
transform file to all installs. Using this method prevents the end user
from having to enter a command line parameter or from using a batch
file.
Setting: Description
Username
KeyfileName
Domino.Name
Domino.Address
Domino.Port
Domino.Server
AdditionalServices
Mail.Incoming.Server
Mail.Incoming.Protocol
Mail.Incoming.Username
Mail.Incoming.Password
Mail.Incoming.SSL
Mail.Outgoing.Name
Mail.Outgoing.Server
Mail.Outgoing.Address
Mail.InternetDomain
Directory.Name
Directory.Server
News.Name
News.Server
NetworkDial.EntryName
NetworkDial.Phonenumber: Dial-in number
NetworkDial.Username
NetworkDial.Password
NetworkDial.Domain
DirectDial.Phonenumber
DirectDial.Prefix
DirectDial.Port
DirectDial.Modem
Proxy.HTTP
Proxy.FTP
Proxy.Gopher
Proxy.SSL
Proxy.HTTPTunnel
Proxy.SOCKS
Proxy.None
Proxy.UseHTTP
Proxy.Username
Proxy.Password: User password
Replication.Threshold
Replication.Schedule
Managing users
The Administration Process helps you manage users by automating
many of the associated administrative tasks. For example, if you rename
a user, the Administration Process automates changing the name
throughout databases in the Notes domain by generating and carrying
out a series of requests, which are posted in the Administration Requests
database (ADMIN4.NSF). Changes are made, for example, in the Person
document, in databases, in ACLs and extended ACLs. However, the
Administration Process can be used only if the database is assigned an
administration server.
Rename a user
There are several ways in which you rename a user. Usually they
involve changing a user's common or alternate name. However, in
Domino Notes, the name hierarchy becomes part of the user's name. So if
a user is moved and certified by a new hierarchy, then that too is
considered renaming. The rename tasks are:
Moving a users mail file and roaming files from the Domino
Administrator or the Web Administrator
User maintenance
In addition to the tasks listed above, there may be times when you need
to locate a user, recertify a users ID, or another user-related task. Use the
following procedures:
While managing users, you may also need to recertify a certifier ID.
Recertifying a user ID
Recertifying a certifier ID
Note The AdminP Mail Notification agent runs only on Domino Release
5.05 or more recent servers and sends e-mail to Notes Release 5.05 or
more recent clients.
1. From the Domino Administrator, click Server - Analyses.
2. Click Administration Requests (6).
3. Locate the administration request to rename the user and then open
the request.
4. Choose Actions - Enable/Disable User Notification. The agent is
enabled and automatically sends to the user an e-mail message
containing links to databases in which the user created or modified
design elements such as a folder or view.
5. Click OK.
Troubleshooting name changes
The public key in the Person document must match the one on the user
ID. If a public key has been changed or corrupted in some way, you see
this message in the Administration Requests database: The name to act
on was not found in the Address Book.
For more information on correcting this problem, see the chapter Setting
Up the Administration Process.
You can enable an agent that sends to the user an e-mail message
notifying the user of a name change and containing links to databases in
which the user created or modified design elements such as a folder or
view. To update the private design elements with the user's new name,
the user must then open the database via the database links in the e-mail
notification. This update to the user name allows the user to maintain
access to their own private design elements. Enable the Mail Notification
agent from within the Administration Requests database (ADMIN4.NSF).
Field: Action
Server: Do one of these:
If you are using the Lotus Domino 6 server-based CA, choose the server that is used to access the Domino Directory to look up the list of certifiers.
Supply certifier ID and password
Field: Action
Qualifying Org. Unit
Short Name
Internet Address
10. Complete this step only if the user has an alternate name or if you
are assigning alternate names. If you are not working with alternate
names, skip this step and go to Step 11.
Field: Action
New Alternate Name Information: Available only if you are renaming a user whose certifying organization has alternate names assigned.
Common Name
Qualifying Org. Unit
Original Language
New Language
Field: Action
Server: Do one of these:
If you are using the Lotus Domino 6 server-based CA, choose the server that is used to access the Domino Directory to look up the list of certifiers.
If you are supplying a certifier ID, select the server that is used to locate the list of certifiers so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors. This is also the server on which CERTLOG.NSF is updated.
Old Certifier
New Certifier
Field: Action
Server: Do one of these:
If you are using the Lotus Domino 6 server-based CA, choose the server that is used to access the Domino Directory to look up the list of certifiers.
If you are supplying a certifier ID, select the server that is used to locate the list of certifiers so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors. This is also the server on which CERTLOG.NSF is updated.
Supply certifier ID and password
Certifier
7. In the Rename Person dialog box, make changes to the primary name
as needed.
Other fields: Short Name, Internet Address, Rename Windows NT User
Account, New Language
4. In the Honor old names for up to <21> days field, either accept the
default or enter a value between 14 and 60 days.
5. Click Next.
6. Select each name whose common name components you want to
change, and then change the name as desired. Repeat for each name
you are changing.
8. Click Finish.
For information on creating a non-Notes, Internet user, see the topic
Registering non-Notes, Internet users in this chapter.
Server: Do one of these: If you are using the Lotus Domino 6
server-based CA, choose the server that is used to access the Domino
Directory to look up the list of certifiers. If you are supplying a
certifier ID, select the server that is used to locate the list of
certifiers so that the Certifier ID file can be updated with the latest
set of certificates for itself and all of its ancestors. This is also
the server on which CERTLOG.NSF is updated.
Supply certifier ID and password
1. From the Domino Administrator, click the People & Groups tab.
2. Choose People and select one or more roaming user name(s) you are
changing to nonroaming.
3. From the tools pane, click People - Roaming.
Note If you selected a mixed group of roaming and nonroaming
users, the Mixed Roaming Profile dialog box appears and prompts
you to select either roaming or non-roaming. Click the check box
Remove roaming profiles from <n> selected users. In this case, <n>
is the number of roaming users selected.
4. Click the check box Perform updates in background to process
each user in the background.
Tip Run the process in the background so that you can use the
Administrator client while requests are processed.
To verify the change
The procedure changes the user's status in their Person document from
roaming to nonroaming. To verify that the change has been made:
1. From the Domino Administrator, click the People & Groups tab.
2. Click People and then select the user you changed to nonroaming.
3. Click Edit Person to open the user's Person document.
4. Click the Roaming tab. The User Can Roam field should display No.
To approve the mail file deletion
If you chose to change a roaming user to nonroaming, you must approve
the deletion requests in the Administration Requests (ADMIN4.NSF)
database. Changing a roaming user to nonroaming requires that the
user's roaming files and replicas be deleted.
1. From the Domino Administrator, choose Server - Analysis -
Administration Requests (R6).
2. Select the Pending Administrator Approval view.
Setting Up and Managing Notes Users 5-69
Choose one:
Base folder: Name of the folder in which to store the user's roaming
files. By default the user's base folder is located in the Domino\data
directory. For example, if you want the base folder to be called
Roaming for all your roaming users, enter Roaming to create the
Domino\data\Roaming directory.
Sub-folder format: The format to use when naming the roaming user's
personal subfolder. By default this is the user's short name format.
You can change this format if desired and you can optionally choose a
separator character. A personal folder (subfolder) is created in the
Base folder for each user you upgrade to roaming user.
If folder exists: Choose one:
Skip person if a folder already exists.
Generate folder name to create a new folder.
Roaming user client clean up options: Choose one:
Do not cleanup: No cleanup is performed on roaming user files.
Cleanup every <number> days: Specify a number between 0 and 365.
Cleanup at Notes shutdown: Cleans up files when Notes is shut down.
Prompt user: The user is prompted on exiting the client as to whether
they want to clean up their personal files. If the user chooses Yes,
the data directory on that client workstation is deleted. If the user
chooses No, the user is prompted as to whether they want to be asked
again on that client. If the user chooses No, the user is not prompted
again. If the user chooses Yes, the user is prompted again the next
time the user exits the client on that workstation.
Perform updates in background
6. Click OK.
A message displays indicating the number of users successfully
upgraded from nonroaming to roaming.
To verify the change
The procedure changes the user's status in their Person document from
nonroaming to roaming. To verify that the change has been made:
1. From the Domino Administrator, click the People & Groups tab.
2. Select the user you promoted to roaming.
3. Click Edit Person to open the user's Person document.
4. Click the Roaming tab. The User Can Roam field should display
In Progress or Yes. The In Progress status displays until
replication has occurred and all replicas of the user's files are
updated.
3. On the Mail tab, modify the name in the Internet Address field as
necessary.
Delete user's Windows NT/2000 account, if existing
Delete user from this Domino Directory immediately: Select this option
to remove the account from the Domino Directory immediately, while
initiating Administration Process requests to remove the user's name
from ACLs, Names fields, etc.
Note If you choose to delete a user's mail file, you must have at least
Editor with delete documents access to the Administration Requests
database and delete documents access to the Domino Directory.
6. Click OK.
For more information on shared mail databases, see the chapter Setting
Up Shared Mail.
1. From the Domino Administrator, choose Server - Analysis - Administration Requests (R6).
2. Select the Pending Administrator Approval view.
3. Depending on your choices when you deleted the user name, do one
of the following:
If you are certain that you want to approve one or more requests
without looking at detail information for those requests, select the
request, and click Approve Selected Requests and then click OK.
If you would like to see detail on one or more requests before
approving the deletion, select and open the request, click Edit
Request, review the detail information, then choose Approve
Replica Deletion, or choose Reject Replica Deletion.
4. Click Save and Close.
Delete user's Windows domain account
Delete user from this Domino Directory immediately: Select this option
to remove the account from the Domino Directory immediately, while
initiating Administration Process requests to remove the user's name
from ACLs, Names fields, etc.
Moving a user's mail file and roaming files from the Domino
Administrator or the Web Administrator
You may need to move mail files when you need more space on a server
or when users change jobs. When a mail file is moved, the
Administration Process first moves it to a new server, then issues a
request to delete the old mail file from its original mail server. You must
approve this mail file deletion. The Administration Process also changes
the information in the Mail file name and Mail server fields in the
user's Location document.
Destination: Enter the name of the server to which you are moving the
user's mail and/or roaming files. If the destination server you choose
is a clustered server, it appears checked in the Additional mail server
field on this dialog box.
Move roaming files into this folder: Select this check box if you are
moving a user's roaming files. This check box is not active if you are
moving a nonroaming user. Accept the directory that is displayed or
click the folder icon to choose another directory.
Move mail files into this folder on <server>: Select this check box if
you are moving a user's mail files. Accept the directory that is
displayed or click the folder icon to choose another directory.
Other fields: Link to Object Store, Remove all mail replicas when
moving off cluster
6. If you are working with clustered servers, you can select additional
servers in the cluster to which the mail database can be moved. To
select additional servers, click the check box next to the server name
in the Additional mail server field.
7. Click OK.
Recertifying a user ID
Before a user ID reaches its expiration date, recertify the user ID using the
original certifier ID. The user ID is recertified without renaming the user.
Use the Certificate expiration view to determine which certifiers need to
be recertified. Access this view from Files - Certlog.nsf - By Expiration
date. All certifiers are listed by expiration date.
For more information on certifiers and certification, see the chapter
Deploying Domino.
Note To recertify a user ID using a certifier other than the certifier used
to create the user ID, see Moving a user name in the name hierarchy in
this chapter.
To recertify a user ID
Follow these steps to use the Administration Process to recertify a
hierarchical ID that is about to expire.
1. To recertify a user ID, you must have:
Author with Create documents access and the UserModifier role,
or Editor access to the Domino Directory
At least Author with Create documents access to the Certification
Log (CERTLOG.NSF)
2. From the Domino Administrator, click the People & Groups tab.
3. Select the user to be recertified with the same certifier.
7. If you selected the option to view each entry prior to its being
submitted, the Recertify Person dialog box appears with
non-modifiable information in the primary and common name fields.
Review the information that displays, then select one of the
following:
OK - to submit the name change.
Skip - if you are recertifying more than one user ID and you want
to continue to the next without submitting a recertification for the
current name.
Cancel Remaining Entries - to cancel this recertification, as well as
those for any other names you selected and have not yet
submitted.
8. When the Processing Statistics dialog box appears, review the
information to verify that all name changes have succeeded. Click
OK. If any fail, check the Certifier Log (CERTLOG.NSF) to determine
the reason for the failure.
Server: Do one of these: If you are using the Lotus Domino 6
server-based CA, choose the server that is used to access the Domino
Directory to look up the list of certifiers. If you are supplying a
certifier ID, select the server that is used to locate the list of
certifiers so that the Certifier ID file can be updated with the latest
set of certificates for itself and all of its ancestors. This is also
the server on which CERTLOG.NSF is updated.
Supply certifier ID and password
Other fields: User, Current Server, Current certifier, Expiration date,
Primary key, International key, Add, Rename, Remove, Password quality
7. Click Certify.
For more information on alternate names, see the chapter Setting Up
and Managing Notes Users.
2. Select one or more user name(s) that you want to locate in the
domain.
3. From the tools pane, click People - Find Users.
4. Click Yes to initiate the Administration Request to locate all the
occurrences of the selected name(s) in the enterprise.
To find references to a user's name with the Web Administrator
1. From the Web Administrator, click the People & Groups tab.
2. Enter the name of the user whose name you are trying to find.
3. Click Send.
4. (Optional) Continue adding user names that you want to search for.
5. Click Done.
To view the results of the name search
To view the log of locations where the user name(s) are located:
1. From the Domino Administrator or the Web Administrator, click
Server - Analysis - Administration Request (6).
2. Select the All Requests by Action view and locate the Find Name in
Domain request.
3. Double-click the report to access the Administration Process - Log
document.
License Tracking
License Tracking allows you to monitor the number of active Notes users
within a Notes domain. You can use License Tracking to determine how
many client licenses you have, whether you need to purchase additional
licenses, and when you need to purchase them.
Note License Tracking cannot be used in a hosted environment.
Chapter 6
Setting Up and Managing Groups
Using groups
Groups are lists of users, groups, and servers that have common traits.
They are useful for mailing lists and access control lists. Using groups
can simplify administration tasks. For example, if you create a group
called Terminations that lists all former employees, you can enter the
Terminations group name in the Not access field in the Server Access
section of the Security tab on each Server document. When an employee
leaves the company, you add the employee's name to the Terminations
group and then force replication of the Domino Directory to prevent the
employee from having access to all servers in the domain. Using a
Terminations group saves you the time and effort of manually adding
individual employee names to each Server document when employees
leave the company.
To create a group, you create a Group document in the Domino
Directory. You can add registered users to the group as you create the
Group document and you can add new users to a group as you register
them. There is no limit to the number of names that you can add to a
group. However, the total number of characters used for names in the
group cannot exceed 15KB. To keep groups manageable, split a large list
of users into two or more groups.
By default, the Domino Directory contains two groups:
LocalDomainServers and OtherDomainServers. LocalDomainServers
includes all servers in the current domain. Domino automatically adds
servers that you register in the current domain to the
LocalDomainServers group. OtherDomainServers includes all servers
that are not in the current domain. For example, OtherDomainServers
might include the names of servers in other companies with which your
company communicates. If you set up a connection to a server in another
company or domain, add the server name to the OtherDomainServers
group.
Other fields: Group name, Group type, Category, Description, Mail
Domain, Internet address, Members, Owners, Administrators
Allow foreign directory synchronization: Choose one:
Yes - To allow synchronization between a post office directory, such as
the cc:Mail post office directory or a Microsoft Exchange Address Book,
and the Domino Directory
No - To prevent synchronization between a post office directory, such
as the cc:Mail post office directory or a Microsoft Exchange Address
Book, and the Domino Directory
Last modified
3. From the Domino Administrator, from the Servers pane, choose the
server to work from. Omit this step if you are using the Web
Administrator.
4. Select Domino Directories, and then select Groups.
5. Select the group to which you are adding members, and click Edit
Group.
6. Do one of these:
From the Domino Administrator, click Members and then select
users, servers, or groups to add.
From the Web Administrator, select the users, servers, or groups
to add.
7. Click Add, and then click OK.
8. Click Save and Close.
Managing groups
To manage groups, you can do the following tasks:
Edit a group
Use the Manage Groups tool to add and remove group members
While managing groups, you may also need to recertify a certifier ID. To
do so, see Recertifying a certifier ID or a user ID.
To apply policy settings to an entire group, you can assign a policy to the
group. Assign an Explicit policy or assign both an Explicit policy and an
Organizational policy. An Explicit policy combined with an
Organizational policy creates an effective policy for the group. You can
use the Policy Synopsis tool to view how an effective policy affects the
members of a group.
Prior to assigning policies to groups, familiarize yourself with all aspects
of policies and how they are applied.
For more information on policies, see the topic Policies.
For more information on applying policy settings, see the topic Planning
and assigning policies.
For more information on policies and policy settings, see the chapter
Using Policies.
To assign a policy to a group
1. From the Domino Administrator, click People & Groups tab.
2. Choose Groups and select the group to which you are assigning a
policy.
3. Choose Tools - Groups - Assign Policy.
4. Complete these fields:
Fields: Selected For, Users with an existing policy, Policy, Allow
replacement of policies, View Policy Synopsis, Perform updates in
background
5. Click OK.
Editing a group
Use this procedure to edit any of the group attributes that are listed on
the Group document in the Domino Directory. You can modify the group
name, group type, description, group membership, group owner,
administrator, and specify whether foreign directory synchronization is
allowed. Foreign directory synchronization allows synchronization
between a post office directory, such as the cc:Mail post office directory
or a Microsoft Exchange Address Book, and the Domino Directory.
With group renaming, there isn't any tolerance for simultaneous
occurrences of the new and old names while the name change makes its
way across databases in the domain. For example, if a group name
changes in the Domino Directory before it has a chance to change in a
database ACL, the old group name in the database ACL is invalid. (This
6-10 Administering the Domino System, Volume 1
Group name: Enter a name for the group, using any of these characters:
A - Z, 0 - 9, & - . _ ' and the space character (ampersand, dash,
period, space, underscore, and apostrophe) for the name. A group name
can be a maximum of 62 characters in length. For easier administration,
use a name without spaces. Do not use a name that is in use as the name
of an organizational unit in the hierarchical name scheme.
Note Do not create group names containing a / (slash). Using the / in a
group name causes confusion with hierarchical naming.
Other fields: Group type, Category, Description
Mail Domain: Enter the name of the mail domain for the group. This is
especially useful for enterprises that have more than one mail domain.
Other fields: Internet Address, Members
6. Click the Administration tab and make changes to any of these fields:
Field
Action
Owners
Administrators
7. (Optional) To sort the list of group members before saving the Group
document, click Sort Member List.
8. Click Save and Close.
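As an added example (not from the Domino documentation or its code), the following Python check applies the group-name rules in the Group name field above and the 15KB member-name limit from Using groups to a proposed Group document. It assumes that lower-case letters are accepted alongside A - Z and that the 15KB limit counts 15 * 1024 characters of the member names themselves.

```python
# Added example, not Domino code. Assumptions: lower-case letters are accepted
# alongside A - Z (Notes names compare case-insensitively), and the "15KB"
# limit on member names is treated as 15 * 1024 characters of the names.
GROUP_NAME_MAX_LEN = 62
MEMBER_NAMES_MAX_CHARS = 15 * 1024
ALLOWED_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    "&-. _'"
)


def check_group_name(name, org_units=()):
    """Return the problems with a proposed group name (empty list = OK).

    org_units: names of organizational units in the hierarchical name
    scheme; a group must not reuse one of them.
    """
    problems = []
    if not name:
        return ["group name is empty"]
    if "/" in name:
        problems.append("contains '/', which is confused with hierarchical naming")
    bad = sorted(c for c in set(name) if c not in ALLOWED_CHARS and c != "/")
    if bad:
        problems.append("contains characters outside the allowed set: " + "".join(bad))
    if len(name) > GROUP_NAME_MAX_LEN:
        problems.append(f"{len(name)} characters exceeds the {GROUP_NAME_MAX_LEN}-character limit")
    if name.lower() in {ou.lower() for ou in org_units}:
        problems.append("reuses the name of an organizational unit")
    if " " in name:
        problems.append("advisory: contains spaces; a name without spaces is easier to administer")
    return problems


def plan_member_lists(members, max_chars=MEMBER_NAMES_MAX_CHARS):
    """Split a member list into consecutive sub-lists whose name characters
    total no more than max_chars, i.e. the two or more groups the page says
    to create when one list would exceed the limit."""
    lists, current, used = [], [], 0
    for member in members:
        if len(member) > max_chars:
            raise ValueError(f"single member name exceeds {max_chars} characters")
        if used + len(member) > max_chars:
            lists.append(current)
            current, used = [], 0
        current.append(member)
        used += len(member)
    if current:
        lists.append(current)
    return lists


def demo():
    # Constructed sample data: 1000 hierarchical user names of 28 characters.
    members = [f"CN=User {i:04d}/OU=Sales/O=Acme" for i in range(1000)]
    return {
        "Terminations": check_group_name("Terminations"),
        "Sales/East": check_group_name("Sales/East"),
        "Sales": check_group_name("Sales", org_units=["Sales"]),
        "lists": [len(part) for part in plan_member_lists(members)],  # [548, 452]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```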
To immediately change the name of a group throughout the domain
1. To process the Rename Group in Address Book request
immediately, choose the group rename action from the
administration server for the Domino Directory and then enter this
server command:
tell adminp process new
Foreign directory synchronization allowed: Choose one: Yes - To allow
synchronization between a post office directory, such as the cc:Mail
post office directory or a Microsoft Exchange Address Book, and the
Domino Directory
6. Click OK.
7. Click Close.
Group Hierarchies
Look in
Show me: Choose one:
All group hierarchies - To display all of the group hierarchies in the
selected directory.
Only member hierarchies - To display all of the groups in which the
selected user is a member.
List alphabetically: Lists alphabetically, all people and groups in the
selected directory.
List by organization
Chapter 7
Creating Replicas and Scheduling Replication
Replicas
To make a database available to users in different locations, on different
networks, or in different time zones, you create replicas. All replicas share
a replica ID which is assigned when the database is first created. The file
names of two replicas can be different, and each replica can contain
different documents or have a different database design; however, if their
replica IDs are identical, replication can occur between them.
As users add, edit, and delete documents in different replicas of a
database, the content in the replicas is no longer identical. To ensure that
the content in all replicas remains synchronized, you use Connection
documents to schedule replication between the servers that store the
replicas. Then multiple sites, teams, and users can make changes to a
database and share those changes with everyone else who has access to
that database. In addition, using replicas and scheduling replication
reduces network traffic. Users never need to connect to a single central
server that stores the only replica of a particular database. Instead, they
can access a replica of that database on one or more local servers.
These distributed replicas can also be Web sites that are hosted on
different Lotus Domino 6 servers. Then users aren't dependent on one
server when they attempt to access critical applications over the Internet.
If one server is unavailable, users can access another replica of the
database on another server. You can also use replicas to help manage
ongoing Web site design. On one server, you can set up a Web staging
area where you design and test new pages. When the design changes are
tested and ready to be released, you can replicate this server with the
server storing the replica of the Web site that is available to users. By
using replicas and replication this way, you prevent Web users from
seeing your work-in-progress.
Keep in mind that two replicas will contain slightly different content
between replications. If users need access to the most up-to-date
information in a database, you can create replicas on clustered servers
and then set up replication in clusters. In a cluster, all replicas are always
identical because each change immediately replicates to other servers in
the cluster.
For more information on setting up individual databases for replication,
see the topic Creating replicas using the Administration Process in this
chapter.
Replication, step-by-step
To fully understand replication, you need to be familiar with the
information in the topics Guidelines for setting server access to
databases and Setting up a database ACL for server-to-server
replication in this chapter. You also need to familiarize yourself
with the information on replication in the appendix Server Commands.
1. Replication is initiated by a server or a workstation in one of the
following ways:
Replication schedule settings in a Connection document take
effect.
A replication command to replicate immediately is issued at the
server console. The server console commands include replicate,
pull, push, and load replica.
Settings in a Program document. The Program document starts a
new task on the server rather than sending work to an existing
task.
Privileges: Create documents, Delete documents
In general, for servers, enable all the privileges that the selected access
level allows. This ensures that the server has access that is as high as
users might have and can replicate all user changes. However, to prevent
certain changes from replicating without deselecting privileges for each
user, you can deselect a particular privilege for a server entry in the ACL.
For example, to prevent all document deletions made in a database on a
particular server from replicating, deselect Delete documents in the
ACL entry for the server. Then when users who have Delete
documents access in the ACL delete documents, the deletions don't
replicate.
For more information on setting up database ACLs, see the chapter
Controlling User Access to Domino Databases.
Assign to:
Manager - ACL settings, database encryption settings, replication
settings, and all elements allowed by lower access levels
Designer - Design elements and all elements allowed by lower access
levels
Editor
Author - New documents
Reader
Depositor
Note A database that doesn't replicate should have at least one server in
its ACL to serve as the administration server for the database. This
allows the Administration Process on a server to update names in the
ACL when names in the organization change.
For more information on administration servers, see the chapter Setting
Up the Administration Process.
Setting / Controls / Panel option:
Replicate a subset of documents / Which documents a replica receives /
Space Savers
Replicate / Which non-document elements this replica receives /
Advanced
By default, two replicas exchange all edits, additions, and deletions if the
servers the replicas are on have the necessary access. However, you can
customize replication. For example, to save disk space, you can prevent
the transfer of documents that are not pertinent to your site.
Setting / Panel option:
Send / Other
Temporarily disable replication / Other
You can manage these settings for multiple replicas from a central source
replica.
For more information, see the topic Specifying replications settings for
multiple replicas from one source replica in this chapter.
removes any deletion stubs that are at least 90 days old. The Updall task,
which runs by default at 2:00 AM, also removes deletion stubs.
You can shorten the purge interval, if you want, but be sure to replicate
more frequently than the purge interval; otherwise, deleted documents
can be replicated back to the replica.
Optionally, you can select the check box to remove documents in the
replica that haven't changed within the purge interval. If you select the
check box, when Domino removes deletion stubs it also removes
documents that haven't changed within the specified number of days.
These documents are purged, meaning no deletion stubs remain for the
documents, so the documents aren't deleted in other replicas. The Only
Replicate Incoming Documents Saved or Modified After: date setting
prevents the purged documents from reappearing through replication. If
the other replicas have this check box selected, similar document purging
occurs in them.
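To make two behaviours in this chapter concrete, the server ACL Delete documents privilege described under server access and the deletion-stub purge interval described just above, here is an added toy model of two replicas in Python. It is not Domino's replicator: it assumes a day-based clock and ignores sequence numbers, replication history and selective replication formulas.

```python
from dataclasses import dataclass, field

# Added toy model, not Domino's replicator. Assumptions: a day-based clock,
# at most one version of a document per day, no sequence numbers, no
# replication history and no selective replication formulas.


@dataclass
class Replica:
    server: str                                   # server holding this replica
    docs: dict = field(default_factory=dict)      # doc id -> day last modified
    stubs: dict = field(default_factory=dict)     # doc id -> day deleted
    # this replica's ACL: peer server -> is "Delete documents" selected?
    delete_documents: dict = field(default_factory=dict)

    def delete(self, doc_id, day):
        """A user deletes a document; it is replaced by a deletion stub."""
        del self.docs[doc_id]
        self.stubs[doc_id] = day

    def purge(self, day, purge_interval):
        """Drop deletion stubs at least purge_interval days old (the page's
        default is 90). Afterwards nothing here records the deletion."""
        self.stubs = {d: t for d, t in self.stubs.items()
                      if day - t < purge_interval}


def push(src, dst):
    """Replicate src's changes into dst, honouring dst's ACL entry for src."""
    # Deletions replicate only if the source server holds "Delete documents"
    # in the destination's ACL; deselecting it keeps that server's deletions out.
    if dst.delete_documents.get(src.server, True):
        for doc_id, deleted_day in src.stubs.items():
            if doc_id in dst.docs and dst.docs[doc_id] <= deleted_day:
                del dst.docs[doc_id]
            dst.stubs.setdefault(doc_id, deleted_day)
    # Additions and edits: the newer version wins, and a document the
    # destination no longer has a stub for is simply a new document to it.
    for doc_id, mod_day in src.docs.items():
        if doc_id in dst.stubs:
            if dst.stubs[doc_id] >= mod_day:
                continue              # destination's deletion is newer
            del dst.stubs[doc_id]     # document was re-created after deletion
        if dst.docs.get(doc_id, -1) < mod_day:
            dst.docs[doc_id] = mod_day


def deletion_replicates(delete_documents_selected):
    """Delete memo-1 on the hub and replicate to a spoke whose ACL entry for
    the hub has "Delete documents" selected or not; return the spoke's docs."""
    hub = Replica("Hub/Acme", docs={"memo-1": 1, "memo-2": 1})
    spoke = Replica("Spoke/Acme", docs={"memo-1": 1, "memo-2": 1},
                    delete_documents={"Hub/Acme": delete_documents_selected})
    hub.delete("memo-1", day=2)
    push(hub, spoke)
    return sorted(spoke.docs)


def deleted_document_returns(replication_interval, purge_interval=90):
    """Delete a document on A on day 0, purge stubs daily on both replicas,
    replicate both ways every replication_interval days, and report whether
    the deleted document is back on A after two replication cycles."""
    a = Replica("A/Acme", docs={"memo": 0})
    b = Replica("B/Acme", docs={"memo": 0})
    a.delete("memo", day=0)
    for day in range(1, 2 * replication_interval + 1):
        a.purge(day, purge_interval)
        b.purge(day, purge_interval)
        if day % replication_interval == 0:
            push(a, b)
            push(b, a)
    return "memo" in a.docs


if __name__ == "__main__":
    print("Delete documents selected:", deletion_replicates(True))      # ['memo-2']
    print("Delete documents deselected:", deletion_replicates(False))   # ['memo-1', 'memo-2']
    print("replicate every 30 days, purge at 90:", deleted_document_returns(30))    # False
    print("replicate every 100 days, purge at 90:", deleted_document_returns(100))  # True
```

Replicating less often than the purge interval lets the other replica hand the document back as if it were new, which is the reappearance the text warns about.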
Replicate
Use this setting to control which non-document elements a replica
receives. This table describes the options:
Option / Default:
Forms, views, and so on / Selected
Agents / Selected
Replication formula
Deletions / Selected
Fields
5. Click the connection you want to work with, and then click Edit
Connection.
6. On the Basics tab, complete these fields:
Other fields: Usage priority, Source server, Source domain, Destination
server, Destination domain
Replication task: Choose Enabled.
Replicate databases of Priority: Choose one: High; Medium & High;
Low & Medium & High (default)
Choose one: Pull Pull; Pull Push (default); Pull Only; Push Only
Schedule: Choose Enabled.
Other fields: Call at times, Repeat interval of, Days of week
The server calls and attempts to connect at the exact time you specified. If
unsuccessful, the server tries to connect for an hour. Whether or not the
connection succeeds, the next call does not occur until 8 AM the next
morning.
For example, you could create two Connection documents: one that
schedules replication for Monday to Friday, and another that schedules
replication for Saturday and Sunday.
Staggering schedules
You can use staggered schedules on hub-and-spoke topology. For
example, you could schedule the first server to replicate from 8 AM to 10
AM, the second server from 8:05 AM to 10:05 AM, and so on. You can
create a simple round-robin schedule for a hub server and its spokes,
repeating as often as is practical. This process spreads all data within a
hub's sphere of influence quickly.
If two replicas are assigned different priorities, Domino uses the priority
assigned to the replica on the server that initiates the replication. If you
schedule databases to replicate by priority and a particular database isn't
replicating often enough, ask the database manager to increase the
priority level of that database.
Limiting the time a server has to replicate with another server prevents
extensive replication sessions and allows you to control the cost of
replication with servers in remote sites. For example, if replication
depends on a long-distance phone call and the database takes time to
replicate, you can limit how long the replication period lasts.
To limit the time a server has to replicate:
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting servers Domino Directory in the Use
Directory on field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Replication/Routing tab.
6. In the Replication Time Limit field, enter the maximum connection
time in minutes.
7. Click Save and Close.
If the Replication Time Limit field has a value in it and the replication
isn't complete at the end of the specified time or if the server crashes,
then replication will begin where it left off once it restarts. When the field
is blank, Domino uses as much time as it needs to complete the
replication session.
Caution If you specify an inappropriately low value and the databases
do not have time to replicate completely, replication terminates upon
reaching the time limit, regardless of how little progress, if any, occurred.
The log file (LOG.NSF) records a message indicating that termination has
occurred but that the replication was successful. The replication history
isn't updated so that the next replication takes place after the last
complete replication event.
To limit replication time for all servers, edit the NOTES.INI file to
include the ReplicationTimeLimit setting.
For more information on settings in the NOTES.INI file, see the appendix
NOTES.INI File. For more information on entering server commands,
see the appendix Server Commands.
Method / Command / Result:
Replicate
Pull
Push
Chapter 8
Setting Up Calendars and Scheduling
You can set up the calendar and scheduling features to allow users to
schedule meetings and reserve resources.
If the Free Time system does not find any information on Bob, it
converts Bob's name into a fully qualified name.
If Bob's mail server is unavailable and his Free Time database is
not clustered, a message appears indicating that the server is
unavailable, and the Find Time dialog box indicates that Bob's
information is unavailable.
4. Kathy's Domino Directory is checked for Bob's Person document.
When the Person document is found, the Calendar Connector sends
the request to Bob's mail server, the name of which is listed in Bob's
Person document.
5. The Free Time system on Bob's mail server looks in its Free Time
database and returns the information to Kathy via the Calendar
Connector. If the Free Time system doesn't find any information, the
query fails, and the Find Time dialog box indicates that Bob's
information is unavailable.
Users in different domains
1. Kathy creates a meeting invitation and chooses to search for Robin's
free time. In addressing the invitation, Kathy specifies Robin's
domain.
2. A query is sent to Kathy's mail server.
3. The Free Time system looks for Robin's name in the Free Time
database on Kathy's mail server. It determines Robin's mail server is
in a different domain.
4. Kathy's Domino Directory is searched for a document that matches
Robin's domain.
If the Free Time system finds an Adjacent Domain document, it
looks at the Calendar server name field of the document for the
name of a server that accepts calendar queries for Robin's domain.
The Free Time system then forwards the query to this server for
processing.
Setting Up Calendars and Scheduling 8-3
If Bob and Kathy have the same mail server or if Bob's and
Kathy's mail servers are part of a cluster, the Free Time system
finds the information and returns Bob's free time to Kathy.
If the Free Time system doesn't find a Foreign Domain document, the
query fails, and the Find Time dialog box indicates that Susan's
information is unavailable.
Setting up scheduling
Enter
Calendar server name
How you set up scheduling depends on where users are located (that
is, in the same Domino domain or in different Domino domains) and
whether users use alternate scheduling applications, such as Lotus
Organizer and IBM OfficeVision.
Enter
Route requests through calendar server
Calendar server name
Calendar system
Field   Action
Server
Title
File Name
Template server
Other: Resources that are not rooms or online meetings, but that
you want to make available for users to reserve
After you set up resources, users can search for the free time of a
resource and schedule the resource for a meeting while searching for free
time and inviting users to the meeting. For each Resource document you
create, the Administration Process creates a corresponding Resource
document in the Domino Directory. During a free-time query, the Free
Time system searches the Free Time database to find the location of these
resources and returns information on the availability of both the resource
and the invitees.
When setting up rooms as resources, enter the room information in a
consistent format, either by name or by number. Doing so will limit the
number of errors caused when a room cannot be located in the database.
When a user reserves a conference room with type-ahead enabled, Lotus
Domino 6 searches for the conference room by room number or by room
name, but not by both. Lotus Domino 6 looks up rooms according to how
they have been added to the Resource Reservations database, either by
name or by number. If a user enters a room name and the room resource
is set up by room number, an error is generated and the room is not
located. Setting up all room resources by room name or by room number
helps eliminate this type of error.
When you create a Resource document, you define the resource name,
type, and availability; and you specify who can reserve the resource.
There are three types of resources:
When you create a Site Profile or Resource document, the new resource is
not available for users to schedule until the Administration Process adds
the resource to the Domino Directory and the addition replicates to all
replicas of the Domino Directory on the servers used for scheduling
resources.
Enter
Site name
Domain name
Name
Site
Category (Appears when you select Other as Resource Type)
Capacity (Appears when you select Room as Resource Type)
Description
Internet address
Field   Enter
Owner restrictions: Choose one:
  None: Click if no owner is assigned to the resource and anyone can reserve the resource.
  Owner only: Click to assign a Resource owner. Only the Resource owner can process Resource requests without special approval. Enter the name of the resource owner in the Owner's name field. The owner is the person or group to whom requests from other users (those not listed in the List of names field) are forwarded for approval and processing.
  Specific people: Click to allow only specified users access to the resource. Enter the names of users allowed to reserve this resource in the List of names field.
  Autoprocessing: Click to allow only specified users and groups access to the resource and to assign a resource owner. Enter the name of the resource owner in the Owner's name field. The owner is the person or group to whom requests from other users (those not listed in the List of names field) are forwarded for approval and processing. Enter the names of users allowed to reserve this resource in the List of names field.
  Disable reservations: Click to prevent users from reserving a resource from a meeting notice and directly from the Resource Reservations database.
Availability settings: Choose one of these:
  24 hours everyday: The resource is available 24 hours each day. When you select this availability setting, other availability settings are disabled.
  Time zone: Specify the time zone for the resource. The default is Local Time, but you can specify others as applicable, such as Eastern Time.
  Days of week and hours of days: Select the days of the week that the resource is available. Specify availability start time and end time for each available day selected.
Other comments
Enter
Online meeting database: Choose one:
  Audio: Voice only
  Audio and Video support: Voice and video display
Enter
Description
Capacity (for Rooms only): The capacity of the resource, if it has one (for example, the seating capacity of a room).
Category (for Other only)
Owner restrictions: Choose one:
  None: Click if no owner is assigned to the resource and anyone can reserve the resource.
  Owner only: Click to assign a Resource owner. Only the Resource owner can process Resource requests. Enter the name of the resource owner in the Owner's name field.
  Specific people: Click to allow only specified users access to the resource. Enter the names of users allowed to reserve this resource in the List of names field.
  Autoprocessing: Click to allow only specified users access to the resource and to assign a resource owner. Enter the name of the resource owner in the Owner's name field. The owner is the person to whom requests from other users (those not listed in the List of names field) are forwarded for approval and processing. Enter the names of users allowed to reserve this resource in the List of names field.
  Disable reservations: Prevent users from reserving a resource from their mail file.
Field   Enter
Internet address
Description
Online Meeting Database
External address
Sametime server
Audio Video Support: Choose one:
Other comments
To delete a resource
When you delete a resource, an administration request that requires
the administrator's approval is also generated. After deleting the
resource in the user interface, open the Administration Requests
database and approve the deletion there. Instructions for both
procedures are included here.
1. Make sure that you have the [CreateResource] role in the ACL of the
Resource Reservations database.
2. From the Domino Administrator, click the Files tab.
3. From the Servers pane, select the server from which you want to
work.
4. Open the Resource Reservations database, and then click Resources.
5. Open the Resource document that you are deleting, and click Delete
Resource.
6. Click Yes and click OK.
Field   Action
Group: Do one of these:
  Select a group from the list
  Add a new group in the New keyword field and then click OK
Title
Repeat: Monthly by Date; Monthly by Day; Yearly; Custom. If you choose Custom, enter one or more dates on which the holiday repeats.
Field   Action
Start date: Enter the date when the holiday first occurs. This date may be the actual date of the holiday (such as New Year's Day) or it may be the date from which to start the holiday. For example, if your organization gives employees every other Friday off from June through August, enter June 1 as the Start Date and select For from the Continuing field to specify an end date of August 31.
Continuing: Choose one:
  Until: Click Until and then enter a specific date in the Repeat Until field.
  For: Click For and then specify the number of months or years during which the holiday repeats in the Repeat For field.
Repeat until (Displays if you select Until in the Continuing field.)
8-18 Administering the Domino System, Volume 1
Field   Action
Repeat For (Displays if you select For in the Continuing field.): Enter the number of months or years during which the holiday should repeat.
Choose one:
  Don't Move
  Move to Friday
  Move to Monday
  Move to Nearest Weekday
7. Complete this step only if you chose Custom in the Repeat field in
Step 5.
Field   Enter
Repeat Dates (Applies only to Custom.)
Field   Action
Mark time as
Detailed description
Repeat Interval (Applies to Monthly by Date and by Day): Choose how often the holiday repeats by month and day.
4. On the Basics tab, click the check box Extract calendar details. The
feature is enabled.
Chapter 9
Using Policies
Policies
Using a policy, you control how users work with Notes. A policy is a
document that identifies a collection of individual policy settings
documents. Each of these policy settings documents defines a set of
defaults that apply to the users and groups to which the policy is
assigned. Once a policy is in place, you can easily change a setting, and it
will automatically apply to those users to whom the policy is assigned.
Policy settings documents cover these administrative areas:
Desktop: Use desktop policy settings to control and update the user's
desktop environment or to reinforce setup policy settings. For
example, if a change is made to any of the policy settings, the next
time users authenticate with their home server, the desktop policy
settings restore the default settings or distribute new settings
specified in the desktop policy settings document.
Organizational policies
An organizational policy automatically applies to all users registered in a
particular organizational unit. For example, to distribute default settings
to all users registered in Sales/Acme, create an organizational policy
named */Sales/Acme. Then when you use the Sales/Acme certifier ID to
register a user, that user automatically receives the settings in the
corresponding organizational policy.
If you move a user within the hierarchical structure (for example,
because the user transfers from the Sales department to the Marketing
department), the organizational policy for the corresponding certifier
ID is automatically assigned to the user. For example, if you move the
user from Sales/Acme to Marketing/Acme, all settings defined in the
desktop, archiving, and security policy settings documents associated
with the */Marketing/Acme organizational policy are assigned to the
user. The new policy settings become effective the first time users
authenticate with their home server.
Explicit policies
An explicit policy assigns default settings to individual users or groups.
For example, to set a six-month certification period for contract workers
in all departments, create an explicit policy and then assign it to each
contract employee or to the group that includes all contract employees.
There are three ways to assign an explicit policy: during user registration,
by editing the user's Person document, or by using the Assign Policy
tool.
For information on assigning an explicit policy, see the topic Assigning
an explicit policy, later in this chapter.
Using Exceptions
You can assign an exception attribute to either an organizational or
explicit policy. You use an exception to allow the user to override a
policy setting that is otherwise enforced throughout an organization.
When you create an exception policy, you specify only the settings that
will not be enforced. Then when you assign the exception policy, it
exempts users from enforcement of those settings only.
There are two tools that help you determine the effective policy
governing each user. The Policy Viewer shows the policy hierarchy and
associated settings documents, and a Policy Synopsis report shows the
policy from which each of the effective settings was derived.
[Figure: organizational policy hierarchy */Acme, */Sales/Acme, */NE/Sales/Acme, and Joe User/NE/Sales/Acme, showing the Policy and RegSetting (registration settings) document at each level with password quality values PQ=6, PQ=7, and PQ=8.]
In the following figure, Joe User inherits a password quality setting from
a parent policy. Inheriting a setting occurs in the child policy at the field
level in a policy settings document.
[Figures: the same hierarchy (*/Acme, */Sales/Acme, */NE/Sales/Acme, Joe User/NE/Sales/Acme) with the RegSetting password quality field marked Inherit or Enforce at different levels; the values shown are PQ=8 and PQ=9, with the value Joe User receives at the bottom.]
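As an added example (not IBM's code), the following Python models the policy resolution described above: the organizational policies found by walking a user's hierarchical name, a field a child policy inherits from its parent, a field a parent enforces on its children, and the value-and-source pairs a Policy Synopsis reports. The rule that an enforced parent value wins over a child's value, and treating an explicit policy as the last, most specific level, are assumptions; the policy names, PQ values and the Contractors policy are constructed.

```python
"""Model of how a user's effective policy settings are resolved.

Added example, not IBM's code. Assumed, because the page does not spell it
out: an enforced parent value overrides any child value, and an explicit
policy is applied after the organizational policies.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Setting:
    """One field of a policy settings document, e.g. password quality (PQ)."""
    value: object
    inherit: bool = False   # take the value from the parent policy instead
    enforce: bool = False   # force this value on every child policy (assumed rule)


@dataclass
class Policy:
    """A policy and its settings, flattened to field name -> Setting."""
    name: str
    settings: Dict[str, Setting] = field(default_factory=dict)


def organizational_chain(user: str, policies: Dict[str, Policy]) -> List[Policy]:
    """Organizational policies that apply to a hierarchical name, root first.

    'Joe User/NE/Sales/Acme' -> */Acme, */Sales/Acme, */NE/Sales/Acme
    (only those that exist in `policies`).
    """
    units = user.split("/")[1:]            # drop the common name
    chain: List[Policy] = []
    for depth in range(len(units) - 1, -1, -1):
        name = "*/" + "/".join(units[depth:])
        if name in policies:
            chain.append(policies[name])
    return chain


def effective_settings(user: str, policies: Dict[str, Policy],
                       explicit: Optional[str] = None) -> Dict[str, Tuple[object, str]]:
    """Resolve each field to (effective value, name of the policy it came from).

    This is the information a Policy Synopsis report shows: the policy
    from which each effective setting was derived.
    """
    chain = organizational_chain(user, policies)
    if explicit is not None:
        chain.append(policies[explicit])   # assumption: explicit policy applies last

    effective: Dict[str, Tuple[object, str]] = {}
    enforced: set = set()                  # fields locked by an ancestor policy
    for policy in chain:
        for name, setting in policy.settings.items():
            if name in enforced:
                continue                   # a parent enforced it; the child cannot change it
            if setting.inherit and name in effective:
                continue                   # child inherits: keep the parent's value
            # A field marked inherit with no parent value falls through to its own value.
            effective[name] = (setting.value, policy.name)
            if setting.enforce:
                enforced.add(name)
    return effective


def synopsis(user: str, policies: Dict[str, Policy],
             explicit: Optional[str] = None) -> str:
    """Plain-text synopsis, one line per field: field = value (from policy)."""
    resolved = effective_settings(user, policies, explicit)
    return "\n".join(f"{k} = {v} (from {src})" for k, (v, src) in sorted(resolved.items()))


# Constructed sample hierarchy modelled on the page's figures (PQ = password quality).
SAMPLE_POLICIES: Dict[str, Policy] = {
    "*/Acme": Policy("*/Acme", {
        "PQ": Setting(8),
        "CertExpirationMonths": Setting(24),
    }),
    "*/Sales/Acme": Policy("*/Sales/Acme", {"PQ": Setting(6)}),
    # */NE/Sales/Acme inherits PQ, so its own value of 7 is never used here.
    "*/NE/Sales/Acme": Policy("*/NE/Sales/Acme", {"PQ": Setting(7, inherit=True)}),
    # Constructed explicit policy for contract workers (six-month certification).
    "Contractors": Policy("Contractors", {"CertExpirationMonths": Setting(6)}),
}


if __name__ == "__main__":
    joe = "Joe User/NE/Sales/Acme"
    print(synopsis(joe, SAMPLE_POLICIES))
    print("--- with explicit policy Contractors ---")
    print(synopsis(joe, SAMPLE_POLICIES, explicit="Contractors"))
```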
Creating policies
Creating a policy is a two-step process. If you create an organizational
policy, it automatically applies when you register users. If you create
an explicit policy, you assign it manually during user registration, in the
Person document, or by using the Policy Assignment tool.
For more information on assigning explicit policies, see the topic
Assigning an explicit policy, later in this chapter.
1. Create one or more of the following policy settings documents to
define default settings that you want to assign to users:
Registration policy settings
Setup policy settings
Desktop policy settings
Security policy settings
Archive policy settings
2. Create a Policy document, which identifies specific policy settings.
Field   Action
Name
Description
Choose a registration server: Select the registration server from the list.
Choose a password quality: Select a password quality level. If you are a service provider, you must select a minimum password quality of Any Password or, if specifying a number, level 2. After users authenticate with their home servers, password quality is governed by security settings.
Set Internet password
Field   Action
Use mail server for roaming server: Do one:
Create roaming files options: Choose one:
Cleanup options: Choose one:
  Do not clean up, to not clean up roaming user files.
  Clean up every N days, and enter a number between 0 and 365.
  Clean up at Notes shutdown, to clean up files when Notes shuts down.
Mail system
Mail server
Field   Action
Create mail file: Choose one:
  Create mail file now, to create the mail file immediately.
  Create mail file in the background, to use the Administration Process to create the mail file. Choose this option if you are creating many mail files at once.
Internet Domain
Choose an Internet address format: Choose the address format for Internet mail.
Choose an Internet address separator
Mail file owner access
Create full text index: (Optional) Check this option to allow users to perform a full-text search on their mail files. The default is unchecked. Full-text indexing is supported for Lotus Notes, POP3, IMAP, and iNotes Web Access. If you are a service provider, full-text indexing is supported for only IMAP and iNotes Web Access.
Set database quota
Set warning threshold
Security Type
Certificate Expiration Date: Choose one:
  Static date, and then enter an expiration date. The default static date is 24 months from the creation.
  Months from user creation, and then enter the number of months. The default is 24 months.
Group assignments
Local administrator
Field   Action
Proxy servers
Name
Description
Catalog/Domain Search server
Directory server
Sametime server
Local mailfile
Internet browser
Retrieve/open pages
Field   Action
Default databases added to bookmarks: Create a link for each database to add to the user workspace. If the server that stores a database is down during setup, a bookmark will not be created.
Create as new replicas on user's machine: Create a link for each database to add as a new replica to the user workspace.
Mobile directory catalogs
Field   Action
Trusted hosts
Choose one: Disable Java; No access allowed; Allow access only to originating host; Allow access to any trusted host; Allow access to any host
Choose one: Disable Java; No access allowed; Allow access only to originating host
Choose one: Yes; No
10. On the Proxies tab, enter the default proxies to assign to users.
11. On the Mail tab, choose the format to use for messages to Internet
addresses.
12. On the Preferences tab, choose user preferences.
13. Save the document.
For information on user preferences, see Lotus Notes 6 Help.
You also use a desktop policy settings document to manage and update
bookmarks. You can, for example, set up a bookmark hierarchy for Notes
users by creating an outline of bookmarks that includes folders and links
such as database links, document links, and URL links. You can create
folders that have links within the folders. All of the folders and
bookmarks in the outline are then placed on the Bookmark Bar of the
Notes client. To add bookmarks to an existing folder on the user's
desktop, such as More Bookmarks, include the folder in the bookmark
outline. Any links included in that folder are merged with the
corresponding folder in the Notes client. You can also create a folder
called Startup that includes links that open automatically every time
the user logs in to Notes.
You can also set user preferences, usually set by Notes users. If you set
user preferences, Notes users will still be able to change their
preferences, but the changes will be only temporary. The next time the
desktop policy is enforced, their preferences will be reset to the original
policy settings.
For more information on seamless mail upgrades, see the Upgrade Guide.
To create Desktop settings
1. Make sure that you have Editor access to the Domino Directory and
one of these roles:
PolicyCreator role to create a settings document
PolicyModifier role to modify a settings document
2. From the Domino Administrator, select the People & Groups tab,
and open the Settings view.
3. Click Add Settings, and then choose Desktop.
Field   Action
Catalog/Domain Search server
Domino Directory server: Enter the name of the server whose Domino Directory you want users to use.
Sametime server
Local mailfile
Deploy version
Field   Action
Ignore 200 category limit
Prompt before upgrading folder design: Do one:
  Check yes to inform users before upgrading their mail folder design. Allows users to defer upgrade.
  Uncheck (default) to upgrade folder design without notifying users.
Notify these administrators of mail upgrade status
Field   Action
Corporate Welcome Pages database
Default Welcome page: Do one:
  Select the welcome page users see when they start Notes.
  Select No default Welcome Page (default) if there is no default welcome page.
Homepage selection: For the field Do not allow users to change their home page, do one:
  Check to prohibit users from choosing their own home page.
  Uncheck (default) to allow users to change their home page.
Field   Enter
Mobile directory catalogs
Bookmarks to merge with user's bookmarks
10. On the Dial-up Connections tab, enter information about the default
passthru and other remote servers.
11. On the Accounts tab, enter the default account information for
Internet servers.
12. On the Name Servers tab, enter the names and addresses of
secondary TCP/IP and NDS Notes name servers.
13. On the Applet Security tab, complete these fields:
Field   Action
Trusted hosts
Choose one: Disable Java; No access allowed; Allow access only to originating host; Allow access to any trusted host; Allow access to any host
Choose one: Disable Java; No access allowed; Allow access only to originating host
Choose one: Yes; No
14. On the Proxies tab, enter the default proxies to assign to users.
15. On the Mail tab, choose the format to use for messages to Internet
addresses.
16. On the Preferences tab, choose user preferences.
17. Save the document.
For information on user preferences, see Lotus Notes 6 Help.
Field
Action
Name
Description
Field   Action
Allow users to change Internet password over HTTP: Choose one:
  Yes (default) to allow users to use a Web browser to change their Internet passwords.
  No
Synchronize Internet password with Notes password: Choose one:
  No (default)
  Yes to allow users to use the same password to log in to both Notes and the Internet.
Check Notes password: Choose one:
  No (default)
  Yes to require a password for Notes authentication.
Required change interval
Allowed grace period
Password history (Notes only)
Field   Action
Admin ECL Update Mode: Choose one:
  Refresh to update workstation ECLs with changes made to the Administration ECL. If a setting appears in both the administration and workstation ECL, the administration ECL setting overrides the workstation ECL setting.
  Replace to overwrite the workstation ECL with the Administration ECL. This option overwrites all workstation ECL settings.
Update Frequency: Choose one:
  Once Daily to update the workstation ECL when the client authenticates with the home server and either it has been a day since the last ECL update or the administration ECL has changed.
  When Admin ECL Changes to update the workstation ECL when the client authenticates with the home server and the administration ECL has changed since the last update.
  Never to prevent the update of the workstation ECL during authentication.
Mail file clean up: reducing the size of the source mail file by
deleting archived documents or reducing them in size. You can
reduce the size of the document by first removing attachments, and
then leaving only the header information or leaving the header
information and a portion of the mail document.
If you allow archiving, use the archive policy settings document to define
whether archiving is server-based or client-based, to specify source and
destination archive servers, and to set the archive schedule. You can also
change the name and location of the default archive log file if you choose.
Each archive policy settings document requires at least one archive
criteria policy settings document, which specifies the criteria for
document selection and defines how to clean up the mail file.
To create archive policy settings
1. Make sure that you have Editor access to the Domino Directory and
one of these roles:
PolicyCreator role to create a settings document
PolicyModifier role to modify a settings document
2. From the Domino Administrator, select the People & Groups tab,
and then open the Settings view.
3. Click Add Settings, and then select Archive.
4. On the Basics tab, complete these fields:
Name: Enter a name that identifies the users (and, if you are a
service provider, the hosted organization) that use these settings.
Description: Enter a description of the settings.
5. (Optional) Under Archiving options, choose one of the following if
you want to prohibit archiving. The default is to allow both.
Prohibit archiving, to prohibit all archiving. Then save the
document.
To set up mail file archiving, you use both archive and archive criteria
policy settings documents. The archive policy settings document
specifies whether or not to allow archiving either centrally by
administrators or privately by Notes users. If you prevent all archiving,
then that is your archive policy setting, and you must include it in your
policy. If you prevent private archiving, then the Archive Settings policy
document determines how documents in the user's mail file are archived
and users cannot change these settings or create private archive settings.
Field   Action
Log Directory
Log Prefix
Log Suffix
Number of characters from original filename
11. (Optional) Change any of these fields if you want to change the
location of the log directory and log file name.
Field   Action
Do one:
  Check to allow users to modify the archive schedule. You can enable this setting even though private archive settings are prohibited.
  Uncheck (default) to prohibit users from modifying the archive schedule.
Frequency: Choose one:
  Daily, and then select the days of the week on which to archive.
  Weekly (default), and then choose the day of the week on which to archive.
Run at
15. Under Location, specify the locations from which to archive. For
example, if you are using client-based archiving, you may want to
archive only from a users office workstation, not from an island or if
the user has dialed in. Choose one:
Any location to archive from any location.
Specific location and then specify one or more locations.
16. On the Advanced tab, for the field Don't delete documents that have
responses, do one:
Check (default) to archive but not delete documents that have
responses.
Uncheck to archive and then delete documents that have
responses.
17. Save the document.
Field   Action
Name
Description
Archiving is enabled: Do one:
  Check to enable this archive criteria.
  Uncheck if you are creating archive criteria to use later.
Archive Directory
Archive Prefix
Archive suffix
Number of characters from original filename
Field   Action
Policy name: Enter one:
  A unique name, for an explicit policy.
  The name of the organization or organizational unit, such as Acme or Sales/Acme.
Policy type: Choose one:
  Explicit to create a policy to assign to specific users and groups.
  Organizational to create a policy that is automatically assigned to all users in the part of the organization specified in the Policy name field.
Description
Managing policies
To manage policies, you can do any of the following:
Edit policies
Delete policies
Editing policies
Use this procedure to edit existing policy and policy settings documents.
Although you can delete a policy from the Domino Directory, you must
use the Policy - Delete tool on the Configuration tab to remove all
occurrences of the policy and its settings.
1. Make sure that you have at least Editor access to the Domino
Directory and the PolicyModifier role.
2. From the Domino Administrator, click the People & Groups tab.
3. Open the Domino Directory, and choose one of these views:
Policies to edit a policy document.
Settings to edit a policy settings document.
4. Open, edit, and then save the document.
Deleting policies
Use this procedure to delete policy and policy settings documents. This
table describes the result of each type of deletion:
Deletion                Result
Explicit policy
Organizational policy
Settings document
To delete a policy
1. From the Domino Administrator, click the Configuration tab, and
then open the Policies - Hierarchy view.
2. Select the policy or settings document you want to delete.
3. Click Tools - Policies - Delete.
The policy tools are not available in the Web Administrator client. For
more information on deleting policies in the Web Administrator, see the
chapter Setting up and Using Domino Administration Tools.
The policy viewer is a convenient tool you can use to view each policy,
the settings associated with each policy, and how they relate to each
other. The policy viewer is also versatile because of the number of ways
in which you can view policy documents. For example, you can view the
settings for each policy, the settings by functional area, or the settings
assigned to a specific user. You can also view effective policies on
different levels in the policy hierarchy, which helps you to understand
the impact of changing a policy setting. You can view policy documents
using one of two views, By Hierarchy and By Settings.
By hierarchy view
1. From the Domino Administrator, click the Configuration tab.
2. Open the Policies view, and then select the By Hierarchy view.
3. Choose any of the following tasks:
Task                                              Action
View the settings documents used by each policy
viewing the way the policy assignment change impacts the effective
policy for that user or group.
From the Person document
1. Make sure that you have at least Editor access to the Domino
Directory or that you have Author access with the UserModifier role.
3. Select the name of the person whose policy assignment you want to
change, and click Edit Person.
4. In the Person document, click the Administration tab.
5. Under Policy Management, in the Assigned policy field, do one:
To assign or change an explicit policy assignment, select a policy
from the list.
To remove an explicit policy assignment, select the name of the
explicit policy and delete it.
6. Save the document.
From the Assign Policy tool
1. Make sure that you have at least Editor access to the Domino
Directory and the ObjectModifier role.
2. From the Domino Administrator, click the People & Groups tab.
3. Do one:
Open the People view, select one or more users, and then from the
Tools pane, click People.
Open the Groups view, select one or more groups, and then from
the Tools pane, click Groups.
4. Choose Assign Policy.
5. For the field Allow replacement of an existing policy, do one:
Check this option to replace an existing explicit policy with a new
one.
This option is not available if the selected user, or no user in the
selected group, currently has an explicit policy assigned.
6. In the Policy field, select the explicit policy you want to assign from
the list.
7. Check the Perform updates in background option when you are
assigning policies to a large number of users.
2. From the Domino Administrator, click the People & Groups tab, and
then open the People view.
Chapter 10
Setting Up Domain Search
Domain Search
Notes and Web users can use Domain Search to search an entire Domino
domain for database documents, files, and attachments that match a
search query.
To support Domain Search, you need to designate a Domino server as
the indexing server, which builds a domain-wide index that all Domain
Search queries run against. In order for the indexing server to build the
index, you must first create a Domain Catalog on the server, a database
that controls which databases and file systems get indexed. The indexing
server then spiders, or crawls, the servers that contain the content to be
indexed.
When a user submits a query, the results that the indexing server returns
contain only database documents to which that user has appropriate
access.
If the indexing server is set up as a Domino Web server, it can support
searches from both Lotus Notes and Web browsers.
This chapter describes how to set up Domain Search, which Lotus Notes
or Web users can use to search an entire Domino domain for documents,
files, and attachments from a centralized server.
256MB RAM
If your organization has more than six Domino servers, dedicating one
server as the indexing server provides optimal performance.
Consider clustering indexing servers to ensure greater reliability and
fault-tolerance and to balance the load from user queries. If you use
clustered indexing servers, create a replica of the Domain Catalog on
each of those clustered servers.
For more information, see the book Administering Domino Clusters.
Domain Search over a WAN
If your organization is geographically dispersed, cataloging databases
over a WAN is the only way that different locations can share a single
Domain Index. The cataloging server should access the WAN directly
rather than through a hub server, because cataloging uses large amounts
of processing resources.
To index data in different locations, you can choose to replicate all
databases to be indexed to servers in the same location as the indexing
server, thus eliminating the need for the indexing server to spider over
the WAN. The servers containing the databases to be indexed should be
ones with fast LAN connections. Even within the same location,
databases on servers with slow LAN connections should be replicated to
ones with fast connections.
Tip: You can use replication events in the Notes Log as a guide for
determining which servers have fast connections by looking at the
information for the Domain Catalog database (CATALOG.NSF).
Determine which servers the Catalog was able to do pull replication with
in an average time of less than 1 minute.
Reset the Include in multi database index database property for each
replica on the servers to be indexed, because this setting does not always
replicate.
When you create the Domain Index, use the Limit domain wide
indexing to the following servers field to limit indexing to these servers.
You create the Domain Catalog by enabling the Catalog task on the
server that will index the Domino domain.
Table: Domain Catalog views (Databases, Domain Indexer Status, File
Systems) and what each displays.
Hidden views
You can display hidden views in the Domain Catalog by holding down
CTRL-SHIFT as you open the Catalog. Server tasks use hidden views to
access information quickly. The hidden views $MultiDbIndex and
$FileSystem are the work queues for the Domain Indexer task. These
views show which databases and file systems will be spidered to create
the Domain Index. The $MultiDbIndex view is sorted by replica ID,
number of documents in the replica, and server to ensure that the most
recent replica (the one containing the greatest number of documents) is
the one included in the Domain Index.
Creating the Domain Catalog
You create the Domain Catalog by enabling the Catalog task on the
server that hosts the Catalog for the Domino domain. The Catalog task
uses pull replication to create the Domain Catalog from the individual
catalogs you have created on servers throughout the Domino domain.
You can replicate the Domain Catalog to other Domain Catalog servers
(such as those in a cluster).
1. From the Domino Administrator, select the server that you want to
contain the Domain Catalog.
2. Click the Configuration tab.
3. Expand the Server section in the view pane.
4. Click Current Server Document.
5. Click Edit Server, and then click the Server Tasks - Domain Catalog
tab.
6. In the Domain Catalog field, select Enabled.
7. Click OK.
8. To change the scope of the Domain Catalog, select the servers that
you want to include in the Limit domain cataloging to the following
servers field. Use wildcard characters to index all servers certified
with a specific certifier, for example, */Sales/East/Acme. If the
field is blank (default), all servers in the domain are cataloged.
Tip Use this field to limit the scope of the Domain Catalog to
regional locations or to expand its scope to multiple Domino
domains by cataloging multiple Domain Catalog servers.
9. Click Save and Close.
10. Make sure the Catalog task is included in the ServerTasksAt1 setting in
the server's NOTES.INI file, or use another method (start the Catalog
task at the console or create a Program document) to run the task.
When the Catalog task starts for the first time, Domino creates the
Domain Catalog database based on the CATALOG.NTF template and
adds entries to the ACL so the database replicates properly within the
domain. The Administration Process creates the group
LocalDomainCatalogServers in the Domino Directory and adds the
server that contains the Domain Catalog to that group.
Selecting which databases to include in the Domain Index
The indexing server spiders databases that have the option Include in
multi database indexing selected on the Design tab of the Database
Properties box.
Begin by using the hidden view $MultiDbIndex in the Domain Catalog to
see which databases have already been selected to be included in the
Index by database managers. If you see databases in the view that should
not be in your Domain Index, such as personal mail databases or
databases of limited interest, or if important databases are missing from
the view, either customize the $MultiDbIndex view's selection formula or
use the Domino Administrator to include or exclude databases.
Using $MultiDbIndex to view which databases will be indexed
1. From the Domino Administrator, choose File - Database - Open.
2. Select the cataloging server for the domain, and then select Domain
Catalog.
3. Hold down CTRL-SHIFT and click Open.
The Domain Catalog opens and displays its hidden views.
Tip On the Files tab, you can right-click a database and choose
Access Control - Manage to display its ACL.
access to the database that includes the document and be included in the
Readers field, if the document has one. The security check works as follows:
1. Domino checks the -Default- entry in the database access control list.
If the -Default- entry has Reader access or greater, the user can
read the document, and Domino returns the result in the result set.
If the -Default- entry has less than Reader access, Domino checks
whether the user has Reader access or greater in the ACL. If not,
Domino does not include the document in the result set because
the user is not authorized to read that document.
2. If the user has Reader access or greater, Domino checks whether the
result document has a Readers field.
If the result document does not have a Readers field, the user can
read the document, and Domino returns the result in the result set.
If the result document has a Readers field, Domino checks
whether the user is included in the Readers field. If not, Domino
does not include the document in the result set because the user is
not authorized to read that document.
If the user is included in the Readers field, the user can read the
document, and Domino returns the result in the result set.
Caution The security checking works only for search results from
Domino databases. Results from file system searches depend on file
system security; users see the search result even if they are not
authorized to view the document. Thus, users may not be able to access
all search results, or they might be able to discern confidential
information from the existence of a particular search result. Be sure to set
file system security properly and index only file systems for which
security is not a high priority.
Tip If you want to index file systems for which security is a high
priority, you can attach the files to Notes documents in a database
selected for indexing.
Search security and server access lists
If you use server access lists within a domain to limit access to
information, you might need to check the ACLs of databases on those
servers to ensure that results are filtered. Otherwise, a search might
return a result to a user who cannot access the result document. In some
cases, users might be able to discern confidential information from a
search result.
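The following Python script is added here as an illustration and is not code from the Domino product or from this manual. It models the two-step check described above as a filter over a constructed result set: step 1 requires Reader access or greater to the database, step 2 applies the Readers field. It assumes a simplified ACL resolution (an explicit user entry, then the highest matching group entry, then -Default-); the databases, ACL entries, group names, documents and file path are constructed sample data. File system hits are passed through unfiltered to show the gap that the Caution describes.

```python
"""Filter Domain Search hits by database ACL and Readers field.

Added example; not Domino code. ACL resolution is simplified
(explicit user entry, then highest matching group entry, then
-Default-). All ACLs, users, groups and documents are constructed.
"""
from enum import IntEnum


class Access(IntEnum):
    """Domino ACL access levels, lowest to highest."""
    NO_ACCESS = 0
    DEPOSITOR = 1
    READER = 2
    AUTHOR = 3
    EDITOR = 4
    DESIGNER = 5
    MANAGER = 6


class Database:
    """A database title plus its ACL as {entry name: Access}."""

    def __init__(self, title, acl):
        if "-Default-" not in acl:
            raise ValueError("every ACL has a -Default- entry")
        self.title = title
        self.acl = acl

    def effective_access(self, user, groups=()):
        # Assumed order: explicit user entry, then best group entry, then -Default-.
        if user in self.acl:
            return self.acl[user]
        group_levels = [self.acl[g] for g in groups if g in self.acl]
        if group_levels:
            return max(group_levels)
        return self.acl["-Default-"]


def can_read(db, doc, user, groups=()):
    """Step 1: Reader access or greater to the database.
    Step 2: a Readers field, if present, must name the user or a group."""
    if db.effective_access(user, groups) < Access.READER:
        return False
    readers = doc.get("Readers")
    if readers is None:
        return True
    return user in readers or any(g in readers for g in groups)


def filter_results(hits, user, groups=()):
    """hits is a list of ("db", Database, doc) or ("file", path) tuples.
    Database hits are filtered; file system hits are returned unchanged,
    which mirrors the Caution: the indexer relies on file system security."""
    visible = []
    for hit in hits:
        if hit[0] == "db":
            _, db, doc = hit
            if can_read(db, doc, user, groups):
                visible.append(doc["title"])
        else:
            visible.append(hit[1])
    return visible


# Constructed sample data
PUBLIC_DB = Database("Sales Leads", {"-Default-": Access.READER})
HR_DB = Database("HR Records", {
    "-Default-": Access.NO_ACCESS,
    "HRStaff": Access.EDITOR,
    "Jane Doe/Acme": Access.AUTHOR,
})
SAMPLE_FILE = r"\\fileserver\share\payroll.xls"   # constructed file system hit
SAMPLE_HITS = [
    ("db", PUBLIC_DB, {"title": "Q3 pipeline"}),
    ("db", PUBLIC_DB, {"title": "Board briefing", "Readers": ["Executives"]}),
    ("db", HR_DB, {"title": "Salary review"}),
    ("db", HR_DB, {"title": "Jane Doe file", "Readers": ["Jane Doe/Acme", "HRStaff"]}),
    ("file", SAMPLE_FILE),
]

if __name__ == "__main__":
    for who, grp in (("John Smith/Acme", ()), ("Jane Doe/Acme", ()),
                     ("Pat Lee/Acme", ("HRStaff", "Executives"))):
        print(who, "->", filter_results(SAMPLE_HITS, who, grp))
```

Running the script shows that a user with no HR access still sees the file system hit, which is why the text recommends attaching sensitive files to Notes documents in an indexed database instead of indexing the file system directly.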
For more information, see the topic The Domain Catalog earlier in
this chapter.
2. Make sure you have created the Domain Catalog on the indexing
server.
Note The Catalog task that creates the Domain Catalog must have
finished before you start the Domain Indexer task.
3. From the Domino Administrator, select the server that you want to
be the indexing server.
4. Click the Configuration tab.
5. Expand the Server section in the view pane.
6. Click Current Server Document.
7. Click Edit Server, and then click the Server Tasks - Domain
Indexer tab.
8. In the Schedule field, select Enabled.
9. Click OK.
10. Set the indexing schedule to meet the needs of your organization.
11. Select the servers that you want to include in the index in the Limit
domain wide indexing to the following servers field. Use wildcard
characters to index all servers certified with a specific certifier, for
example, */Sales/East/Acme. If the field is blank (default), the
Domain Indexer indexes all databases for which the Include in
multi database indexing property is enabled.
12. If you have Web clients, do the following to allow the indexing
server to form valid URLs when the results of a search are displayed
in a browser:
a. Click the Internet Protocols - HTTP tab.
b. For the host name, enter the fully qualified name of the computer
that serves as the indexing server, for example,
servername.acme.com.
c. Click the Domino Web Engine tab.
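As an added example (not IBM's code), the Python script below models how the hidden $MultiDbIndex view described earlier and the Limit domain wide indexing to the following servers field in step 11 together decide which replicas the Domain Indexer spiders: entries whose Include in multi database indexing property is off are skipped, each server name is matched against the limit patterns, and for each replica ID only the copy with the most documents survives. The script assumes that */Sales/East/Acme matches any abbreviated hierarchical server name ending in /Sales/East/Acme (implemented with shell-style wildcards), and it breaks ties on server name purely so the choice is deterministic; the replica IDs, servers and document counts are constructed.

```python
"""Decide which replicas the Domain Indexer spiders.

Added example; not IBM code. Assumes "*/Sales/East/Acme" matches any
abbreviated hierarchical server name ending in "/Sales/East/Acme"
(shell-style wildcard matching). Catalog entries are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class CatalogEntry:
    replica_id: str
    server: str           # abbreviated hierarchical name, e.g. Boston/Sales/East/Acme
    path: str
    doc_count: int
    multi_db_index: bool  # the "Include in multi database indexing" property


def server_allowed(server, limits):
    """An empty limit field (the default) admits every server in the domain."""
    if not limits:
        return True
    return any(fnmatchcase(server, pattern) for pattern in limits)


def select_for_index(entries, limits=()):
    """Return {replica_id: CatalogEntry}: one copy per replica, the one with
    the most documents. Ties are broken on server name so the choice is stable."""
    chosen = {}
    for entry in entries:
        if not entry.multi_db_index or not server_allowed(entry.server, limits):
            continue
        current = chosen.get(entry.replica_id)
        if (current is None
                or entry.doc_count > current.doc_count
                or (entry.doc_count == current.doc_count
                    and entry.server < current.server)):
            chosen[entry.replica_id] = entry
    return chosen


# Constructed sample catalog: one replica on three servers, a second database,
# and a mail file whose manager has not enabled multi-database indexing.
SAMPLE_CATALOG = [
    CatalogEntry("REPLICA-A", "Hub/Acme", "sales/leads.nsf", 1200, True),
    CatalogEntry("REPLICA-A", "Boston/Sales/East/Acme", "sales/leads.nsf", 1350, True),
    CatalogEntry("REPLICA-A", "NYC/Sales/East/Acme", "sales/leads.nsf", 1350, True),
    CatalogEntry("REPLICA-B", "Boston/Sales/East/Acme", "kb/faq.nsf", 80, True),
    CatalogEntry("REPLICA-C", "NYC/Sales/East/Acme", "mail/jsmith.nsf", 500, False),
]

if __name__ == "__main__":
    for rid, e in select_for_index(SAMPLE_CATALOG, ["*/Sales/East/Acme"]).items():
        print(rid, e.server, e.path, e.doc_count)
```

With the limit set to */Sales/East/Acme the hub server's copy is never considered even though it carries the same replica ID, and the mail file stays out of the index because its database manager has not turned the property on.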
By default, the indexing server uses two indexing threads per CPU, so a
server with two CPUs uses four indexing threads when indexing. By
adding the variable FT_Domain_Idxthds=n to the NOTES.INI file of the
indexing server, you can control the total number of threads used for
indexing on that server. For example, by adding
FT_Domain_Idxthds=8 to the NOTES.INI file of an indexing server
with two CPUs, you change the number of indexing threads to eight.
Note Do not exceed eight threads per server or you may degrade the
performance of the server, even on servers with more than four CPUs.
To see for yourself what performing a domain search is like for a browser
user, you can use a URL command in your browser to simulate such a
link. Enter the following command in your browser, substituting the
common name of your indexing server for servername:
http://servername/catalog.nsf?domainquery
When the search form displays, you can define your search. If you have
properly configured the indexing server and the servers holding the
data, your search results display links that can be successfully followed
to each document found.
Table: NOTES.INI settings for Domain Search (descriptions not shown):
FT_Domain_Directory_Name, FT_Domain_Idxthds, FT_Index_Attachments,
FT_No_Compwintitle, FT_Summ_Default_Language, FTG_No_Summary.
Note This procedure updates the category information for this entry in
the Domain Catalog but does not change the category information saved
in the meta fields of the document itself.
Chapter 11
Setting Up Domino Off-Line Services
Once the subscription is enabled, users can access it on the server using a
browser. The user clicks in a new frame on the subscription's main page
to open a JavaScript menu. When the user selects Install from the
menu, the subscription is installed on their computer.
Also installed on their computer is the Lotus iNotes Sync Manager, a
utility for managing DOLS subscriptions. Users can open subscriptions
online or offline, synchronize, and set subscription properties with the
Sync Manager.
For more information, see the Lotus iNotes Sync Manager Help
(available from the Help menu of the Lotus iNotes Sync Manager).
Figure: Browser on the PC Client, Network (1a), nHTTP on the Domino
Server (1b).
Typically, the first step is for a user to enter the URL of a Domino server,
along with the path and name of a DOLS-enabled Web application on
that server, into their browser. The browser contacts the server through
the Web Server task, also called the nHTTP task (1a), and the Web Server
then communicates with the Web application (1b).
If the Web application has appropriate security levels set in the ACL, the
user is prompted to log into the Web application using their name and
Internet password. This authentication is also handled by the Web
Server.
Figure: PC Client (Browser, DOLS File Sets), Network, Domino Server
(nHTTP, DOLS Filter, Web App, DOLS File Sets); steps 2a, 2b, 2c, 2d.
If the application is DOLS-enabled, and an Offline Configuration
Document (OCD) was created and saved, the user sees the DOLS Web
Control when they open the application. The user clicks the Web control
and selects Install Subscription... to start downloading the application
to their computer.
When the user selects Install Subscription..., the application requests
the OCD (2a). A special DSAPI filter file on the server, listening for URL
Web server requests, notices the OCD request. The filter queries the
client to determine if the iNotes Sync Manager (iNSM) client software is
already installed. If not, the filter tells the browser to begin downloading
a set of DOLS File Sets to the client over the HTTP connection (2b). These
file sets are used to install the iNotes Sync Manager software.
Figure: PC Client (Browser, iNotes Sync Mgr, DOLS File Sets, Web App),
Network with nRPC (4a), Domino Server (Web App) (4b).
Once the DOLS File Sets are downloaded, they are uncompressed, and
the iNotes Sync Manager launches (3). The Sync Manager then
configures the client for the incoming application, and launches a Sync
Task, which initiates a Remote Procedure Call (nRPC) connection with
the Domino server (4a). This secure, Domino replication connection
performs a number of operations to download and initialize the
application on the client (4b). When synchronization is complete, a
subscription of the application exists on the client. A subscription
includes all databases that were listed in the OCD as making up the
application. Their contents are adjusted according to Administrator and
user settings, as well as security information to ensure that the user on
the client has access to only the data to which they had access on the
server. Also, full-text indexes of all offline databases can be created if the
user requests it.
Figure: PC Client (Browser, Local nHTTP, iNotes Sync Mgr, Web App);
steps 5a, 5b, 5c; Network and Domino Server.
When the user wants to open the application offline, they select it from a
list in the Sync Manager and click Open Offline. The Sync Manager
launches a local copy of the Web Server and the local browser (5a). The
Sync Manager tells the local Web server to connect with the local browser
(5b), and with the offline copy of the application (5c). The local Web
Server then validates the user's login and password information, and
displays the application offline (locally) just as it would display it online
(on the server). Any data the user creates, modifies, and saves while
using the offline application is stored in the local version of the
application.
Figure: PC Client (iNotes Sync Mgr, Web App), Network with nRPC (6a),
Domino Server (Web App) (6b).
In order to synchronize the data between the offline and online versions
of the application, the Sync Manager, either by the user's command or
automatically on a schedule, launches the Sync Task, which again creates
an nRPC connection to the Domino server (6a). The Sync Task then
replicates any or all data between the client copy of the application and
the server copy. Any changes to the security levels of the online
application are synchronized offline. Any outgoing e-mail which has
accumulated in the local mail.box file is copied to the server and
dispatched to the mail router task for delivery. When synchronization is
complete, the user may disconnect from the network and continue using
the application offline.
4. Click Security.
5. Click New Security Policy.
6. Fill out the following fields in the Basics tab:
Table: Basics tab fields: Security domain, Description, Roaming User,
ID Management, Certifier ID to use.
8. If you selected Use NAB for ID lookup, fill out the following fields
in the Lookup tab:
Tighten access to the database: Open the ACL for the subscription and
add the users and groups to whom you want to grant access. Anonymous
must have No Access.
Tighten security on the configuration document
3. Click the Internet Protocols tab, then the HTTP tab. Change the
Output timeout field to 18000 seconds to allow enough time for
downloads. Change this accordingly, depending on the speed of
your connection.
Domino services to install offline (Basic services (required), Full-Text
Indexing, LotusScript and unscheduled agents, Java classes and applets,
MAPI enablement, Custom Services): The offline subscription may need
support for full-text indexing, LotusScript and unscheduled agents (such
as Web open), Java back-end classes and applets, MAPI enablement, or
custom services. Select the appropriate boxes so that only files the users
actually need are downloaded to their machine. MAPI enablement is
available only when you use the Extended Mail Template (MAIL6EX.NTF)
for Web Mail or iNotes Access for Microsoft Outlook users.
Default Language: Choose a default language for the Web Control menu
and the iNotes Sync Manager. Users can override this setting by selecting
a different language from the Web Control menu.
Custom services to install offline
6. Click the Schedule tab and complete the following fields. Note that
the user can override most of these fields from within the
Subscription Properties box of the iNotes Sync Manager.
Table: Schedule tab fields: Type of schedule (Daily, Weekly, Monthly,
Repeating schedule), Start time, Frequency, Interval, Limitations, Stop
synchronization at, Recurrence exceptions, Schedule disabled. Surviving
instruction for the time-of-day schedule: Select this field, then specify
the time of day you want synchronization to occur.
7. Click the Sync Options tab and complete the following fields:
Table: Sync Options tab fields: File Rules, Required files to replicate,
Optional files to replicate, Encryption, Sync Options, Date Filtering,
Halt Conditions, Route mail on client shutdown, Replicate on client
shutdown, Use multi-user data directory, Push subscription settings,
Allow per-user shared subscription data, Read only subscription
settings, Passthru server settings, Network Settings.
Allow per-user shared subscription data: Select this box to allow the
subscription to share a file with another subscription, as long as the
same user has installed both files. For example, a user installs this
subscription with the directory catalog dircat1.nsf. If the user then
installs another subscription that uses dircat1.nsf, and also selects this
option, the two subscriptions share dircat1.nsf. All subscriptions that
share the same file must be either encrypted or not encrypted.
Non-encrypted subscriptions may not be able to share a file that is
encrypted.
Error messages
The following table lists client and server error messages you may see as
you use DOLS. These error messages are logged in LOG.NSF under
Miscellaneous Events. You can locate LOG.NSF in the \Program
Files\Lotus iNotes\Data directory on the client machine. To open this
file from a browser while offline, enter http://127.0.0.1:89/LOG.NSF.
Table: Error Message and Description; the entry shown is
Synchronization failure.
Chapter 12
Planning the Service Provider Environment
This chapter describes the server and IP configurations and discusses
configuration-related decisions that you will make before you set up an
xSP server.
Service Provider
The generic term xSP can refer to many different types of service
providers: application, Internet, storage, and management, to name
just a few.
Policies
Policies are required when using the Domino service provider software.
Before registering a hosted organization, the service provider
administrator must decide which policy settings to implement. Before
registering a hosted organization, the service provider administrator can
create policy documents and policy settings documents and then assign
those documents during registration, or the service provider
administrator can create the documents during the hosted organization
registration process.
For more information on policies, see the chapter Using Policies and
see the topic Using Policy Documents in a hosted environment later in
this chapter.
For more information, see the C API User's Guide and the C API Reference
Guide on the IBM Web site, www.ibm.com.
Figure: xSPserver1 (IP Address 92.32.2.0) hosts the home pages of
CompanyA, CompanyB, and CompanyC; www.CompanyA.com,
www.CompanyB.com, and www.CompanyC.com are all listed at 92.32.2.0.
Figure: xSPserver2 (IP Address 92.32.2.1) hosts the home pages of
CompanyA, CompanyB, and CompanyC; www.CompanyA.com is listed at
92.32.2.2, www.CompanyB.com at 92.32.2.3, and www.CompanyC.com at
92.32.2.4.
Figure: xSPserver11 (IP Address 92.32.3.6) and xSPserver12 (IP Address
92.32.3.5) host the home pages of CompanyD, CompanyE, CompanyF,
CompanyG, CompanyH, and CompanyI; www.CompanyF.com is listed at
92.32.3.3, www.CompanyG.com and www.CompanyH.com at 92.32.3.5, and
www.CompanyI.com at 92.32.3.7.
Figure: xSPServer4 runs a Data Distribution Application holding data for
the hosted organizations CompanyJ, CompanyA, CompanyB, and CompanyC;
xSPserver1 is also shown.
Combined configuration
You can use any combination of the above configurations.
Figure: Combined Configuration. xSPserver6 (CompanyA Server),
xSPserver7 (CompanyJ Server), and xSPserver8, which contains a
workflow application for CompanyA and for CompanyJ.
Table: Protocol/Service (IIOP, LDAP, POP3, IMAP, SMTP, SSL). Note on
POP3 and IMAP: POP3 and IMAP are access protocols only, that is, they
retrieve mail. SMTP is required to enable POP3 and IMAP users to send
mail. Additionally, the POP3 or IMAP client must be configured to send
mail via an SMTP server.
Note The activity logging C API is included in the Lotus C API Toolkit
for Domino and Notes 6. This public C API can be used to read activity
data.
For more information on activity logging, see the chapter Setting Up
Activity Logging.
Activity records
Many sessions that the Domino server hosts last for an extended period
of time. To avoid losing activity information, many activity types
generate regular checkpoint records. For example, a two-hour Notes
session creates eight records: one open record, six checkpoint records and
one close record, assuming that the default checkpoint interval of 15
minutes is used. You need only review the most recent checkpoint record
for any activity because each checkpoint record shows all logged activity
data.
Table: Billing methods and suggested criteria (contents not shown).
Prior to choosing and installing applications for hosted organizations, do
the following:
1. Decide how to track the applications available to each hosted
organization. Lotus Notes/Domino 6 does not include an application
to track installed applications.
2. Evaluate applications. For example, if an application is Notes-based,
it may need to access external files, or, it may be a Java application.
3. Evaluate the reliability of the application. Is the application reliable
or does it cause the server to stop or crash? Determine the impact, if
any, that each application has on server performance.
4. Determine if the application presents any security risks. Ensure that
the application does not allow users to navigate the file system or
add or run their own executable programs.
5. Evaluate how well the new application integrates with the existing
configuration.
6. Test each application on a non-production server before installing it
on an xSP server. Make sure that each application is easy to install
for each hosted organization.
Note Domino does not support the use of servlets for xSP servers.
Figure: XSP Server1 and XSP Server2 each run All Applications and hold
data for CompanyA and CompanyB.
Chapter 13
Setting Up the Service Provider Environment
This chapter explains how to set up a hosted organization, lists and
explains the files and documents created when you register a hosted
organization, and provides other related information.
Extended ACL entries are created for all users and groups in a
hosted organization (*/HostedOrganizationName) providing Browse
and Read access to that hosted organization only.
For more information on Web Site documents, see the chapter Setting
Up the Domino Web Server. For more information on Internet Site
documents, see the chapter Installing and Setting Up Domino Servers.
If you are using clustered servers, you can use the Storage panel on the
Register Hosted Organization interface to create additional storage for
the hosted organization on one or more servers in the cluster.
Note The HostedOrganizationAdmin group is created by default
(when you set up the hosted environment) and administrators are
automatically added to that group. Administrator groups enable you
to administer groups of people with administrator rights at one time
instead of individually establishing rights and settings for each
hosted organization administrator.
Service Provider
Note The Basics tab on the Server document contains the field
Loads Internet configurations from Server/Internet Sites
documents, which is enabled by default and cannot be changed in a
hosted environment. When this field is enabled, settings on the
Internet Site document take precedence over settings on the Server
document. This field is set when the servers are installed.
Does Acme Printing support DOLS users? Do they need Notes IDs?
If Acme Printing supports DOLS or needs Notes IDs for any purpose,
a Domino CA needs to be created for the hosted organization. If not,
they can use certifier IDs and passwords. Acme Printing does
support DOLS users.
Which mail protocol does Acme Printing use? If they use POP3 or
IMAP, they need SMTP on the same server. Acme uses POP3, so they
need SMTP.
The service provider administrator at the service provider site does the
following from the Domino Administrator:
For more information on the Web Site document, see the chapter Setting
Up the Domino Web Server and for more information on Internet Site
documents, see the chapter Installing and Setting Up Domino Servers.
1. Ensure that you are working with the xSP server you just installed. If
you need to change to another server, choose File - Open Server, or
File - Preferences - Administration Preferences to select the server.
2. From the Domino Administrator, click the Configuration tab.
3. From the Tools pane, click Hosted Org - Create.
4. Enter the certifier's password, and click OK.
The information that you enter in the fields on the Register Hosted
Organization interface is used to populate many of the documents that
define the hosted organization. For example, you select the policy that
applies to the hosted organization from a list of available policies.
Otherwise, the policy can be created during the hosted organization
registration process. Additionally, the Internet-related information
determines which Internet Site documents are created for the hosted
organization. The Internet Site documents contain the information
needed to run the Internet servers in a service provider configuration
and support all possible configurations of IP addresses and DNS host
names. In a hosted environment, a Site document is required for each
protocol that the hosted organization uses.
Table: Register Hosted Organization fields (actions not shown):
Registration Server, Organization name, Organization supports DOLS,
Password, Password quality, Explicit Policy, Internet Domain, HTTP
Host/Address, SMTP Host/Address, POP3 Host/Address, IMAP
Host/Address, CA Enabled, CA Server, Set ID file, Mail Server, Directory,
Host, Server Name, Physical Storage location, Location, Comment.
10. If you have not selected an explicit policy for this hosted
organization, this message appears:
"You must configure the organizational registration
policy for the hosted organization. This policy must
contain the necessary hosted organization settings. Do
you want to configure that policy now?"
11. Click Yes. If you click No, the hosted organization is not created.
12. Click Register. The Internet Site document for the first protocol you
specified appears. Modify the defaults, and add new information as
necessary.
Note The individual fields are listed in the topic What happens when
you register a hosted organization? in this chapter.
For more information on extended ACLs, see the chapter Setting Up
Extended ACLs.
IBM AIX
Enter the following command as the root user, where <en0> is the
network interface card.
ifconfig <en0> alias <IP address of hosted organization>
netmask 255.0.0.0
If you use a network router in the xSP configuration and you assigned a
unique IP address to each hosted organization, you must create a
loopback address for each hosted organization. The instructions vary by
platform.
SUN Solaris
Enter these commands as the root user:
ifconfig <lo0>:1 plumb
ifconfig <lo0>:1 <hosted_company1_ip> <server_ip> up
ifconfig <lo0>:2 plumb
ifconfig <lo0>:2 <hosted_company2_ip> <server_ip> up
.
.
.
ifconfig <lo0>:x plumb
ifconfig <lo0>:x <hosted_companyx_ip> <server_ip> up
IBM AIX
Enter this command as the root user:
ifconfig <lo0> alias <IP address of hosted organization>
netmask 255.0.0.0
Web Site Rule document: The Web Site Rule document is created from
within the corresponding Web Site document. The three Web Site Rule
documents that are automatically created in a hosted environment are
DOLS, iNotes help files, and iNotes.cab.
For security purposes, you can create a File Protection document for each
server. A File Protection document controls the access that Web browser
clients have to the files on a servers hard drive. Create the File Protection
document after creating any Web Site document(s) and/or Internet Site
documents that you need.
For more information on File Protection documents, see the chapter
Controlling Access to Domino Servers.
Web Site Rule documents created in a hosted environment (type of rule,
incoming rule pattern, and the directory or file it maps to):
DOLS: Directory rule, /download/* maps to domino\html\download
iNotes help files: Directory rule, /inotes5/help/* maps to
domino\html\inotes5\help
iNotes.cab: Redirection rule, /iNotes.cab maps to domino\html\iNotes.cab
The iNotes.cab file is an archive file that contains controls that are
installed into a browser and make iNotes features available to browsers.
The iNotes help files are downloaded to a central location on the server
so that they do not have to be individually downloaded for each hosted
organization.
The Global Web Settings document and the Web Site Rule documents
appear in the Internet Sites view. You can review, edit, or delete them
from this view.
Enter one:
An asterisk (*) if the document is to apply to all servers in the Domino
domain.
One or more names of servers to which this document applies.
Table: Activity Logging fields (actions not shown): Activity logging is
enabled, Enabled Logging Types, Checkpoint interval, Log checkpoint at
midnight.
Table: Log Analysis fields (actions not shown): Start Date, End Date,
Start Time, End Time, Results Database.
Do the following:
1. Click this button to open the Results Database
dialog box.
2. Specify the server on which the Results
database will reside, the title (name) of the
database, and the file name.
3. Click OK.
4. Choose one:
Append to this database, to append the data to the existing Results
database.
Overwrite this database, to overwrite the data in the existing Results
database with new data.
5. Click OK. When the message box displays Analysis Completed,
click OK. The Log Analysis - Log Events view opens.
Chapter 14
Managing a Hosted Environment
This chapter contains instructions for moving a hosted organization from
one server to another, modifying the Server document, adding a hosted
organization to a server to provide new Web applications, viewing
hosted organizations, using the Web Administrator to manage users and
groups at a hosted organization site, and performing other actions
required to maintain a hosted environment.
Cross certificates
ACL file
HostedOrganizationAdmins group
Policy document
5. On the Mail tab, choose the name of the destination mail server from
the list displayed in the Choose the mail server field.
For more information on the Internet Site documents, see the chapters
Setting Up the Service Provider Environment and Installing and
Setting Up Domino Servers. For more information on the Web Site
document, see the chapter Setting Up a Domino Web Server.
4. Delete the hosted organization's ACL file from the data directory on
the source server.
The following console message is logged if there are invalid host names
in the Internet Site documents (excluding the Web Site document):
Lookup of IP address for host hostname.com failed
For example, to access the home page for the hosted organization Acme
Printing, enter:
www.acmeprinting.com/acme_printing/homepage.nsf
For example, to access your own mail file named JSMITH.NSF, at the
hosted organization named Acme Printing, enter:
www.acmeprinting.com/acme_printing/mail/jsmith.nsf
Note You can use a Web Site document to redirect users to other Web
sites.
For more information on redirecting users to other Web sites, see the
chapters Setting Up the Domino Web Server and Installing and
Setting Up Domino Servers.
Chapter 15
Setting Up the Administration Process
This chapter describes how to set up the Administration Process, a
program that simplifies administrative tasks, such as deleting users,
creating replicas, and editing ACLs.
Mail file management tasks, such as delete mail file and move mail
file.
Administration
Administration servers
Administration servers control how the Administration Process does its
work. You specify an administration server for the Domino Directory
and for specific databases. By default, the first Lotus Domino server you
set up in a domain is the administration server for the Domino Directory.
The administration server for the Domino Directory maintains the Domino Directory's ACL, performs deletion and name change operations in that Domino Directory, and these changes are replicated to other servers in the domain. If you have multiple directories in your domain (not replicas of other domains' directories, but more than one of your own), you can specify an administration server for each of the directories in your domain. Do not specify an administration server in your domain for a replica of another domain's Domino Directory.
All databases need an administration server to manage name changes and deletions that apply to the database, for example, changes to the ACL, Readers and Authors fields, or Names fields. If a database has replicas, you assign an administration server to only one replica. Then the Administration Process makes all changes to that replica, and replication for that database carries out the changes in all other replicas.
You can also set up one or more extended administration servers to
distribute across multiple servers the processing of administration
requests that modify the Domino Directory.
For more information on extended administration servers, see the topic
Using an extended administration server later in this chapter.
For more information on the Certification Log, see the chapter Installing
and Setting Up Domino Servers.
ACLs, Reader and Author fields, Name fields and unread lists. When
choosing the administration server for databases in a domain, your
choices include:
If the domain has only a few servers, consider using one administration
server for both the Domino Directory and for other databases. The
majority of the administration server resources are used for updating the
Domino Directory and replicating to keep the Domino Directory
consistent across the domain. The responsibility of the administration
server of other databases is to maintain ACLs, Reader, Authors, and
Names fields; and unread lists during name management operations.
While this option centralizes administration, it may result in slower
server performance as the domain grows and the use of the
Administration Process to update the Domino Directory and maintain
databases increases.
A second option involves using a dedicated registration server as the administration server for the Domino Directory. You limit this server's responsibility to the processing of Domino Directory changes. You can then use other servers, such as database hubs, for processing ACL changes to other databases. To do so, specify the database hub as the administration server for those databases. You can divide the responsibility for database ACL changes among several administration servers, but you must make sure that when there are multiple replicas of a database in the domain, you assign an administration server for only one replica.
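The rule that a replicated database gets exactly one administration server (stated above under administration servers and repeated for the second option), as an added inventory check that is not part of this manual: it walks a constructed list of replicas and flags replica sets that name no administration server, that disagree about which server it is, or that name a server holding no replica (the Administration Process edits that server's replica, so it must have one). The inventory format, replica IDs and server names are assumptions for the example.

```python
"""Sanity check of administration-server assignments across replicas.

Added illustration, not Lotus code. Each record describes one replica as it
would be inventoried from the server holding it: the replica ID, the host
server, and the administration server recorded in that replica's ACL
(None when no administration server is set).
"""
from collections import defaultdict

# Constructed inventory: (replica ID, server holding the replica,
# administration server recorded in that replica's ACL or None).
INVENTORY = [
    ("852567AB:0012CDEF", "Hub/Acme", "Hub/Acme"),
    ("852567AB:0012CDEF", "Mail1/Acme", "Hub/Acme"),
    ("852567AB:0012CDEF", "Mail2/Acme", "Hub/Acme"),
    # Two replicas of the same database name different administration servers.
    ("852567AB:00ABCDEF", "Hub/Acme", "Hub/Acme"),
    ("852567AB:00ABCDEF", "Registration/Acme", "Registration/Acme"),
    # No administration server at all: name changes and deletions never land.
    ("852567AB:00FFEE01", "Mail1/Acme", None),
    # The named administration server holds no replica of the database.
    ("852567AB:00FFEE02", "Mail2/Acme", "Hub/Acme"),
]


def check_admin_servers(inventory):
    """Return {replica_id: [problem, ...]} for replica sets that break the rule.

    A replica set is healthy when every replica records the same single
    administration server and that server is one of the hosts.
    """
    by_replica = defaultdict(list)
    for replica_id, host, admin_server in inventory:
        by_replica[replica_id].append((host, admin_server))

    problems = {}
    for replica_id, entries in by_replica.items():
        hosts = {host for host, _ in entries}
        admin_servers = {adm for _, adm in entries if adm}
        found = []
        if not admin_servers:
            found.append("no administration server assigned")
        elif len(admin_servers) > 1:
            # ACL not yet replicated, or edited independently on several servers.
            found.append("conflicting administration servers: "
                         + ", ".join(sorted(admin_servers)))
        else:
            (adm,) = admin_servers
            if adm not in hosts:
                found.append(f"administration server {adm} holds no replica")
        if found:
            problems[replica_id] = found
    return problems


if __name__ == "__main__":
    for replica_id, found in sorted(check_admin_servers(INVENTORY).items()):
        for msg in found:
            print(f"{replica_id}: {msg}")
```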
A third option involves using multiple servers to maintain the Domino
Directory. If your domain is geographically dispersed, having a single
administration server for the Domino Directory means all administration
requests for Domino Directory changes have to replicate to this one
server and the resultant changes have to replicate back. If your company
is organized hierarchically, that is, it is composed of multiple
organizations and organizational units, extended administration servers
15-4 Administering the Domino System, Volume 1
administration server for that directory. If so, the server processes the
request. If it is not the administration server for that directory, the server
leaves the request to be processed by the appropriate administration
server. If the server is unable to open the database, it ignores the request.
For more information on secondary Domino Directories, see the chapter
Setting up Directory Assistance.
For more information on designating a server as an administration
server, see the topic Specifying an administration server for databases
earlier in this chapter.
Create replica
Edit the Directory Profile document for the Domino Directory to include the names of anyone allowed to create a Cross-domain Configuration document. On the Directory Profile document, add the administrators' names to the List of administrators who are allowed to create Cross-domain Configuration documents in the administration requests database field. If a Cross-domain Configuration document is created by someone whose name is not in that field or who is not a manager of the Domino Directory, that configuration will be ignored.
Create Replica
Delete Person in Address Book
Delete Server in Address Book
Get Replica Information for Deletion
Rename Person in Address Book
Rename Server in Address Book
Task | Administrator needs this access in the Domino Directory | Administrator needs this access in ADMIN4.NSF | Administrator needs this access in other databases
Add a resource to or delete a resource from the Resource Reservations database
Author with Create documents access
Add group
Author with Create documents access and GroupModifier role
Add users to group
Author with GroupModifier role. If administrator has access greater than Author, that access is sufficient
Author with Create documents access
CreateResource role in the Resource Reservations database
None
Editor access
Editor access
Approve a request to move a user name to another hierarchy
One of these: Author with Create documents access and UserModifier/ServerModifier role
Author with Create documents access to the Certification Log
Editor access
Approve the deletion of a resource from the Resource Reservations database
Delete documents access
Editor access
None
Create new database access on the registration server
Create replicas of databases
No requirement
Author with Create documents access
All of these: Create replica access to the destination server; Reader access to the database on the source server. In addition, the source server must have Create replica access to the destination server, and the destination server must have Reader access to one replica of the database.
Delete group
None
One of these: Author with Delete documents access and the GroupModifier role; Editor access
Author with Create documents access
Delete servers
One of these: Author with Delete documents and the ServerModifier role; Editor access
Author with Create documents access
None
Delete users*
One of these: Author with Delete documents access and the UserModifier role; Editor access
Author with Create documents access
None
One of these: Editor
None
Enable password-checking during authentication
Editor access
Author with Create documents access
None
Find name
None
None
Move replicas from a cluster server
None
Author with Create documents access
Both of these: Same access as Create replicas of databases; Manager access to the original database
Move replicas from a non-clustered server
None
Editor
Both of these: Same access as Create replicas of databases; Manager access to the original database
Move user to another server
One of these: Editor; Author with Create documents access and UserModifier/ServerModifier role
One of these: Author with Create documents access
Create replica access on the new mail server. In addition, the old mail server must have Create replica access to the new mail server, and the person whose mail file is being moved must be running a Notes Release 5 or higher client.
Author with Create documents access to the Certification Log
Editor access
Register user
If creating mail files/roaming files, Create database access on the mail server and/or roaming server, accordingly. If creating replicas, Create Replica access on the replica servers. If CERTLOG.NSF resides on the registration server, Create document access to CERTLOG.NSF is required.
Author with Create documents access and UserCreator role
Author with Create documents access if using Administration Process for background processing
Remove all replicas of a database
None
None
None
Author with Create documents access
Author with Create documents access to the Certification Log
None
None
Author with Create documents access
None
None
Editor
Author with Create documents access
None
Update client information in Person record
None
None
None
View | Displays
Administrative Attention Required
Pending Administrator Approval
All Activity by Server
All Requests by Action
All Requests by Name
All Requests by Server
Name Move Requests
All Errors by Server
Certificate Requests
Revocation Requests
Configuration Updates
Recovery Information Updates
Remove resource
Rename user
For more information on the administration requests and how they are
processed, see the appendix Administration Process Requests.
Icon and corresponding timing | Description
Icon displays for all Administration Process Request documents
that are marked as Approved by an administrator taking
action from within the Pending Administrator Attention view.
Icon displays for all Administration Process Request documents
that are marked as Rejected by an administrator taking action
from within the Pending Administrator Attention view.
Icon displays for all interval requests. These requests are
processed according to the Interval setting in the Server
document.
Icon displays for all requests that are posted for an
Administration Approval. These requests show up in the
Pending Administrator Approval view until acted upon.
Icon displays when Administration Process Log documents have
been selected for reprocessing. When errors occur, the Log
documents appear in the All Errors by Server or All Errors by
Date views and can be reprocessed by selecting one or more
documents and clicking the Reprocess Selected Requests
button. The Log documents can also be reprocessed individually
by editing the Log document and checking Perform request
again.
Icon displays for all Administration Process Log documents that
report non-error type conditions. These requests show up in the
Administrative Attention Required view for easy access.
Icon displays when Administration Process Log documents have
been marked as processed. Processed means an Administrator
has reviewed the log and wishes to remove it from the view.
Mark one or more Log documents as processed by clicking the
Remove From View button in the Administrative Attention
Required, All Errors by Server or All Errors by Date views.
Icon displays for all Administration Process Log documents that
represent requests that have successfully completed work on
specific databases.
Icon displays for all Administration Process Log documents that
report error type conditions. These requests appear in the All
Errors by Server and All Errors by Date views for easy
viewing.
Icon displays for all Administration Process Log documents to
indicate a potential blocking condition. A blocking condition can
occur when a request is waiting for some other event to occur in
order to process through.
or
Tell adminp p a
Field | Enter
Interval
Interval between purging mail file and deleting when using object store
Start executing on
Start executing at
Store Admin Process log entries when status of no change is recorded
Suspend Admin Process at
Restart Admin Process at
ACLsModified
ReaderAuthorModified
ReplicasDeleted
ReplicasCreated
AppointmentsModified
ProfilesModified
DesignElementsDeleted
DirectoryDocumentsDeleted
Message | Occurs during
Renaming
Recertification
None
None
None
None
Renaming
Renaming
Any request
Copy Server's Certified Public Key
None
Place Server's Notes Build number into Server Record
Request Move to New Certifier
Initiate Rename in Domino Directory
Recertify Server in Domino Directory
Recertify Person in Domino Directory
Rename Person in Domino Directory
Rename Server in Domino Directory
Do the following:
1. Create the necessary Certifier document(s) in the Domino Directory.
2. For each Certifier document, copy the certified public key from the certifier ID to the Certifier document in the Domino Directory.
3. At the server console, enter load updall names.nsf -t $certifiers.
4.
When a server running an older version of Notes encounters a Domino 5.0 Administration Request. An older server is unable to process the request.
Upgrade the server to the current release.
Create Replica
Move Replica
The administrator or database manager requesting the delete action needs Author access (or greater) to the Address Book.
Delete user, server, or group
The requests require at least
Author (with Delete
documents) access with the
appropriate role
(UserModifier,
ServerModifier, or
GroupModifier). The
person must have access to
the replica of the Domino
Directory used to submit
the request and to the
replica on the
administration server for
the Domino Directory.
Message | Occurs during
None
Move Replica
Non-cluster move
replica
Rename in Access
Control List
Chapter 16
Setting Up and Using Domino Administration Tools
This chapter explains how to install and navigate the Domino
Administrator. It also includes information on setting up and using the
Web Administrator, which allows you to administer a Domino server
using a browser.
[Figure: the Domino Administrator window, with callouts for the window tab, tabs, domain, bookmark bar, server pane, task pane, results pane, and tools pane]
Task pane
The task pane provides a logical grouping of administration tasks
organized by tabs. Each tab includes all the tasks associated with a
specific area of administration. For example, to manage the files located
on a particular server, select a server and click the Files tab.
Results pane
The appearance of the results pane changes, based on the task you are
performing. For example, the results pane may display a list of files, as
on the Files tab, or an active display of real-time processes and statistics,
as on the Server - Monitoring tab.
Server pane
The server pane displays the servers in the domain, grouped in different
views. For example, you can view all servers in the domain or view them
by clusters or networks. To pin the server pane open, click the pin icon
at the top of the server pane.
Tools pane
The tools pane provides additional functions associated with a selected
tab. For example, from the Files tab you can check disk space and
perform tasks associated with files.
Window tabs
Use window tabs to switch from one open window to another in the
Domino Administrator. Every time you open a database or a document,
a new window tab appears beneath the main menu bar.
Domains
You can access the servers in each domain that you administer. Click a
domain to open the server pane.
Bookmark bar
The Bookmark bar organizes bookmarks. Each icon on the Bookmark bar
(running down the left edge of the Domino Administrator window)
opens a bookmark or a list of bookmarks, which can include Web
browser bookmarks.
Favorites: Lists your favorite servers, that is, those you administer most frequently. To add a server to Favorites, choose Administration - Add Server to Favorites, and then specify the name of the server to add.
Domain: For more information on adding domains, see the topic Setting Basics Preferences, later in this chapter.
Basics
Files
Monitoring
Registration
Statistics
Field | Action
Domain name: Choose one:
Do not change location
Change to this location. Specify the location from which you want to manage this domain.
On startup: Do one:
Choose Don't connect to any server
Choose Connect to last used server
Choose Connect to specific server, and then specify the startup domain and startup server.
Do one:
Check this box to see the Welcome page each time you start the Domino Administrator.
Uncheck this box if you do not want to see the Welcome page.
Title
File Name
Physical Path
Files Format
Size
Max Size
Quota
Warning
Created
Last Fixup
Is Logged
Template
Field | Action
Do not keep more than <n> MB of monitoring data in memory (4 - 99MB): Enter the maximum amount of virtual memory, in MB, used to store monitoring data. Default is 4.
Not responding status displayed after <n> minutes of inactivity
Field | Action
Monitor servers: Do one:
Choose From this computer to monitor servers from the local Domino administration client.
Choose From server and then click Collection Server. Select the Domino server running the Collector task for the servers being monitored by the location you selected.
Field | Action
Registration
Domain
Certifier name list: Choose a certifier ID to use when creating the user name during user registration when a Notes user ID is not being created for the user. This field appears if the check box Create a Notes ID for this person is not selected. If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization.
Do one:
Choose Certifier ID to use the certifier ID and password. Then click Certifier ID, select the certifier ID file, and click OK to select the certifier ID used to register new certifiers, servers, and users.
Choose Use CA Process to use the Domino server-based certification authority.
Registration Server
Certifier ID
Field | Action
Explicit policy
User Setup Profile: Select a profile. The default is none. You can assign either a policy or a user setup profile, but you cannot assign both to the same users.
Mail Options
User ID/Password Options
Advanced Options
Server/Certifier
Registration
4. Click OK.
For more information on explicit policies, see the chapter Using
Policies. For more information on Advanced Options, see Domino
Administrator 6 Help.
You also enable statistic alarms for use with statistic event generators. If
you create statistics event generators to report alarms, you must enable
statistics alarms.
To set statistics preferences
1. From the Domino Administrator, choose File - Preferences - Administration Preferences.
2. Click Statistics.
Action
Do one:
Enable the field and then specify, in minutes, how often to create statistics reports in the Monitoring Results database (STATREP.NSF). Default is 45 minutes. The value must be greater than the monitoring poll interval specified in the Monitoring preferences.
Disable the field if you do not want to create statistics reports or charts.
Do one:
Enable the field to report an alarm when a statistic exceeds a threshold. You must enable this field to generate statistic events. Alarms are reported to the Monitoring Results database (STATREP.NSF).
Disable the field if you do not want to generate alarms.
Do one:
Enable the field to use the poll interval specified in the Monitoring preferences.
Disable the field to set a charting interval that is different from the poll interval. Then specify a time interval in which to chart statistics. The default is 20 seconds.
4. Click OK.
Tab | Use to administer
People & Groups: People-related Domino Directory items, such as Person documents, groups, mail-in databases, and policies
Files
Server: Current server activity and tasks. This tab has five sub-tabs: Status, Analysis, Monitoring, Statistics, and Performance.
Messaging
Replication
Configuration
From the People & Groups tab, you perform these tasks to manage the Domino Directory:
See which server tasks are running, stop or restart them, or start new tasks
Analysis
From the Analysis tab, you can:
Monitoring
From the Monitoring tab, you can:
View the current status of tasks running on each server and view
selected statistics
Statistics
From the Statistics tab, you can see the real-time statistics for the current
status of the Domino system.
Performance
From the Performance tab, you can:
Check mail
Tracking Center
From the Tracking Center tab, you can issue tracking requests to track
messages. You must enable the Tracking Center tab in the Web
Administrator.
Security
Monitoring
Messaging
For more information on enabling the Tracking Center for the Web Administrator, see the topic Message-tracking in the Web Administrator later in this chapter.
Policies
Replication
Directory services
Off-line services
Right-click: Select an object that has an associated tool and right-click. For example, on the People & Groups tab, right-click a Person document to access the People tools.
Menus: For each tab that has tools, the appropriate tools menu appears in the menu bar. For example, when you click the Files tab, the Files menu appears.
The following table describes the tools that are on each tab.
Tab | Tools
People & Groups | People, Groups
Files | Disk Space, Folder, Database
Server - Status | Task, User, Ports, Server
Server - Analysis | Analyze
Messaging | Messaging
Configuration | Certification, Registration, Policies, Hosted Org, Server, Miscellaneous
Web Administrator
If you have a browser and want to manage and view settings for a
Domino server, you can use the Web Administrator to perform most of
the tasks that are available through the Domino Administrator. This
section includes the following information about the Domino Web
Administrator:
Setting up the Web Administrator
For the most current information about supported browsers, see the
Release Notes.
Domino server tasks required
You must have the following Domino server tasks running:
The HTTP task must be running on the Web server so that you can
use a browser to access it.
For more information on how the HTTP server task synchronizes names
in the Server document with those on the Web Administrator database
ACL, see Giving additional administrators access to the Web
Administrator, later in this chapter.
Default database security
The default ACL settings for the Web Administrator database are listed below. You do not need to change these settings if the administrator's name appears in the Administrators field of the Server document.
Access control list
Default name | Access level
Names in the Administrators field of the Server document | Manager
-Default- | No access
Anonymous | No access
OtherDomainServers | No access
Authenticating administrators
You can use either an Internet password or an SSL client certificate to
access the Web Administrator. The Web Administrator uses either
name-and-password or SSL authentication to verify your identity. The
method the Web Administrator uses depends on whether you set up the
server or the Domino Web Administrator database (WEBADMIN.NSF),
or both to require name-and-password or SSL authentication.
Tab | Role
Files | Files
People & Groups | People&Groups
Replication | Replication
Configuration | Configuration
Messaging - Mail
MsgTracking
Server - Status | ServerStatus
Server - Analysis | ServerAnalysis
Server - Statistic | ServerStatistic
To restrict a Web administrator's access, use the Manage ACL tool on the Files tab. For more information on managing ACL roles, see the chapter Controlling User Access to Domino Databases.
Frames cannot be resized. If you resize the main window, the entire
Web Administrator reloads.
For the most recent information on using the new Domino Web
Administrator, see the Release Notes that shipped with this product or
download the Domino Administrator online help from the Lotus Domino
Administrator Release 6 download page on the Lotus Developer Domain
at http://www.lotus.com/ldd.
Additional buttons
The Domino Web Administrator includes these buttons, which appear to the right of the tabs. These do not appear in the Domino Administrator:
Sign out Use this to log out when you cannot or do not want to
close the browser.
Help Use this to access on-line help documents for the Domino
Administrator.
The mail bookmark displays in the bookmark area only if you have
browsed to your home mail server.
Title
File Name
Physical Path
File Format
Size
Space Used
Max Size
Quota
Warning
Created
Last Fixup
Is Logged
Template Name
Inherit From
Type
Replica ID
For more information about modifying certifiers, see the chapter Setting
up a Domino Server-Based Certification Authority. For more
information about user registration in the Web Administrator, and about
creating and modifying groups, see the chapter Setting Up and
Managing Notes Users. For more information about registering a server,
see the chapter Installing and Setting Up Domino Servers.
In the Web Administrator, you cannot configure a server for SSL during
the server registration process.
You must be a Full Access Administrator to edit the NOTES.INI file. You
must have Administrator access or higher to view the NOTES.INI file, or
to edit or view the cleanup script.
For more information on editing the NOTES.INI file, see the appendix
NOTES.INI File.
The Server Controller runs in its own window. You can minimize a
Server Controller window, but do not close or kill the window to stop the
Server Controller. Instead, use the Controller Quit command from a
console to stop a Server Controller and the server it controls.
When you run a Server Controller, you no longer have access to the
traditional console at the server. You can communicate only through the
Domino Console or a console in the Domino Administrator or Web
Administrator.
Note You can run the Server Controller as a Windows NT service.
Use -c to prevent the Domino Console from running when you start the
Server Controller. You might prevent the Console from running on a
slow machine or a machine that is low on memory. If you use this
argument and the Domino server ID requires a password, the Domino
server starts without running its server tasks. To run the server tasks,
you must connect to the Server Controller from a console and specify the
server password when prompted.
Use -s to prevent the server from running when you start the Server
Controller. Use this argument along with -c so that someone who is
directly at the server can start only the Server Controller, and then a
remote administrator can start the server and specify a required server
password remotely from a console.
Command | Result
nserver -jc | Starts the Server Controller, the Domino Console, and the Domino server
nserver -jc -c | Starts the Server Controller and the Domino server without the Domino Console
nserver -jc -s | Starts the Server Controller and the Domino Console without the Domino server
nserver -jc -c -s | Starts only the Server Controller
Note The Domino Console also starts by default when you start a
Server Controller.
For information on using the Domino Console, choose Help - Help
Topics from the Domino Console menu.
To stop the Domino Console
1. From the Domino Console, choose File - Exit.
2. If the Console is currently connected to a Server Controller, when
you see the prompt Exiting the Console by disconnecting all active
connections. Do you want to continue? do the following:
a. (Optional) To also stop a Domino server and Domino Server
Controller running locally, select the option Also, bring down
Domino (if running) and quit the local Server Controller - local
server name.
b. Click Yes.
Chapter 17
Using Domino with Windows Synchronization Tools
This chapter explains how to synchronize user and group information in
Windows NT User Manager for Domains, the Windows 2000 Active
Directory, and in Notes.
When you use Domino to register or delete a Notes user or delete a Notes
group, you can automatically update User Manager for Domains
(USRMGR.EXE). Conversely, special menu options and dialog boxes
added to Windows NT allow you to specify that additions and deletions
(and name changes for users) made to User Manager user or group
accounts are reflected in the Domino Directory. You can also add existing
Windows NT user or group accounts to the Domino Directory.
For example, if you run Notes on Windows NT, you can open User
Manager for Domains and specify that all changes to user accounts
during the session are also recorded in the Domino Directory on a
selected Domino server. You then display the list of existing user or
group accounts and select ones to be added to the Domino Directory.
Then you add, delete, or modify other user accounts while working in
Windows NT. All these changes are automatically made to the Domino
Directory. Plus, a mail file, Notes ID, and common password (shared by the user's Notes ID, Notes Internet password, and Windows NT account) can be created for each new user.
These directory synchronization features let you keep both the Domino Directory and User Manager current, without having to update both when either changes. Also, you can manage user and group information in the Domino Directory and User Manager from either Notes or Windows NT.
To set up Windows NT User Manager, you must complete these
procedures:
1. Enable Notes synchronization features.
2. Synchronize Windows NT and Notes users.
Example 2
You have users who are registered in both Windows NT and Domino.
You want to synchronize their accounts to make administration easier.
To accomplish this, you choose the User synching option in User
Manager. This copies the user account name from Windows NT to the
Network account name field in the users Person document. Now that
the products have a common entry, the Notes User Manager Extension
(NUME) program can communicate between them and keep them
synchronized.
Example 3
You already deployed Domino and synchronized Domino with Windows
NT. You want to add users as necessary. Use the Windows NT User
Manager to create a new Windows NT account and simultaneously
register the user in Domino. Use Domino to register a person and
simultaneously create the Windows NT account. You can also
accomplish this task when registering multiple users from a text file. The
default account name in Windows NT is the same as the name in the
Short name field of the Person document.
Field | Enter
Enable all synchronization operations: To enable all Notes synchronization operations listed under the Select synchronization operations to enable field. Whenever you perform one of the synchronization operations in User Manager for Domains, you are prompted to decide whether or not to perform the same operation in Notes.
Select synchronization operations to enable: Choose one of these to enable and disable selected Notes synchronization operations:
User / Group registration to register new or existing Windows NT users and groups in Notes. This option enables the Add Selected NT User / Group to Notes, Registration Setup, and Mail / ID Registration Options on the Notes menu.
User / Group deletion to delete a user or group from Windows NT and have that user or group deleted from the Domino Directory. Enables the Delete / User Synch Options command on the Notes menu.
User synching to change a user account name in User Manager and duplicate that name change in the Network account name field of the Person document in the Domino Directory, allow changes to the user's full name and copy the new name to the User name field in the Person document, enable the Notes menu command Synch Selected NT Users with Notes, and activate the Set common password on user synching field.
Set common password on user synching
Prompt to confirm/cancel synchronization operations: Choose one:
Prompt for all operations (default)
Prompt only for user / group deletions
Do NOT prompt for any operations
Name format for full name parsing
Use Policy-based registration
3. To save and re-apply the settings in the next User Manager session,
choose Options - Save Settings on Exit.
4. Complete the procedure Synchronizing Windows NT and Notes
users.
The full name of the Windows NT user is added to the User name
field on the Person document if that name does not already exist in
the names list. Existing full names in the Person document are not
modified.
User synching does not register a Notes user; that is, a Person
document, Notes ID, and mail file are not created. User synching can
only modify information in an existing Person document.
Note If an error occurs during user synchronization (for example, a
Person document cannot be found for the NT server), an error message
appears. Details on errors/status are also entered in the NT Event
Viewer application log.
If you change the Windows NT user account name or the full name, run
synchronization again. You should also run synchronization if you want
to synchronize the Windows NT password with the Notes password.
User synching is successful if these conditions exist:
The NT user account name matches the name in the Short name
field in the Person document.
The Windows NT last name matches the name in the Last name
field in the Person document.
Note If you have not created the appropriate policy documents prior to
setting the policy-based registration options, you are prompted to do so
during this procedure.
For more information on using policies, see the chapter Using Policies.
Field: Action
Registration server: A registration server for this session, that is, the
Domino server on which to create Person documents in the Domino Directory.
Users are automatically assigned the same Domino domain as that of the
selected server. You must have a properly certified Notes ID and sufficient
access to the specified server to register Notes users. Default - Local
Administration ID: Enter the new Administration ID of the administrator
registering Notes users, and then enter a password. Click OK.
Use common password
Set Internet Password in Notes: Sets an Internet password for authenticated
access to the Domino Web server. The Internet password is encrypted and set
into the Internet password field in the Person document. This password is
mandatory if the Internet registration only option is selected or if the
mail type is Other Internet, POP, or IMAP. Default - Not selected
Certifier name
Organizational policy
Explicit policy
3. Click OK.
The Registration Setup menu item is active only if you have not enabled
the Use policy-based registration setting in the Notes Synchronization
Options.
To change default Registration Setup options
1. Before changing the default registration options, you must enable
user and group registration.
For more information, see the topic Enabling Notes synchronization
operations in Windows NT User Manager earlier in this chapter.
2. From the User Manager, choose Notes - Registration Setup.
Field: Enter
Set Internet password in Notes
Registration server
Administration ID
Profile name
Use common password
Internet domain
Address name format
Separator: Choose one: None, Underscore, Percent, Equal. This field
displays if the mail type is Notes, POP, or IMAP.
Certifier ID
Security type: Choose one: North American, International. This field does
not display if Internet registration only is selected.
Certificate expiration date
Alternate name language
For more information on the User Setup Profile and the alternate name
language, see the chapter Setting Up and Managing Notes Users.
To change default Mail / ID Registration options
Mail / ID Registration options are not available if you selected
Internet-only registration in the Registration Setup dialog box.
1. Before changing the default Mail/ID Registration options, enable
user and group registration.
For more information on synchronizing user and group registration,
see the topic Enabling Notes synchronization operations in
Windows NT User Manager earlier in this chapter.
2. From the User Manager, choose Notes - Mail/ID Registration
Options.
3. (Optional) To create user mail files on a server other than the local
server, click Mail Server, select another server, and then click OK.
4. Change these settings, and then click OK:
Field: Enter
Mail Server
Mail Type: Choose one:
Create mail files now
Create mail files in background
Create full text index: Select to create a full-text index of the entire
mail database.
Store User IDs
Set ID path: The path and file name in which to store user IDs. If you chose
Store User IDs in file, you can select a file other than the one that is
displayed. This button is activated only if you chose In file in the Store
User IDs field. The default is <Data directory>\ids\people
Field: Enter
First name, middle name and last name: Accept the default names derived
from the user's full name in Windows NT.
Org unit: The name of the organizational unit the user is included in. For
example, if user John Smith is part of engineering, the organizational unit
could be Eng. The user name would be John Smith/Eng. Organizational units
are useful for differentiating between users of the same name. For example,
John Smith/Eng/Acme and John Smith/Doc/Acme, where one employee is a member
of Engineering and the other is a member of Documentation. Each is assigned
a different organizational unit name.
Use common password
Notes/Common password for user name
Confirm password: Enter the new Notes password for this user again.
Set Internet password in Notes: Enters the Internet address in the user's
Person document in the Domino Directory. This field applies only if the
user is registered for Notes mail. Activates the following fields: Internet
address, Internet password for user name, Confirm Internet password.
Internet address
Internet password
Confirm Internet password
2. In the User Manager Username window, select the user accounts that
you want to register in Notes.
3. Choose Notes - Add selected NT Users/Groups to Notes.
4. If you are registering multiple users, choose one of the following, and
then click OK:
Prompt for the name and password of each user to enter
information manually for each user.
Register users at once without additional prompts to use
Windows NT full names as Notes user names and to generate
random Notes passwords in a database titled New User
Passwords (NTSYNC45.NSF). If you choose this option, continue
to Step 6.
5. If you are registering only one user or if you chose to enter user
information manually, complete these fields:
Field: Enter
Use common password
Notes/Common Password for user name
Confirm password
Set Internet password in Notes: Enters the Internet address in the user's
Person document in the Domino Directory. This field applies only if the
user is registered for Notes mail. Activates the following fields: Internet
address, Internet password for user name, Confirm Internet password.
Internet address
Internet password
Confirm Internet password
6. When User Manager asks if you want to register the new Windows
NT users in Notes, do one of the following:
Click Begin Registration to register new users immediately.
Click Cancel to register new users later.
7. If you chose Register users at once without additional prompts in
Step 4, distribute the passwords to users so they can install their
Notes workstations. After installation, users can create new
passwords.
Note Automatically generated passwords apply only to Notes user IDs
and not to Windows NT or Notes Internet passwords.
To register new users later
If you choose not to register users immediately or if you click Stop
Registration to pause registration, use this method to register the users
later.
1. From User Manager, choose Notes - Register Notes Users Now.
2. Click Begin Registration.
3. Click OK.
Field: Enter
Group Type: Choose one: Multi-purpose (default), Mail only, Access Control
List only, Deny List only
Description
Members
Not members: Add to this list those users who are not members of the group,
or remove from this list user names that you want to include in the Members
list.
Note If there are global groups in the members list and you want to
add those groups to the Domino Directory, select Synchronize
groups in Members list with Notes also.
6. If you are registering group members in Notes, User Manager
prompts you for registration options. Choose one of the following:
Prompt for the name and password for each user to enter user
information manually for each user.
Register users at once without additional prompts to use
Windows NT full names as Notes user names and to generate
random passwords. If you choose this option, go on to Step 7.
7. If you chose to manually enter user information in Step 6, complete
these fields, and then click OK:
Field: Enter
Org unit
Notes/Common password for user name
Confirm password
Internet password
Confirm Internet password: Enter the Internet password for this user again.
Internet address
Field: Enter
Group Type: Choose one: Multi-purpose (default), Mail only, Access Control
List only, Deny List only
Description
Members
Not members
Note If there are global groups in the members list and you want to
add those groups to the Domino Directory, select Synchronize
groups in Members list with Notes.
6. If you are registering group members in Notes, User Manager
prompts you for registration options. Select one of the following:
Prompt for the name and password for each user to enter user
information manually for each user.
Register users at once without additional prompts to use
Windows NT full names as Notes user names and to generate
random passwords. If you choose this option, continue with Step 7.
7. If you chose to manually enter user information in Step 6, complete
these fields and then click OK:
Field: Enter
First name, middle name and last name: Accept the default names derived
from the user's full name in Windows NT.
Org unit: The name of the organizational unit the user is included in. For
example, if user John Smith is part of engineering, the organizational unit
may be Eng. The user name would be John Smith/Eng. Organizational units are
useful for differentiating between users of the same name. For example,
John Smith/Eng/Acme and John Smith/Doc/Acme, where one employee is a member
of Engineering and the other is a member of Documentation. Each is assigned
a different organizational unit name.
Use common password
Confirm password
Set Internet password
Internet Address
Internet password
Confirm Internet password
For more information on migrating Active Directory users, see the book
Upgrade Guide.
User options are available to register Notes users in Active Directory. In
the Domino Administrator's user registration interface, there is a
Windows User Options button on the Other panel of the Register
Person - New Entry dialog box. You can select options to register a user
in Active Directory at the same time that the user is registered in
Domino. This is essentially the opposite of what ADSync does.
Regardless of the tool with which you register a new user in both
directories, you can use ADSync to synchronize and delete users from
both directories. You can also use ADSync to rename users in both
directories.
For more information on the user options available when registering
Notes users, see the chapter Setting Up and Managing Notes Users.
Field: Action
Select synchronization operations to enable
User/group registration
User/group synchronization: Click this check box to copy the values from
Active Directory objects' fields to Domino Directory fields, according to
the field mapping specified in the Field Mapping tab. Member lists in groups
are synchronized when you enable this option. Synchronization occurs when
you select a Synchronize menu item, or click a toolbar button, or after an
Active Directory object is modified. When you click this check box, these
fields are activated: Recertify users on rename; Set common password on
user synchronization
Prompt to confirm/cancel synchronization operations
Use Registration server for all operations
Administration ID
On user deletion
Default certifier name
Default explicit policy
Register security groups in Notes as
You can modify any of the initial mappings, create mappings, or create
Notes field names. When an Active Directory object is created or is
synchronized with Notes, all field values in the mapped Active Directory
object are copied to corresponding fields in the Person or Group
document in the Domino Directory. If necessary, fields are created in the
Person or Group document and existing field values are overwritten.
This is one-way synchronization. No changes are made to the Active
Directory object.
Field Mappings in ADSync, unlike other settings, are different for each
Active Directory domain.
To map fields
1. From the MMC, choose Domino Directory Synchronization.
2. Click Field Mappings.
3. Choose either User or Group in the Field mappings for Object class
field.
4. Scroll through the In Active Directory list until you locate the Active
Directory field that you are mapping to a Domino Directory field.
5. Right-click the corresponding In Domino Directory field (it may
appear blank). An editable field appears. Enter the field name or
select one from the list.
6. Continue this process until you have mapped as many fields as
needed.
7. Click Apply and OK.
To allow the new fields to display in the dialog box, close and then
restart the Microsoft Management Console. The new fields appear.
Field: Action
Register in Domino Directory
First name, Middle name, Last name: Enter the user's first name and last
name, and optionally, enter a middle name.
Org unit
Explicit Policy
Use common password: Click this check box if you want to use one password
for Windows, Notes, and Notes Internet. The existing Windows password is
then replaced by the password you enter here. To preserve the existing
Windows 2000 password, enter that password as the common password. If the
Use common password check box is selected, the Notes password for the user
name field and the Confirm password field are enabled.
Password
Confirm password
4. Click Next.
5. Review the settings you specified for the user you are registering and
click Finish.
Field: Action
If registration is canceled for some users and/or groups, try to register
them later
After the user or group is registered in Domino from the MMC using
ADSync.
When one or more users or groups are selected on the results pane of
the MMC and the Synchronize with Domino option is selected from
the context menu or the toolbar.
When you change any of the properties of the user or group object
and confirm your changes by clicking the OK or Apply buttons.
Field: Action
Register in Domino Directory
Group name
Group type
Description
3. Click Next.
4. Review the information that displays and click Finish. Click OK.
Chapter 18
Planning Directory Services
This chapter describes the Domino directory services features and some
of the planning issues to consider before using them.
Internationalization features
Each Domino domain has at least one administration server for the
Domino Directory. The administration server is responsible for carrying
out Administration Process requests that automate changes to the
You can set up Notes clients to use directory servers, rather than their
mail servers, to look up names and addresses.
For information on setting up Notes clients to use directory servers, see
the chapter Setting Up the Domino Directory.
Some of the questions to ask when planning for the LDAP service are:
Should you create a full-text index for the Domino Directory? If your
LDAP clients typically use search filters that search for names or mail
addresses, then it's not necessary to full-text index the directory. If
LDAP clients use other types of search filters, creating a full-text
index for the directory is recommended so the LDAP service can
process these kinds of requests more quickly by searching a full-text
index.
Do you need to extend the schema to add support for new object
classes or attributes? You may need to extend the schema if your
company has LDAP applications that search for application-specific
information. You can use the Domino LDAP Schema database
(SCHEMA.NSF) to extend the schema, or add forms and fields to the
directory. Using the Schema database is recommended.
The LDAP service can never process an LDAP search, add, or modify
request in a remote LDAP directory. It can only refer LDAP clients to
a remote LDAP directory.
Note The LDAP service, like any Domino Internet protocol server, can
use directory assistance to authenticate its clients using credentials in a
secondary directory, and to use groups in a secondary directory for
database authorization.
For more information, see the topic Planning directory assistance later
in this chapter.
Notes clients can use LDAP accounts set up in the Personal Address
Book to connect directly to a remote LDAP directory server. Using an
LDAP account, a Notes user can browse the remote LDAP directory and
can search for addresses in the remote LDAP directory when sending
mail.
Should you use Setup policy settings and/or Desktop policy settings
documents to set up and modify the LDAP accounts? This approach
automates the process of creating and updating the accounts.
LDAP accounts for the Bigfoot and VeriSign directories are set up by
default.
The tools you can use to add entries to the Domino Directory are the
Notes user registration program, migration tools that are integrated with
the Notes user registration program, Domino directory synchronization
tools, and third-party LDAP applications. You can also add an entry
manually, for example you typically add a group entry manually. You
might also develop a custom Notes application to add entries.
For additional information on using LDAP to add entries, see the chapter
Setting Up the LDAP Service.
For more information, see the chapter Using Domino with Windows
Synchronization Tools.
Third-party LDAP applications
The LDAP service allows third-party LDAP applications to modify
directory entries. By default the LDAP service does not allow LDAP
write operations to a directory, so you must set up the directory to allow
them.
Directory servers
Using the Domino directory server field on the Servers tab of a
Location document in the Personal Address Book, Notes clients can use
directory servers, rather than mail servers, for directory lookups.
How many directory assistance databases should you use? You can
create more than one and set up groups of servers to use specific
ones.
Does the directory server require a search base? If so, enter the
search base in the Directory Assistance document.
Feature comparison. Values are listed in column order: first column
(heading not recovered) / second column (heading not recovered) /
Directory assistance for secondary Domino Directory or Extended Directory
Catalog / Directory assistance for remote LDAP directory.
(feature name not recovered): Yes / Yes / Yes / Yes
Notes client LDAP-style searches: Yes / Yes / Yes / No
Notes client directory browsing: Yes / Yes / Yes / No
Notes client type-ahead addressing: Yes / Yes (if no Mobile Directory
Catalog) / Yes (if no Mobile Directory Catalog) / No
Notes client F9 address resolution: Yes / Yes / Yes / No
LDAP client search and write operations: Yes (search), No (write) / Yes /
No / No
LDAP client referrals: No / No / No / Yes
Internet client authentication: No / Yes / Yes / Yes
Group authorization (enabled for one secondary directory only): No / No /
Yes / Yes
directory with the most specific matching rule is searched first. For
example, if a user specifies the search base ou=Sales,o=Acme, the
server first searches a directory with the rule /Sales/Acme, before
searching a directory with the rule */Acme. If directories have
identical naming rules that match the search base specified by the
user, search orders assigned to these directories determine the order
in which the directories are searched.
4. If the search is not successful in any Domino Directory or Extended
Directory Catalog, the LDAP service refers clients to an LDAP
directory enabled for LDAP clients in the directory assistance
database.
If an LDAP user doesn't specify a search base, the LDAP service does
not return a referral.
If an LDAP user specifies a search base, the server picks an LDAP
directory enabled for LDAP users with a naming rule that matches
the specified search base. If there is no such directory, the server
doesn't return a referral. If there is more than one such directory, the
server picks the one with the most specific matching rule before
picking one with a less-specific rule. If directories have identical
naming rules that match the search base specified by the user, search
orders assigned to these directories determine the order in which the
LDAP service picks them for referrals.
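As an added illustration (not Domino's own code), the following Python models the selection rule just described: a search base is matched against each directory's naming rule, the most specific match wins, identical rules fall back to search order, and a referral is issued only to a directory enabled for LDAP users. The rule syntax ("/Sales/Acme", "*/Acme"), the wildcard handling, and the DirectoryEntry fields are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DirectoryEntry:
    """One directory configured in the directory assistance database.
    The field names are assumptions of this example, not Domino's own."""
    name: str
    naming_rules: List[str]   # Notes-style rules such as "/Sales/Acme" or "*/Acme"
    search_order: int         # lower value is searched, or referred to, first
    ldap_users: bool          # enabled for LDAP users (only these receive referrals)


def search_base_components(search_base: str) -> List[str]:
    """'ou=Sales,o=Acme' -> ['Sales', 'Acme'], least significant part first."""
    parts: List[str] = []
    for rdn in search_base.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() not in ("ou", "o", "c"):
            raise ValueError(f"unsupported search base attribute: {attr!r}")
        parts.append(value.strip())
    return parts


def rule_specificity(rule: str, base: List[str]) -> Optional[int]:
    """Number of literal name parts the rule shares with the search base, or
    None when the rule does not match. Parts are aligned at the organization
    end; '*' matches any one part, and a rule with fewer parts than the base
    is padded with '*' on the left (assumed wildcard semantics)."""
    rule_parts = [p for p in rule.split("/") if p]
    if len(rule_parts) < len(base):
        rule_parts = ["*"] * (len(base) - len(rule_parts)) + rule_parts
    # A rule part with no base part underneath it may only be a wildcard.
    aligned: List[Optional[str]] = [None] * (len(rule_parts) - len(base)) + list(base)
    specificity = 0
    for rule_part, base_part in zip(rule_parts, aligned):
        if base_part is None:
            if rule_part != "*":
                return None
        elif rule_part == "*":
            continue
        elif rule_part.lower() == base_part.lower():
            specificity += 1
        else:
            return None
    return specificity


def rank_directories(search_base: str, entries: List[DirectoryEntry]) -> List[str]:
    """Names of the directories whose naming rules match the search base, in
    the order the LDAP service would use them: most specific rule first, and
    identical rules ordered by their search order."""
    base = search_base_components(search_base)
    ranked: List[Tuple[int, int, str]] = []
    for entry in entries:
        scores = [s for s in (rule_specificity(r, base) for r in entry.naming_rules)
                  if s is not None]
        if scores:
            ranked.append((-max(scores), entry.search_order, entry.name))
    return [name for _, _, name in sorted(ranked)]


def pick_referral(search_base: str, entries: List[DirectoryEntry]) -> Optional[str]:
    """Directory an LDAP client is referred to once the Domino directories
    fail, or None: no referral without a search base or a matching rule."""
    if not search_base_components(search_base):
        return None
    candidates = [e for e in entries if e.ldap_users]
    ranked = rank_directories(search_base, candidates)
    return ranked[0] if ranked else None


if __name__ == "__main__":
    # Constructed sample configuration for the chapter's /Sales/Acme example.
    sample = [
        DirectoryEntry("SalesLdap", ["/Sales/Acme"], search_order=2, ldap_users=True),
        DirectoryEntry("AcmeLdap", ["*/Acme"], search_order=1, ldap_users=True),
        DirectoryEntry("AcmeLdap2", ["*/Acme"], search_order=3, ldap_users=True),
    ]
    print(rank_directories("ou=Sales,o=Acme", sample))   # SalesLdap first
    print(pick_referral("", sample))                      # None: no search base
```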
Alternate names
Corporate hierarchies
Alternate names
The alternate naming feature assigns a Notes user an alternate name
recognizable in the users native language, in addition to a primary name
that is internationally recognizable. Users use alternate names to use
their native languages when displaying and working with names in the
Domino Directory.
For additional information, see the chapter Setting Up and Managing
Notes Users.
Corporate hierarchies
Companies can create corporate hierarchies to customize the way the
Domino Directory categorizes user entries. For example, companies
might create a corporate hierarchy that categorizes by management level.
You can assign one user to a maximum of four corporate hierarchies.
When Notes users address mail or use the search tool to find people, they
can choose to display the entries according to their corporate hierarchy
assignments, rather than simply by name or by Notes name hierarchy.
18-18 Administering the Domino System, Volume 1
If you use the LDAP service, are there attributes and object classes
already defined in the Domino LDAP schema that serve your
company's needs? The schema (the types of directory entries that
are defined for the LDAP service by default) defines many object
classes and attributes which you may be able to use rather than
adding new ones.
If your company doesn't use the LDAP service, should you create a
form in such a way that it can represent an LDAP object class? It's
good practice to create a form that can represent an LDAP object
class, so that if in the future your company uses the LDAP service,
the design requirements are in place.
Domino domain
A network of clients and servers whose users, servers, connections, and
access control information is described in a Domino Directory.
Extended Directory Catalog
A directory catalog used by servers that, to facilitate quick name lookups,
retains the individual documents and the multiple, sorted views
available in the Domino Directory. You create an Extended Directory
Catalog from the PUBNAMES.NTF template. Servers use directory
assistance to locate an Extended Directory Catalog.
extended ACL
An optional directory access control feature available for a Domino
Directory and Extended Directory Catalog used to apply restrictions to
users' overall directory access.
LDAP schema
A set of rules that defines what can be stored as entries in an LDAP
directory. The Domino LDAP Schema database (SCHEMA.NSF), which
is created from the SCHEMA.NTF template, publishes the schema for a
domain.
LDAP service
The LDAP server task running on a server to process LDAP client
requests.
Lightweight Directory Access Protocol (LDAP)
A standard Internet protocol for accessing and managing directory
information. LDAP is a simpler version of the X.500 protocol that
supports TCP/IP.
Mobile Directory Catalog
Name for a condensed Directory Catalog set up on a Notes client.
Chapter 19
Setting Up the Domino Directory
This chapter describes the Domino Directory and explains how to set up
the Domino Directory for a Domino domain.
[Figure: directory deployment diagram showing Primary Directories (Users,
Groups, Custom entries; Domino Configuration) and Configuration Directories
(Domino Configuration only) on Directory Servers, Mail Servers and
Application Servers, and the entry types Group, Mail-in Database and
Resource.]
When you use this combination directory, all the users from the
aggregated secondary directories are automatically trusted for
authentication, and all the groups can be used in database ACLs for
database authorization.
For more information on integrating an Extended Directory Catalog with
a primary Domino Directory, see the chapter Setting Up Directory
Catalogs.
1. From the Domino Administrator, connect to the server that stores the
replica of the Domino Directory you want to change.
2. Click the Files tab.
3. Select the Domino Directory, and then double-click.
1. From the Domino Administrator, select the server that stores the
primary Domino Directory.
2. Select the Configuration tab, and select Server - Current Server
Document.
3. Click Edit Server.
4. On the Basics tab, in the Directory Information section, below the
Directory Type field, deselect Allow this directory to be used as a
remote primary directory for other servers.
5. Click Save & Close.
(Optional) Use the extended ACL to set access at the form and field
level.
ACL entry: Access level (User type)
-Default-: access level not recovered (Unspecified)
Anonymous: No access (Unspecified)
LocalDomainAdmins: access level not recovered (Person group)
LocalDomainServers: access level not recovered (Server group)
OtherDomainServers: Reader access (Server group)
(entry name not recovered): user type Server
(entry name not recovered): user type Person
You might want to customize the database ACL. For example, to have
stricter control over database access, you might change the access for the
-Default- entry to No Access and explicitly add the names of groups of
users to the ACL that you want to allow access.
Note The default access for the -Default- entry allows users only to
change some of the fields in their Person documents.
The access defined in the ACL by a role never exceeds a general access
level. For example, even if you give the UserCreator role to an
administrator who has Reader access in the ACL, the administrator
cannot use the Create menu to create Person documents.
For more general information on roles in an ACL, see the chapter
Controlling User Access to Domino Databases.
Creator roles
Assign creator roles to control who can create documents in the Domino
Directory. To create documents in the Domino Directory, administrators
must have:
Role: Allows
GroupCreator
NetCreator
PolicyCreator
ServerCreator
UserCreator
Caution Assigning Creator roles does not provide true security because
Domino sometimes ignores Creator roles when administrators add
documents to the directory programmatically. For example, an
administrator who does not have the UserCreator role can still use the
User Registration program to register a user.
Modifier roles
Rather than assigning Editor access which allows administrators to
modify all documents, assign administrators Author access along with
one or more Modifier roles to control the types of documents they can
edit. For example, assign the UserModifier role to administrators who are
responsible for managing users. Unlike Creator roles, Modifier roles are a
true security feature.
Role: Allows
GroupModifier
NetModifier
PolicyModifier
ServerModifier
UserModifier
Corporate hierarchies
You can categorize a Person document in the Domino Directory by a
corporate hierarchy. When a Notes user clicks the Address button to
select the name in the Person document from a Domino Directory, or
uses the Find People search tool to find the name, the user can view the
name by the assigned Corporate Hierarchy.
You can categorize user names in any way you want in a corporate
hierarchy. For example, you might categorize users by company division:
  Marketing
    Kaplan, Judy
    Spera, Phyllis
  Research and development
    Burke, Kathy
    Murphy, Bob
You can assign a user to up to six subcategories below a top-level
category. For example, the following corporate hierarchy sorts each user
by one subcategory below a top-level company division category.
  Marketing
    Design
      Spera, Phyllis
    Planning
      Kaplan, Judy
  Research and development
    Hardware
      Burke, Kathy
      Murphy, Bob
You can assign a user to up to four corporate hierarchies. For example, in
addition to categorizing a user by company division, you could also
categorize the user by geographic location:
  Boston
    Spera, Phyllis
Software
Marketing
Design
Spera, Phyllis
fill out the Corporate Hierarchy Information tab in her Person document
like this:
2. Enter the name of the directory server in the Directory server field in
the Basics tab of the document.
Field: Enter
Condensed server directory catalog for domain
(field name not recovered): Choose one: Yes to display the members of a new
group in alphabetical order. No (default) to display members of a group in
the order in which you add them. If you select No, you can still override
this option and alphabetize members of a specific group.
(field name not recovered): Choose one: Yes (default) to allow you to
create Alternate Language Information documents that enable LDAP clients to
search for user information in an alternate language. No to prevent the
creation of Alternate Language Information documents.
(field name not recovered): List of administrators who are allowed to
create Cross Domain Configuration documents in the Administration Process
Requests database
Chapter 20
Setting Up the LDAP Service
This chapter describes how to set up a Domino server to use the
Lightweight Directory Access Protocol (LDAP) service.
In addition to the LDAP service, Domino and Notes offer these LDAP
features:
Notes client support for LDAP. For more information, see Notes 6
Help.
Migration tools that use LDAP to import entries from another LDAP
directory and register the entries in Domino
Note The first value in the FullName field defines the distinguished
name for any entry in the Domino Directory except a Domino Group or
Domino Server; the first value in the ListName field defines the
distinguished name for a Domino Group, and the first value in the
ServerName field defines the distinguished name for a Domino Server.
These messages indicate that the LDAP service is verifying that each part
of a Notes-style distinguished name in a document in the directory has a
separate document to define the name part. If the LDAP service detects
that a part of a name is missing such a corresponding document, it
creates one in a hidden view. Creating an additional document in this
way ensures that LDAP clients can always use subtree searches to find
the original document.
For example, if the distinguished name in a Person document is Phyllis
Spera/Boston/Acme, and there is no Domino Certifier document
registered for the organizational unit Boston, the LDAP service creates an
organizationalUnit document for Boston. Then, an LDAP user can use a
search filter that specifies a search base of ou=Boston,o=Acme with the
subtree scope to find the entry cn=Phyllis Spera,ou=Boston,o=Acme.
If the server running the LDAP service is the administration server for a
Domino Directory or Extended Directory Catalog, the LDAP service can
verify the directory tree. The LDAP service does not verify the directory
tree for a Configuration Directory or for a condensed Directory Catalog.
The LDAP service can create three types of documents, depending on
which part of a Notes distinguished name is missing one: country,
organizationalUnit, and organization documents. The LDAP service adds
such a document when:
A Notes user name is registered with a country part. In this case, the
LDAP service creates a country document.
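The directory-tree check described above, as an added example that is not part of the Domino documentation: it converts an abbreviated Notes hierarchical name to LDAP RDNs and reports every ancestor container (organization, organizationalUnit, country) that has no entry yet, with the object class the text says the service creates for it. The sample names and the set of existing entries are constructed; treating a trailing two-letter component as a country code is an assumption of this example.

```python
from typing import List, Set, Tuple

# Object class the LDAP service creates for each kind of missing name part,
# as listed in the chapter: country, organizationalUnit, organization.
CONTAINER_CLASS = {"c": "country", "o": "organization", "ou": "organizationalUnit"}


def notes_to_ldap_rdns(notes_name: str) -> List[Tuple[str, str]]:
    """Split 'Phyllis Spera/Boston/Acme' into LDAP RDNs, leaf first:
    [('cn', 'Phyllis Spera'), ('ou', 'Boston'), ('o', 'Acme')].
    Assumption: a trailing two-letter alphabetic component is a country code."""
    parts = [p.strip() for p in notes_name.split("/") if p.strip()]
    if len(parts) < 2:
        raise ValueError("a hierarchical Notes name needs a common name and an organization")
    cn, rest = parts[0], parts[1:]
    country = None
    if len(rest) >= 2 and len(rest[-1]) == 2 and rest[-1].isalpha():
        country = rest.pop()
    org = rest.pop()                      # the last remaining part is the organization
    rdns = [("cn", cn)] + [("ou", ou) for ou in rest] + [("o", org)]
    if country:
        rdns.append(("c", country))
    return rdns


def dn_string(rdns: List[Tuple[str, str]]) -> str:
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def missing_containers(rdns: List[Tuple[str, str]], existing_dns: Set[str]) -> List[Tuple[str, str]]:
    """For every ancestor of the entry (everything above the cn), return
    (dn, objectClass) for the containers that have no entry of their own."""
    known = {dn.lower() for dn in existing_dns}
    missing = []
    for depth in range(1, len(rdns)):     # depth 0 is the leaf entry itself
        ancestor = rdns[depth:]
        dn = dn_string(ancestor)
        if dn.lower() not in known:
            missing.append((dn, CONTAINER_CLASS[ancestor[0][0]]))
    return missing


if __name__ == "__main__":
    # Constructed sample: only o=Acme has a Certifier document, so ou=Boston is missing.
    rdns = notes_to_ldap_rdns("Phyllis Spera/Boston/Acme")
    print(dn_string(rdns))
    for dn, object_class in missing_containers(rdns, {"o=Acme"}):
        print(f"create {object_class} entry for {dn}")
```

With the container entries in place, a client that sets its search base to ou=Boston,o=Acme and uses the subtree scope reaches cn=Phyllis Spera,ou=Boston,o=Acme, which is the point of the check.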
where servername is the name of the Domino server that created the
documents. Specify the name in LDAP format, for example:
"creatorsname=cn=westserver,o=acme"
How the LDAP service forms a value for the mail attribute
To return a value for the mail attribute for a Person, Group, Mail-In
Database, or Resource document, the LDAP service searches for the
following:
1. A fully formed Internet address in one of these fields, in the order
indicated:
a. Internet Address (InternetAddress)
b. Short Name (ShortName). If the Internet Address Lookup field on the
Conversions tab of a Global Domain document is disabled, the LDAP
service doesn't look for a short name.
Prevent the LDAP service from carrying out LDAP operations in the
primary Domino Directory.
Start the LDAP service automatically when you start Domino: edit the
ServerTasks setting in the NOTES.INI file to include the LDAP task.
Domino adds the LDAP task to the ServerTasks setting automatically on
the administration server for a domain Domino Directory, or if you
select the option Directory services (LDAP services) during server
setup.
Start the LDAP service manually: [procedure not recovered]
For information on the NOTES.INI file and on server commands, see the
appendices.
Except where noted in the table, restarting the LDAP task or the Domino
server is unnecessary after changing a setting because the task checks for
setting changes automatically, by default at three-minute intervals. You
can use the NOTES.INI setting LDAPConfigUpdateInterval to change the
interval at which the LDAP service checks for changes to its settings.
Setting: Automatically Full Text Index Domino Directory? (4)
Description: [not recovered]
Setting: Choose fields that anonymous users can query via LDAP (2, 3)
Description: [not recovered]
Setting: Allow LDAP users write access (3)
Description: [not recovered]
Setting: Rules to follow when this directory... (4)
Description: [not recovered]
Setting: Timeout (4)
Description: [not recovered]
Setting: Maximum number of entries returned (4)
Description: Controls the maximum number of entries that the LDAP service
can return in response to an LDAP search. Default: no limit
Setting: Minimum characters for wildcard search (4)
Description: Controls the minimum number of characters users must place
before the first wildcard in a substring search filter. Default: 1
Setting: Allow Alternate Language Information processing (4)
Description: [not recovered]
Setting: Enforce schema? (4)
Description: [not recovered]
Setting: Maximum number of referrals (4)
Description: [not recovered]
Setting: Activity Logging truncation size (4)
Description: Controls the size of the information Activity Logging can
log for an LDAP Add or Modify operation. Default: 4096 bytes
Setting: Encode results in UTF8 for LDAP-v2 clients? (4)
Description: [not recovered]
Set in the Server document of each server that runs the LDAP service. To
configure authentication options for the ports enabled in a Server
document, you can instead use a Directory Site document. Using the site
document to configure authentication options is required in a hosted
organization environment.
2
Field: TCP/IP port number
Enter: [not recovered]
Field: TCP/IP port status
Enter: Choose one:
    Enabled (default) to allow LDAP clients to connect to the server
    without using SSL.
    Redirect to SSL to direct LDAP clients connecting without using SSL
    to use SSL instead. The LDAP service returns a message to LDAP
    clients indicating that they must connect over SSL.
    Disabled to prevent LDAP clients from connecting using the TCP/IP
    port.
Field: Authentication options: Name & Password*
Enter: If the TCP/IP port status field is set to Enabled, choose one:
    Yes (default) to allow LDAP clients to use name-and-password
    authentication when connecting using the TCP/IP port.
    [remaining option not recovered]
Field: SSL port number
Enter: [not recovered]
Field: [name not recovered]
Enter: Choose one:
    Enabled to allow LDAP clients to connect to the LDAP service over
    SSL.
    Disabled (default) to prevent LDAP client connections over SSL.
Field: Authentication options: Client certificate*
Enter: [not recovered]
Field: Authentication options: Name & password*
Enter: [not recovered]
Field: Authentication options: Anonymous*
Enter: [not recovered]
You specify anonymous search access separately for each directory the
LDAP service serves.
Note Always use the directory database ACL, optionally with an
extended ACL, to control directory access for authenticated LDAP users,
and to prevent anonymous LDAP users from modifying the directory.
Domain Configuration Settings document
The Choose fields that anonymous users can query via LDAP setting
on the LDAP tab of a domain Configuration Settings document in a
Domino Directory or Extended Directory Catalog is the default method
used to determine search access for anonymous LDAP users. The LDAP
service uses the default settings in this document as the default
anonymous search access, even if you do not create the document.
You can modify the Choose fields that anonymous users can query via
LDAP setting to customize search access for anonymous LDAP users.
Database ACL/Extended ACL
You can use the database ACL along with an extended ACL to define
anonymous LDAP search access to a directory, rather than use the
domain Configuration Settings document.
For information on extended ACLs, see the chapter Setting Up
Extended ACLs.
Choosing which method to use
The database ACL/extended ACL is a more flexible method of
controlling anonymous LDAP search access than the domain
Configuration Settings document. For example, when you use the
domain Configuration Settings document to allow or deny access to an
attribute, the access applies to all entries that contain the attribute.
However, when you use the database ACL/extended ACL, you can deny
access to an attribute contained in entries at a particular branch of the
directory tree, but allow access to the same attribute contained in entries
located at other branches. Or you can deny access to the attribute in a
particular type of entry throughout the directory, but allow access to it in
another type of directory entry.
20-16 Administering the Domino System, Volume 1
However, there are implications to using extended access that don't apply
to the use of the domain Configuration Settings document. For example,
after you enable extended access, you can make directory changes only on
a directory replica located on a Lotus Domino 6 server, and not on a
server from a previous release of Domino. The database ACL/extended ACL
method also causes database security to be enforced for Notes
namelookups, such as type-ahead lookups. If the domain Configuration
Settings document method is adequate for your needs, it may make sense
to use it instead.
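The difference between the two methods, as an added example that is not part of the Domino documentation: the domain Configuration Settings list is one attribute list for the whole directory, while an extended ACL rule can be scoped to one branch of the tree or to one form. The entries, rules and the rule-resolution order (deepest branch wins, then a form-specific rule over an any-form rule, default deny) are constructed for this example and are a simplified model, not Domino's actual extended ACL evaluation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Entry:
    dn: str                  # LDAP distinguished name of the directory entry
    form: str                # Domino form the document uses, e.g. Person or Group
    attrs: Dict[str, str]


# Method 1: "Choose fields that anonymous users can query via LDAP" in the
# domain Configuration Settings document. One list for the whole directory:
# allowing or denying an attribute applies to every entry that carries it.
def anon_readable_by_settings(entry: Entry, attr: str, allowed: Set[str]) -> bool:
    return attr.lower() in {a.lower() for a in allowed}


# Method 2: database ACL plus extended ACL. A rule targets one branch of the
# directory tree, optionally one form only, and allows or denies one attribute.
@dataclass(frozen=True)
class ExtendedRule:
    subtree: str                  # DN of the branch the rule covers
    attr: str
    allow: bool
    form: Optional[str] = None    # None means the rule covers every form


def in_subtree(dn: str, subtree: str) -> bool:
    d, s = dn.lower(), subtree.lower()
    return d == s or d.endswith("," + s)


def anon_readable_by_extended_acl(entry: Entry, attr: str, rules: List[ExtendedRule]) -> bool:
    """Default deny. Among the rules covering this entry and attribute, the
    most specific one decides: deeper branch first, then form-specific over
    any-form. (Assumed resolution order for this example.)"""
    best = None
    for rule in rules:
        if rule.attr.lower() != attr.lower() or not in_subtree(entry.dn, rule.subtree):
            continue
        if rule.form is not None and rule.form.lower() != entry.form.lower():
            continue
        rank = (rule.subtree.count(","), rule.form is not None)
        if best is None or rank > best[0]:
            best = (rank, rule)
    return best[1].allow if best else False


def anonymous_view(entry: Entry, readable) -> Dict[str, str]:
    """Project an entry down to what an anonymous client may read;
    readable is a callable (entry, attr) -> bool for either method."""
    return {a: v for a, v in entry.attrs.items() if readable(entry, a)}


# Constructed sample entries and rules (not real directory data).
BOSTON_PERSON = Entry("cn=Phyllis Spera,ou=Boston,o=Acme", "Person",
                      {"cn": "Phyllis Spera", "mail": "pspera@acme.example"})
DALLAS_PERSON = Entry("cn=John Browning,ou=Dallas,o=Acme", "Person",
                      {"cn": "John Browning", "mail": "jbrowning@acme.example"})
DALLAS_GROUP = Entry("cn=Sales,ou=Dallas,o=Acme", "Group",
                     {"cn": "Sales", "mail": "sales@acme.example"})
SETTINGS_ALLOWED = {"cn", "mail"}          # domain-wide: mail is readable everywhere
RULES = [
    ExtendedRule("o=Acme", "cn", True),
    ExtendedRule("o=Acme", "mail", True),                   # mail readable in the whole tree ...
    ExtendedRule("ou=Boston,o=Acme", "mail", False),        # ... except in the Boston branch
    ExtendedRule("o=Acme", "mail", False, form="Group"),    # ... and never on Group documents
]
```

With the settings list, denying mail would hide it for every entry; with the rules above the same attribute stays readable for a Dallas Person while it is hidden for the Boston branch and for every Group, which is the flexibility the text describes.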
Anonymous LDAP search access and upgrades from previous
releases
If you upgrade a server from a previous release to Lotus Domino 6, the
LDAP service uses the LDAP anonymous access configuration from the
previous release. If you create or edit the domain Configuration Settings
document after updating the directory with the Lotus Domino 6
PUBNAMES.NTF design, the list of attributes allowed for anonymous
access includes the following attributes not listed in previous releases:
Attributes:
altServer, attributeTypes, cn, createTimestamp, creatorsName, dc,
ditContentRules, extendedAttributeInfo, extendedClassInfo, ldapSyntaxes,
modifiersName, modifyTimestamp, namingContexts, o, objectClass,
objectClasses, ou, st, street, subschemasubentry, supportedControl,
supportedExtension, supportedLDAPVersion, supportedSASLMechanisms,
vendorname, vendorversion
These attributes were not listed in previous releases because you
could not prevent anonymous LDAP access to them in previous
releases; anonymous LDAP users always had search access to these
attributes. In Lotus Domino 6, you can deny anonymous LDAP search
access to the attributes above, although they are allowed for anonymous
search access by default to be consistent with the anonymous search
behavior of previous releases.
6. Do the following for each server in the domain that runs the LDAP
service:
a. If you made the changes to a Domino Directory replica on a
different server, replicate the changes to the server.
b. Enter the following command on the server to put the changes
into effect:
Restart Server
5. Click Save & Close to save the changes in the Configuration Settings
document.
MailDomain
O
OfficeCity
OfficeCountry
OfficeState
OU
PublicKey
ShortName
Street
Type
UserCertificate
13. In the Forms box, select Group.
14. With the Group form still selected, select each of the following fields
in the Fields box, and for each field click Allow Read:
InternetAddress
MailDomain
Members
Type
15. Next to Schema, select LDAP.
16. In the Object Classes box, select dominoPerson.
17. With the dominoPerson object class still selected, in the Attributes
box select cn and click Allow Read.
18. Click OK twice, and when you see the prompt Save changes before
exiting? click Yes.
You control LDAP write access separately for each directory. For
example, you could enable write access for the primary Domino
Directory, and leave write access disabled for an Extended Directory
Catalog.
Note You cannot enable LDAP write access to a condensed Directory
Catalog served by the LDAP service.
Keep the following points in mind if you enable LDAP write access for a
directory:
1. Domino does not provide a tool for doing LDAP write operations;
you must develop or obtain one.
2. If you allow LDAP write access, use the directory database ACL, and
optionally, extended ACL, to control the directory changes that
LDAP users can make.
3. Enable schema checking for the LDAP service to require that
directory changes made via LDAP conform to the directory schema.
By default schema checking is disabled; if you allow LDAP write
operations, enabling it is recommended to maintain consistent
directory contents.
4. The Administration Process server task doesn't respond to LDAP
write operations. For example, if an LDAP user deletes a Person
document, the Administration Process can't delete the associated
user name from database ACLs.
5. The LDAP service can carry out an LDAP write operation in a
secondary Domino Directory or Extended Directory Catalog only if
that directory is stored locally on the server that runs the LDAP
service. If the LDAP service receives a write operation request for a
Domino Directory on a remote server, it sends an LDAP referral to
the client. The LDAP service refers the client to the administration
server for the directory. If there is no administration server specified,
it refers the client to the remote server that stores the directory. The
client must then follow the referral itself.
1. From the Domino Administrator, open the directory for which you
want to enable write access.
2. Select the Servers - Configurations view.
8. If you enabled LDAP write access, set up the database ACL, and
optionally extended ACL, to specify the directory contents that
LDAP users can modify.
For more information, see the chapters Setting Up the Domino
Directory and Setting Up Extended ACLs.
9. Configure how the LDAP service responds when it finds more than
one occurrence of a name specified in an LDAP write operation.
It receives an LDAP add request and finds more than one Domino
Directory enabled for LDAP clients in its directory assistance
database with a directory assistance naming rule that most
specifically matches the distinguished name specified in the request.
Note that if there is no Domino Directory enabled for LDAP clients in
directory assistance with a rule that matches the distinguished name
specified in an add operation, the LDAP service adds the entry to its
primary Domino Directory. If there is only one Domino Directory
enabled for LDAP clients in directory assistance with a rule that
matches the distinguished name specified in an add operation, the
LDAP service adds the entry to that directory.
For more information on the LDAP service and directory assistance, see
the chapter Setting Up Directory Assistance.
To specify the Rules to follow when this directory is the primary
directory and there are multiple matches on the distinguished name
being compared/modified for all servers in the domain that run the
LDAP service:
1. From the Domino Administrator, open the server that runs the LDAP
service, or a server in the same domain as the one that runs the
LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select
Settings.
Domain      Naming rule            Search order
Domain B    */*/*/*/*/*            [not recovered]
Domain C    */*/*/*/*/*            [not recovered]
Domain D    */*/*/DomainD/Acme*    [not recovered]
Directory the entry is added to, and why:
Domain D: the Domain D directory is the only directory with a rule that
most specifically matches a name added.
Domain B: rules for Domain B and C both match the name being added; the
entry is added to Domain B because it has a lower search order than
Domain C.
None: rules for Domain B and C both match the name being added; the
entry is not added.
Field: Timeout
Enter: [not recovered]
Field: Maximum number of entries returned
Enter: [not recovered]
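The add-request dispatch described in the table, as an added example that is not part of the Domino documentation: each directory in directory assistance has a naming rule and a search order; the directory whose rule matches the name most specifically receives the entry, a tie is broken by the lower search order or by not adding at all, and a name that matches no rule goes to the primary Domino Directory. The search-order values and the sample names are constructed, and the rule-matching semantics (components compared from the right, `*` also matching an absent component) are an assumption of this example, not a statement of how Domino parses naming rules.

```python
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Optional


class DirectoryRule(NamedTuple):
    directory: str       # directory enabled for LDAP clients in directory assistance
    rule: str            # naming rule, components separated by '/'
    search_order: int    # lower value is searched first (constructed values)


def rule_matches(rule: str, notes_name: str) -> bool:
    """Assumed semantics: compare components from the right (organization
    side); '*' matches any component, including an absent one; a name with
    more components than the rule never matches."""
    rule_parts = rule.split("/")
    name_parts = notes_name.split("/")
    if len(name_parts) > len(rule_parts):
        return False
    for i in range(1, len(rule_parts) + 1):
        pattern = rule_parts[-i]
        if i > len(name_parts):                 # name is shorter than the rule
            if pattern != "*":
                return False
            continue
        if not fnmatchcase(name_parts[-i].lower(), pattern.lower()):
            return False
    return True


def specificity(rule: str) -> int:
    """Number of rule components that are not a bare wildcard."""
    return sum(1 for p in rule.split("/") if p != "*")


PRIMARY = "primary Domino Directory"


def directory_for_add(notes_name: str, rules: List[DirectoryRule],
                      add_to_lowest_search_order: bool) -> Optional[str]:
    """Pick the directory that receives an LDAP add for notes_name.
    add_to_lowest_search_order models the 'Rules to follow ... multiple
    matches' setting: True adds to the lowest search order, False adds nothing."""
    matches = [r for r in rules if rule_matches(r.rule, notes_name)]
    if not matches:
        return PRIMARY
    best = max(specificity(r.rule) for r in matches)
    candidates = [r for r in matches if specificity(r.rule) == best]
    if len(candidates) == 1:
        return candidates[0].directory
    if add_to_lowest_search_order:
        return min(candidates, key=lambda r: r.search_order).directory
    return None                                  # entry not added


# The three rules from the table; search-order values are constructed.
RULES = [
    DirectoryRule("Domain B", "*/*/*/*/*/*", 1),
    DirectoryRule("Domain C", "*/*/*/*/*/*", 2),
    DirectoryRule("Domain D", "*/*/*/DomainD/Acme*", 3),
]

if __name__ == "__main__":
    for name in ("Maria Ruiz/Sales/DomainD/Acme", "Maria Ruiz/Sales/Acme"):
        print(name, "->", directory_for_add(name, RULES, True), "/",
              directory_for_add(name, RULES, False))
```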
Many LDAP clients do not support language tags in search queries. Such
LDAP clients can specify, for example, givenName=Etienne to find an
entry with givenName;lang-fr=Etienne defined.
To enable LDAP alternate language searches, configure the LDAP service
to allow them, and add the language tags to entries. Use an Alternative
Language Information document in the Domino Directory to add
language tags to a Person document. Use LDAP add and modify
operations to add language tags to any other type of entry.
RFC 2596 defines language tags that you can append to an attribute to
define an alternate language value for the attribute. For
example, givenName;lang-fr=Etienne defines Etienne as a French value
for the givenName attribute. The LDAP service supports language tags.
To conform to RFCs 2251 through 2254, you can use the LDAP service
option DN Required on Bind? to require that an LDAP client that binds
using name-and-password security to any LDAP service running in the
domain use its fully qualified LDAP distinguished name as its
LDAP client logon name. In a Person document in the Domino Directory,
the distinguished name is the first value in the FullName field, labeled
User Name. By default, the LDAP service doesn't require an LDAP client
to use the distinguished name as a logon name.
character encoding for LDAP V2 clients, then the LDAP service may
sometimes be unable to return results containing international characters
to V2 clients that use UTF-8.
Note The LDAP service always uses UTF-8 character encoding when
returning results with international characters to LDAP V3 clients, for
example, Microsoft Outlook Express clients and Notes clients.
To enable or disable the use of UTF-8 character encoding for LDAP V2
clients for the LDAP service running on any server in a domain:
1. From the Domino Administrator, open the server that runs the LDAP
service, or a server in the same domain as the one that runs the
LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select
Settings.
4. Do one of the following:
If you see the prompt Unable to locate a Server Configuration
document for this domain. Would you like to create one now?
click Yes, then click the LDAP tab on the document that is created.
If you do not see this prompt, click Edit LDAP Settings.
5. Choose one:
Yes (default) to use UTF-8 character encoding for LDAP V2
clients.
No to prevent the use of UTF-8 character encoding for LDAP V2
clients.
6. Click Save & Close.
For more information on LDAP service referrals, see the chapter Setting
Up Directory Assistance.
When the LDAP service can't find information for which an LDAP client
is searching, it can return a referral to the client, which is a URL to
another directory server that might hold the information the client is
requesting. The LDAP service uses directory assistance to return
referrals.
Port to use for the connection, for example 389 for TCP/IP, or 636 for
SSL.
For more information, see the documentation provided with the client.
Setting up Notes clients to use the LDAP service
To set up Notes clients to connect to the LDAP service running on a
particular Domino server, create LDAP accounts for the LDAP service in
the Notes clients' Personal Address Books. Use Setup policy settings
Account Names
Server Addresses
Protocols
LDAP
The primary Domino Directory of the server running the LDAP service is
trusted for client authentication automatically. You must explicitly trust
other directories for client authentication.
For additional information, see the chapters Setting Up Directory
Catalogs, Setting Up Directory Assistance, Setting Up
Name-and-Password and Anonymous Access to Domino Servers, and
Setting Up Clients for S/MIME and SSL.
where:
xxx represents the text string to search for
attributes are any of these attributes to retrieve:
cn
url
doctitle
docauthor
docsummary
dbheading
dbcategories
dbtitle
For example, the following query searches for all documents that contain
the text HR policies and then returns the cn, url, doctitle, docauthor,
and dbtitle values for those documents:
"(&(ObjectClass=Document)(Object=*HR policies*))" cn url doctitle docauthor dbtitle
You can use operators with the Object attribute search filter. For
example, to find all documents that contain both the text HR policies
and the text 1999 and then return the same set of attributes as the
example above, use this query:
"(&(ObjectClass=Document)(&(Object=*HR policies*)(Object=*1999*)))" cn url doctitle docauthor dbtitle
To search the text of a database, you must have at least Reader access in
the ACL of the source database.
The settings for the LDAP service that are controlled through the
domain Configuration Settings document.
The LDAP service port settings in the Internet Ports section of the
Server document.
enter this server command on a server that runs the LDAP service:
To show the status of the above settings as well as the status of the LDAP
service settings controlled through the NOTES.INI file, enter this server
command:
Tell Ldap showconfig debug
LDAP service statistics (descriptions not recovered):
Anonymous LDAP Connections
Strong Authentication Connections
Server.Running
Sessions.Inbound.Accept.Queue
Sessions.Inbound.Active
Sessions.Inbound.Active.SSL
Sessions.Inbound.BytesReceived
Sessions.Inbound.BytesSent
Sessions.Inbound.Peak
Sessions.Inbound.Peak.SSL
Sessions.Inbound.Total
Sessions.Inbound.Total.SSL
Sessions.Outbound.Active.SSL
Sessions.Outbound.Peak
Sessions.Outbound.Peak.SSL
Sessions.Outbound.Total
Sessions.Outbound.Total.SSL
Sessions.Threads.Idle
Sessions.Threads.InThreadPool
Sessions.Threads.Peak
NOTES.INI settings for the LDAP service (descriptions not recovered):
DisableLDAPOnAdmin
LDAPBatchAdds
LDAPConfigUpdateInterval
LDAPGroupMembership
LDAPNotesPort
LDAPPre55Outlook
Schema_Daemon_Breaktime
Schema_Daemon_Idletime
LDAP-related RFCs:
RFC 2079: Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers (URIs)
RFC 2222: Simple Authentication and Security Layer (SASL)
RFC 2251: Lightweight Directory Access Protocol (v3)
RFC 2252: Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions
RFC 2253: Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
RFC 2254: The String Representation of LDAP Search Filters
RFC 2255: The LDAP URL Format
RFC 2256: A Summary of the X.500 (96) User Schema for use with LDAPv3
RFC 2596: Use of Language Codes in LDAP
RFC 2798: Definition of the inetOrgPerson LDAP Object Class
Chapter 21
Managing the LDAP Schema
This chapter defines the term LDAP schema and provides information
about the Domino LDAP schema and how to extend it.
LDAP schema
A directory entry contains information about a particular entity, for
example, a person or a group, and is associated with a distinguished
name. An LDAP schema is a set of rules that define what can be stored as
entries in an LDAP directory. Each LDAP directory has a default schema,
which organizations can customize, or extend, by adding elements to it.
The elements of a schema are attributes, syntaxes, and object classes.
LDAP directory servers provide the ability to enforce the schema to
ensure that directory changes made using LDAP operations conform to it.
Attributes
An attribute defines a piece of information that directory entries contain.
For example, some common attributes for entries related to people are cn
(common name), telephoneNumber, and userPassword.
An attribute is either mandatory or optional for a particular type of
entry. When an attribute is mandatory and directory administrators use
schema-checking to enforce the schema, administrators must provide a
value for the attribute when they add or modify the entries using LDAP
operations. An attribute can be defined to allow multiple values.
Multiple types of directory entries can use the same attribute.
Object classes
Syntaxes
A syntax defines the data format in which an attribute value is stored.
Directory String, Integer, and JPEG are examples of standard LDAP
syntaxes.
You can extend the schema to add custom schema elements that your
organization needs.
To see detailed information about the Domino LDAP schema, open the
Domino LDAP Schema database (SCHEMA.NSF) on any server that runs
the LDAP service.
For information relating to upgrading the LDAP schema, see the Upgrade
Guide.
Location
Server\Configuration Settings
Server\Connection
Server\Holiday
Server\Domain
[Figure: how the schema is loaded. The Domino Directory (NAMES.NSF)
holds the Domino-specific elements and extended elements; the Schema
database (SCHEMA.NSF) holds extended elements. The LDAP service on the
administration server for the Domino Directory loads the schema and
publishes it in SCHEMA.NSF, and the LDAP service on each subordinate
server loads the schema from SCHEMA.NSF.]
Administrators use the Schema database to learn about the schema and
to extend the schema. Administrators can access the Schema database
from a Lotus Notes Release 5, Lotus Notes 6, or Web browser client, and
can use the Schema database to extend the schema from a Lotus Notes 6
or Web browser client.
SCHEMA.NSF replaces the Domino Release 5 SCHEMA50.NSF database.
For more upgrade information, see the Upgrade Guide.
Extended Documents
Pending Documents
Draft Documents
Each of these views includes sub-views for object classes, attributes, and
syntaxes.
All Schema Documents view
The All Schema Documents view contains a document for each element
defined in the schema. It also contains documents for draft schema
elements awaiting administrator approval and pending schema elements
awaiting processing by the schema daemon on the administration server
for the Domino Directory.
Extended Documents view
The Extended Documents view shows a document for each extended
object class, attribute, and syntax added using the Schema database and
incorporated into the schema by the schema daemon running on the
administration server for the Domino Directory.
The Extended Documents view does not show schema extensions made
by adding forms and fields to the Domino Directory. Only the All
Schema Documents view shows new schema elements defined by new
Domino Directory forms and fields.
Pending Documents view
The Pending Documents view shows a document for each object class,
attribute, and syntax that an administrator has added using the Schema
database and approved that is awaiting processing by the schema
daemon on the administration server for the Domino Directory.
In the All Schema Documents view, a green check mark icon indicates a
pending schema element.
Draft Documents view
The Draft Documents view shows a document for each new object class,
attribute, and syntax that an administrator has added using the Schema
database, but has not yet approved.
In the All Schema Documents view, an hourglass icon indicates a draft
schema element.
Schema database
You can use the Domino LDAP Schema database (SCHEMA.NSF) to
extend the schema. The Schema database:
An object class that you add to the schema using the Schema database
does not map to a form in the Domino Directory. Therefore, to add
entries defined by these schema elements to the directory, administrators
must use LDAP operations, and the entries are accessible only via LDAP,
and are not visible to Notes and Web users.
Domino Directory
You can extend the schema by adding forms, subforms, and fields to the
Domino Directory. This method allows Notes and Web users to create
and view entries that use the new schema elements as documents, while
also enabling LDAP user access to the entries. This method is more time
consuming than using the Schema database, and must be done carefully
to avoid mistakes in schema definition.
For information on using the Domino Directory to extend the schema, see
the appendix Customizing the Domino Directory.
If the attributes will apply to more than one structural object class, add
them to a new auxiliary object class and then add the auxiliary object
class to each structural object class that will use the attributes.
For example, suppose you want to add the same attributes to object
classes A and B, both part of the default schema. Add the attributes to a
new auxiliary object class C, then add C to A and B.
Note To add a new type of entry to the directory, typically you create a
new structural object class that inherits from top.
Registering an object identifier (OID) for your organization
When you use the Domino LDAP Schema database to add a new element
to the schema, you must specify an OID for the element. To do this, your
organization should have a registered OID prefix which is used as the
root of all the OIDs you assign to your schema elements. An OID is a
unique series of numbers assigned to a schema element. For example, in
the Domino schema, the dominoPerson object class has the following
OID assignment:
2.16.840.1.113678.2.2.2.1.1.
A registered OID prefix begins with one of the following numbers:
When you use the Schema database to create a new schema element, you
first create a draft document for the element. You approve the draft
document when you are ready, and the document then moves from the
Draft Documents view to the Pending Documents view, where it awaits
processing by the Schema daemon on the administration server for the
Domino Directory. The Schema daemon on the administration server
incorporates the changes into the schema and publishes them in the
Schema database. The Schema database then replicates to subordinate
servers in the domain that run the LDAP service.
To use the Schema database to extend the schema, you must use one of
the following clients:
Lotus Notes 6
3. Select the All Schema Documents view, then click New Document Add Attribute Type.
4. Complete these fields on the Basics tab:
Field: LDAP name
Action: [not recovered]
Field: OID
Action: [not recovered]
Field: Syntax name
Action: [not recovered]
Field: Description
Action: [not recovered]
Field: Equality match
Action: [not recovered]
Field: Ordering match
Action: [not recovered]
Field: [name not recovered]
Action: Choose one:
    Yes to allow more than one value for the attribute (default)
    No to allow only one value
Field: Collective
Action: Choose one:
    Yes to allow the values for this attribute to be shared
    No to prevent values from being shared (default)
Field: No user modification
Action: Choose one:
    Yes to prevent users from modifying the values
    No to allow users to modify values (default)
5. Click Save & Close. A draft document for the new attribute appears
in the Draft Documents - Draft Attribute Types view.
6. Complete the procedure Approving draft schema documents in the
Schema database.
3. Select the All Schema Documents view, then click New Document Add Object Class.
4. Complete these fields on the Basics tab:
Field: LDAP name
Action: [not recovered]
Field: OID
Action: [not recovered]
Field: Description
Action: [not recovered]
Field: Mandatory attributes
Action: [not recovered]
Field: Optional Attributes
Action: [not recovered]
5. Click Save & Close. A draft document for the new object class
appears in the Draft Documents - Draft Object Classes view.
6. Complete the procedure Approving draft schema documents in the
Schema database.
Field: LDAP name
Action: [not recovered]
Field: OID
Action: [not recovered]
1. Make sure you have Manager access in the database ACL with the
Delete documents privilege.
Schema-checking
When schema-checking is enabled, the LDAP service carries out LDAP add
and modify operations only if the operations conform to the schema.
Schema checking is enabled by default, and it's best to keep this default
behavior if you allow write access to a directory so you have better
control over the contents of a directory. When schema-checking is
enabled, the LDAP service does the following to check that LDAP add
and modify operations comply with the schema:
If any of these checks fail, the LDAP service aborts the operation and
returns the message, Object Class Violation.
Schema-checking is done only for LDAP add and modify operations and
not when Notes and Web users add and change documents in a Domino
Directory.
Note Whether or not you enforce schema-checking, the LDAP service
requires that each directory tree component specified in a distinguished
name during an add or modify DN operation corresponds to an entry in
the directory. For example, to add an entry with the distinguished name
uid=JDoe, o=Acme, there must be an entry in the directory for
o=Acme.
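The two checks just described, as an added example that is not part of the Domino documentation: the parent-entry check that applies whether or not schema checking is enforced, and the object class check that yields the Object Class Violation result. The schema below is a constructed, abridged subset with standard class names (the real Domino schema is in SCHEMA.NSF); the mandatory/optional lists, the sample entries and the assumption that DN values contain no escaped commas are this example's own.

```python
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Set


class ObjectClass(NamedTuple):
    name: str
    superior: Optional[str]        # class whose MUST and MAY lists are inherited
    must: FrozenSet[str]           # lower-cased mandatory attribute names
    may: FrozenSet[str]            # lower-cased optional attribute names


def _oc(name, superior, must=(), may=()):
    return ObjectClass(name, superior,
                       frozenset(a.lower() for a in must), frozenset(a.lower() for a in may))


# Constructed, abridged schema subset (standard names, shortened attribute lists).
SCHEMA: Dict[str, ObjectClass] = {oc.name.lower(): oc for oc in [
    _oc("top", None, must=["objectClass"]),
    _oc("country", "top", must=["c"], may=["description"]),
    _oc("organization", "top", must=["o"], may=["description"]),
    _oc("organizationalUnit", "top", must=["ou"], may=["description"]),
    _oc("person", "top", must=["cn", "sn"], may=["userPassword", "telephoneNumber"]),
    _oc("organizationalPerson", "person", may=["ou", "l", "street"]),
    _oc("inetOrgPerson", "organizationalPerson", may=["uid", "mail", "givenName"]),
]}


def effective_must_may(classes: List[str], schema: Dict[str, ObjectClass]):
    """Union of MUST and MAY over the listed classes and all their superiors."""
    must: Set[str] = set()
    may: Set[str] = set()
    for name in classes:
        oc: Optional[ObjectClass] = schema[name.lower()]
        while oc is not None:
            must |= oc.must
            may |= oc.may
            oc = schema[oc.superior.lower()] if oc.superior else None
    return must, may


def parent_dn(dn: str) -> str:
    # Assumption: values contain no escaped commas, so a plain split suffices.
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(parts[1:])


def check_add(dn: str, attrs: Dict[str, List[str]], existing_dns: Set[str],
              schema: Dict[str, ObjectClass] = SCHEMA, enforce_schema: bool = True) -> List[str]:
    """Return the problems that would make the service refuse this add.
    The parent-entry check always runs; the rest only when schema checking is on."""
    problems: List[str] = []
    parent = parent_dn(dn)
    if parent and parent.lower() not in {d.lower() for d in existing_dns}:
        problems.append(f"no entry for parent {parent}")
    if not enforce_schema:
        return problems
    # A language tag (givenName;lang-fr) does not change which attribute the schema sees.
    present = {name.split(";")[0].lower() for name in attrs}
    classes = next((v for k, v in attrs.items() if k.lower() == "objectclass"), [])
    if not classes:
        return problems + ["Object Class Violation: objectClass is required"]
    unknown = [c for c in classes if c.lower() not in schema]
    if unknown:
        return problems + [f"Object Class Violation: unknown object class {c}" for c in unknown]
    must, may = effective_must_may(classes, schema)
    for a in sorted(must - present):
        problems.append(f"Object Class Violation: missing mandatory attribute {a}")
    for a in sorted(present - must - may):
        problems.append(f"Object Class Violation: attribute {a} not allowed for {', '.join(classes)}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the page's uid=JDoe, o=Acme case with and without o=Acme present.
    entry = {"objectClass": ["inetOrgPerson"], "cn": ["John Doe"], "sn": ["Doe"], "uid": ["JDoe"]}
    print(check_add("uid=JDoe, o=Acme", entry, {"o=Acme"}))   # []
    print(check_add("uid=JDoe, o=Acme", entry, set()))         # parent missing
```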
The easiest way to see the schema is to open the All Schema Documents
view in the Domino LDAP Schema database (SCHEMA.NSF).
Description
DisableLDAPOnAdmin
Schema_Daemon_Breaktime
Schema_Daemon_Idletime
Chapter 22
Using the ldapsearch Utility
This chapter describes how to use the ldapsearch utility to search an
LDAP directory.
Where:
You do not have to use ldapsearch from a machine that runs the Domino
LDAP service.
Parameter: -?
Use to: [not recovered]
Parameter: -a deref
Use to: [not recovered]
Parameter: -A
Use to: Retrieve only attribute names, not the values for the attributes.
Parameter: -b base dn
Use to: [not recovered]
Parameter: -B
Use to: [not recovered]
Parameter: -D bind dn
Use to: [not recovered]
Parameter: -f file
Use to: [not recovered]
Parameter: -F sep
Use to: Print sep rather than equal sign (=) between attribute names and
values. Use this parameter, for example, if a tool that reads the
ldapsearch output expects a different separator.
Parameter: -h host name
Use to: Specify the host name of the server to which you're connecting,
for example, -h server.acme.com.
Parameter: -l timelimit
Use to: Specify a time limit (in seconds) for the search to complete. If
you do not specify this parameter or if you specify a limit of 0,
searches can take an unlimited amount of time. ldapsearch never waits
longer than a search time limit set on the server, however.
Parameter: -L
Use to: [not recovered]
Parameter: -M
Use to: [not recovered]
Parameter: -n
Use to: [not recovered]
Parameter: -p port
Use to: Specify the port that the server uses. If you don't use this
parameter, ldapsearch uses port 389.
Parameter: -R
Use to: [not recovered]
Parameter: -s scope
Use to: Specify the scope of the search when you use the -b parameter:
    base to search only the entry specified with the -b parameter
    onelevel to search only the immediate children of the entry
    specified with the -b parameter but not the entry itself
    subtree to search the entry specified with the -b parameter and all
    of its descendants. This is the default behavior when you use -b
    without -s.
    The order in which you specify -b and -s is unimportant.
Parameter: -S attribute
Use to: Sort the results by a specified attribute.
Parameter: -z sizelimit
Use to: [not recovered]
Parameter: -u
Use to: [not recovered]
Parameter: -v
Use to: [not recovered]
Parameter: -x
Use to: Use with -S to specify that the LDAP server sorts the results
before returning them. If you use -S without -x, ldapsearch sorts the
results.
For example, this search filter finds all entries containing Smith as the
value for the sn (surname) attribute:
"sn=Smith"
You can specify any attribute stored in a directory in a search filter. The
following are common attributes used to search for entries about people:
You can specify search filters on the ldapsearch command line, or you
can specify them in a file and use the ldapsearch parameter -f to refer to
the file. If you use a file, specify each search filter on a separate line.
Note you can include language tags in a search filter if the LDAP
directory, such as the Domino Directory, supports them. For example:
"givenName;lang-fr=Etienne"
For example, use this search filter to find entries with the surname
Browning and the location Dallas.
"(&(sn=Browning)(l=Dallas))"
You can nest boolean operators. For example, use this search filter to find
entries with the surname caneel or givenname alfred in the mail domain
MDN:
"(&(maildomain=MDN)(|(sn=caneel)(givenname=alfred)))"
Operator              Example
=                     cn=John Browning
= (with * wildcard)   cn=John*
                      cn=J*Brown
>=                    cn>=D
<=
=*                    sn=*
~=
&                     (&(cn=John Browning)(l=Dallas))
|                     (|(cn=John Browning)(l=Dallas))
!                     (!(cn=John Browning)(l=Dallas))
You can use the plus sign (+) with ldapsearch to return all the
operational attributes for entries. Operational attributes are attributes
used for directory administration, and a directory server only returns
them if you request them.
For example, to return all operational attributes for entries with the
common name John Brown specify:
ldapsearch -h host "cn=John Brown" +
You can use the + syntax only with the directory servers that support the
syntax, such as the Domino LDAP service.
To return a specific operational attribute only, specify the attribute.
Command
ldapsearch -h ldap.acme.com objectClass=*
ldapsearch -A -h ldap.acme.com objectClass=*
ldapsearch -h ldap.acme.com objectClass=* mail cn sn givenname
ldapsearch -b ou=West,o=Acme,c=US -h ldap.acme.com (cn=Mike*)
ldapsearch -l 5 -h ldap.acme.com objectClass=*
ldapsearch -z 5 -h ldap.acme.com objectClass=*
Chapter 23
Setting Up Directory Assistance
This chapter describes directory assistance and how to set up and
monitor directory assistance in your organization.
Directory assistance
Directory assistance is a feature a server can use to look up information
in a directory other than a local primary Domino Directory
(NAMES.NSF). You can configure directory assistance to use a particular
directory for any of these services:
Client authentication
Each server process that provides directory services and detects a local
directory assistance database configuration loads directory information
configured in the directory assistance database into an internal memory
table. During server startup and thereafter at five-minute intervals each
server process checks for changes to the directory assistance database
configuration and if found, each process reloads its internal memory
table to reflect the changes.
To look up names in a Domino Directory or an Extended Directory
Catalog, a server uses NAMELookup calls. To look up names in a remote
LDAP directory, a server uses a gateway feature that translates
NAMELookup calls to LDAP operations, and then translates LDAP
operations back to NAMELookup calls, so a Domino server doesn't have
to run the LDAP service to use a remote LDAP directory for directory
services.
Client authentication
On the Basics tab, next to Make this domain available to, select
Notes clients and Internet Authentication/Authorization.
On the Naming Contexts (Rules) tab, enable at least one rule that
corresponds to the distinguished names of the users in the directory
to be authenticated, and next to Trusted for Credentials, select Yes.
[Figure: Web Client, directory assistance database, and LDAP directory (ldap.acme.com)]
the user configures the name alice browning on the client. During
authentication, the server searches for an entry that contains the name
alice browning. When it finds the entry, it can only authenticate the client
if cn=alice browning,o=acme matches a trusted naming rule for the
directory.
A user's distinguished name is also used as the basis for access control in
Domino, so you should use users' distinguished names in database
ACLs, in groups used in database ACLs, in access lists in Server
documents, and in Web server File Protection documents.
For more information on name-and-password security, see the chapter
Setting Up Name-and-Password and Anonymous Access to Domino
Servers.
Encountering duplicate names during client authentication
If a server finds more than one directory entry containing the name
presented by the client that corresponds to a valid distinguished name
for authentication, within one directory or across directories, the server
authenticates the client using the entry with the valid password or X.509
certificate. If more than one such entry has a valid password or X.509
certificate and the same distinguished name, the server authenticates the
user using the first password or X.509 certificate it finds.
Consistent client names and passwords across protocols
If Domino servers authenticate a client over more than one Internet
protocol, for ease of directory administration, create one directory entry
for the client with one name and password that applies to all the
protocols. Then set up the client to use the same name and password for
all protocols.
For example, if a client connects to Domino over HTTP for Web browsing
and over LDAP for directory services, create one directory entry for the
client with a name and password, and set up the client to use the name
and password for both types of connections.
On the Basics tab, next to Make this domain available to, select
Notes clients and Internet Authentication/Authorization.
[Figure: Web Client used by Allen Kenny/AcmeWeb, Web Server, Directory Server, directory assistance database, and Secondary Domino Directory]
Use the Select Addresses dialog to browse and select names from
the directory, if the Mail file location field in the active Location
document is set to On server.
LDAP directory to select the format of the mail address for Notes clients
to use:
If you select Notes Mail Address, user entries in the remote LDAP
directory must have values for the mailDomain attribute. Typically the
Notes Mail Address option is used only in some cases if the remote
LDAP directory is a Domino Directory.
Note that when returning a referral, the Domino server running the
LDAP service never connects to the remote LDAP directory server.
Some LDAP clients can accept more than one referral so that if the host
name specified in one referral is unavailable, the client can attempt to use
another. By default, for a given search, the LDAP service can refer an
LDAP client to only one remote LDAP directory host name. If there are
LDAP clients that use the LDAP service that can accept more than one
referral, you can use the LDAP service configuration setting Maximum
number of referrals to increase the number of referrals that the LDAP
service can return.
For information on how naming rules affect which host names the LDAP
service refers to clients, see the topic Naming rules and the LDAP
service later in the chapter.
Domain names
Directory failover
Each directory assistance naming rule includes six parts, with each part
containing one of the following:
For more information on how naming rules affect the LDAP service, see
the topic Naming rules and the LDAP service later in the chapter.
To find a flat name, a name without distinguishing parts, or to process an
LDAP search request that doesn't specify a search base, a server ignores
naming rules and searches directories according to the search orders
specified for the directories in the Directory Assistance documents.
Note Some LDAP directories do not use the country (c), organization
(o), and organizational unit (ou) naming model. If you set up directory
assistance for an LDAP directory such as this, use an all-asterisk naming
rule for the directory.
The examples in the following table use these names:
Marilyn Jenkins/Omega
Alan Jones/Sales/East/Acme/US
Randi Bowker/Marketing/East/Acme/US
Cheryl Lordan/IS/West/Acme/US
Derek Malone/Accounting/West/Acme/US
Deborah Jones/West/Acme/US
Karen Lessing/West/Acme/DE

Rule: */*/*/*/*/*
Includes: all of the names above
Excludes: No names

Rule: / / */ */Acme/*
Includes: Alan Jones/Sales/East/Acme/US; Randi Bowker/Marketing/East/Acme/US;
Cheryl Lordan/IS/West/Acme/US; Derek Malone/Accounting/West/Acme/US;
Deborah Jones/West/Acme/US; Karen Lessing/West/Acme/DE
Excludes: Marilyn Jenkins/Omega

Rule: / / */West/Acme/*
Includes: Cheryl Lordan/IS/West/Acme/US; Derek Malone/Accounting/West/Acme/US;
Deborah Jones/West/Acme/US; Karen Lessing/West/Acme/DE
Excludes: Marilyn Jenkins/Omega; Alan Jones/Sales/East/Acme/US;
Randi Bowker/Marketing/East/Acme/US

Rule: / / /West/Acme/*
Includes: Deborah Jones/West/Acme/US; Karen Lessing/West/Acme/DE
Excludes: Marilyn Jenkins/Omega; Alan Jones/Sales/East/Acme/US;
Randi Bowker/Marketing/East/Acme/US; Cheryl Lordan/IS/West/Acme/US;
Derek Malone/Accounting/West/Acme/US

Rule: / / */West/Acme/DE
Includes: Karen Lessing/West/Acme/DE
Excludes: Marilyn Jenkins/Omega; Alan Jones/Sales/East/Acme/US;
Randi Bowker/Marketing/East/Acme/US; Cheryl Lordan/IS/West/Acme/US;
Derek Malone/Accounting/West/Acme/US; Deborah Jones/West/Acme/US

Rule: / /IS/West/Acme/*
Includes: Cheryl Lordan/IS/West/Acme/US
Excludes: Marilyn Jenkins/Omega; Alan Jones/Sales/East/Acme/US;
Randi Bowker/Marketing/East/Acme/US; Derek Malone/Accounting/West/Acme/US;
Deborah Jones/West/Acme/US; Karen Lessing/West/Acme/DE
Note You can't define a search base for the primary Domino Directory.
a naming rule that matches the search base. If there is more than one
such directory, the LDAP service refers the client to the one with the
lowest search order.
If the client doesn't specify a search base, the LDAP service refers the
client to an LDAP directory that is enabled for LDAP clients, and if there
is more than one, it refers the client to the one assigned the lowest search
order.
If there is more than one host name specified in the Directory Assistance
document for the LDAP directory that the LDAP service picks for a
referral, the LDAP service refers the client to the first host name listed.
If you increase the number of referrals the LDAP service can return to a
client, the LDAP service follows the logic described above to pick the
first directory referral. If there is more than one host name specified in
the Directory Assistance document for this directory, the LDAP service
uses the additional host name(s) as the additional referral(s), up to the
maximum number of referrals the LDAP service configuration allows. If
there is no additional host name specified for the first directory picked
for referrals, then the LDAP service can refer the client to an LDAP directory
with a different Directory Assistance document.
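The naming-rule table earlier in this chapter and the referral selection just described are both mechanical enough to be checked in code. The Python below is an added illustration, not Domino's implementation: it matches six-part naming rules against Notes hierarchical names and LDAP search bases, then applies the referral logic above (LDAP-client-enabled directories only, rule must match the search base, lowest search order first, extra host names of the first directory before the next directory). Case-insensitive comparison of rule parts, the treatment of a trailing two-letter component as a country code, and the DirectoryAssistanceDoc field names are this example's assumptions. Reviewing which names a Trusted for Credentials rule actually admits is the practical use: an all-asterisk rule that is trusted lets every user in that directory authenticate.

```python
"""Naming-rule matching and referral selection (added example, not Domino code).
A rule has six parts: OrgUnit4/OrgUnit3/OrgUnit2/OrgUnit1/Organization/Country.
"*" matches any value (including none), an empty part matches only a missing
level, and any other text must equal the name's value at that level."""
from __future__ import annotations
from dataclasses import dataclass, field

RULE_PARTS = 6

# Constructed from the names used in the naming-rule table of this chapter.
NAMES = [
    "Marilyn Jenkins/Omega",
    "Alan Jones/Sales/East/Acme/US",
    "Randi Bowker/Marketing/East/Acme/US",
    "Cheryl Lordan/IS/West/Acme/US",
    "Derek Malone/Accounting/West/Acme/US",
    "Deborah Jones/West/Acme/US",
    "Karen Lessing/West/Acme/DE",
]


def name_parts(name: str) -> tuple:
    """Map a Notes name (CN/OU.../O/C) or an LDAP DN (ou=...,o=...,c=...) onto
    the six rule positions. The common name is not part of a rule."""
    if "=" in name:                          # LDAP DN, e.g. ou=West,o=Acme,c=US
        ous, attrs = [], {}
        for rdn in name.split(","):
            typ, _, val = rdn.strip().partition("=")
            typ, val = typ.strip().lower(), val.strip()
            if typ == "ou":
                ous.append(val)
            elif typ in ("o", "c"):
                attrs[typ] = val
        org, country = attrs.get("o", ""), attrs.get("c", "")
    else:                                    # Notes name, e.g. Alan Jones/Sales/East/Acme/US
        comps = name.split("/")[1:]          # drop the common name
        country = ""
        # assumption: a trailing two-letter component is a country code
        if len(comps) >= 2 and len(comps[-1]) == 2 and comps[-1].isalpha():
            country = comps.pop()
        org = comps.pop() if comps else ""
        ous = comps
    ous = ous[-4:]                           # OU1 is the unit directly under O
    return tuple([""] * (4 - len(ous)) + ous + [org, country])


def rule_matches(rule: str, name: str) -> bool:
    parts = [p.strip() for p in rule.split("/")]
    if len(parts) != RULE_PARTS:
        raise ValueError(f"a naming rule must have six parts: {rule!r}")
    return all(r == "*" or r.lower() == n.lower()
               for r, n in zip(parts, name_parts(name)))


@dataclass
class DirectoryAssistanceDoc:
    domain: str
    hostnames: list               # Hostname field; the first entry is preferred
    search_order: int             # lower numbers are picked first
    ldap_clients: bool            # "Make this domain available to: LDAP clients"
    rules: list = field(default_factory=list)   # enabled naming rules


def pick_referrals(docs, search_base, max_referrals=1):
    """Host names the LDAP service would return as referrals for SEARCH_BASE."""
    candidates = [d for d in docs if d.ldap_clients]
    if search_base:
        candidates = [d for d in candidates
                      if any(rule_matches(r, search_base) for r in d.rules)]
    candidates.sort(key=lambda d: d.search_order)
    referrals = []
    for doc in candidates:               # first directory's extra host names come
        for host in doc.hostnames:       # before the next directory's host names
            if len(referrals) == max_referrals:
                return referrals
            referrals.append(host)
    return referrals


# Constructed sample configuration (hypothetical hosts and domains).
EXAMPLE_DOCS = [
    DirectoryAssistanceDoc("AcmeAll", ["ldap3.acme.com"], 1, True, ["/ / */ */Acme/*"]),
    DirectoryAssistanceDoc("West", ["ldap1.acme.com", "ldap2.acme.com"], 2, True,
                           ["/ / */West/Acme/*"]),
    DirectoryAssistanceDoc("Omega", ["ldap.omega.example"], 3, False, ["*/*/*/*/*/*"]),
]

if __name__ == "__main__":
    for rule in ("/ / */West/Acme/*", "/ /IS/West/Acme/*"):
        print(rule, "->", [n for n in NAMES if rule_matches(rule, n)])
    print(pick_referrals(EXAMPLE_DOCS, "ou=West,o=Acme,c=US", max_referrals=3))
```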
Naming rules as LDAP naming contexts
Some LDAP client applications, for example the IBM WebSphere
Application Server, can discover naming contexts configured for an
LDAP directory server by searching the directory server's root directory
server entry (DSE). When an LDAP user doesn't specify a search base,
these applications can use the naming contexts configured on the server
to construct one to apply to the LDAP client searches.
The LDAP service uses naming rules configured in the directory
assistance database to define naming contexts in its root DSE.
Make sure servers that use the directory assistance database have
fast network access to the directory replicas you specify. Fast
network access to replicas is particularly important if servers use a
directory to look up groups for database authorization.
If a directory is used for Notes mail addressing, make sure the Notes
users that use the feature have at least Reader access in the directory
ACL, so they can browse the directory. If Extended Access is enabled
for a directory, then the users must also have at least Reader access
to use typeahead or F9 address resolution.
The server that stores the replica is unavailable, for example, the
server is down or there is a network connectivity problem.
On the Naming Contexts (Rules) tab enable at least one rule that
corresponds to the names to be authenticated, and select Trusted for
Credentials for the rule.
Note You are not required to store user passwords, and you shouldn't
store X.509 certificates, in a condensed Directory Catalog. Instead you
can set up directory assistance for the secondary Domino Directories that
are aggregated to enable servers to find the passwords/X.509 certificates.
Next to Domain Name enter the domain of the servers with the
Configuration Directories.
You can set up directory assistance for the primary Domino Directory to
prevent a server that runs the LDAP service from using the primary
Domino Directory when processing LDAP requests. For example, you
might want the LDAP service to use a secondary Domino Directory, but
not the primary Domino Directory.
The primary Domino Directory from which you exclude LDAP searches
can be local, or can be remote if the server running the LDAP service has
a Configuration Directory.
If all the servers that use the directory assistance database are within
one domain and use a local primary Domino Directory, you have to
specify only one replica. Directory assistance requires the replica
specification to load properly, but the servers always do lookups in
their local primary Domino Directory replicas, regardless of the
replica you specify. An easy method is to specify an asterisk (*) in the
Server Name field, and a file name in the Domino Directory File Name
field, for example, NAMES.NSF.
10. Use the command tell adminp process interval to force processing
of the Set Directory Assistance Field request, or wait until the
Administration Process processes the request when it next processes
interval requests.
For more information, see the appendix Server Commands.
11. Replicate the modified Domino Directory to the servers that will use
the directory assistance database.
9. When you see the dialog box stating Request has been submitted,
click OK again.
12. Restart the servers so they detect the directory assistance database
file names in their Server documents.
13. Continue to one or both of these procedures:
Creating a Directory Assistance document for a Domino directory
Creating a Directory Assistance document for a remote LDAP
directory
Entering the directory assistance database file name to a Server
document manually
1. Make sure that you:
Created and replicated the directory assistance database
Have either Author access and the ServerModifier role, or Editor
access in the ACL of the Domino Directory to which you will add
the file names.
2. From the Domino Administrator, click the Configuration tab.
3. Next to Use Directory on, select the server whose Domino
Directory you want to modify.
4. In the left pane, choose Server - All Server Document.
5. Select a specific Server document, and then click Edit Server.
6. In the Directory Assistance database name field in the Directory
Info section on the Basics tab, enter the file name that you gave to
the replica of the directory assistance database on this server, for
example, DA.NSF. If the directory assistance database is in a
subdirectory under the data directory, include the path relative to
the data directory, for example, DIRECTORIES\DA.NSF.
7. Click Save & Close.
8. If the Domino Directory you changed is not the replica of the server
whose directory assistance database file name you specified,
replicate the updated Domino Directory to the server.
9. Restart the server so it detects the directory assistance database file
name now in its Server document.
10. Continue to one or both of these procedures:
Creating a Directory Assistance document for a Domino directory
Creating a Directory Assistance document for a remote LDAP
directory
Field                          Enter
Search order
Company name
Make this domain available to
Group Authorization            Choose one:
                               Yes to search the members of groups in the directory
                               when authorizing database access. You must also select
                               Make this domain available to: Notes Clients and
                               Internet Authentication/Authorization.
                               No (default) to prevent searching the members of groups
                               in the directory when authorizing database access.
                               You do not have to enable a rule that is Trusted for
                               Credentials.
                               Enable this option in only one Directory Assistance
                               document, Notes or LDAP, in the directory assistance
                               database.
                               If the domain specified in the Domain name field is the
                               same Domino domain (the primary domain) of the servers
                               that use directory assistance, the servers use the directory
                               to look up groups for database authorization automatically,
                               even if you choose No for this option.
                               For more information, see the topic Directory assistance
                               and group lookups for database authorization.
Enabled
8. Click the Naming Contexts (Rules) tab, and for each rule you want to
define, complete the following fields. By default, an all-asterisk rule
is enabled with Trusted for Credentials set to No.
Field        Enter
N.C. #
Enabled      Choose one:
             Yes to enable a rule
             No to disable a rule
9. Click the Replicas tab. Use either the Database links field or the
Replica# fields to specify replicas of the directory for servers to
use. If you make any entry in a Replica# field, then directory
assistance ignores all entries in the Database links field.
To set up directory assistance to use cluster failover to locate an
available replica of the directory, specify only one replica of the
directory within the cluster.
For more information on failover, see the topic Directory assistance
and failover for a Domino Directory or Extended Directory Catalog.
Field                 Enter
Directory Filename    ACMEWEST.NSF
If you do not enter an asterisk, you must make these four Server
Name/Directory Filename entries:
Server Name    Directory Filename
Server A       ACMEWEST.NSF
Server B       ACMEWEST.NSF
Server C       ACMEWEST.NSF
Server D       ACMEWEST.NSF
If some servers use directory assistance but don't have local replicas of
the directory, add at least one explicit Server Name/Directory Filename
entry in the Directory Assistance document for these servers to use. If
you use the directory assistance failover method, specify at least one
explicit Server Name/Directory Filename entry for servers with local
replicas to use as an alternate in the event the replica is unavailable.
Note Do not use * in the Server Name field in a Directory Assistance
database that Lotus Domino Release 4 servers use. Instead, create a
separate Directory Assistance database that uses explicit server names
for Release 4 servers to use.
Field                          Enter
Domain type                    Choose LDAP.
Domain name                    A domain name of your choice that is different from the
                               domain name specified for any other Directory Assistance
                               document - Notes or LDAP - in the directory assistance
                               database. For more information, see the topic Directory
                               assistance and domain names.
Company name
Search order
Make this domain available to
Group Authorization            Choose one:
                               Yes to search the members of groups in this LDAP
                               directory when authorizing database access.
                               No (default) to prevent searching the members of groups
                               in the directory when authorizing database access.
                               Choose Yes for only one directory, Notes or LDAP,
                               configured in the directory assistance database.
                               You do not have to enable a rule that is Trusted for
                               Credentials.
                               If you select Yes, in the Nested group expansion field
                               that appears choose one:
                               Yes (default) to search nested groups, that is, groups
                               that are members of groups listed in database ACLs.
                               No to search only the members of groups listed in
                               database ACLs, and not the members of groups nested
                               within those groups.
                               For more information on group authorization, see the topic
                               Directory assistance and group lookups for database
                               authorization.
Enabled
8. On the Naming Contexts (Rules) tab, for each rule you want to define
for the directory, complete the following fields. By default, an
all-asterisk rule is enabled with Trusted for Credentials set to No.
Field                     Enter
N.C. #
Enabled                   Choose one:
                          Yes to enable a rule
                          No (default) to disable a rule
Trusted for Credentials   Choose one:
                          Yes to allow servers to use credentials in the LDAP
                          directory to authenticate Internet clients whose
                          distinguished names in the directory correspond to the
                          rule.
                          No (default) to prevent servers from using this directory
                          to authenticate Internet clients whose distinguished
                          names in the directory correspond to the rule.
                          For more information, see the topic Trusted naming
                          rules.
Field       Enter
Hostname    The host name for the remote LDAP directory server, for
            example, ldap.acme.com. A Domino server uses this host
            name to connect to the remote LDAP directory server, or
            to refer LDAP clients to the LDAP directory.
            Enter an additional host name or host names so that a
            Domino server can use an alternate LDAP directory server
            if the directory server represented by the first host name
            specified is unavailable. Separate host names with
            commas.
            If you specify more than one directory server and each
            listens on a different port, specify the ports after the host
            names. For example:
            ldap1.acme.com:390, ldap2.acme.com:391
Field                                Enter
Channel encryption                   Choose one:
                                     SSL (the default) to use SSL when a Domino server
                                     connects to the remote LDAP directory server
                                     None to prevent SSL from being used.
                                     Keep SSL selected in the Channel encryption field if you
                                     use the remote LDAP directory for client authentication or
                                     to look up the members of groups for database
                                     authorization.
                                     If you choose SSL, make selections in these associated
                                     fields:
                                     Accept expired SSL certificates
                                     SSL protocol version
                                     Verify server name with remote server's certificate
                                     For more information, see the next topic Configuring SSL
                                     in a Directory Assistance document for a remote LDAP
                                     directory.
Port
Maximum number of entries returned
Timeout
Field                                Enter
Dereference alias on search          Choose one to control the extent to which alias
                                     dereferencing occurs during searches of the remote LDAP
                                     directory:
                                     Never
                                     Only for subordinate entries
                                     Only for search base entries
                                     Always (default)
                                     If aliases aren't used in the LDAP directory, selecting
                                     Never can improve search performance.
                                     For more information, see the topic Configuring alias
                                     dereferencing in a Directory Assistance document for a
                                     remote LDAP directory.
Preferred mail format                To specify the format of addresses from the directory to be
                                     used in Notes mail, choose one:
                                     Notes Mail Address
                                     Internet Mail Address (default)
                                     For more information, see the earlier topic Notes mail
                                     addressing using a remote LDAP directory.
Attribute to be used as Notes
Distinguished Name
Type of search filter to use         Choose one to control which LDAP search filters are used
                                     to search the directory:
                                     Standard LDAP (default)
                                     Active Directory
                                     Custom
                                     Standard LDAP works in most situations.
                                     For more information, see the topic Configuring search
                                     filters in a Directory Assistance document for a remote
                                     LDAP directory.

SSL protocol version options:
V2.0 only
V3.0 handshake
V3.0 only
Negotiated

Verify server name with remote server's certificate options:
Disabled
Choose Enabled to require that the subject line of the remote server's
certificate include the LDAP directory server host name. For this option
to work properly, the subject line in the remote server's certificate must
include its DNS host name. Keep the option enabled if you are sure that
the X.509 certificate of the remote LDAP directory server contains the
remote server's host name in the appropriate format.
The Domino CA and some other CAs provide a dialog box into which
users enter the subject line when requesting a certificate. For example,
the Domino CA prompts each user to enter the remote server's
information, such as the common name, organizational unit name,
organization name, state (or province), and country name. The Domino
CA places this information in the subject line and adds the appropriate
prefix (cn=, ou=, o=, and so on) to each field. If you used a Domino CA to
create the remote server's certificate, enter the remote server's host name
in the common name field when using the Verify server name with
remote server's certificate option. For example, the Domino CA allows
users to enter the following valid subject lines (mailserver.acme.com is
the server's DNS host name):
cn=mailserver.acme.com, ou=sales, ou=marketing, o=acme, st=mass,
c=us
cn=mailserver, ou=sales - mailserver.acme.com o=acme, st=mass,
c=us
To ensure that users enter the DNS host name properly, recommend that
they enter it as the common name (cn=) when they request a certificate
from the Domino CA. Other CAs may have different dialog boxes for
entering the subject line; users must follow these dialog boxes to enter
the remote server's DNS host name.
Specifying a name and password for Domino servers in a Directory
Assistance document for a remote LDAP directory
In the Optional Authentication Credential section on the LDAP tab of a
Directory Assistance document for a remote LDAP directory you can
enter a distinguished user name and a password. If a Domino server
connects to the remote LDAP directory server, it presents the name and
password so the remote LDAP directory server can authenticate the
Domino server.
Active Directory
Custom
Note The Active Directory search filter option replaces the Release 5
NOTES.INI setting WebAuth_AD_Group, which allowed for searches of
Active Directory groups.
Defining custom search filters
You might need to define custom search filters if searches are not
returning results or are returning results for the wrong entries. This
situation can occur if the remote LDAP directory server uses a
non-standard schema.
Selecting Custom in the Type of search filter to use field displays the
following three fields used to define the custom search filters:
Custom search filter field    Description
Mail Filter
Authentication Filter
Authorization Filter
To define custom search filters, you should be familiar with valid search
filter syntax described in RFCs 2251 and 2254.
Syntax for custom LDAP search filters
To define a custom search filter, insert parameters into standard LDAP
search filters to represent a part of the names being searched for.
Name part      Example of the name part            Parameter to insert to represent the name part
First name                                         %a
Last name      Davidson in Alex M Davidson         %z
Whole name     Alex M Davidson                     %*
Local part     amd in amd@acme.com                 %l
Domain part                                        %d

Name searched for    Custom search filter    Resulting search filter
amd                  (EmpID=%*)              (EmpID=amd)
amd                  (EmpID=%z)              (EmpID=)
amd                  (mail=%*@acme.com)      (mail=amd@acme.com)
amd                  (mail=%*@*)             (mail=amd@*)
amd@acme.com         (mail=*@%d)             (mail=*@acme.com)
amd@acme.com         (mail=%*)               (mail=amd@acme.com)
amd@acme.com         (uid=%l)                (uid=amd)
blue                 (color=%*)              (color=blue)
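The substitution in the table above can be reproduced in a few lines, which is useful for checking a custom filter against sample names before putting it in a Directory Assistance document. The Python below is an added example, not Domino's own code: it replaces %a, %z, %*, %l and %d with the corresponding part of the searched-for name and escapes the substituted value so that a name containing "*", "(" or ")" cannot change the structure of the filter. How the name is split into first/last name and local/domain part follows the table's examples (a single-word name such as amd yields an empty last name); the exact tokenising Domino applies is not stated on the page and is an assumption here, as is the escaping.

```python
"""Expanding a Domino custom search filter (added example, not Domino code)."""
from __future__ import annotations
import re

PARAM = re.compile(r"%[az*ld]")   # the five parameters from the table


def escape_filter_value(value: str) -> str:
    """RFC 2254 escaping of "*", "(", ")", "\\" and NUL inside a filter value."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def name_tokens(name: str) -> dict:
    """Split NAME the way the table's examples imply (assumption)."""
    words = name.split()
    local, _, domain = name.partition("@")
    return {
        "%a": words[0] if words else "",                 # first name
        "%z": words[-1] if len(words) > 1 else "",       # last name; "amd" has none
        "%*": name,                                      # whole name
        "%l": local,                                     # local part of an address
        "%d": domain,                                    # domain part of an address
    }


def expand_custom_filter(template: str, name: str) -> str:
    """Insert the parts of NAME into TEMPLATE; literal '*' in the template
    stays a wildcard, while the substituted values are escaped."""
    tokens = name_tokens(name)
    return PARAM.sub(lambda m: escape_filter_value(tokens[m.group(0)]), template)


if __name__ == "__main__":
    for template, name in (("(mail=%*@*)", "amd"), ("(uid=%l)", "amd@acme.com"),
                           ("(uid=%l)", "amd)(objectClass=*")):
        print(template, name, "->", expand_custom_filter(template, name))
```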
The following table describes which of these entries are returned for a
subtree search of o=Acme2 (o=Acme2 and subordinate entries) for each
Dereference alias on search option.
Option                          Entries returned
Never                           o=Acme2
                                cn=John Doe, o=Acme2
Only for subordinate entries    o=Acme2
                                cn=John Doe, o=Acme1
Only for search base entries    o=Acme1
                                cn=John Doe, o=Acme2
Always                          o=Acme1
                                cn=John Doe, o=Acme1
Once you have set up this feature, clients can authenticate using either
their Notes distinguished names or their original LDAP distinguished
names. Database ACLs, Server document access control fields, access
control groups, and Web server File Protection documents can use only
the Notes distinguished names.
cn=Jack Johnson/ou=Boston/o=Acme
cn=Jack Johnson,ou=Boston,o=Acme
Jack Johnson/Boston/Acme
uid=675894,ou=boston,o=airius
675894
Field                           Contents          Comments
Basics tab
Domain type                     Notes
Domain name                     Domain B
Search order                    None
Make this domain available to   Selected for:     Enables Domain A servers to use the Domain B
                                                  directory for all directory assistance services.
Group Authorization             Yes
Enabled                         Yes
N.C.1:                                            Enables Domain A servers to search all names in
                                                  the directory. Trusted for Credentials selected to
                                                  allow servers to authenticate all Internet users
                                                  registered in the directory.
Replicas tab
Replica1:
Replica2:
The following table shows the settings for the Directory Assistance
document for the Extended Directory Catalog that is in each domain's
directory assistance database.

Field                           Contents                         Comments
Basics tab
Domain type                     Notes
Domain name                     EDC
Company name                    Company Y
Search order                    None
Make this domain available to   LDAP Clients
Group Authorization             Yes
Enabled                         Yes
N.C.1:                          */ */ */ */ */ *
                                Enabled - Yes
                                Trusted for Credentials - Yes
Replicas tab
Replica1:                       Server Name: Server1/DomainA     Server1/DomainA is a member of a cluster. Only
                                Directory Filename: EDC.NSF      one replica of the Extended Directory Catalog in
                                                                 the cluster is specified so that cluster failover
                                                                 is used to find an available replica.

Field                           Contents                         Comments
Basics tab
Domain type                     Notes
Domain name                     EDC
Company name                    Company Z
Search order
Make this domain available to   LDAP Clients
Enabled                         Yes
N.C.1:                          */ */ */ */ */ *
                                Enabled - Yes
                                Trusted for Credentials - No
Replicas tab
Replica1:                       Server Name: Server1/DomainA     Server1/DomainA is a member of a cluster. Only
                                Directory Filename: EDC.NSF      one replica of the Extended Directory Catalog in
                                                                 the cluster is specified so that cluster failover
                                                                 is used to find an available replica.
Field                               Contents                                  Comments
Basics tab
Domain type                         LDAP
Domain name                         ActiveDir
Company name                        Company Z
Search order
Group Authorization                 No
Enabled                             Yes
N.C.1:                              */ */ */ */ */ *
                                    Enabled - Yes
                                    Trusted for Credentials - Yes
LDAP tab
Hostname                            ldap1.companyz.com, ldap2.companyz.com
Optional Authentication Credential
Base DN for search                  cn=recipients, dc=east, dc=acme, dc=com
Channel encryption                  Yes
Port                                636
Accept expired SSL certificates     Yes
SSL protocol version                Negotiated
Verify server name with remote      Yes
server's certificate
Timeout                             60
Maximum number of entries returned  100
Dereference alias on search         Never
Preferred mail format
Attribute to be used as Notes       notesname                                 Company Z uses Notes-style distinguished names,
Distinguished Name                                                            rather than the original LDAP names of the users
                                                                              in the Active Directory, for client authentication
                                                                              and in Notes database ACLs. The specified
                                                                              attribute, notesname, is defined in Active
                                                                              Directory as the attribute to store the Notes
                                                                              name. Company Z uses its own tool to add
                                                                              Notes-style distinguished names as values for
                                                                              the notesname attribute in user entries.
Type of search filter to use        Active Directory
Use the Show Xdir command to display information about all the
directories a server uses for directory services.
Description
Database.DAReloadCount
Chapter 24
Setting Up Directory Catalogs
This chapter describes how to set up and manage directory catalogs.
Directory catalogs
A directory catalog is an optional directory database that typically
contains information aggregated from multiple Domino Directories.
Clients and servers can use a directory catalog to look up mail addresses
and other information about the people, groups, mail-in databases, and
resources throughout an organization, regardless of the number of
Domino domains and Domino Directories the organization uses. A
directory catalog includes the type of information that is important for
directory services, and excludes other types of information that are part
of a Domino Directory, for example Domino configuration information,
such as information in Connection documents.
You use a directory catalog in conjunction with, rather than instead of,
the primary Domino Directory and the Personal Address Book. A server
searches its primary Domino Directory, and a Notes client searches its
Personal Address Book, before searching a directory catalog.
There are two types of directory catalogs: condensed Directory Catalogs
and Extended Directory Catalogs. Condensed Directory Catalogs use a
unique design based on the DIRCAT5.NTF template that enables them to
be extremely small. Condensed Directory Catalogs are designed for use
on Notes clients. A condensed Directory Catalog on a Notes client is also
known as a Mobile Directory Catalog.
Servers can use a directory catalog for mail addressing, for processing
LDAP service operations, to look up client authentication credentials,
and to look up the members of groups in database ACLs when
authorizing users' database access.
Lookup methods that can search a condensed Directory Catalog (table partially recovered):
LotusScript methods*
@NameLookup function
*Can access the Users view but not the $Users view.
In addition, LDAP applications can search a condensed Directory
Catalog used by a server that runs the LDAP service.
• When they address mail, users can press F9 to verify quickly the
address of anyone in the organization.
• Users can flag mail for encryption when using clients that are
disconnected from the network. The clients look up the public key
and encrypt the mail when the users connect to the network and
send the mail.
• Users can use the detailed search feature available for Local Address
Books to search the directory catalog. For example, if a user wants to
send mail to someone by the name of Robin at the Los Angeles
location but doesn't remember Robin's last name, the user can search
for First name Robin and Location Los Angeles to retrieve the
name from the directory catalog.
• Users can use the Mail Address dialog box to open and scroll
through the names in the directory catalog.
• If there are multiple Person documents with the same name in one
directory or across directories, you can remove the duplicates from
the directory catalog. The Dircat task then aggregates the first Person
document with the name that is encountered, which avoids name
ambiguity problems, for example, the Router failing to deliver mail
because it finds more than one occurrence of a name.
You can set up servers to use an Extended Directory Catalog. You create
an Extended Directory Catalog from the PUBNAMES.NTF template, the
same template used to create the Domino Directory. An Extended
Directory Catalog combines advantages of a Domino Directory and a
condensed Directory Catalog. It aggregates entries from multiple
Domino directories into a single directory database as does the
condensed Directory Catalog, but it retains the individual documents
and the multiple, sorted views available in the Domino Directory to
facilitate quick name lookups.
Directory Catalog that a server can use to quickly find the name. A
condensed Directory Catalog has one view used for lookups, which you
choose how to sort when you configure it. To look up a name in a
condensed Directory Catalog that doesn't correspond to the selected sort
order, the server uses the full-text index to search for the name, which
takes longer than a view search.
Using an Extended Directory Catalog on servers that route mail is a
particular advantage, because a mail server can use views to quickly find
an address regardless of the address format. When a mail server uses a
condensed Directory Catalog, mail routing can back up if the Router uses
the full-text index to look up addresses, for example, some Internet
addresses, that don't correspond to the selected sort order.
When a Notes user with a condensed Directory Catalog on the client
sends mail to a group, if the client's directory catalog doesn't contain the
members of the group, there can be a delay while a server does a full-text
search of a condensed Directory Catalog to look up the members. Delays
when sending mail to groups are not an issue if mail servers use
Extended Directory Catalogs.
Ease of application access
Applications can access information in an Extended Directory Catalog as
easily as they can in a Domino Directory. Application access to a
condensed Directory Catalog however is restricted by the nature of the
aggregate documents and the number of views.
Multiple-view, enterprise directory
Users can open an Extended Directory Catalog and see an enterprise-wide
directory with multiple views that sort by entry type. In a condensed
Directory Catalog, there is only one view to display the different types of
entries.
Groups for database authorization
Servers can use groups in only one directory configured in a directory
assistance database, in addition to the primary Domino Directory, for
authorizing database access. Using an Extended Directory Catalog for
this purpose effectively allows servers to use groups in any secondary
Domino Directory aggregated in the directory catalog for database access
control.
Remote lookups
Servers use Directory Assistance to locate an Extended Directory
Catalog, so you need to replicate the Extended Directory Catalog only to
two or a few strategic servers to which the Directory Assistance database
then points. You can configure failover so that if one replica of the
directory catalog is unavailable, servers can use an alternate.
Authentication goals and the matching Extended Directory Catalog (EDC) and condensed Directory Catalog (CDC) configurations. The "Authentication goal" column and the EDC cell of the second row were not recovered.

DA = Directory Assistance

Row 1
EDC: Aggregate A, B, C, and D into one EDC. Create one DA database used by all servers. Create one DA document for the EDC with the */*/*/*/*/* naming rule enabled and trusted for credentials.
CDC: Aggregate A, B, C, and D into one CDC used by all servers. In the Server documents for each server, enable the option "Trust the server based condensed directory catalog for authentication with internet protocols."

Row 2
EDC: (not recovered)
CDC: Aggregate A, B, C, and D into one CDC used by all servers. Do not enable the option "Trust the server based condensed directory catalog for authentication with internet protocols" in the Server documents. Create one DA database used by all the servers. Create separate DA documents for A, B, C, and D. In the DA documents for A and B, enable the rule */*/*/*/*/* and trust the rule for credentials. In the DA documents for C and D, do not trust any rule for credentials.

Row 3
EDC: Aggregate A, B, C, and D into one EDC. Create one DA database used by all servers and create one DA document for the EDC. In the DA document, create the rule */*/*/west/acme/* and the rule */*/*/east/acme/* and enable trusted for credentials for both rules. Do not trust any other naming rule for credentials.
CDC: Aggregate A, B, C, and D into one CDC used by all servers. Do not enable the option "Trust the server based condensed directory catalog for authentication with internet protocols" in the Server documents. Create one DA database used by all the servers. Create separate DA documents for A, B, C, and D. In each DA document, create the rule */*/*/west/acme/* and the rule */*/*/east/acme/* and enable trusted for credentials for both rules. Do not trust any other naming rule in any of the DA documents for credentials.
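The following Python model is an added example, not Domino code, showing how the two Directory Assistance configurations in the table above decide whether a name's credentials are trusted: separate DA documents where only A and B trust the catch-all rule, and a single DA document that trusts only the */*/*/west/acme/* and */*/*/east/acme/* rules. It assumes the six rule components map left to right to OrgUnit4/OrgUnit3/OrgUnit2/OrgUnit1/Organization/Country, that * also matches an absent component, that matching is case-insensitive, and that a trailing two-letter uppercase component of an abbreviated name is the country; the directory contents and user names are constructed.

```python
"""Model of Directory Assistance naming rules that are 'trusted for credentials'.

Added example, not Domino code. Assumptions: the six rule components map
left to right to OrgUnit4/OrgUnit3/OrgUnit2/OrgUnit1/Organization/Country;
'*' matches any value including an absent component; matching is
case-insensitive; names use the abbreviated form in this chapter
('Kathy Brown/West/Acme'), with a trailing two-letter uppercase component
read as the country. DA documents and directory contents are constructed.
"""
from dataclasses import dataclass

COMPONENTS = ("OU4", "OU3", "OU2", "OU1", "O", "C")


def parse_name(name):
    """Split an abbreviated hierarchical name into CN, OU4..OU1, O and C."""
    parts = [p.strip() for p in name.split("/")]
    cn, rest = parts[0], parts[1:]
    comps = {"CN": cn, "OU4": "", "OU3": "", "OU2": "", "OU1": "", "O": "", "C": ""}
    if rest and len(rest[-1]) == 2 and rest[-1].isalpha() and rest[-1].isupper():
        comps["C"] = rest.pop()                 # e.g. 'US' (assumed convention)
    if not rest:
        raise ValueError(f"{name!r} has no organization component")
    comps["O"] = rest.pop()                     # O is the component next to C
    if len(rest) > 4:
        raise ValueError(f"{name!r} has more than four organizational units")
    for level, ou in enumerate(reversed(rest), start=1):
        comps[f"OU{level}"] = ou                # OU1 sits directly under O
    return comps


@dataclass(frozen=True)
class NamingRule:
    pattern: str            # e.g. '*/*/*/west/acme/*'
    trusted: bool = False   # "trusted for credentials" in the DA document

    def matches(self, name):
        wanted = self.pattern.split("/")
        if len(wanted) != len(COMPONENTS):
            raise ValueError(f"rule {self.pattern!r} must have six components")
        comps = parse_name(name)
        return all(w == "*" or comps[k].lower() == w.lower()
                   for k, w in zip(COMPONENTS, wanted))


@dataclass(frozen=True)
class DirectoryAssistanceDoc:
    directory: str          # the aggregated Domino Directory (A, B, C, D)
    rules: tuple            # NamingRule objects
    names: frozenset        # constructed stand-in for the Person entries it holds


def trusted_for_credentials(da_docs, name):
    """Return the directory that may authenticate `name`, or None.

    A directory is consulted for a name only if one of its rules matches.
    If the entry is found there, the credentials are trusted only when a
    matching rule is marked trusted; an untrusted rule still allows lookups.
    """
    key = name.lower()
    for doc in da_docs:
        matching = [r for r in doc.rules if r.matches(name)]
        if not matching:
            continue
        if key in {n.lower() for n in doc.names} and any(r.trusted for r in matching):
            return doc.directory
    return None


# Constructed directory contents shared by both configurations.
DIR_A = frozenset({"Kathy Brown/West/Acme"})
DIR_B = frozenset({"Jay Lee/East/Acme"})
DIR_C = frozenset({"Pat Chen/Acme"})
DIR_D = frozenset({"Sam Ortiz/Sales/West/Acme"})

# Row 2 of the table: separate DA documents; only A and B trust the catch-all rule.
TRUST_ONLY_A_AND_B = (
    DirectoryAssistanceDoc("A", (NamingRule("*/*/*/*/*/*", trusted=True),), DIR_A),
    DirectoryAssistanceDoc("B", (NamingRule("*/*/*/*/*/*", trusted=True),), DIR_B),
    DirectoryAssistanceDoc("C", (NamingRule("*/*/*/*/*/*", trusted=False),), DIR_C),
    DirectoryAssistanceDoc("D", (NamingRule("*/*/*/*/*/*", trusted=False),), DIR_D),
)

# Row 3 of the table: one DA document; only West/Acme and East/Acme names are trusted.
TRUST_WEST_AND_EAST = (
    DirectoryAssistanceDoc("EDC", (NamingRule("*/*/*/west/acme/*", trusted=True),
                                   NamingRule("*/*/*/east/acme/*", trusted=True)),
                           DIR_A | DIR_B | DIR_C | DIR_D),
)
```

Under the first configuration Pat Chen/Acme, who exists only in C, is never trusted even though the name matches C's rule, because C's rule is not trusted; under the second, the same name fails because OrgUnit1 is empty rather than west or east. Scoping trusted rules to organizational units in this way limits which aggregated entries can be used to authenticate.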
Have enough disk space to store local replicas of the source Domino
Directories that are aggregated, if you choose to store the directories
locally on the server, rather than have the server access them over
the network.
Typically it's best to run the Dircat task to build and maintain a directory
catalog on a server in one domain, and then replicate the directory
catalog to servers throughout an organization that need to use the
directory catalog. Using this approach, rather than having each domain
build and maintain its own version of the directory catalog, is beneficial
because only one server then does the CPU-intensive Dircat processing of
As the following table shows, you can store a source Domino Directory
locally on a Dircat server, or on a remote server that the Dircat server
accesses over the network. It's best to store the source directory replicas
locally for high availability and quick access. If you store replicas of the

Source directory location   Enter
Locally                     (not recovered)
Locally in a linked directory   (not recovered)
Document type                                          Aggregated by default?
Person                                                 Yes
Group                                                  (not recovered)
Mail-in Database                                       Yes
Resource*                                              Yes
Server (Extended Directory Catalog only)               No
Custom documents you've added to a Domino Directory    No
(The column "Option(s) in configuration document that affect aggregation of the document" was not recovered.)
If there are occurrences of more than one Person document with the
same distinguished name, and the multiple documents really represent
one user, keep Remove duplicate users selected so that:
The Remove duplicate users field does not apply to Group documents.
To distinguish between different groups with the same name in multiple
directories, the Dircat task uses the Domain defined by this Domino
Directory field in the Directory Profile of the source Domino Directories
to append the domain to all group names.
Removing duplicate user entries from an Extended Directory
Catalog to improve Dircat performance
You can reduce the time it takes the Dircat task to run on an Extended
Directory Catalog by selecting No to retain all entries with duplicate
names. Doing so keeps the Dircat task from building a particular view
required for the removal of entries with duplicate names. Retaining
entries with duplicate names does not result in a similar performance
gain for a condensed Directory Catalog.
Deleting Person documents from the source Domino Directories
when Remove duplicate users is selected
If you choose the Remove duplicate users option, and later remove from a
source Domino Directory the Person document that was the one
aggregated into the directory catalog, the Dircat task removes the
corresponding user entry from the directory catalog the next time it runs,
so the name is no longer found in the directory catalog.
To cause the Dircat task to add the user entry back into the directory
catalog, make a minor change to a remaining Person document in one of
the source Domino Directories for the user. The next time Dircat runs, it
then aggregates information from the remaining Person document into
the directory catalog. You can also correct the problem by clicking the
Clear History button in the directory catalog configuration document,
although this approach isn't recommended because it causes a rebuild of
the entire directory catalog.
For example, suppose Source Directory A and Source Directory B both
contain a Person document with the name Phyllis Spera/Acme, Remove
duplicate users is enabled, and Directory A is listed first in the
Directories to include field. When the Dircat task runs, it includes only
the entry from Directory A. If someone then removes the Person
document from Directory A, the name Phyllis Spera/Acme is removed
from the directory catalog the next time Dircat runs. To add the name
back, make a small change to the remaining Person document in
Directory B, so the Dircat task adds the name back to the directory
catalog the next time it runs.
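The following Python simulation is an added example, not the Dircat task itself. It replays the Phyllis Spera/Acme scenario above and the domain-qualified group naming described under Remove duplicate users. It assumes Dircat examines only documents changed or deleted since its last run, which is what leaves the deleted entry missing until the remaining Person document is touched or Clear History forces a full rebuild; the directory contents, domain names, document ids and the exact form of the domain-qualified group name are constructed.

```python
"""Simulation of how the Dircat task handles duplicate user names.

Added example, not the Dircat task. Models the behaviour described in the
text: source directories are processed in the order of 'Directories to
include'; 'Remove duplicate users' keeps only the first Person document
with a given name; updates are incremental (only documents changed or
deleted since the last run are examined); 'Clear History' rebuilds from
scratch; group names get the source directory's domain appended. All
directory contents are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class SourceDirectory:
    """Constructed stand-in for one source Domino Directory."""
    name: str                                      # 'A', 'B', ...
    domain: str                                    # "Domain defined by this Domino Directory"
    persons: dict = field(default_factory=dict)    # doc id -> distinguished name
    groups: dict = field(default_factory=dict)     # doc id -> group name
    changed: set = field(default_factory=set)      # doc ids modified since the last run
    deleted: set = field(default_factory=set)      # doc ids removed since the last run

    def add_person(self, doc_id, name):
        self.persons[doc_id] = name
        self.changed.add(doc_id)

    def add_group(self, doc_id, name):
        self.groups[doc_id] = name
        self.changed.add(doc_id)

    def touch(self, doc_id):
        """Any minor edit to a document marks it changed for the next run."""
        self.changed.add(doc_id)

    def delete(self, doc_id):
        self.persons.pop(doc_id, None)
        self.groups.pop(doc_id, None)
        self.deleted.add(doc_id)


class DircatSimulator:
    def __init__(self, directories, remove_duplicate_users=True):
        self.directories = directories              # order of "Directories to include"
        self.remove_duplicate_users = remove_duplicate_users
        self.catalog = {}                           # entry key -> (directory name, doc id)

    def clear_history(self):
        """'Clear History': discard the catalog and re-examine every document."""
        self.catalog.clear()
        for d in self.directories:
            d.changed = set(d.persons) | set(d.groups)
            d.deleted.clear()

    def run(self):
        """One Dircat run: apply deletions first, then incremental changes."""
        for d in self.directories:
            for doc_id in d.deleted:
                for key, src in list(self.catalog.items()):
                    if src == (d.name, doc_id):
                        del self.catalog[key]       # entry goes away with its source doc
            d.deleted.clear()
        for d in self.directories:
            for doc_id in sorted(d.changed):
                if doc_id in d.persons:
                    self._aggregate_person(d, doc_id, d.persons[doc_id])
                elif doc_id in d.groups:
                    # Groups are never de-duplicated; the domain is appended so
                    # same-named groups from different directories stay distinct
                    # (the '@domain' form of the qualified name is an assumption).
                    self.catalog[f"{d.groups[doc_id]}@{d.domain}"] = (d.name, doc_id)
            d.changed.clear()
        return sorted(self.catalog)

    def _aggregate_person(self, d, doc_id, name):
        key = name.lower()
        existing = self.catalog.get(key)
        if existing is None or existing == (d.name, doc_id):
            self.catalog[key] = (d.name, doc_id)    # new entry, or update of its own source
        elif not self.remove_duplicate_users:
            self.catalog[f"{key} ({d.name}:{doc_id})"] = (d.name, doc_id)
        # otherwise a later directory's duplicate of an existing name is skipped

    def source_of(self, name):
        return self.catalog.get(name.lower())


def phyllis_scenario(clear_history_instead=False):
    """Replays the Phyllis Spera/Acme example; returns the entry's source after each run."""
    a = SourceDirectory("A", "AcmeWest")
    b = SourceDirectory("B", "AcmeEast")
    a.add_person("a1", "Phyllis Spera/Acme")
    b.add_person("b1", "Phyllis Spera/Acme")
    b.add_group("g1", "Sales")
    sim = DircatSimulator([a, b])
    steps = []
    sim.run()
    steps.append(sim.source_of("Phyllis Spera/Acme"))   # ('A', 'a1'): A is listed first
    a.delete("a1")
    sim.run()
    steps.append(sim.source_of("Phyllis Spera/Acme"))   # None: removed with A's document
    sim.run()
    steps.append(sim.source_of("Phyllis Spera/Acme"))   # None: B's document is unchanged
    if clear_history_instead:
        sim.clear_history()                              # full rebuild (not recommended)
    else:
        b.touch("b1")                                    # the minor edit the text suggests
    sim.run()
    steps.append(sim.source_of("Phyllis Spera/Acme"))   # ('B', 'b1')
    return steps
```

The third run shows the point the text makes: nothing in B changed, so an incremental run has no reason to look at B's Phyllis Spera document again, and only an edit to that document (or a full rebuild) brings the entry back.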
• Mail Only to aggregate only Mail only groups from all of the
directories listed in the Directories to include field.
• All to aggregate all types of groups from all the directories listed in
the Directories to include field.
• All in first directory only to aggregate all types of groups, but only
those from the first directory listed in the Directories to include
field.
A selection formula can select only the types of groups indicated by the
Group types option.
How a selection formula interacts with the Include Servers option
The Include Servers field in a directory catalog configuration document
for an Extended Directory Catalog controls whether the Dircat task
aggregates Server documents. If you use a selection formula that includes
Server documents, you must select the Server documents as part of the
selection formula as well as select Yes in the Include Servers field.
You cannot aggregate Server documents into a condensed Directory
Catalog.
Fields aggregated into a directory catalog (table partially recovered; the
document type a field comes from is shown where it survived)

Field                  Document type
FullName               Person
ListName               Group
Type                   All
FirstName              Person
MiddleInitial          Person
LastName               Person
Location               Person
MailAddress            Person
Shortname              Person
MailDomain             (not recovered)
InternetAddress        (not recovered)
MessageStorage         (not recovered)
Members                Group (footnote 2)
AltFullName            Person (footnote 2)
AltFullNameLanguage    Person (footnote 2)

Required fields ensure that each document aggregated in the directory
catalog has a known name and type. (The text of footnote 2 was not recovered.)

Fields to add (recovered cells of the "Field to add" table)

Members (from Group documents)
(Optional) Add only to allow Notes users who are not connected to the
network to look up free time schedules of other users. Note that adding
the Members field is not generally recommended because it increases
the directory catalog size and requires more replication. Use a server
directory catalog or directory assistance to provide a way for servers to
look up the members of groups from a secondary Domino Directory.
(Required) Allows Notes clients and servers to look up the members of
groups from secondary Domino Directories.

AltFullName, AltFullNameLanguage (from Person documents)
(Optional) Add if users in the directory catalog use alternate names in
their certificates.
(Recommended) Include this field even if no certified alternate names
are used in your organization; then if alternate certified names are put
into use later, no directory catalog rebuild is necessary.

(Field name not recovered)
(Optional) Add to enable servers to look up Internet passwords in the
directory catalog for Internet client authentication.

Soundex fields
(Purpose not recovered)
Incremental fields, that is, how and when the Dircat task updates
changes to fields in the aggregate documents.
The default directory catalog performance settings work fine in most situations.
Note Change these settings only on a condensed Directory Catalog used
only by servers, and not on a condensed Directory Catalog used by
clients.
These settings are irrelevant and unavailable for an Extended Directory
Catalog, which doesn't combine multiple source Domino Directory
entries into aggregate documents.
Packing density
The packing density is the number of entries from a source Domino
Directory that can be stored in one aggregate document in the condensed
Directory Catalog. 255 is the maximum packing density and the default. If
full-text searching is frequently used to search a server directory catalog,
for example if the LDAP service uses the directory catalog, and these
searches of the directory catalog are slow, you can decrease the packing
density to improve performance of these searches. You might also
decrease the packing density to reduce the odds that a particular
aggregate document needs to replicate.
Incremental fields
Because a single field in an aggregate document contains values for the
field from many of the source Domino directories, it's likely that at any
one time every field in the aggregate document might require updating
and, therefore, would need to replicate. To manage changes to fields in a
condensed Directory Catalog, the Dircat task, by default, uses an
incremental merge process that stores the changes in temporary fields in
aggregate documents until, by default, 5 percent of the total entries from
the source Domino Directories change. Then the Dircat task merges the
changes stored in the temporary fields into the permanent fields in the
aggregate documents and deletes the temporary fields. This process
occurs somewhat randomly over a period of time so that at any time,
only a few aggregate documents need to replicate. When the directory
catalog on the server running the Dircat task replicates, only the updated
fields replicate. This incremental replication results in improved
replication performance, especially when replication occurs over a
dial-up connection.
You can create multiple directory catalogs, and set up groups of clients
or servers to use specific ones. For example, if user group 1 sends mail
only to users registered in directories A, B, and C, and user group 2
sends mail only to users registered in directories D and E, you can create
a client-based condensed Directory Catalog that aggregates A, B, and C
for group 1 to use, and create another condensed Directory Catalog that
aggregates D and E for group 2 to use.
Documents and fields used to set up a condensed Directory Catalog (table
partially recovered; cells lost in extraction are omitted)

Document/Database: Directory Profile of each Domino Directory to be aggregated in the directory catalog
Field(s)/Tab(s): "Domain defined by this Domino Directory" on the Basics tab

Document/Database: Directory Catalog Configuration document in database created from DIRCAT5.NTF
Field(s)/Tab(s): All fields

Document/Database: Domino Directory Server document of Dircat server that builds the directory catalog

Document/Database: Desktop policy settings document and/or Setup policy settings document in Domino Directory in which clients are registered
Field(s)/Tab(s): "Mobile directory catalogs" field on the Databases tab
Purpose: Sets up a condensed Directory Catalog automatically on Notes clients
Used for an Extended Directory Catalog too? No

Document/Database: Domino Directory Server document of each server that uses the condensed Directory Catalog
Field(s)/Tab(s): "Name of condensed directory catalog on this server" field on the Basics tab
Purpose: Specifies the file name of a server's local condensed Directory Catalog
Used for an Extended Directory Catalog too? No

Document/Database: Directory Profile document in the Domino Directory of the servers that use the condensed Directory Catalog
Field(s)/Tab(s): "Directory catalog file name for domain" field on the Basics tab
Used for an Extended Directory Catalog too? No

Document/Database: Domino Directory Server document of each server that uses the condensed Directory Catalog
(Field, purpose and Extended Directory Catalog cells not recovered)

Table note: Can use directory assistance instead to trust for client authentication only some
rather than all of the aggregated directories.
Do the following for each Domino Directory you will aggregate into the
directory catalog:
1. Open a Domino Directory.
2. Choose Actions - Edit Directory Profile.
Directory Catalog Configuration document fields (descriptions of most
fields were not recovered)

Sort by
Use Soundex
Remove duplicate users
Group types
Include Mail-in Databases
Restrict aggregation to this server
Send Directory Catalog reports to:
Additional fields to include
Selection formula
Total number of people/group/mail-in databases and resources: Read-only
field that shows the total number of entries aggregated from Domino
Directories after the Dircat task runs.
Packing density
Incremental fields
Merge factor
Replication history: Shows the date and time when the Dircat task last
replicated the aggregated directories. Click Clear History to do a full
rebuild of the directory catalog. Do not click Clear History unless you
understand Dircat rebuilds. For more information, see the later topic
The Dircat task.
3. From the Domino Administrator, click the Files tab, and open a
replica of the directory catalog.
4. Choose Edit - Copy As Link - Database Link, then close the directory
catalog.
5. Open the Desktop policy settings document or Setup policy settings
document you want to use to automate setup of the condensed
Directory Catalog on clients.
6. Click the Databases tab, and then click the Mobile directory
catalogs field.
7. Choose Edit - Paste to paste the directory catalog database link into
the Mobile directory catalogs field.
8. Click Save & Close.
Note Notes users should do pull replications regularly with up-to-date
replicas of the directory catalog on servers.
Step 5: Set up servers to use the condensed Directory Catalog
Note In general it's better for a server to use an Extended Directory
Catalog rather than a condensed Directory Catalog.
To set up a server to use a condensed Directory Catalog:
1. Create a replica of the built directory catalog on the server. Set up
replication between the server and the Dircat server so that this
server's replica of the directory catalog is kept up-to-date.
2. If necessary, from the Domino Administrator choose File - Open
Server, to open the server you are setting up to use the directory
catalog.
3. Click the Configuration tab.
4. In the left pane, expand Server - Current Server Document.
5. Click Edit Server.
6. On the Basics tab, in the Name of condensed directory catalog on
the server field, enter the file name of the directory catalog replica
you created on this server. If multiple servers use the same file name
for their local replicas of the directory catalog, see the Tip below for a
quick way to specify the file name.
7. (Optional) To allow the server to use all user names aggregated in
the condensed Directory Catalog for client authentication, on the
Basics tab of the Server document select Trust the server based
condensed directory catalog for authentication with internet
protocols. If you don't want to trust the entire directory catalog for
authentication, do not select this option.
Note To specify instead that the server trust for authentication
names from only one or some of the directories aggregated in the
directory catalog, in a directory assistance database used by the
server, create a Directory Assistance document for each aggregated
Domino Directory to trust that has a trusted rule enabled.
For more information, see the topic Using a condensed Directory
Catalog for client authentication earlier in the chapter, and also the
chapter Setting Up Directory Assistance.
8. Click Save & Close.
Documents and fields used to set up an Extended Directory Catalog (table
partially recovered; cells lost in extraction are omitted)

Document/Database: Directory Profile of each Domino Directory to be aggregated in the Directory Catalog
Field(s)/Tab(s): "Domain defined by this Domino Directory" field on the Basics tab

Document/Database: Domino Directory Server document of the Dircat server that builds and updates the directory catalog
Field(s)/Tab(s): All fields in Server Tasks - Directory Catalog tab
Used for a condensed Directory Catalog too? No

Document/Database: Directory Assistance document in Directory assistance database used by each server that uses the directory catalog
Field(s)/Tab(s): All fields related to a Notes Directory Assistance document

Document/Database: Server document in the Domino Directory of each server that uses the directory catalog
Field(s)/Tab(s): "Directory Assistance database name" field on the Basics tab
Purpose: Allows a server to use directory assistance (footnote 1; text not recovered)
Used for a condensed Directory Catalog too? No
Extended Directory Catalog configuration fields (descriptions of most
fields were not recovered)

Remove duplicate users
Group types
Include Mail-in Databases
Include Servers
Selection formula
Replication history: Shows the date and time when the Dircat task last
replicated the aggregated directories. Click Clear History to do a full
rebuild of the directory catalog. Do not click Clear History unless you
understand Dircat rebuilds. For more information, see the later topic
The Dircat task.

Full rebuilds
Directories to include
Group types
Selection Formula

Partial rebuilds
If the replica of a source Domino Directory the Dircat task uses is deleted,
and then replaced with an operating system file copy that has the same
replica ID, the Dircat task does a partial rebuild, which involves
comparing all documents in the new file system copy of the Domino
Directory to the corresponding contents in the directory catalog to look
for changes. The Dircat task also does a partial rebuild if the Fixup task
deletes corrupted documents from a source Domino Directory which are
then replaced through replication. A partial rebuild is a longer process
than an update, but takes less time than a full rebuild.
Field                                Enter
Directory Catalog filenames          The file name(s) of the directory catalog(s) the Dircat
                                     task should process. Separate multiple file names with
                                     commas.
Schedule                             Select Enabled.
Run Directory Catalog aggregator at  (not recovered)
Days of week                         (not recovered)
where dc.nsf is the file name of a local directory catalog on the server.
You can do a full rebuild of a directory catalog. Keep in mind that a full
rebuild removes and recreates all the aggregated documents so that the
first replication after the rebuild will require a full replication of the
database.
To do a full rebuild of a directory catalog, you can run the dircat task
against the directory catalog using the -r switch, for example:
load dircat dc.nsf -r
Or you can do a full rebuild by clicking the Clear History button on the
Advanced tab of the directory catalog configuration document.
Pausing the Dircat task
Before you shut down a server that is in the middle of Dircat processing,
pause the Dircat task. When you pause the Dircat task, the Dircat task
finishes aggregating the directory catalog it is currently running on and
then goes idle. If you don't pause the Dircat task before server shutdown,
the Dircat task must reaggregate the directory catalog it was processing
at the time of server shutdown from the beginning.
To pause the Dircat task, enter this server command:
Tell Dircat Pause
You can then shut down the server. Or, to resume Dircat processing,
enter this server command:
Tell Dircat Resume
3. When prompted, select the name of the server that should run this
agent to mail the reports on your behalf. You must have Run
restricted LotusScript/Java agents access to the server you pick.
4. Click Save & Close.
If you've configured the Dircat task to run on schedule, use the Show
Schedule command to see when the task is next scheduled to run.
Chapter 25
Setting Up Extended ACLs
This chapter describes how to set up and manage an extended access
control list (ACL), which is an access control feature available for a
Domino Directory and an Extended Directory Catalog.
Extended ACL
An extended access control list (ACL) is an optional directory
access-control feature available for a directory created from the
PUBNAMES.NTF template, that is, a Domino Directory or an Extended
Directory Catalog. An extended ACL is tied to the database ACL, and
you access it through the Access Control List dialog box using a Notes 6
or Domino Administrator 6 client. You use an extended ACL to apply
restrictions to the overall access the database ACL allows a user; you
cannot use it to increase the access the database ACL allows. Use an
extended ACL to set access to:
• A specific document
• Set access to documents and fields easily and globally at one source,
rather than requiring you to control access through features such as
multiple Readers and Authors fields.
• Control the access of users who access the directory through any
supported protocol: Notes (NRPC), Web (HTTP), LDAP, POP3, and
IMAP.

Access settings (table partially recovered)
Access setting   Tasks allowed
Browse           (not recovered)
Create           (not recovered)
Delete           (not recovered)
Read             Allows a user to read a field. The user must also have Browse
                 access to the document.
Write            Allows a user to modify a field.
When more than one type of document uses a particular field, you
control access to the field separately for each type of document.
If you are controlling the access of Notes and Web users, be aware of the
following issues. These issues do not apply to access through other
means, such as LDAP access or Notes application access, except where
indicated.
Administer access
Grant Administer access to allow someone with Designer or Editor
access in the database ACL to modify access settings at an extended ACL
target. Someone with Manager access in the database ACL can modify an
extended ACL without having Administer access. Grant Administer
access to allow someone to manage access to documents under a target
category without granting the person Manager access in the database
ACL. A user with Editor or Designer access in the database ACL does
not have the Administer access by default; you must grant the user that
access explicitly. You grant someone Administer access to a target
category and not to a specific document.
Form-specific access
You click Form and Field Access from the Extended Access at target
dialog box to use the Form and Field access at target dialog box to set
form-specific access settings that are exceptions to the selected subject's
default access at the selected target. The following figure shows access
set for the Person form for the -Default- subject at / (root):
More than one subject that is shown at a selected target can apply to a
particular user. For example, a user might be a member of two groups,
both of which have access set to the target O=Acme. The following
precedence rules are applied to determine the access a user has to a
target when there are multiple subjects that apply to the user at the
target.
Note Even after precedence rules are applied, a user's access can never
exceed the access the database ACL allows the user.
When you select a target in the Extended Access at: target dialog box,
by default the dialog box shows all the subjects in the extended ACL
with access settings to the target. Included are subjects whose access is
set at and inherited from a higher target through the scope This
container and all descendants. (You can select Show Modified to see
only the subjects with access set directly at the target.)
1. Access set for a subject with the scope This container only takes
precedence over access set for a subject with the scope This
container and all descendants, regardless of subject type. For
example, the access set for the subject */Acme and the scope This
container only takes precedence over the access set for the subject
Kathy Brown/Acme and the scope This container and all
descendants.
2. Among subjects with the same scope, access for a more-specific type
of subject takes precedence over access for a less-specific type of
subject. The order of subject specificity, from most specific to least
specific, is:
a. Individual user or server
b. Self
c. Group
d. A wildcard, for example */Acme
e. -Default-
For example, the access set for Kathy Brown/Acme with the scope
This container and all descendants takes precedence over the
access set for the group Admins/Acme with the scope This
container and all descendants.
3. When evaluating more than one group subject or more than one
wildcard subject, the access settings of the subjects are combined,
with Deny access taking precedence over Allow access. For example,
if the group Admins/Acme denies Write access and allows all other
access, and the group Managers/Acme denies Create access and
allows all other access, users that are members of both groups are
denied Write and Create access and allowed all other access.
Tip To determine a user's effective access to an extended ACL target
after extended access settings and database access are evaluated, select
the target in the Extended Access at target dialog box, then click
Effective Access.
For more information on using the Effective Access tool, see the topic
Showing a subject's effective access to an extended ACL target later in
the chapter.
The following examples show how each precedence rule resolves two
subjects that apply to the same user at one target:

Rule 1
Subject 1: */Acme; Scope: This container and all descendants; Allow: Read, Browse; Deny: Create, Delete, Write
Subject 2: */Acme; Scope: This container only; Allow: Create, Delete, Write; Deny: Read, Browse
Result: Allow: Create, Delete, Write; Deny: Read, Browse

Rule 2
Subject 1: Admins/Acme group; Scope: This container and all descendants; Allow: All
Subject 2: */Acme; Scope: This container and all descendants; Deny: All
Result: Allow: All

Rule 3
Subject 1: Admins/Acme group; Scope: This container and all descendants; Allow: Read, Browse; Deny: Create, Delete, Write
Subject 2: Managers/Acme group; Scope: This container and all descendants; Allow: Create, Delete, Write; Deny: Read, Browse
Result: Deny: All
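As an added example, not part of the product, the following Python evaluator encodes the three precedence rules and the note that effective access never exceeds the database ACL, and replays the three figure examples plus the Admins/Managers example from rule 3. Subject kinds, scope labels and access names come from the text; the data structures, and the assumption that the caller supplies the subjects that apply to one user at one target, are this example's own.

```python
"""Evaluator for the extended ACL precedence rules in this section.

Added example, not Domino code. It encodes rule 1 (container-only scope
wins), rule 2 (subject specificity), rule 3 (groups or wildcards combine
with Deny winning) and the note that effective access never exceeds the
database ACL. Subject kinds, scope labels and access names come from the
text; the data structures, and the assumption that the caller supplies the
subjects that apply to one user at one target, are this example's own.
"""
from dataclasses import dataclass

ACCESS = frozenset({"Browse", "Create", "Delete", "Read", "Write"})
DESCENDANTS = "This container and all descendants"
CONTAINER_ONLY = "This container only"

# Rule 2: subject specificity, most specific first (lower value wins).
SPECIFICITY = {"user": 0, "self": 1, "group": 2, "wildcard": 3, "default": 4}


@dataclass(frozen=True)
class Subject:
    """One subject with access set at a target, as it applies to one user."""
    name: str          # e.g. '*/Acme', 'Admins/Acme', 'Kathy Brown/Acme'
    kind: str          # a key of SPECIFICITY
    scope: str         # DESCENDANTS or CONTAINER_ONLY
    allow: frozenset   # access names explicitly allowed
    deny: frozenset    # access names explicitly denied

    def __post_init__(self):
        if self.kind not in SPECIFICITY or self.scope not in (DESCENDANTS, CONTAINER_ONLY):
            raise ValueError(f"bad kind or scope for subject {self.name}")
        if self.allow & self.deny:
            raise ValueError(f"{self.name}: an access cannot be both allowed and denied")


def effective_access(subjects, db_acl_allows=ACCESS):
    """Access a user has at a target, given the subjects that apply to the user."""
    if not subjects:
        return frozenset()
    # Rule 1: settings with scope "This container only" beat inherited ones.
    direct = [s for s in subjects if s.scope == CONTAINER_ONLY]
    candidates = direct or list(subjects)
    # Rule 2: among the remaining subjects, the most specific kind wins.
    best = min(SPECIFICITY[s.kind] for s in candidates)
    winners = [s for s in candidates if SPECIFICITY[s.kind] == best]
    # Rule 3: several groups (or wildcards) combine; Deny beats Allow.
    allowed = frozenset().union(*(s.allow for s in winners))
    denied = frozenset().union(*(s.deny for s in winners))
    # An extended ACL only restricts; it never exceeds the database ACL.
    return (allowed - denied) & frozenset(db_acl_allows)


def figure_rule1():
    """*/Acme set twice: the container-only setting wins (rule 1)."""
    inherited = Subject("*/Acme", "wildcard", DESCENDANTS,
                        frozenset({"Read", "Browse"}), frozenset({"Create", "Delete", "Write"}))
    direct = Subject("*/Acme", "wildcard", CONTAINER_ONLY,
                     frozenset({"Create", "Delete", "Write"}), frozenset({"Read", "Browse"}))
    return effective_access([inherited, direct])


def figure_rule2():
    """Group Admins/Acme allows all, wildcard */Acme denies all: the group wins (rule 2)."""
    admins = Subject("Admins/Acme", "group", DESCENDANTS, ACCESS, frozenset())
    everyone = Subject("*/Acme", "wildcard", DESCENDANTS, frozenset(), ACCESS)
    return effective_access([admins, everyone])


def figure_rule3():
    """Two groups with opposite settings: their denials combine to Deny: All (rule 3)."""
    admins = Subject("Admins/Acme", "group", DESCENDANTS,
                     frozenset({"Read", "Browse"}), frozenset({"Create", "Delete", "Write"}))
    managers = Subject("Managers/Acme", "group", DESCENDANTS,
                       frozenset({"Create", "Delete", "Write"}), frozenset({"Read", "Browse"}))
    return effective_access([admins, managers])


def text_rule3_example():
    """Admins deny Write, Managers deny Create: a member of both loses both."""
    admins = Subject("Admins/Acme", "group", DESCENDANTS, ACCESS - {"Write"}, frozenset({"Write"}))
    managers = Subject("Managers/Acme", "group", DESCENDANTS, ACCESS - {"Create"}, frozenset({"Create"}))
    return effective_access([admins, managers])


def capped_by_database_acl():
    """Allow: All in the extended ACL cannot exceed a database ACL that only permits reading."""
    admins = Subject("Admins/Acme", "group", DESCENDANTS, ACCESS, frozenset())
    return effective_access([admins], db_acl_allows={"Read", "Browse"})
```

The evaluator applies the rules in the order the text gives them: it first narrows the subjects to those set directly at the target, then to the most specific kind among them, and only then merges what remains with Deny winning; the final intersection with the database ACL is what makes an extended ACL a restriction and never a grant.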
• Group
• Anonymous
• -Default-
• Self
With the exception of Self, these are the same types of entries that are
acceptable in a database ACL.
For more information on the database ACL, see the chapter Controlling
User Access to Domino Databases.
You specify more than one subject at a target to give each subject its own
access to the target. For example the group Admins/West/Acme and the
group Admins/East/Acme might each have access set at the / (root)
target. You can also add the same subject at multiple targets, to give the
subject different access to each target.
If the database ACL and an extended ACL both list a particular subject,
Administration Process requests can rename or delete the subject in the
extended ACL, as well as in the database ACL.
Anonymous as subject
As in the database ACL, the subject Anonymous controls the access of all users and servers that access a server without first authenticating. Anonymous access applies to access via all the supported protocols.
Self as a subject
The subject Self is available only for an extended ACL and not the database ACL. At a target category only, you can use Self to define the access that all users have to their own documents that fall under the target category. A user's own document is one with a distinguished name that matches a distinguished name presented by the user. Use Self so that you can use one subject to control all users' access to their own documents at a target category.
-Default- as a subject
Adding and setting access for the -Default- subject at a target is optional. If you set access for -Default- at a target, all users and servers whose access is not determined by another subject at the selected target get the access set for -Default-. If you add the -Default- subject to a target and you want some users to have different access to the target than the -Default- access, add a subject or subjects that represent those users to the target with the desired access.
Person documents
Server documents
Certifier documents
Policy documents
Target scope
When you select a category as a target in the Target box, you use the Scope of Target box to specify whether a subject's access settings apply only to documents at that category or also to documents under its subcategories. Keep This container and all descendants (the default) selected to apply the subject's access settings to documents under the selected target category as well as to documents under subcategories. Select This container only to apply the subject's access settings to documents under the selected target category only.
The following figure shows the target scope This container and all descendants selected for the subject Admins/Acme at the / (root) target. You select a scope for each subject with access at a target category.
Example of using This container and all descendants as a target scope
Suppose you want users who access the database through the -Default- entry to see any Person and Group document in the directory but no other type of document. You could do the following:
In the extended ACL, add -Default- as the subject at / (root) and deny it all access by default, but allow it Browse and Read access to the Person and Group forms.
Keep This container and all descendants as the scope to apply the access settings to the entire directory.
[Figure: Target / (root), Subject -Default-, Scope "This container and all descendants". The access grid lists Default access, Person form, and Group form for / (root), O=Acme, OU=East, and OU=West with the columns B C D R W (Browse, Create, Delete, Read, Write); shaded cells = Deny.]

[Figure: Target / (root), Subject Admins/Acme, Scope "This container and all descendants", together with Target O=Acme, Subject Admins/Acme, Scope "This container only". The access grid lists / (root), O=Acme, OU=East, and OU=West with the columns B C D R W A; shaded cells = Deny.]
Add Admins/Acme to the database ACL with Editor access and all
privileges and administration roles.
Add Admins/Acme to O=Acme, allow all access and select the scope
This container only.
Assuming there are no other subjects in the extended ACL that control access for the members of the Admins/Acme group, the precedence rules determine that the access set for Admins/Acme at O=Acme with the scope This container only controls Admins/Acme's access to the documents directly under O=Acme. The access set for Admins/Acme at O=Acme with the scope This container and all descendants controls Admins/Acme's access to the documents subcategorized under OU=East and OU=West below O=Acme.
The following figure illustrates these access settings.

[Figure: Database ACL: Admins/Acme has Editor access with all privileges and administration roles. Extended ACL: Admins/Acme at Target / (root) with Scope "This container and all descendants"; Admins/Acme at Target O=Acme with Scope "This container and all descendants"; Admins/Acme at Target O=Acme with Scope "This container only". The access grid lists / (root), O=Acme, OU=East, and OU=West with the columns B C D R W A; shaded cells = Deny.]
Security goals
To establish security, Acme has these goals:
1. Allow members of the Admins/Acme group to:
Have full access to all documents in the directory
Manage access at any target in the extended ACL
The database ACL for the directory:

Subject                   Access      Privileges and roles
-Default-                 Reader
Admins/Acme group         Manager     Delete; all administration roles
Admins/West/Acme group    Editor      Create, Delete; all administration roles
Admins/East/Acme group    Editor      Create, Delete; all administration roles
Anonymous                 No Access

The extended ACL:

Subject                   Access                                   Description
-Default-                 Read on the Person, Group, and           Allows non-administrators to read only
                          Resource forms only                      Person, Group, and Resource documents
Admins/West/Acme group    Default: Allow all                       Allows members of Admins/West/Acme to have
                                                                   full access to documents under OU=West
Admins/East/Acme group    Default: Allow all                       Allows members of Admins/East/Acme to have
                                                                   full access to documents under OU=East
As a general rule, use the default target scope This container and all descendants to extend subjects' access to target subcategories.
When you use a sparse access control model, Domino can check extended ACL access settings quickly and you can manage extended ACL access settings easily.
After you enable extended access, you can't make changes to the database on a server running an earlier release, because the changes can't replicate to a Domino 6 server. If you enable extended access, make directory changes only to a replica on a Domino 6 server.
Click Add - Name and type or select a subject name, then click OK. If the subject is a user, server, or group that is not in the directory for which you are controlling access, this prompt appears: Subject can not be found in the directory. To continue, please specify the subject's type: Person, Server, Group. Select one of the options presented, then click OK.
For each form for which you want to set different access than the subject's default access set for the selected target, do the following:
1. Select the subject for which you are setting access in the Extended Access at target dialog box and click Form and Field Access to open the Form and Field Access at target dialog box. The dialog box shows the forms in the directory in the Forms box. When you select a form in the Forms box, the Fields box shows only the fields in the selected form.
2. (Optional) To set the Form and Field Access at target dialog box to display LDAP object classes and attributes rather than forms and fields, next to Schema select LDAP. This option works only if you are setting access to a directory on a server running the LDAP service.
For more information, see the topic Displaying LDAP attributes and object classes when setting form-specific access earlier in the chapter.
3. (Optional) To look at the subject's default access to the selected target that you previously specified in the Extended Access at target dialog box:
a. Below the Forms box, select the -Default- entry and look at the default Browse, Create, and Delete access settings. Optionally, modify these default access settings. The changes will show in the Extended Access at target dialog box when you close the Form and Field Access at target dialog box.
b. With the -Default- entry still selected in the Forms box, look at the -Default- entry in the Fields box to see the default Read and Write access. Optionally, modify these default access settings. The changes will show in the Extended Access at target dialog box when you close the Form and Field Access at target dialog box.
4. In the Forms box, select the form for which you want to set access. Notice that the Fields box changes to show only the fields on the selected form.
5. In the Forms box, set the desired Browse, Create, and Delete access settings for the selected form.
6. To set the subject's Read and Write access to all fields in the selected form:
a. Keep the form for which you are setting access selected in the Forms box.
b. Select -Default- in the Fields box.
c. Set the subject's general Read and Write access to the fields on the selected form.
7. To set the subject's Read and Write access to a specific field in the selected form:
a. Keep the form for which you are setting access selected in the Forms box.
b. Select the field in the Fields box.
c. Set the subject's Read and Write access to the selected field. These settings take precedence over the settings specified in step 6.
8. (Optional) To show the form-specific access you have set:
a. Above the Forms box, select Show - Modified. Notice that Show - Modified is also selected above the Fields box.
b. Select a form listed in the Forms box to see the access set specifically for that form.
c. With the form still selected, look at the Fields box to see the fields on the form for which you've set access.
9. When you've finished setting form-specific access, click OK to close the Form and Field Access at target dialog box.
10. Continue to Step 13 in the procedure Setting a subject's access to an extended ACL target.
If you have the required access to make the change and the subject's access settings are grayed out, the subject's access to the selected target is set at a higher target with the scope This container and all descendants. In this case you can do one of the following:
At the selected target, click Add to add the subject to the selected target and set different access for the subject at the target. The new access to the selected target overrides the access set at the higher target. If you choose the scope This container and all descendants, the new access applies to all documents subcategorized below the selected target as well. If you choose the scope This container only, documents categorized immediately below the selected target get the new access settings, but documents under subcategories of the selected target continue to have the access settings specified at the higher target.
Select the higher target, select the subject at the higher target, and change the access. The changes apply to documents directly under the higher target and to documents below all subcategories of the higher target, including the target for which the subject's access is grayed out.
For information, see the topic Extended ACL target earlier in the chapter.
4. In the Target box at the left of the Extended Access at target box, select the target from which you want to remove the subject.
5. In the Access List box, select the subject that you want to remove, and click Remove.
6. Click OK and, when you see the prompt Save changes before exiting?, click Yes to save the changes and close the Extended Access at target dialog box.
7. Click OK to close the Access Control List dialog box.
10. The Access derived from box shows all the subjects that can control the subject's access allowed in the database ACL and the extended ACL, and displays a check mark next to the subject or subjects that determine the access.
11. When you are finished viewing the effective access, click Done.
Chapter 26
Overview of the Domino Mail System
This chapter describes how the Domino mail system works and provides
information that you need to consider before you deploy mail.
Messaging overview
The Domino mail system has three basic components: Domino mail servers, Domino mail files, and mail clients. The Domino mail server is the backbone of an organization's messaging infrastructure, acting both as an Internet mail server and a Notes mail server. Domino provides standards-based Internet messaging through its support of the Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), and Multipurpose Internet Mail Extensions (MIME). At the same time, Domino supports Lotus Notes mail through the use of the Notes routing protocol, Notes remote procedure calls (NRPC), and the Notes rich text message format.
Domino mail servers provide services that directly and indirectly support messaging. These include specialized databases for locating users and servers, for message storage and transit, and for collecting statistics; and processes that initiate and receive connections between servers, route messages, and allow users to retrieve mail.
Every mail user in a Domino system has a mail file on a Domino mail server. You can create a replica of the mail file on other servers for failover in case the primary server is unavailable. Users create mail messages using a mail client, such as Lotus Notes, or a POP3 or IMAP client, and send mail through the Domino mail server, which routes the message to its recipient. The recipient then uses a mail client to read the message. To protect confidential information in mail messages, Domino supports Notes public key encryption and S/MIME encryption.
The Lotus Notes client and the Domino mail router (the Router) create and send messages in the format (MIME or Notes rich text) appropriate for each recipient, as determined from the address format and settings in the recipient's Person document. If conversion between formats is necessary, Domino performs the conversion automatically.
Mail clients retrieve messages from the server using NRPC, IMAP and
POP3. In addition, Web clients, such as the iNotes Web Access client,
access mail through the Domino HTTP service. The Notes client sends
and retrieves mail using NRPC, or Internet protocols (SMTP, IMAP and
POP3).
The following table lists some of the required and optional components Domino uses to route mail:

Component type                      Name
Server tasks                        SMTP task, IMAP task, Converter, POP3 task, HTTP task,
                                    DOLS, Mail Router
Databases and database templates    Mailbox (MAIL.BOX), Mail Journaling database (MAILJRN.NSF),
                                    Mail Tracking database (MTSTORE.NSF)
Documents                           Server documents, Configuration Settings documents,
                                    Connection documents, Foreign SMTP Domain documents,
                                    Internet Site documents, File Identification documents,
                                    Person documents

[Figure: message flow through a Domino mail server. Submission: messages from the Notes client, from IMAP and POP3 clients, and from other servers enter MAIL.BOX (Internet clients and servers through the SMTP Listener). Transfer: the Router moves messages to other servers over Notes routing or SMTP routing. Delivery: the Router places messages in the user's mail file (User DB), which the Notes client, IMAP client, and POP3 client then read.]

For more information on setting up routing in the local Internet domain and setting up a smart host, see the chapter Setting Up Mail Routing.
In environments where all users access mail from Notes mail clients, you might specify rich text storage. For users who always access mail from IMAP or POP3 clients, MIME storage eliminates the need to convert messages before they can be read. If you set a user's preferred storage format to Keep in sender's format, the Router does not change the format of messages before placing them in the mail file, so the mail file is likely to contain a mix of rich text and MIME messages.
By default, each user is considered to be the owner of their personal mail file, and as such is granted Manager access in the mail file's Access Control List (ACL). Users with Manager access can delegate subsidiary access to their mail files to specified, trusted individuals from a Notes client, iNotes Web Access client, or Webmail client. For example, executives in an organization may allow their secretaries to read and send mail on their behalf.
To allow for mail delivery, the default ACL also grants Manager access to a user's mail server and other servers in the local Domino domain. The ACL provides no access to other users in the mail system.
During registration, the presiding administrator can assume Manager access of a user's mail file by resetting the mail file owner's access from Manager to Designer. Users require a minimum of Editor access to their mail files to perform routine mail operations: creating, sending, replying to, and deleting messages. Other mail file operations require greater access privileges. For example, users must have at least Designer access to create a full-text index.
To help manage disk space, you can set database quotas to restrict the
mail file size. In the Configuration Settings document, you can enable the
Router to withhold delivery of new mail when a mail file reaches its
quota. The Router continues to withhold mail until the user reduces the
size of the mail file by deleting or archiving messages.
In addition to a users primary mail file, users and administrators can
replicate mail files to other locations. Administrators can create server
replicas to provide failover. A user can create a local replica on a
workstation or laptop and use it to work off-line.
The Router on a user's home server delivers incoming messages for the user to the mail file. Messages in a mail file may be stored in either Notes rich text format (also known as Compound Document, or CD, format) or MIME format. The format used depends on settings in the user's Person document. If a user's mail client opens or downloads a message that is stored in a format it cannot read, Domino automatically converts the message. For example, if an IMAP client opens a message stored in Notes rich text format, the Domino IMAP service converts the message to MIME before passing it to the client.
Notes client users can create mail filtering rules to manage inbound
messages. Administrators can use the Domino Administrator and other
standard Notes database tools, such as Compact and Fixup, to perform a
variety of maintenance tasks.
Mail security
To provide secure message transfer among clients and servers, the Domino mail server supports name-and-password authentication and Secure Sockets Layer (SSL) for SMTP mail routing, IMAP, and POP3 access, and supports Notes encryption when routing mail over NRPC.
To encrypt and sign messages, Notes clients can use Notes encryption
with User ID files and public-private keys or Internet mail security with
X.509 certificates. Internet mail clients can use X.509 certificates.
For more information, see the chapters Planning Security, Setting Up
SSL on a Domino Server, Encryption and Electronic Signatures, and
Setting up Clients for S/MIME and SSL.
Mail clients
Clients interact with mail files on the Domino server in different ways.
All clients can create, send, and receive mail. Some clients, such as Web
browsers, can only interact with mail on the server and cannot store mail
locally. Some clients, such as POP3 clients, can only download mail from
the server and work with it locally. Some clients, such as Lotus Notes,
iNotes Web Access, and IMAP clients, can download mail or work with
it on the server and can store mail locally. You can use the following
types of clients with the Domino mail server:
POP3 clients
Users with POP3 clients can download mail to a local mail file and
interact with it there, as well as leave a copy of the mail in their file on
the Domino server. POP3 clients retrieve mail from a Domino server that
runs the POP3 service, use SMTP to send mail, and can use LDAP to
access the Domino Directory.
Enable the POP3 service and enable the SMTP listener so that POP3
clients can use the Domino server for mail.
For more information, see the chapter Setting Up the POP3 Service.
iNotes Web Access clients and Webmail clients
Users with mail files on a Domino server running the HTTP service can
retrieve and send mail from a Web browser. All mail-related tasks and
actions are transmitted to the server over HTTP and performed by the
server.
From a Web browser, a user accesses mail using either the standard mail
template or the iNotes Web Access template (iNotes60.ntf). Users whose
mail files are based on the standard mail template can interact with mail
on the server but cannot store mail locally.
Users whose mail files are based on the iNotes Web Access template and
who use Internet Explorer as their Web browser can use the iNotes Web
Access mail client. On servers running Domino Off-Line Services
(DOLS), iNotes Web Access users can create a local mail file replica and
work offline. Changes made to the offline mail file are replicated to the
server the next time the user connects. Users whose mail files are based
on the standard mail template cannot access a local mail file replica from
the browser.
Enable the HTTP service for Web clients to use the Domino server for
mail.
For more information on setting up the HTTP service, see the chapter Setting Up the Domino Web Server. For more information on supporting iNotes Web Access, see the chapter Setting Up iNotes Web Access.
iNotes Web Access for Microsoft Outlook
Users with mail files based on the Extended Mail template
(MAIL6EX.NTF) on a Domino server running Domino Off-Line Services
(DOLS), can use iNotes Web Access for Microsoft Outlook to access mail
from a Microsoft Outlook client.
Together with the iNotes Sync Manager, iNotes Web Access for
Microsoft Outlook lets a user create a local mail file replica and work
offline. Changes made to the offline mail file are replicated to the server
the next time the user connects.
For more information about iNotes Web Access for Microsoft Outlook,
see the chapter Setting up iNotes Web Access.
iNotes Web Access for Microsoft Outlook communicates with the server using the Notes MAPI service provider. Installing DOLS on the client automatically creates and configures a MAPI profile. Data exchanged between client and server travels over Notes routing protocols. Users can send and receive mail using Outlook, as well as create and update entries in the mail file's calendar view using the calendaring and scheduling tools in the Outlook client.
to move the message to, or in other words, the next hop on the path to the message's destination. Each server uses its routing table to calculate the next hop along the route to the destination server. When the message reaches the destination server, the Router delivers it to the recipient's mail file.
Two networks in the same domain can communicate with each other in
the absence of a Connection document if any one server is a member of
both networks. Servers that reside in multiple networks can act as a
bridge between networks running diverse protocols. For example, if you
have one Domino named network running TCP/IP and another running
SPX, you can set up a server that runs both protocols to be a member of
both Domino named networks. This server acts as a bridge between the
networks.
If the two servers share a Notes named network, the Router immediately routes the message from the MAIL.BOX file on the sender's server to the MAIL.BOX file on the recipient's server. The Router on the recipient's server then delivers the message to the recipient's mail file. Because mail routes automatically within a Notes named network, you do not need to create any additional connections or documents.
On servers that support both SMTP and Notes routing, each time the Router detects a new message in MAIL.BOX, it chooses the protocol by which to transfer the message. The routing decision is based on the message's address and format, and on whether the server is configured to send SMTP within the local Domino domain, outside the local Internet domain, or both.
Using SMTP to send mail to local domain addresses
Enabling SMTP within the local Domino domain allows the Router to
consider SMTP as an alternative routing protocol when transferring mail
to another Domino server in the same Domino domain. When
configuring servers to send SMTP within the local Domino domain, you
have the following options:
If you replace or relocate a machine, you can assign the existing host
name and IP address to the new or relocated machine. This change is
transparent to users, and messages continue to route properly.
You can use DNS to provide failover and load-balancing for your mail servers by creating multiple MX records for a domain name on the DNS server. When you set more than one MX record for a name, you set preference values to control the order in which a sending server tries those records. The lower the value, the more preferred the record; for example, a sending server tries the record with preference 5 before the record with preference 10. If more than one MX record has the same preference value, the sending server picks randomly from among those MX records. If delivery to one of those hosts fails (for example, because the server is unavailable), the sending server remembers that failure and tries the other MX records of equal preference, followed by the less-preferred MX records.
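The selection order just described is easy to get wrong when implementing or troubleshooting a sending MTA, so here it is as a runnable model. The following Python is an added example and not Domino's own code: the zone-file line format accepted by parse_mx, the constructed records for acme.com, the connect() callback standing in for a real SMTP connection, and the set used to remember failed hosts are all assumptions. The same ordering applies to a relay host name that maps to several MX records.

```python
# Added example (not Domino code): how a sending mail server orders and retries
# the MX records for a domain.
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MX:
    preference: int
    host: str


def parse_mx(zone_text):
    """Parse constructed zone-file style lines: '<name> [IN] MX <preference> <host>'."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if "MX" not in fields:
            continue
        i = fields.index("MX")
        records.append(MX(int(fields[i + 1]), fields[i + 2].rstrip(".").lower()))
    return records


def delivery_order(records, rng=None):
    """Lowest preference value first; hosts with equal preference in random order."""
    rng = rng or random.Random()
    by_pref = defaultdict(list)
    for r in records:
        by_pref[r.preference].append(r)
    ordered = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def deliver(records, connect, failed_hosts, rng=None):
    """Try each MX host in delivery order until one accepts the connection.

    `connect(host)` returns True on success.  A host that fails is added to
    `failed_hosts` (the sender's failure cache), so this and later deliveries
    skip it and move on to the next host of equal preference, then to the
    less-preferred hosts.  Returns the host used, or None if every host failed.
    """
    for mx in delivery_order(records, rng):
        if mx.host in failed_hosts:
            continue
        if connect(mx.host):
            return mx.host
        failed_hosts.add(mx.host)
    return None


# Constructed zone data for the inbound side of acme.com: two equal-weight
# hosts and one less-preferred backup.
ZONE = """\
acme.com.  IN MX 5  mail1.acme.com.
acme.com.  IN MX 5  mail3.acme.com.
acme.com.  IN MX 10 backup.acme.com.
"""

if __name__ == "__main__":
    recs = parse_mx(ZONE)
    down = {"mail1.acme.com"}                       # simulate one host being unavailable
    failed = set()
    used = deliver(recs, lambda h: h not in down, failed, random.Random(1))
    print("delivered via", used, "- failure cache:", sorted(failed))
```

Because the two preference-5 hosts are shuffled, the backup is only ever reached after both of them have been tried, which is the load-balancing behaviour the paragraph describes.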
Chapter 27
Setting Up Mail Routing
This chapter describes how to set up mail routing on your Domino
system. If you are upgrading a mail system from a previous Domino
release, see the Upgrade Guide.
rich text format, the Router converts the message to MIME before delivering it to the local recipient's mail file. Likewise, during message transfer, if a server receives a message in MIME format and must transfer it to a Domino Release 4 server, which does not support MIME, the server converts the MIME message to Notes rich text before transferring it. To determine whether the receiving server can handle MIME messages, the sending server checks the Server document of the receiving server to find out what version of Domino it is running.
To minimize the number of conversions, Domino servers running
Release 5 or later support the transfer of MIME messages over Notes
routing. As a result, MIME messages destined for Internet recipients can
route through internal servers as is, regardless of whether the
intermediate servers use Notes routing or SMTP.
This shuts down the Router. Mail accumulates in MAIL.BOX, since other
servers and clients continue to deposit mail, but the Router does not
deliver or transfer the messages.
To reload the Router, enter this command at the console:
load router
The Router task starts and begins routing and delivering mail.
Domino administrator
The Domino SMTP servers you use for inbound and outbound Internet mail can connect to the Internet either directly or through an SMTP relay host or firewall. Routing between the Domino Internet mail server and internal mail servers can be over either SMTP or Notes routing. It's not necessary to enable SMTP routing on your internal servers.
Using a single server to route mail to external Internet domains
In this configuration, a single designated mail server connects to the
Internet. All other internal mail servers route messages addressed to
recipients in external Internet domains to this server. If you use SMTP for
internal mail routing, you can configure all of your internal servers to use
the server that is connected to the Internet as a relay host. In the
Configuration Settings documents that apply to any mail servers that do
not connect directly to the Internet, enter the host name of the designated
relay host in the Relay host for messages leaving the local Internet
domain field. When the Router on these internal servers finds a message
addressed to a recipient in an external Internet domain, it looks up the
specified relay host in the DNS and forwards the message to it.
To set this up using Notes protocols, create a Foreign SMTP Domain
document and an SMTP Connection document. When the Router on a
server not connected directly to the Internet finds a message addressed to
a recipient in an external Internet domain, the Router forwards the
message to the domain in the Foreign SMTP Domain document, which is
connected to the server with an Internet connection by the SMTP
Connection document. When that server receives the message, its Router
connects to the external Internet domain and routes the message.
Using multiple servers to route mail to external Internet domains
In this configuration, a few designated mail servers connect to the Internet. Other mail servers route messages addressed to recipients in external Internet domains to these servers. To set this up using SMTP, configure the servers that are connected to the Internet as relay hosts; for example, create a DNS name, such as outbound.acme.com, that maps to multiple MX records. Each MX record lists one of the connected servers. Enter the DNS name in the Relay host for messages leaving the local Internet domain field in the Configuration Settings document that applies to all servers that do not connect directly to the Internet. When the Router on those servers finds a message addressed to a recipient in an external Internet domain, it forwards the message to one of the servers that are listed in DNS under that name.
To set this up using Notes protocols, create Foreign SMTP Domain and
SMTP Connection documents. When the Router on a server not
connected directly to the Internet finds a message addressed to a
recipient in an external Internet domain, the Router forwards the
message to the domain in the Foreign SMTP Domain document, which is
connected to one of the servers with an Internet connection by the SMTP
Connection document. When that server receives the message, its Router
connects to the external Internet domain and routes the message.
Enabling all mail servers to route mail to external Internet domains
In this configuration, every mail server connects to the Internet and runs
the TCP/IP network protocol. Each server has the setting SMTP used
when sending messages outside of the local Internet domain enabled in
its Configuration Settings Document. When a user sends a message to a
recipient in an external Internet domain, the Router looks up the domain
in the Domain Name Service (DNS) and uses SMTP to connect to the
receiving server in that domain. The Router transfers the message and
closes the connection.
Routing SMTP mail over dialup connections
Your organization may connect to the Internet and external Internet
domains through a dialup connection for example, to an Internet
Service Provider (ISP). To set up a dialup connection in your Domino
mail system:
Use one server for inbound and one server for outbound messages
Use all servers to route outbound mail and one to route internal mail

[Figure: Mail1, an internal mail server, routes outbound mail via SMTP to Mail2, which has SMTP enabled for outbound messages to the INTERNET. Mail3 has the SMTP listener enabled for inbound messages from the INTERNET and is the server that DNS lists as the MX host for acme.com.]
In this example, one Domino server, Mail2, routes messages from the Acme organization destined for other Internet domains (external addresses), and a second Domino server, Mail3, receives mail addressed to the Acme Internet domain (acme.com). Mail2 has the field SMTP used when sending messages outside of the local Internet domain enabled on the Router/SMTP - Basics tab of the Configuration Settings document that applies to the server. Mail3 has the SMTP listener task enabled on the Basics tab of its Server document, and has an MX (mail exchanger) record in the external DNS.
If a user on the Acme internal mail server, Mail1, sends a message to an external address (one with a domain other than acme.com), the server routes the message to Mail2, which can route mail to external domains. Any mail from an external Internet domain (one other than acme.com) is routed to Mail3, which is listed in the DNS as the MX host for acme.com. Once the mail reaches Mail3, the server routes it to its destination.
The internal mail server, Mail1, can route Internet mail to the server with SMTP enabled for external mail (Mail2) either via Notes routing, with a Foreign SMTP Domain document and SMTP Connection document linking to Mail2, or via SMTP routing, with Mail2 configured as the relay host.
Configuring these servers requires:
[Figure: Mail1 and Mail3 connect to the INTERNET via SMTP, with SMTP to the external Internet domain enabled, the SMTP Listener enabled, and MX records in DNS for acme.com. Mail2 routes outbound through Mail1 and receives inbound from Mail1 or Mail3; Mail4 routes outbound through Mail3 and receives inbound from Mail3 or Mail1.]
In this example, two Domino servers, Mail1 and Mail3, route messages from the Acme organization destined for other Internet domains (external addresses) and receive mail addressed to the Acme Internet domain (acme.com). Mail1 and Mail3 have the field "SMTP used when sending messages outside of the local Internet domain" enabled on the Router/SMTP - Basics tab of the Configuration Settings document that applies to the servers and have the SMTP listener task enabled on the Basics tab of their Server documents.
If a user on the Acme internal mail server Mail2 sends a message to an external address (one with a domain other than acme.com), the server routes the message to Mail1, which can route mail to external domains. If a user on the Acme internal mail server Mail4 sends a message to an external address (one with a domain other than acme.com), the server routes the message to Mail3, which can route mail to external domains. This splits the load of outbound messages: half route to Mail1 and half to Mail3.
Any mail from an external Internet domain (one other than acme.com) is routed to either Mail1 or Mail3. The external DNS has two MX records for the acme.com domain, one for Mail1 and one for Mail3. When an Internet mail server tries to connect to the acme.com domain to transfer a message, it looks up acme.com in the DNS. The server finds the
The internal mail servers can route Internet mail to the server with SMTP
enabled for external mail either via Notes routing, with a Foreign SMTP
Domain document and SMTP Connection document linking to the SMTP
server, or via SMTP routing, with the SMTP server configured as the
relay host.
Configuring these servers requires:
[Figure: Mail1, Mail2 and Mail3 in the Domino domain; Mail2 connects via SMTP to non-Notesserver.acme.com.]
In this example, Acme has three Domino servers and a third-party SMTP host in the local Internet domain that handles mail for some users. All users have entries in the Domino Directory. When a user sends mail to another user in the acme.com domain, the Domino server looks up the recipient in the Domino Directory. If the recipient has a mail file on one of the Domino mail servers (Mail1, Mail2, or Mail3), the server routes the message to its destination over Notes routing. Notes routing handles both MIME and Notes format messages. If the recipient has a mail file on the third-party server, non-Notesserver.acme.com, their Person document has a forwarding address with the domain non-Notesserver.acme.com. To route mail over SMTP, Mail1 and Mail3 find a Foreign SMTP Domain document for *.non-Notesserver.acme.com that corresponds to an SMTP Connection document listing Mail2 as the server to which to transfer messages. The server sends the message via Notes routing to Mail2, which has the field SMTP used when sending messages outside of the local Internet
[Figure: The Domino mail system (Mail1, Mail2 and Mail3) linked via SMTP to smarthost.acme.com and the non-Domino mail system, with mail4.acme.com and mail5.acme.com.]
If the local Internet domain includes mail systems other than Domino, users who have Internet addresses ending in yourdomain.com may not have mail files on a Domino server or Person documents in the Domino Directory. When Domino receives a message for such a user, the Router cannot resolve the address. To prevent Domino from generating delivery failures, set up the Domino server to forward mail it receives for unknown local domain users to a local smart host. A smart host is typically a more central computer that has an authoritative directory of all users in the local domain. When Domino receives mail it doesn't know how to deliver, it sends it to the smart host.
In this example, Acme has three Domino servers (Mail1, Mail2, and Mail3) and a third-party SMTP host, smarthost.acme.com, that houses the directory for users who have non-Domino mail files within the acme.com domain. Users in the non-Domino system do not have Person documents in the Domino Directory. The Domino servers have the field "SMTP allowed within the local Internet domain" enabled and have smarthost.acme.com listed in the "Local Internet domain smart host" field on the Router/SMTP - Basics tab of the Configuration Settings document.
[Figure: Mail1, Mail2 and Mail3 each connect to the INTERNET via SMTP.]
In this example, Acme has three mail servers, Mail1, Mail2, and Mail3, each of which can route messages from the Acme organization destined for other Internet domains (external addresses). All three servers have the field "SMTP used when sending messages outside of the local Internet domain" enabled on the Router/SMTP - Basics tab of the Configuration Settings document that applies to them. One server, Mail2, receives mail addressed to the Acme Internet domain (acme.com). Mail2 has the SMTP listener task enabled on the Basics tab of its Server document.
If a user on one of the mail servers sends a message to an external address (one with a domain other than acme.com), the server looks up the destination domain in the DNS, connects to the destination server over TCP/IP, establishes an SMTP connection, and transfers the message.
Any mail from an external Internet domain (one other than acme.com) is routed to Mail2. The DNS lists Mail2 as the MX host for acme.com. Once the mail reaches Mail2, the server routes the message to its destination.
Since each server can send messages directly to external domains, no
relay host, Foreign SMTP Domain documents, or SMTP Connection
documents are needed.
Configuring these servers requires:
Setting up DNS correctly to list Mail2 as the connecting server for the
acme.com domain for inbound mail
Field | Enter
Group or server name | A specific server
The type of Connection document required depends on the location of the two servers: same Notes named network, same Domino domain, adjacent Domino domain, or non-adjacent Domino domain.
Connection destination | Type of connection required
To a server in the same Domino named network
To a server in a different Domino named network within the local Domino domain
To an adjacent Domino domain
To a non-adjacent Domino domain
To a gateway for a foreign domain
To an SMTP-enabled server (for example, a server that can send mail to the Internet)
The Router does not check the Global Domain document for changes in
response to the update configuration command. The information
contained in the Global Domain document is loaded into memory only
after server initialization. It is not refreshed when the routing tables
reload.
[Figure: Domain Z, Domain A, Domain B and Domain C.]
You also use Adjacent domain documents to allow Free Time searches across domains. For more information, see the chapter "Setting up Calendars and Scheduling."
Note Restrictions set in an Adjacent domain document work in
conjunction with those in the Configuration Settings document. Domino
always defaults to the most restrictive entry.
Adjacent Domain documents do not provide connectivity to adjacent
domains, and are not required to enable connections between adjacent
domains. To define routes between adjacent domains, create a
Connection document.
Using Adjacent domain documents to restrict mail
By default, a domain that can route mail to your domain can also route
mail through your domain to another adjacent domain. When mail
routes from one domain to another through your domain, it ties up your
resources. To prevent your servers from being used to transfer mail
between other domains, you can selectively allow and deny mail routing
through your domain to the domain named in the Adjacent domain
document.
The Allow and Deny fields on the Restrictions tab of the Adjacent domain document let you control the flow of messages from other domains to the adjacent domain. Entries in these fields must be the names of adjacent domains; the Router ignores entries for non-adjacent domains beyond the previous hop. If you deny a domain from sending mail through your domain, the Router denies all mail received from that domain, including messages the domain may have passed on from another, non-adjacent domain. There is no way to restrict specific users from routing to a Notes domain. Restrictions apply to all users in the specified domain.
Note You cannot use wildcards in the Restrictions fields. You must enter explicit domain names.
The settings in the Allow and Deny fields work in conjunction with the Allow and Deny fields on the Router/SMTP - Restrictions and Controls - Restrictions tab of the Configuration Settings document. In the event of any conflict between settings, Domino applies the most restrictive entry.
Messages may be further restricted by Adjacent Domain documents, Non-adjacent Domain documents, and Configuration Settings documents set up between domains along the routing path.
To create an Adjacent domain document
1. From the Domino Administrator, click the Configuration tab and then expand the Messaging section.
2. Choose Domains.
3. Click Add Domain to create a new Domain document.
4. On the Basics tab, complete these fields:
Field | Enter
Domain type | Adjacent Domain
Adjacent domain name | The name of the adjacent Domino domain. The current domain must have a Connection document to this domain.
Domain description
6. Create a Connection document to specify how servers in the current domain connect to the adjacent domain.
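The Allow/Deny evaluation described above, as an added example (not Domino code): it checks only the previous-hop domain, refuses wildcard entries, ignores entries that are not adjacent domains, treats a blank Allow list as "any domain", and combines the Adjacent domain document with the Configuration Settings document so that the most restrictive answer wins. The topology (Domain B as the local domain, Domain A and Domain C adjacent to it, Domain D beyond C) and the reading of "most restrictive" as "both documents must permit" are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample topology: Domain B is the local domain; Domain A and
# Domain C are adjacent to it, Domain D lies beyond Domain C.
ADJACENT_DOMAINS = frozenset(d.lower() for d in ("Domain A", "Domain C"))


@dataclass
class RoutingRestrictions:
    """One Allow/Deny pair: the Restrictions tab of an Adjacent domain document,
    or the Router/SMTP - Restrictions and Controls - Restrictions tab of a
    Configuration Settings document.  Entries are explicit domain names."""
    allow: list = field(default_factory=list)   # blank = any domain may route
    deny: list = field(default_factory=list)
    ignored: list = field(default_factory=list, init=False)

    def __post_init__(self):
        # Wildcards are not permitted in the Restrictions fields.
        for entry in (*self.allow, *self.deny):
            if "*" in entry:
                raise ValueError(f"wildcards are not allowed: {entry!r}")
        # The Router ignores entries naming domains that are not adjacent;
        # keep them on the side so an administrator can spot the mistake.
        self.ignored = [e for e in (*self.allow, *self.deny)
                        if e.lower() not in ADJACENT_DOMAINS]
        self.allow = [e.lower() for e in self.allow if e.lower() in ADJACENT_DOMAINS]
        self.deny = [e.lower() for e in self.deny if e.lower() in ADJACENT_DOMAINS]

    def permits(self, previous_hop: str) -> bool:
        hop = previous_hop.lower()
        if hop in self.deny:
            return False
        return not self.allow or hop in self.allow


def router_permits_transit(route_so_far, adjacent_doc, config_doc) -> bool:
    """May a message that travelled 'route_so_far' (domains it passed through,
    originator first) be routed on to the adjacent domain that 'adjacent_doc'
    governs?  Only the last entry, the previous hop, is examined, so a Deny on
    that hop also rejects mail it relayed from a non-adjacent domain.
    Assumption: 'most restrictive entry' means both documents must permit."""
    previous_hop = route_so_far[-1]
    return adjacent_doc.permits(previous_hop) and config_doc.permits(previous_hop)
```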
[Figure: Non-adjacent domains. Domain A, Domain B, Domain C and Domain D, with users Kathy Burke, Robin Rutherford and Judy Kaplan; the explicit address Robin Rutherford@C@B routes to domain C through domain B.]
In processing the message, the Router on the domain A mail server looks
only at the last part of the address, and uses the Connection document to
determine the route to domain B. The domain B server then uses the
Connection document in its Domino Directory to transfer the message to
domain C.
Although explicit addressing is an effective method for directing mail to non-adjacent domains, it relies on complete knowledge of the inter-domain routing topology, which is not readily available to a typical user, so it is not a very practical solution. To simplify routing and addressing to non-adjacent domains, you can create a Non-adjacent domain document in the Domino Directory to define the path between the non-adjacent domains.
Using a Non-adjacent domain document
Administrators can create a Non-adjacent domain document to control message routing to a non-adjacent domain. A Non-adjacent Domain document serves three functions:
Field | Enter
Domain type | Non-adjacent Domain
Mail sent to domain
Route through domain
Domain description
5. Click the Restrictions tab, complete one or both of these fields, and then save the document:
Field | Enter
Allow mail only from domains | Enter the names of Domino domains adjacent to the current domain that are allowed to route mail to this non-adjacent domain. Leave this field blank to allow any domain to route mail through the local domain to the non-adjacent domain.
Deny mail from domains | Enter the names of Domino domains adjacent to the current domain that are not allowed to route mail to this non-adjacent domain. Leave this field blank to allow any domain to route mail through the local domain to the non-adjacent domain.
Note You cannot use wildcards in the Restrictions fields. You must enter explicit domain names.
6. Create a Connection document to specify how servers in the current domain connect to the intermediary adjacent domain.
Note Since, by definition, all servers in a domain use the same Domino Directory, only one Non-adjacent domain document is required for each non-adjacent domain. You do not have to create a separate document for each server.
Field | Enter
Domain type | Foreign Domain
Foreign Domain Name | The domain name of the foreign mail system. This name was chosen when the MTA or gateway was installed.
Domain description
6. Click the Mail Information tab, complete these fields, and then save the document:
Field | Enter
Gateway mail filename | The gateway's mail file name. See the documentation that came with the gateway for the proper file name.
Restrictions that you set on this Foreign domain document apply only to
the From domain of the previous hop. These restrictions work in
conjunction with those in the Configuration Settings document. Domino
always defaults to the most restrictive entry.
One or more Foreign SMTP domain documents that define the next
domain for sending SMTP mail addressed to a given set of
destination addresses
The gateway server receives outbound mail from internal servers over
Notes routing and then transfers it to the Internet over SMTP. The
gateway server can connect to the Internet directly or through an SMTP
relay host or firewall that connects to the Internet.
The Foreign SMTP domain document
A Foreign SMTP domain document provides servers that don't use SMTP routing, and which do not have access to DNS, with the next hop information required to route Internet mail. You can also use Foreign SMTP domain documents with servers that route mail over SMTP to configure different routing paths for mail sent to different destinations.
A Foreign SMTP Domain document provides servers in a Domino domain with information on where to transfer mail destined for external SMTP addresses. The Foreign SMTP domain document specifies the name of the next hop domain to which messages addressed to a specific Internet domain or domain pattern are sent. For example, a Foreign SMTP Domain document might specify that the next hop for messages addressed to the domain company.com should be the domain TheInternet.
The next hop domain can either be an actual Domino domain (that is, a group of servers sharing a Domino Directory) or a virtual domain. Use the name of an existing Domino domain if you can create a Connection document to it and it already has SMTP servers connected to the Internet. If the network does not currently have a Domino domain that routes outbound Internet mail, use a virtual, or logical, domain name. The name must not correspond to the name of any servers or domains in the Domino Directory. Domino uses the virtual domain name to link this SMTP domain document with an SMTP Connection document, which, in turn, specifies the name of an SMTP-enabled server that can process outbound mail, for example, a firewall server that can route outbound Internet mail.
Field | Enter
Domain type | Foreign SMTP Domain
5. Click the Routing tab, complete these fields, and then click Save & Close:
Field | Enter
Messages Addressed to Internet Domain
Field | Enter
Connection type | SMTP
Source server
Connect via | Choose one: Direct connection, for servers that communicate over LAN connections. Dial-up connection, for servers that communicate over transient connections, such as phone lines; if you select this option, Domino displays the field Dial using connection record.
Dial using connection record
Destination server
Field | Enter
Destination domain
SMTP MTA relay host | Specifies the SMTP host to which the source server transfers outbound mail. This allows an SMTP server to further split Internet destinations and configure multiple relays. If this field is blank, the Router transfers outbound mail to the relay host specified in the server's Configuration Settings document. If there is no relay host specified in either this field or in the Configuration Settings document, the Router determines the next hop by looking up the destination domain in the DNS or a local hosts file, depending on the value of the Host name resolution field on the Router/SMTP - Basics tab of the Configuration Settings document.
Field | Enter
Replication task | Disabled
Routing task
Route at once if
Enable the SMTP Listener task in the Server document of each server you want to receive mail over SMTP.
Enable SMTP routing within the local Internet domain so that servers
can send mail over SMTP within the local Internet domain.
Specify the relay host, if any, to be used when sending mail outside
the local Internet domain. Configure a relay host for SMTP servers
that do not have direct access to the Internet.
If you intend to allow users to access mail from POP3 or IMAP mail clients, you must install and enable these access protocols on users' mail servers. By default, Domino supports only Notes client access.
For information about using POP3 mail, refer to the chapter "Setting Up the POP3 Service." For information about using IMAP mail, see the chapter "Setting Up the IMAP Service."
Field | Enter
SMTP used when sending messages outside of the local Internet domain | Choose one: Enabled, to use SMTP to route mail to the Internet. Disabled (default), to prevent the server from routing mail outside the local Internet domain.
7. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.
6. On the Router/SMTP - Basics tab, complete this field, and then save the document:
Field | Enter
SMTP allowed within the local Internet domain | Choose one: Always (default): the Router can use SMTP to transfer mail to any Domino server in the local Domino domain that runs the SMTP Listener. Only if in same Domino named network: the Router can use SMTP to transfer mail to other Domino servers in the local Domino domain only if the destination server is in the same Domino named network. If the destination server is in the local Domino domain, but resides in a different Domino named network, the Router must use Notes routing to transfer mail.
7. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.
Create forwarding addresses for users that do not have Notes mail files.
Move (for example, a user may resign from the company but leave a forwarding address so that mail addressed to the old address is forwarded to the new location).
Use a different mail system and do not have Notes mail files.
Field | Enter
Local Internet domain smart host | The host name for the server that hosts the directory for SMTP recipients who are not in the local Domino Directory. To provide a level of failover and load-balancing, specify a host name that maps to an existing MX record. You can also specify an IP address.
Note Smart host settings are ignored if you enable the field "Verify that local domain recipients exist in the Domino Directory" on the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab.
8. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.
Field | Enter
Domain type
Choose one: R5 Internet Domain, for Domino Release 5 and greater SMTP servers. R4.x SMTP MTA, for Domino servers that use the SMTP MTA to send Internet mail.
5. Click the Conversions tab, complete these fields, and then save the document:
Field | Enter
Local primary Internet domain | The primary Internet domain name that your company uses to represent itself to the outside world, for example, another.com.
Alternate Internet domain aliases | Additional Internet domain names that your company uses, for example, still.another.com, yet.another.com, have.another.com, and so on. Use the asterisk (*) as a wildcard to represent the names of subdomains. Wildcard use is valid only if the wildcard character appears as the first character of a given entry and represents an entire subdomain name; for example, the entry *.another.com indicates that Domino treats any subdomain of another.com as a local domain. Entries that use wildcards in any other way are considered invalid, including:
Using a wildcard in any position other than as a leading character in the entry. For example, the entries another.* and still.*.com are not valid.
Using a wildcard on its own to represent an entire domain suffix. For example, the entry * is not valid.
Using a wildcard to represent a portion of a name only. For example, the entries *other.com and *ill.another.com are not valid.
These fields represent the only ones you must complete if you are using the Global Domain document solely for the purpose of defining the internal Internet domains in an organization running Domino Release 5 and greater.
6. Restart the server to put the changes into effect. The server reloads information in the Global Domain document into memory only after a restart.
For more information about DNS, see the chapter "Overview of the Domino Mail System."
If a Domino server uses ETRN to pull mail for multiple Internet domains
from another mail host, you can set up the Connection document to that
host to request mail for alternate Internet domains.
The local part of the SMTP address (that is, the part to the left of the @ sign) only, for example, Genevieve_Martin
The full SMTP address, and then, if no match is found, the local part of the address
When using full name matching, the Router searches the Domino Directory for an exact match of the entire SMTP address (for example, First_Last@Acme.com). If an exact match is not found, the Router performs a secondary search if the domain suffix of the incoming address is listed in the Global domain document as an Internet domain alias. For this secondary search, the Router replaces the given domain suffix with the domain suffix designated in the Global domain document as the Primary domain name.
To prevent the Router from using domain aliases when looking up addresses, do not include alternate Internet domain aliases in a Global domain document. Instead, create multiple Global Domain documents, each specifying a different primary Internet domain.
Restricting the Router to matching addresses on the full Internet address only ensures that each user's Internet address complies with a standard format. Users cannot receive inbound mail addressed to their short names, soundex names, or other name variations that exist in the $Users view. When configuring the Router to look up users' full Internet addresses only, complete the Internet address field in all Person documents, and Mail-in database documents for mail-in databases that receive mail over SMTP.
To specify how addresses are looked up
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and then expand the Messaging section.
3. Choose Configurations.
4. Select the Configuration Settings document to be edited and then click Edit Configuration.
5. Click the Router/SMTP - Basics tab.
6. Complete these fields, and then save the document:
Field | Enter
Address lookup | Specifies how the Router searches the Domino Directory to determine the Notes recipient of an inbound Internet message. Choose one:
Fullname then Local Part (default): The Router first searches the Domino Directory for a match for the full Internet address (localpart@domain.com). If no match is found, it searches the directory again, looking for a match for the local part of the address only.
Fullname only: The Router searches the Domino Directory for full Internet addresses only. For example, it searches for user@domain.com but not for user. If an exact match is not found and the domain suffix is equivalent to an Internet domain alias defined in the Global domain document, a secondary search is performed using the domain suffix of the primary Internet domain.
Local Part only: The Router searches the Domino Directory for a match of the local part of the Internet address, that is, the part before the @ symbol. Local part matching matches periods and underscores in the address with spaces in the directory.
Exhaustive lookup | Choose one:
7. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.
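The wildcard rules for Alternate Internet domain aliases (from the Global Domain procedure earlier) and the three Address lookup settings above, modelled together in one added example that is not Domino code. The directory records and Global Domain entries are constructed, and treating the alias secondary search as part of every full-name search is an assumption (the chapter describes it under full-name matching).

```python
import re
from dataclasses import dataclass, field

# ---- Global Domain document: 'Local primary Internet domain' and aliases ----
_PLAIN_DOMAIN = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def alias_entry_is_valid(entry: str) -> bool:
    """Wildcard rules for 'Alternate Internet domain aliases': '*' may appear
    only as the first character, followed by '.', standing for one whole
    subdomain label.  '*.another.com' is valid; 'another.*', 'still.*.com',
    '*', '*other.com' and '*ill.another.com' are not."""
    if "*" not in entry:
        return bool(_PLAIN_DOMAIN.match(entry))
    return (entry.count("*") == 1 and entry.startswith("*.")
            and bool(_PLAIN_DOMAIN.match(entry[2:])))


@dataclass
class GlobalDomain:
    primary: str
    aliases: list = field(default_factory=list)

    def __post_init__(self):
        bad = [a for a in self.aliases if not alias_entry_is_valid(a)]
        if bad:
            raise ValueError(f"invalid alias entries: {bad}")

    def is_alias(self, domain: str) -> bool:
        """True if 'domain' is listed directly or covered by a leading '*.'
        entry (any subdomain of it; the apex itself is not a subdomain)."""
        d = domain.lower()
        for alias in (a.lower() for a in self.aliases):
            if alias.startswith("*.") and d.endswith(alias[1:]):
                return True
            if d == alias:
                return True
        return False


# ---- Directory records: constructed stand-ins for Person documents ----
@dataclass
class Person:
    common_name: str                # e.g. "Tyler Hamilton"
    internet_address: str           # Person document's Internet address ("" if unset)
    short_names: list = field(default_factory=list)  # other $Users view names

    def users_view_names(self) -> set:
        return {self.common_name.lower(), *(s.lower() for s in self.short_names)}


def _split(address: str):
    local, _, domain = address.rpartition("@")
    return local, domain


def _fullname_search(directory, address, gdd):
    """Exact match on the whole address; if none and the domain suffix is a
    Global Domain alias, retry once with the primary Internet domain."""
    hits = [p for p in directory if p.internet_address.lower() == address.lower()]
    if not hits and gdd is not None:
        local, domain = _split(address)
        if gdd.is_alias(domain):
            retry = f"{local}@{gdd.primary}".lower()
            hits = [p for p in directory if p.internet_address.lower() == retry]
    return hits


def _local_part_search(directory, address):
    """Local part only: periods and underscores in the address match spaces in
    directory names, so 'Tyler_Hamilton' and 'Tyler.Hamilton' match 'Tyler Hamilton'."""
    local, _ = _split(address)
    name = re.sub(r"[._]", " ", local).lower()
    return [p for p in directory if name in p.users_view_names()]


def lookup_recipient(directory, address, mode="fullname_then_localpart", gdd=None):
    """Return the Person records the Router would match for an inbound address
    under the given 'Address lookup' setting."""
    if mode == "fullname_then_localpart":
        return (_fullname_search(directory, address, gdd)
                or _local_part_search(directory, address))
    if mode == "fullname_only":
        return _fullname_search(directory, address, gdd)
    if mode == "localpart_only":
        return _local_part_search(directory, address)
    raise ValueError(f"unknown Address lookup mode: {mode}")


# Constructed sample data (not a real Domino Directory).
GDD = GlobalDomain("acme.com", ["*.acme.com", "acme-mail.example"])
DIRECTORY = [
    Person("Tyler Hamilton", "Tyler_Hamilton@acme.com", ["thamilton"]),
    Person("Meredith Richards", "Meredith_Richards@acme.com"),
    Person("Genevieve Martin", ""),  # Internet address field not filled in
]
```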
If you configure TCP/IP to use the Domain Name System (DNS), select
Dynamic mapping only or Dynamic then local. For Dynamic mapping
only, the Router queries a DNS server to map a fully qualified host name
to an IP address.
For Dynamic then local, the Router first queries the DNS and then checks
a file on your local drive. This file, known as a hosts file, maps destination
host names to IP addresses. The Dynamic then local option can be useful
if you need to connect to internal hosts that are not listed in the DNS.
If you configure TCP/IP to use local hosts lookup, select Local lookup
only. If you use this option, the IP address and fully qualified host name
for each destination must exist in the hosts file. This option requires more
administrative attention than the Dynamic mapping only option because
you need to maintain the file.
If the DNS does not list a destination host name, the Router designates
the message as non-deliverable. If the DNS is unavailable, the Router
retries delivery up to the configured number of times as indicated in the
Initial transfer retry field on the Configuration Settings document.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
Field | Description
Lookup Internet address for all Notes addresses when Internet address is not defined in document
Internet Address Format
Address Style | Example
RFC 821 | Username@IPDomain.TopLevelDomain, for example Tyler_Hamilton@acme.com
RFC 822 | FriendlyName <Username@IPDomain.TopLevelDomain>, for example Tyler Hamilton <Tyler_Hamilton@acme.com>
Finally, if the Router cannot obtain the sender's Internet address from either the message itself or the Person document, it constructs the address. You can specify the rules for constructing this address in the Global domain document, but in the absence of a Global domain document, the Router constructs Internet addresses using the following default format:
Full_Name/Org%DominoDomain@IPDomain.TopLevelDomain
For example, the Router on the host smtp.acme.com would construct the following default Internet address for the Notes user Tyler Hamilton/Sales@Europe: Tyler_Hamilton/Sales%Europe@acme.com.
Internet Address component | Description
Full_Name
Org
DominoDomain
First_Last/ou/org%DominoDomain@Internetdomain.TopLevelDomain
For example:
Meredith_Richards/East/Acme%Acme@acme.com
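The sender-address fallback order and the default construction format above, as an added example (not Domino code). Deriving the Internet domain from the Router's host name by dropping its first label, and applying the space-to-underscore rule to every name component, are assumptions drawn from the chapter's two examples.

```python
import re

# Canonical-format prefixes (CN=, OU=, O=, C=) are stripped so that the
# abbreviated and canonical forms of a Notes name give the same result.
_PREFIX = re.compile(r"^(CN|OU|O|C)=", re.IGNORECASE)


def default_internet_address(notes_address: str, domino_domain: str,
                             router_host: str) -> str:
    """Construct the default address used when no Global Domain document
    supplies rules: Full_Name/Org%DominoDomain@IPDomain.TopLevelDomain.
    'Tyler Hamilton/Sales@Europe' on host smtp.acme.com gives
    'Tyler_Hamilton/Sales%Europe@acme.com'."""
    name, _, domain = notes_address.partition("@")
    domain = domain or domino_domain          # no @domain given: use our own
    parts = [_PREFIX.sub("", p).strip() for p in name.split("/")]
    # Spaces become underscores.  Assumption: applied to every component; the
    # chapter shows it for the common name ("Tyler Hamilton" -> "Tyler_Hamilton").
    hier = "/".join(p.replace(" ", "_") for p in parts)
    # Assumption: the Internet domain is the Router's host name minus its first
    # label, matching the chapter's smtp.acme.com -> acme.com example.
    ip_domain = router_host.split(".", 1)[1] if "." in router_host else router_host
    return f"{hier}%{domain}@{ip_domain}"


def rfc822_address(friendly_name: str, rfc821_address: str) -> str:
    """RFC 822 style from the table above: FriendlyName <Username@IPDomain.TLD>."""
    return f"{friendly_name} <{rfc821_address}>"


def resolve_sender_address(message_internet_address, person_internet_address,
                           notes_address, domino_domain, router_host):
    """Apply the order the chapter gives for a sender's Internet address: the
    message itself, then the Person document, then a constructed default.
    Returns the address and which source supplied it."""
    if message_internet_address:
        return message_internet_address, "message"
    if person_internet_address:
        return person_internet_address, "person document"
    return (default_internet_address(notes_address, domino_domain, router_host),
            "constructed")
```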
Field | Enter
Use as default Global Domain (for use with all Internet protocols except HTTP) | Select Yes to designate this Global Domain document as the default Global domain for this Domino Directory.
7. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.
8. After you set up a relay host, you can set up restrictions based on where the message originated or the message destination.
Field | Description
Connection type | Choose one: Network Dialup: choose this option for servers that will route mail over SMTP using this dialup connection. You can also use this option for NRPC routing. Notes Direct Dialup: choose this option only for servers that will use this connection to route mail over NRPC to another Domino server.
Source server | The Notes hierarchical name of the local Domino server initiating the routing request, for example, SMTP/East/Acme.
Source domain
Use the LAN port(s) | For Network dialup connections, enter the port name for the Domino TCP/IP port on the local server.
Use the port(s)
Destination server
Destination domain
Field | Description
Routing task
Router type | Choose one:
Push/Wait: Select this option when the destination server is used for outbound mail only, and initiates the connection to the source server. After the source server establishes the dialup connection, it waits to receive a connection from the destination server. When the destination server connects and issues a pull request, the source server then pushes any messages pending for the remote server.
Push Only (default): Select this option if the destination server is used for outbound mail only. The source server calls the destination server and sends messages queued for that destination. You'll need to create a separate Connection document to the server used for inbound mail.
Pull Push: Select this option if the ISP host to which the source server connects is used for both inbound and outbound routing. The source server calls the destination server, pushes, or sends, any pending messages for that destination, and then pulls messages from the destination server (actually, the calling server issues a request to the other server to push messages back to it). The destination server pushes any pending messages back to the source server. If you select this option, you must specify whether the source server issues the pull request using Notes routing or SMTP.
Pull Only: Select this option if the destination server is used for inbound mail only. The source server calls the destination server and issues a pull request (a request for the other server to push back messages). The destination server pushes any pending messages to the source server. You'll need to create a separate Connection document to the server used for outbound mail.
6. On the Routing and Replication tab, complete these fields, and then click Save & Close:
Field | Description
Pull routing request protocol | Choose one:
Request the following when issuing a pull request
Field | Description
Pull router timeout | The number of seconds that the calling server waits for the answering server to respond to a pull request before disconnecting. The default is 30 seconds.
Chapter 28
Customizing the Domino Mail System
This chapter explains how to customize messaging for your Domino
system after you set up mail routing.
Customizing mail
After you set up basic mail routing, you can customize the Domino
messaging system to improve performance and meet the specific needs
of your organization. For example, you can set inbound messaging
restrictions to prevent unwanted commercial e-mail (UCE) from entering
your system; implement restrictions on message size to conserve network
bandwidth; enforce database quotas to ensure that users promptly delete
old messages; set system mail rules to automatically process messages
that meet certain criteria; and enforce security policies by encrypting
messages delivered to user mail files and restricting message transfer to
the Internet.
Before you customize your messaging system, you must:
1. Make sure that your mail system is properly set up.
2. Evaluate your customizing options and decide which you want to
implement.
Controlling messaging
After you set up basic mail routing, use Domino's administrative controls to customize the messaging system to your environment. Using the Domino Administrator and other tools you can change settings that affect routing performance, protect the system from unauthorized use, schedule message transfer, and ensure efficient use of network bandwidth and storage space.
Some of the settings you change apply to all of the messages that the server processes, regardless of whether a message is sent or received using Notes routing or SMTP routing; other settings are specific to a particular routing protocol.
Create a mail file and Person document for every user in the Domino mail system.
For more detailed information on setting up mail routing, see the chapter "Setting Up Mail Routing."
You specify the number of MAIL.BOX databases on the Router/SMTP - Basics tab of the Configuration Settings document. Changes to the mailbox count take effect only after the next server restart.
After you configure a second MAIL.BOX database, you can use mail statistics to determine whether additional MAIL.BOX databases are needed.
For more information, see the topic "Determining how many MAIL.BOX databases to place on a server" later in this chapter.
To create multiple MAIL.BOX databases
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab, and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Basics tab.
6. Complete this field and then click Save & Close:
Field: Number of mailboxes
Enter: The number of MAIL.BOX databases the server uses.
7. Changes to the number of mailboxes take effect after the next server
restart.
Especially busy servers may benefit from more than two MAIL.BOX
databases. Use mailbox statistics to determine whether additional
MAIL.BOX databases are indicated. As seen in the following table,
separate statistics provide information on the number of access conflicts
and the number of total mailbox accesses.
Statistic name: Mail.Mailbox.Accesses
Description: Total number of accesses to the server's MAIL.BOX databases.
Statistic name: Mail.Mailbox.AccessConflicts
Description: Number of those accesses that found a MAIL.BOX database
already in use by another process.
Field: Logging level
Enter: Choose one:
Minimal: Domino logs all mandatory status messages and fatal error
messages.
Normal (default): Domino logs all minimal events, plus warning messages
indicating conditions that do not cause processing to stop.
Informational: Domino logs all minimal and normal events, plus
informational messages involving intermediate storage, MAIL.BOX access,
message handling, message conversion, and transport status.
Verbose: Domino logs all minimal, normal, and informational events, plus
additional messages that may help you troubleshoot system problems.
To prevent the log file from becoming excessively large, use Verbose
logging only when troubleshooting specific problems.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
6. Complete these fields in the Delivery Controls section, and then click
Save & Close:
Field: Encrypt all delivered mail
Enter: Choose one:
Enabled: When delivering messages to local mail files, Domino encrypts
the messages, regardless of whether the sender encrypted the message or
the recipient's mail file encrypts messages.
Disabled (default): Domino encrypts messages only if the recipient's
mail file is set to encrypt received messages.
When encryption is enabled and an external user requests a return
receipt for a message sent to a user whose mail file is on the server,
the return receipt message that Domino generates contains a blank
message body.
The Delivery Controls section also contains the Pre-delivery agents and
Pre-delivery agent timeout fields.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
Along with the methods the Router uses to enforce quotas, the Notes
client also displays a warning to any user who has exceeded their
designated warning threshold or quota whenever the user attempts to
send mail.
Field: Method for enforcing quotas
Enter: Choose one:
Check space used in file when adding a note: The Router calculates the
current size of a mail file from the space its contents actually
occupy, so a message that is small enough to fit within white space
already in the database can still be delivered.
Check file size when adding a note: The Router calculates the current
size of a mail file from its actual file size. Both the space occupied
by messages and white space in the database count toward the total size.
This option is more restrictive than the preceding option, because the
Router checks the quota every time it adds a message to the mail file,
regardless of whether this results in an increase in file size.
On servers that do not use transaction logging, when quota enforcement
is enabled, select this option to eliminate inconsistent behavior during
delivery to the mail files of users who exceed their quotas. Because the
Router always checks the current file size when delivering a message,
after a mail file reaches quota, no new messages are delivered, even if
a particular message is small enough to fit within the available white
space in the mail file.
On servers where transaction logging is enabled, selecting this option
can prevent a user from recovering from a quota violation, since
compacting the mail file does not reduce its size, preventing the user
from getting back under quota. An administrator must run Compact with
the -B option to reduce the size of the file.
Customizing the Domino Mail System 28-13
A quota warning or over quota report contains these message fields:
Notification type, Message headers, Message size, and Current quota
settings.
For information on adding custom text to over quota and quota warning
reports, see the topic Customizing the text of mail failure messages
later in this chapter.
Users who exceed the quota for their mail file receive over quota
warnings only. If the Router is configured to send over threshold
warnings, it stops sending them to users who exceed their quota.
Message tracking is not enforced or supported for either type of warning
notification.
If Domino rejects an inbound message as the result of a quota violation, it
returns a failure message stating the reason for the failure to the sender.
Per Message Users whose mail files exceed the size limit receive a
warning notification every time MAIL.BOX receives a new message
for them.
Per time interval Users whose mail files exceed the size limit
receive a warning message at the specified interval until they reduce
the size of their mail file. If you select this option, an additional field
appears where you can specify the interval in minutes, hours, or days.
You can also specify the maximum size of messages that the Router will
hold. If a message is larger than the configured size, it is returned to the
sender as undeliverable, rather than held.
Restrictions do not apply to sent messages
Router enforcement of mail file quotas is limited to withholding new
mail from users who exceed their quotas. The Router continues to accept
outgoing mail from users whose mail files are full. However, these users
are not able to save any messages to mail files on the server.
When a user who exceeds the configured warning threshold or quota
sends a message from a Notes client, the client displays a warning, but
the user can still send the message.
Setting quota controls for the Router
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Delivery
Controls tab.
6. In the Quota Controls section, complete these fields:
performance. To help ensure service quality, you can limit the number of
pending messages.
Field: Over quota notification
Enter: Specifies how often the Router delivers notifications to users
who exceed their quota. Choose one:
None: The Router does not deliver notifications when mail files grow
larger than the specified warning threshold.
Per Message: The Router delivers a notification for every message it
delivers after the mail file exceeds the specified quota.
Per time interval: Send notifications at the specified interval until
the user deletes or archives enough messages to bring the size of the
mail file below the specified quota. When this option is selected, an
additional field appears where you can specify an interval measured in
minutes, hours, or days.
Field: Warning interval
Enter: The interval between notifications when Per time interval is
selected, with its unit (minutes, hours, or days).
Field: Error interval
Field: Over quota enforcement
Enter: Specifies the action the Router takes when receiving new mail for
a user whose mail file is larger than the specified quota. Choose one:
Deliver anyway (don't obey quotas) (default): The Router continues to
deliver mail to a mail file that is over quota.
Non Deliver to originator: The Router stops delivering new messages to
the mail file and returns a nondelivery message to the sender reporting
that the message could not be delivered because the intended
recipient's mail file was full.
Hold mail and Retry: The Router stops delivering new messages to the
mail file and temporarily holds incoming messages in MAIL.BOX until
space is available in the mail file. After a configured interval, the
Router tries to deliver the message. If the user has sufficiently
reduced the size of the mail database by the next scheduled delivery
attempt, the mail is delivered. Messages that cannot be delivered before
the configured expiration time (default = 1 day) are returned to the
sender as undeliverable. If you choose this option, the document
displays additional fields where you can specify how the server handles
held messages.
To prevent an excessive number of messages from accumulating in
MAIL.BOX when this option is selected, it's best to have Domino
calculate database size based on usage, rather than file size.
28-18 Administering the Domino System, Volume 1
Field: Maximum message size to hold
Enter: The largest message the Router holds for an over quota mail file.
A larger message is returned to the sender as undeliverable rather than
held.
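The following is an added example, not code from this manual or from Domino: a Python model of the quota decisions described above (the size calculation method, the warning threshold, the three over quota enforcement options, the hold expiration and the maximum message size to hold). MailFile, Router, the "file size" and "space used" method strings and the KB/minute units are this example's own assumptions; the enforcement labels are the ones in the Configuration Settings document.

```python
# Added example (not Domino code): a model of the Router's quota checks.
# Sizes are in KB and time in minutes; MailFile, Router and the method
# strings are this example's names, the enforcement labels are the
# Configuration Settings document's.
from dataclasses import dataclass, field


@dataclass
class MailFile:
    """Constructed stand-in for a user's mail file."""
    owner: str
    quota: int               # the mail file's size limit
    warning_threshold: int   # warnings start above this size
    used: int = 0            # space occupied by messages
    white_space: int = 0     # unused space inside the database

    @property
    def file_size(self) -> int:
        return self.used + self.white_space

    def size_for_quota(self, method: str) -> int:
        # "file size": white space counts.  "space used": only occupied space counts.
        if method == "file size":
            return self.file_size
        if method == "space used":
            return self.used
        raise ValueError(f"unknown method {method!r}")

    def add(self, size: int) -> None:
        # A new message first fills white space; only the remainder grows the file.
        self.white_space -= min(size, self.white_space)
        self.used += size


@dataclass
class Router:
    method: str = "space used"
    enforcement: str = "Deliver anyway"   # or "Non Deliver to originator", "Hold mail and Retry"
    hold_expiry: int = 24 * 60            # minutes a held message waits (default 1 day)
    max_hold_size: int = 1024             # "Maximum message size to hold"
    held: list = field(default_factory=list)

    def deliver(self, mbox: MailFile, size: int, now: int) -> str:
        """Decide what happens to a `size` KB message addressed to `mbox`."""
        current = mbox.size_for_quota(self.method)
        warn = current > mbox.warning_threshold
        if current <= mbox.quota or self.enforcement == "Deliver anyway":
            mbox.add(size)
            return "delivered (warning)" if warn else "delivered"
        if self.enforcement == "Non Deliver to originator":
            return "non-delivery report: recipient's mail file is full"
        if self.enforcement == "Hold mail and Retry":
            if size > self.max_hold_size:
                return "non-delivery report: message too large to hold"
            self.held.append((mbox, size, now + self.hold_expiry))
            return "held in MAIL.BOX"
        raise ValueError(f"unknown enforcement {self.enforcement!r}")

    def retry_held(self, now: int) -> list:
        """Retry held messages; expired ones are returned to the sender."""
        outcomes, still_held = [], []
        for mbox, size, expires in self.held:
            if now >= expires:
                outcomes.append("expired: returned to sender")
            elif mbox.size_for_quota(self.method) <= mbox.quota:
                mbox.add(size)
                outcomes.append("delivered on retry")
            else:
                still_held.append((mbox, size, expires))
                outcomes.append("still held")
        self.held = still_held
        return outcomes


def demo() -> dict:
    """The white-space case from the text: 900 KB of messages plus 200 KB of
    white space against a 1000 KB quota, with a 50 KB message arriving."""
    results = {}
    for method in ("file size", "space used"):
        mbox = MailFile("jane", quota=1000, warning_threshold=800, used=900, white_space=200)
        router = Router(method=method, enforcement="Non Deliver to originator")
        results[method] = router.deliver(mbox, 50, now=0)
    return results


if __name__ == "__main__":
    for method, outcome in demo().items():
        print(f"{method}: {outcome}")
```

demo() shows the point the text makes about white space: with the file size method the 50 KB message is refused although it would fit in the 200 KB of white space, while the space used method delivers it (with a warning, since 900 KB is above the threshold). Router.retry_held() is the Hold mail and Retry path, including expiration.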
Domino stores the mail rules you create in the Configuration Settings
document. On startup, each server retrieves its rules from the
appropriate Configuration Settings document and registers them as
monitors on each MAIL.BOX database in use.
Whenever MAIL.BOX receives a new message from any source (the SMTP
process, the Router on another server, or a client depositing a
message), the server evaluates the various message fields against the
registered mail rules. Each message is evaluated only once. Additional
updates occurring after a message is added to MAIL.BOX, such as updates
to reflect the number of recipients handled, do not cause reevaluation
of the rules.
Prioritizing mail rules
When multiple mail rules are enabled, you can set their relative priority
by moving them up and down in the list.
Putting new rules into effect
The Configuration Settings document displays new mail rules only if the
document has been previously saved. Before adding rules to a new
Configuration Settings document, save and close the document. Reopen
the document to begin adding rules.
When you add a new rule, it takes effect only after the server reloads the
mail rules. A reload is automatically triggered if the Server task detects a
rule change when performing its routine check of the Configuration
Settings document. This check occurs approximately every five minutes.
You can force the server to reload rules, using a console command.
Enter the following command at the server console:
set rules
Mail rules are not intended to serve as an anti-virus solution and should
not be considered a replacement for anti-virus software. Although you
can configure rules to quarantine messages with known virus
attachments, the available rule actions do not include typical anti-virus
features such as generating warnings upon detecting a virus or
automatically disinfecting files.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured. If you attempt to add a new rule before
saving a new document, you are prompted to save the configuration
before proceeding.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Rules tab.
6. Click New Rule.
7. In the Specify Conditions section of the New Rule dialog box, set the
criteria the server uses to determine whether to apply a rule to a
given message. A rule condition consists of three components: the
message item to examine, a logical operator or qualifier, and the
value to check in the message item.
Action name: Move to database
Message types (forms) that a rule condition can match: Appointment,
Delivery Report, Memo, NonDelivery Report, Notice, Reply, Return
Receipt, Trace Report.
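An added example, not part of this manual or of Domino: a Python model of the rule evaluation described above, covering priority order, a single evaluation per message, and no re-evaluation when the message is later updated. The Rule and MailBoxMonitor names, the condition operators, the constructed sample rules and messages, and every action name except Move to database are this example's assumptions.

```python
# Added example (not Domino code): a model of mail rule evaluation on a
# MAIL.BOX deposit.  Rule, MailBoxMonitor, the operators and the actions
# other than "Move to database" are this example's assumptions.
from dataclasses import dataclass

# Actions that end processing for the message (assumed names).
TERMINAL_ACTIONS = {"Don't accept message", "Don't deliver message"}


@dataclass
class Rule:
    item: str          # message item to examine
    operator: str      # logical operator or qualifier
    value: str         # value to check in the message item
    action: str        # action name
    target: str = ""   # e.g. the database for "Move to database"
    enabled: bool = True


def condition_holds(rule: Rule, message: dict) -> bool:
    """Apply one condition; list-valued items (attachment names) match if any value does."""
    actual = message.get(rule.item, "")
    values = actual if isinstance(actual, list) else [actual]
    if rule.operator == "contains":
        return any(rule.value.lower() in str(v).lower() for v in values)
    if rule.operator == "is":
        return any(str(v).lower() == rule.value.lower() for v in values)
    if rule.operator == "is greater than":
        return any(int(v) > int(rule.value) for v in values if str(v).isdigit())
    raise ValueError(f"unsupported operator {rule.operator!r}")


class MailBoxMonitor:
    """Registered against a MAIL.BOX; evaluates each message exactly once."""

    def __init__(self, rules):
        # The order of the list is the rules' relative priority.
        self.rules = [r for r in rules if r.enabled]
        self.seen = set()

    def evaluate(self, message: dict):
        """Return the actions applied, in priority order, or None when the
        message was already evaluated (as for later updates to it)."""
        msg_id = message["id"]
        if msg_id in self.seen:
            return None
        self.seen.add(msg_id)
        actions = []
        for rule in self.rules:
            if condition_holds(rule, message):
                actions.append((rule.action, rule.target))
                if rule.action in TERMINAL_ACTIONS:
                    break
        return actions


# Constructed rules: quarantine executable attachments (the limited
# anti-virus-like use the text describes), reject tagged spam, journal large mail.
RULES = [
    Rule("attachment name", "contains", ".exe", "Move to database", "quarantine.nsf"),
    Rule("subject", "contains", "[spam]", "Don't accept message"),
    Rule("size", "is greater than", "5000", "Journal this message", "mailjrn.nsf"),
]

# Constructed sample messages as MAIL.BOX would see them.
MESSAGES = [
    {"id": "m1", "from": "a@example.net", "subject": "Invoice", "size": "120",
     "attachment name": ["invoice.EXE"]},
    {"id": "m2", "from": "b@example.net", "subject": "[SPAM] cheap deals", "size": "9000"},
    {"id": "m3", "from": "c@example.net", "subject": "Hi", "size": "300"},
]


def run_demo() -> dict:
    monitor = MailBoxMonitor(RULES)
    outcome = {m["id"]: monitor.evaluate(m) for m in MESSAGES}
    # A post-deposit update (recipient count) of m2 must not trigger re-evaluation.
    updated = dict(MESSAGES[1], recipients_handled=1)
    outcome["m2-update"] = monitor.evaluate(updated)
    return outcome


if __name__ == "__main__":
    for msg_id, actions in run_demo().items():
        print(msg_id, actions)
```

Note that the attachment rule only matches on the file name, which is why the text says mail rules are not an anti-virus solution: renaming the attachment defeats it.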
Set transfer limits, for example, the number of transfer threads and
the retry interval.
Message priority values: High, Normal, Low.
Field: Maximum message size
Enter: The largest message the Router accepts. Domino rejects a larger
message and generates a size failure message. Total message size is
equal to the sum of the message text and the size of all attachments.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
You can change the default hours for routing low-priority mail.
For more information, see the topic Setting transfer limits later
in this chapter.
You can customize the text of delivery failure messages.
For more information, see the topics Customizing the text of mail
failure messages later in this chapter and Routing mail by
priority earlier in this chapter.
On Domino SMTP servers you can use the ESMTP SIZE extension
to prevent inbound transfer of messages that exceed the specified
maximum message size. You can also use the outbound ESMTP
SIZE extension to configure Domino to honor size restrictions on a
target server when transferring outbound SMTP mail.
For information on setting the inbound and outbound SIZE
extensions, see the topics Supporting inbound SMTP extensions
and Supporting outbound SMTP extensions later in this chapter.
If a Notes client user sets the Delivery Reports option to None in the
Delivery Options dialog box.
path. Servers at successive hops can each send a delay report if delay
notifications are enabled and they each receive the message before their
configured low-priority routing time and buffer time.
Field: Maximum transfer threads
Field: Maximum concurrent transfer threads
Field: Maximum hop count
In the event that mail files on certain servers become unreachable for an
extended period, consider increasing the default time-out value on other
servers. A higher time-out value decreases the likelihood of important
mail being returned because of transfer and delivery failures.
On the Internet, the time-out value for message transfer is typically five
days; that is, if the next hop server is unreachable, the connecting server
continues to retry transfer for five days before giving up and generating
a delivery failure report.
Increasing the time-out value to n days may result in senders receiving a
delivery failure report for undeliverable mail n days after the message
was sent.
Because each successive retry consumes server resources, a high volume
of undeliverable mail can place a significant extra load on the server. If
you notice an increase in the amount of pending mail in MAIL.BOX,
examine messages to determine the validity of their origins and
destinations. If a large portion of pending messages are addressed to
nonexistent users or originate from known or possible spam mailers,
consider resetting the time-out interval to a lower value. Using a lower
time-out value reduces the time before the server marks a message as
undeliverable, thereby decreasing the number of retries.
For information about managing undeliverable mail, see the topic
Managing undeliverable mail in MAIL.BOX later in this chapter.
For information about methods for rejecting unwanted mail before
servers accept it, see the topic Restricting SMTP inbound routing later
in this chapter.
For information about using mail rules to process mail automatically, see
the topic Setting server mail rules earlier in this chapter.
To set the message time-out value
1. From the Domino Administrator, open the Domino Directory and
click the Configuration tab.
2. To edit an existing Configuration Settings document, highlight and
click Edit Configuration. To create a new Configuration settings
document, highlight the server for which the Configuration Settings
document will apply, then click Add Configuration.
3. Click the NOTES.INI Settings tab.
4. Click Set/Modify Parameters.
5. In the Item field, enter:
MailTimeout
6. In the Value field, enter the number of days after which Domino
returns undeliverable mail to the sender, click Add, and then click
OK.
Note To specify a time-out period shorter than one day, specify the
variable MailTimeoutMinutes in the Item field in Step 5, and specify
a time-out period, in minutes, in Step 6.
7. Click Save & Close.
Field: Ignore message priority
Enter: Choose one:
Enabled: The Router sends all messages as Normal priority.
Disabled (default): The Router honors message priority settings
assigned by the sender or another server process.
Do not enable this setting if you restricted Domino to routing
messages of a specified size as low priority and want to confine
routing of large messages to the specified low priority routing time.
Field: Dynamic cost reset interval
Field: Restrict name lookups to primary directory only
Enter: Choose one:
Enabled: Users can look up names and groups only in the Domino
Directory for the server's Domino domain. Users cannot look up names
and groups in other directories that are available through Directory
Assistance.
Disabled (default): Users can look up names and groups in any
directories available from the server.
Field: Cluster failover
Enter: Choose one:
Disabled: If a recipient's server is unavailable, the Router does not
automatically route mail through a clustered server.
Enabled for last hop only (default): When the Router detects that a
recipient's mail server (the last hop in the routing path) is
unavailable, it attempts to locate a clustered server and transfer the
message to that server. For example, Server1 routes a message
addressed to Jane Doe, whose mail file is on Server3. Server1 fails to
connect to Server3, which is unavailable. Server1 checks the Domino
Directory to see if there are any servers clustered with Server3.
Server2 is clustered with Server3, so the Router on Server1 attempts to
connect to Server2. If the connection is successful, the Router
transfers the message to Server2.
Enabled for all transfers in this domain: When the Router detects that
a server for any hop in the routing path is unavailable, it attempts to
locate a server clustered with that hop server. If the Router can find
another clustered server, it transfers the message to that server. For
example, if the Router on Server1 attempts to transfer to HubA but HubA
is unavailable, the Router checks the Domino Directory to see if there
are any servers clustered with HubA. Because HubB is clustered with
HubA, the Router attempts to connect to HubB. If the connection is
successful, the Router transfers the message from Server1 to HubB,
which continues routing the message.
Field: Hold undeliverable mail
4. Select the held or dead messages to release and click the Release
button. Choose one of the following release options:
Resend selected dead messages to originally intended recipients
Return Non Delivery Report to sender of all selected dead messages
Resend selected held messages
Resend selected held messages for a final time
Text file
Text
Enter
Transfer
failure
Delivery
failure
Message
expiration
Domain
failure
Server
failure
Field
Enter
Username
failure
Size failure Size failures occur when Domino rejects a message because its
size is greater than the maximum message size (which you
can specify in the Maximum message size field on the
Restrictions and Controls - Restrictions tab of the Server
Configuration document) and generates a size failure
message.
If you specified Text in Step 6, enter text to add to the default
message for size failures; otherwise, specify the path to a file
containing the text for example,
C:\DOMINO\DATA\SIZE.TXT.
Restriction
failure
Field
Enter
Field: Schedule
Enter: Choose one:
Enabled: to use this schedule to control connections between the
specified servers.
Disabled: to cause the server to ignore the schedule.
Field: Call at times
Field: Days of week
Enter: The days of the week when the server should use this schedule
and route mail. The default is to use this connection for each day of
the week.
8. Complete these fields in the Routing section, and then click Save &
Close:
Field: Routing task
Field: Route at once
Field: Routing cost
Field: Router type
9. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
For more information on Router types, see the chapter Setting Up Mail
Routing.
Schedule: Enabled
Call at times: 12:00 AM - 12:00 PM
Repeat interval: Blank
Days of week
Route at once if: 1 message pending
The routing tables reside in memory and are dynamic. When you restart
the server or modify a Connection, Server, Configuration Settings, or
Domain document, the Router rebuilds the routing tables.
To override the default routing cost
You can override the default setting for the routing cost for a connection.
You can change this setting only for connections between servers in
different Notes named networks. Change the default routing cost for a
connection only if you are an experienced Domino administrator.
Improperly changing routing costs can create routing loops and disable
the Router's selection of an alternate route.
1. Make sure that you have already created the necessary Connection
documents.
For more information on Connection documents, see the chapter
Setting Up Server-to-Server Connections.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Connections.
4. Select the Connection document for the server connection you want
to configure, and click Edit Connection.
5. Click the Replication/Routing tab.
6. In the Routing cost field, enter the new routing cost for the
connection.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
Field: Allow mail only from domains
Field: Deny mail only from the following organizations and
organizational units
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
Note If you specify the same entry in an Allow field and a Deny
field so there is a conflict between the two fields, Domino denies
messages for that entry. The Deny setting takes precedence for
security reasons. Avoid placing the same entry in both the Allow and
Deny fields for the same setting.
Restart the SMTP service
1. Click the Server - Status tab and select the Server Tasks view.
2. Select SMTP Server from the list of tasks.
3. Click Tools - Task - Restart, and then click Yes.
Or enter at the server console:
Restart Task SMTP
Stop the SMTP service
Enter at the server console:
Tell SMTP quit
Start the SMTP service
Enter at the server console:
Load SMTP
Note The SMTP Server task is represented in the server task list by
three related subtasks. The status of all three tasks changes when you
change the status of any one of them.
As an alternative to restarting the SMTP service to incorporate
configuration updates, you can use a console command to refresh SMTP
service parameters.
For information on using a console command to refresh the SMTP
configuration, see the chapter Setting Up Mail Routing.
For information on creating and using Internet Site documents, see the
chapter Installing and Setting Up Domino Servers.
Changing the default port number
By default, after you enable the SMTP task, it listens for client
connections on TCP/IP port 25 on the Domino server. The default SMTP
SSL port is port 465. In some cases, for example, on partitioned
servers, you might need to specify a port number other than the default
to avoid conflicts. You might also change the default port to a
nonstandard port number to hide it from clients attempting to connect to
the default port (a port scan still finds it) or if another application
uses the default port on the server.
Disabling the SMTP inbound TCP/IP port or SSL port prevents other
servers from accessing the SMTP Listener on that port.
Note On servers with multiple TCP/IP ports, by default, the SMTP
service uses the port listed first in the NOTES.INI file as the preferred
path. You can configure the service to use a different port.
For information on configuring the SMTP service on a server with
multiple TCP/IP ports to use a specific TCP/IP port, see the chapter
Setting Up the Domino Network.
Changing the default SMTP greeting
You can modify the default reply that the SMTP service sends in
response to a connecting host. By default, the Domino SMTP server
reveals its host name and software version to connecting clients. For
security reasons, you can change the default greeting so that the server
Settings in the Server document still provide the port numbers and status
for the SMTP TCP/IP and SSL ports, and enable the SMTP ports to honor
server access restrictions.
Field: TCP/IP port number
Enter: The port on which the SMTP service listens for TCP/IP
connections (the default is 25).
Field: TCP/IP port status
Enter: Choose one:
Enabled (default): SMTP clients can connect to the Domino SMTP service
using the designated TCP/IP port. Depending on the authentication
options you choose, users may have to supply a user name and Internet
password to connect.
Disabled: SMTP clients cannot connect to the Domino SMTP service using
the TCP/IP port.
Field: Enforce server access settings
Enter: Choose one:
Yes: Access to the SMTP listener is controlled by the server access
settings on the Security tab of the Server document. Users and servers
that are not allowed to access the server cannot send mail to the SMTP
port. For this option to be effective you must enable authentication
for the port.
No (default): The SMTP listener ignores the server access settings in
the Server document. Users and servers can send mail to the SMTP port,
even if they are denied other access to the server.
Field: Authentication options: Name & password
Enter: Choose one:
Yes: Sets the ESMTP AUTH extension for the TCP/IP port. Domino
advertises AUTH=LOGIN to connecting SMTP clients. Clients must supply a
user name and Internet password to connect to the SMTP service over the
TCP/IP port and transfer mail. The LOGIN mechanism sends the user name
and Internet password base64-encoded, not encrypted, so without
STARTTLS or the SSL port they cross the network in a recoverable form.
Remote SMTP servers that do not support the AUTH extension cannot
connect to the SMTP service over this port. When Name and password
authentication is enabled, you can specify whether authenticated POP3
and IMAP users sending mail to the SMTP port are subject to anti-relay
enforcement.
No (default): Domino does not support name-and-password authentication
over the TCP/IP port. If you choose No, you must enable Anonymous
connections to allow SMTP connections to this port.
On servers supporting negotiated SSL on the inbound TCP/IP port
(STARTTLS), the setting in the SSL Name & password field, not the
setting in the TCP/IP Name & password field, determines whether the
server accepts SMTP AUTH commands for SSL-over-TCP/IP sessions. For
information about enabling support for STARTTLS, see the topic
Supporting inbound SMTP extensions later in this chapter.
Field: Authentication options: Anonymous
Note If you enable the TCP port, at least one authentication option
must be set to Yes to save the document.
Note To support inbound SMTP connections, the server must have
at least one SMTP port enabled and be running the SMTP task.
4. Restart the SMTP task to put the new settings into effect.
As an alternative to restarting the SMTP service to incorporate
configuration updates, you can use a console command to refresh
SMTP service parameters.
For information on using a console command to refresh the SMTP
configuration, see the chapter Setting Up Mail Routing.
If you change the default SMTP port, inbound SMTP connections fail if
the connecting host is not configured to use the new port. See the topic
Ensuring that SMTP clients can connect to a nonstandard port earlier
in this chapter for information about configuring Domino servers to
connect to nonstandard SMTP ports.
To change inbound SMTP SSL port settings
1. Familiarize yourself with the Domino security model.
2. To secure SMTP sessions using SSL, set up SSL on the Domino
server.
3. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the SMTP
service.
4. Click the Ports - Internet Ports - Mail tab.
5. In the Mail (SMTP Inbound) column, complete these fields, and then
click Save & Close:
Field: SSL port status
Enter: Choose one:
Enabled: SMTP clients can connect to the Domino SMTP service using the
designated SSL port.
Disabled (default): SMTP clients cannot connect to the Domino SMTP
service using the designated SSL port.
Field: Authentication options: Name & password
Enter: Choose one:
Yes: Enables the SSL port to support the SMTP AUTH command. POP3 and
IMAP clients, and remote SMTP servers that send AUTH, must supply a
name and password to connect to the SMTP service over the SSL port and
transfer mail. To allow remote SMTP servers that do not send the SMTP
AUTH command to connect to the SMTP service over this port, set
Anonymous authentication to Yes.
No (default): Domino does not support name and password authentication
for hosts connecting to the SMTP service over the SSL port. If a
connecting host sends AUTH, Domino rejects the command and returns an
error indicating that the command is not implemented. If you choose No,
you must set Anonymous authentication to Yes to allow SMTP connections
to this port.
On servers supporting negotiated SSL on the inbound TCP/IP port
(STARTTLS), the setting in the SSL Name & password field, not the
setting in the TCP/IP Name & password field, determines whether the
server accepts SMTP AUTH commands for SSL-over-TCP/IP sessions.
Field: Authentication options: Anonymous
6. Restart the SMTP task to put the new settings into effect.
As an alternative to restarting the SMTP service to incorporate
configuration updates, you can use a console command to refresh
SMTP service parameters.
For information on using a console command to refresh the SMTP
configuration, see the chapter Setting Up Mail Routing.
If you change the default SSL port, inbound SMTP SSL connections fail
unless the connecting host is configured to use the new port.
For information about configuring Domino servers to connect to
nonstandard SMTP ports, see the topic Ensuring that SMTP clients can
connect to a nonstandard port earlier in this chapter.
For information about enabling support for STARTTLS, see the topic
Securing SMTP sessions using the STARTTLS command later in this
chapter.
Field: TCP/IP port number
Enter: The number of the TCP/IP port on the remote server to which
Domino attempts to connect when initiating an SMTP session. The default
and industry standard port for SMTP connections over TCP/IP is 25.
Specify a nonstandard port only if this Domino server makes all of its
outbound SMTP connections over TCP/IP to a server that uses the
nonstandard port.
Field: TCP/IP port status
Enter: Choose one:
Enabled: The Domino SMTP Router connects to the designated TCP/IP port
number on a remote server to initiate an SMTP session. If the SSL port
status is also set to Enabled, the Router attempts to use the SSL port
first and uses the TCP/IP port only if it cannot connect to the SSL
port.
Disabled (default): The Domino SMTP Router cannot initiate an SMTP
session using the TCP/IP port on a remote server.
Negotiated SSL: The Domino SMTP Router connects to the designated
TCP/IP port on a remote server to initiate an SMTP session. If the
remote server advertises STARTTLS during the EHLO greeting, Domino
issues a STARTTLS command to request that the remainder of the session
be encrypted using SSL. If the remote server does not support STARTTLS,
an unencrypted TCP/IP session ensues. Because this fallback is silent,
anyone who can alter the EHLO reply in transit can keep the session
unencrypted; where transfer must be encrypted, use the SSL port with the
TCP/IP port disabled.
Field: SSL port number
Field: SSL port status
Enter: Choose one:
Enabled: The Domino SMTP Router connects to the designated SSL port
number on a remote server to initiate an SMTP session. If the Router
cannot connect to the SSL port and the TCP/IP port is also enabled on
both the Domino server and the remote server, Domino makes a second
attempt to connect, using the designated TCP/IP port.
Disabled (default): The Domino SMTP Router cannot initiate SMTP
sessions over the SSL port of a remote server.
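An added example, not part of this manual or of Domino: Python that parses a remote server's EHLO reply and applies the outbound TCP/IP port status and the remote SIZE limit described in this chapter, plus a check of the 220 greeting for the product and version disclosure discussed under Changing the default SMTP greeting. SAMPLE_GREETING and SAMPLE_EHLO are constructed; parse_ehlo, plan_session, greeting_discloses_software and probe are this example's own names.

```python
# Added example (not Domino code): reading a remote server's greeting and
# EHLO reply to see what the "Negotiated SSL" and SIZE settings act on.
# The sample greeting and reply are constructed.
import re
import socket

SAMPLE_GREETING = "220 mail.example.com ESMTP Service (Lotus Domino Release 6.0) ready"
SAMPLE_EHLO = (
    "250-mail.example.com Hello probe.example\n"
    "250-SIZE 10485760\n"
    "250-STARTTLS\n"
    "250-AUTH LOGIN\n"
    "250 HELP"
)


def parse_ehlo(reply: str) -> dict:
    """Map each advertised ESMTP keyword to its parameters.  '250-' lines
    continue the reply, '250 ' ends it; the first line carries the host name."""
    extensions = {}
    for index, line in enumerate(reply.strip().splitlines()):
        code, separator, text = line[:3], line[3:4], line[4:]
        if code != "250" or separator not in ("-", " "):
            raise ValueError(f"not a 250 reply line: {line!r}")
        if index > 0 and text:
            keyword, *params = text.split()
            extensions[keyword.upper()] = params
        if separator == " ":
            break
    return extensions


def plan_session(port_status: str, extensions: dict, message_size: int) -> tuple:
    """Decide the transport and whether the message may be sent, following
    the outbound 'TCP/IP port status' setting.  Returns (transport, ok, reason)."""
    if port_status == "Disabled":
        return "none", False, "TCP/IP port disabled"
    if port_status == "Enabled":
        transport = "plaintext"
    elif port_status == "Negotiated SSL":
        # Opportunistic: STARTTLS only if advertised, otherwise clear text.
        transport = "STARTTLS" if "STARTTLS" in extensions else "plaintext"
    else:
        raise ValueError(f"unknown port status {port_status!r}")
    size = extensions.get("SIZE", [])
    if size and size[0].isdigit() and message_size > int(size[0]):
        return transport, False, f"message exceeds the remote SIZE limit of {size[0]} bytes"
    return transport, True, "ok"


def greeting_discloses_software(greeting: str) -> bool:
    """True when the 220 greeting names the product or a release."""
    return re.search(r"\b(domino|lotus|release|version)\b", greeting, re.I) is not None


def probe(host: str, port: int = 25, timeout: float = 10.0) -> tuple:
    """Live check against a real server: return (greeting, ehlo_reply)."""
    def read_reply(reader) -> str:
        lines = []
        while True:
            line = reader.readline()
            if not line:
                raise ConnectionError("server closed the connection")
            lines.append(line.rstrip("\r\n"))
            if len(line) > 3 and line[3] == " ":
                return "\n".join(lines)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        greeting = read_reply(reader)
        sock.sendall(b"EHLO probe.example\r\n")
        ehlo_reply = read_reply(reader)
        sock.sendall(b"QUIT\r\n")
    return greeting, ehlo_reply


if __name__ == "__main__":
    ext = parse_ehlo(SAMPLE_EHLO)
    print(plan_session("Negotiated SSL", ext, 4096))
    print(greeting_discloses_software(SAMPLE_GREETING))
```

probe() is the only part that touches the network; run it against your own server after changing the greeting or port settings and pass its results to the two checks. With Negotiated SSL, plan_session() falls back to clear text whenever STARTTLS is missing from the reply, which is exactly what an attacker who can rewrite the EHLO reply in transit will arrange.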
Verify and restrict who can send inbound Internet mail to your users
By host name or IP address, the remote hosts from which the server
allows and denies connections
fields, the SMTP task performs a second check, querying DNS to obtain
the host name for the given address. If the query is successful, Domino
compares the name obtained against the host names in the Allow and Deny
fields.
If you create a separate Configuration Settings document for your
internal SMTP servers, you can use the inbound connection controls to
ensure that these internal servers accept SMTP connections from specific
SMTP hosts only. For example, configure servers to allow SMTP
connections only from servers that receive mail from the Internet.
Restricting connections in this way prevents users with POP3 or IMAP
clients from sending mail through the server, helps you define valid
outbound routing paths, and limits the load on the server.
In addition to these inbound connection controls, Domino provides two
other means for blocking connections: DNS blacklist filters and access to
the SMTP Listener through Domino Extension Manager (EM) services.
DNS blacklist filters enable a server to check a host against one or more
blacklists during the SMTP conversation. If a connecting host matches an
entry in a blacklist, you can configure the server to reject the connection,
tag any received messages, or record the transaction in the Notes Log.
For more information on DNS blacklist filters, see the topic Enabling
DNS blacklist filters for SMTP connections later in this chapter.
Extension Manager (EM) services allow developers to access some
functions of the SMTP Listener task. The Extension Manager (EM) allows
an executable program library, such as a dynamic link library or shared
object library, to register a callback routine that will be called before,
after, or before and after Domino performs selected internal operations.
Using EM hooks in the SMTP Listener can extend current functionality
by providing:
Interception of messages
Field: Verify connecting host name in DNS
Choose one:
Enabled  Domino verifies the name of the connecting host by performing a
reverse DNS lookup: it checks DNS for a PTR record that maps the IP
address of the connecting host to a host name. If Domino cannot determine
the name of the remote host because DNS is not available or no PTR record
exists, it does not allow the host to transfer mail. Although Domino
accepts the initial connection, later in the SMTP transaction it returns
an error to the connecting host in response to the MAIL FROM command.
Internet SMTP hosts are not required to have PTR entries in DNS, so when
this field is enabled the SMTP task may reject connections from valid
SMTP hosts.
Disabled (default)  Domino does not check DNS to verify the name of the
connecting host.

Field: Allow connections only from the following SMTP Internet host
names/IP addresses

Field: Deny connections from the following SMTP Internet host names/IP
addresses
Note Be careful not to specify the same entry in an Allow field and a
Deny field because Domino will deny messages for that entry. The Deny
setting takes precedence for security reasons.
Restricting the total number of inbound SMTP sessions
By default, the SMTP service supports an unlimited number of inbound
sessions; that is, as many connections as the server's resources
physically permit. To restrict the number of concurrent SMTP sessions that
a server accepts, set SMTPMaxSessions=xxx in the server's NOTES.INI file,
where xxx is the maximum number of sessions allowed without any buffering.
When the specified number of inbound SMTP connections is reached, the
server refuses additional connections and returns the following error:
421 Server.domain.com SMTP service not available, closing
transmission channel
Open relays
An SMTP server that indiscriminately accepts mail from outside the local
Internet domain and attempts to dispatch it to another external
destination is known variously as a spam relay, third-party relay, or
open relay host (open relay, for short). Leaving a mail server open to use
by anonymous third parties is generally considered irresponsible, largely
because open relays are often the target of Internet mass-mailers who use
them to distribute unsolicited commercial e-mail (UCE), commonly
referred to as electronic junkmail or spam. Spam vendors use open relays
as waypoints between themselves and their target recipients, allowing
them to distribute vast quantities of mail anonymously.
When someone reads a spam message that has been relayed through one
of your SMTP servers, the message appears to originate in your Internet
domain. In other words, your organization seems to be linked with the
spam source.
Not only does relaying spam reflect badly on your organization, but
there are other more serious and costly implications. Relayed mail
consumes network bandwidth and server resources, reducing your
system's ability to handle legitimate mail. As mail backs up,
administrators and help desk personnel are faced with service
interruptions and the task of sorting out the backlog of undeliverable
messages. Failure to restrict access to an open relay could result in the
server being reported on Internet blacklists. Because SMTP hosts in many
organizations will not accept mail from blacklisted servers, if your
outbound mail server is blacklisted, your organization may be unable to
transfer mail to other Internet domains.
The originating hosts from which you allow and deny relays

Field: Allow messages to be sent only to the following external Internet
domains

Field: Deny messages to be sent to the following external Internet
domains
7. Reload the SMTP task, or update the SMTP configuration to put the
changes into effect.
You can use an asterisk (*) to indicate all domains. For example,
putting * in an Allow field allows all hosts in all domains to
perform that operation.
Wildcards may be used in place of an entire subnet address; for
example, [127.*.0.1]. Wildcards are not valid for representing
values in a range for example, the entry [123.234.45-*.0-255] is
not valid because the asterisk is used to represent the high-end
value of the range that begins with 45.
When entering multiple addresses, separate them with carriage
returns; after the document is saved, Domino automatically
reformats the list, inserting semicolons between the entries.
When entering an IP address, enclose it within square brackets; for
example, [127.0.0.1].
How Domino resolves conflicts between settings in the inbound
relay controls
When there is a conflict between the allowed and denied relay
destinations, and the allowed/denied relay sources, the entry in the
Allow field takes precedence. Thus, a host that you explicitly allow to
relay can always relay to any destination, including denied destinations.
Similarly, if you allow relays to a given domain, all hosts can relay to that
Note This differs from the behavior of Domino Release 5, where if you
denied relays to a destination domain, an allowed source host could not
relay to the denied domain, and a denied source could not relay to any
destination. You can revert to the Release 5 behavior by setting the
SMTPRelayAllowHostsandDomains variable in the NOTES.INI file.
For information on the NOTES.INI setting
SMTPRelayAllowHostsandDomains, which is required to make the
inbound relay controls behave as they did in Domino Release 5, see the
appendix NOTES.INI File.
Field: Exclude these connecting hosts from anti-relay checks
2. The server performs a reverse DNS lookup, querying DNS to find the
host name that matches the connecting host's IP address. If the
address resolves to a name in one of the local Internet domains, the
host is considered internal. IP addresses that resolve to host names
outside the local Internet domains or that do not have DNS entries
are considered external.
3. The server checks the setting in the field Perform Anti-Relay
enforcement for these connecting hosts to determine whether
anti-relay controls are enabled, and if so, whether they apply to all
hosts or external hosts only. If connections from the sending domain
are not subject to inbound relay controls, the server allows relays for
this session.
4. If the relay controls apply, Domino next checks whether the host
name appears in the field Exclude these connecting hosts from
anti-relay checks. If the host name is found, the server allows relays
for this session.
5. If the relay controls still apply and the connecting host successfully
authenticated with the server, the server checks the field Exceptions
for authenticated users to determine whether authenticated users
are exempt from the inbound relay checks. If authenticated users are
exempt, the server allows relays for this session.
Note A connecting host provides authentication credentials only
when Domino requests them. Because Domino closes the session if
authentication is not successful, there is no case where Domino needs
to determine whether a host that could not authenticate might be
allowed to relay.
6. The SMTP listener receives RCPT TO commands from the
connecting host.
7. The server examines each recipient address to see if the message
would be a relay to an external domain. If so, the server checks the
Inbound relay controls to determine:
Whether the connecting host is allowed to relay
Whether relays are allowed to the target domain
Matching for domain is performed by looking for the restricted
domain name as a trailing substring of the recipient's domain. If you
deny the domain spamme.com, you also deny the domain
you.spamme.com. Rejected recipients receive a failure status in
response to the RCPT commands.
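The check sequence above, together with the entry syntax ([ip] entries with per-octet wildcards, host names, trailing-substring domain matching) and the two precedence rules this chapter gives (Deny wins in the inbound connection controls, Allow wins in the Release 6 relay controls, Deny wins again under the Release 5 behavior), as an added Python example. It is not Domino code; the configuration field names and the treatment of a host or domain that appears in neither list (relay permitted) are this example's assumptions. The same Deny-wins evaluation of domain entries is what the outbound recipient controls later in this chapter describe.

```python
"""Evaluates Domino-style SMTP inbound connection controls and inbound relay
controls as this chapter describes them. Added example, not Domino code."""
from dataclasses import dataclass, field


def parse_entries(text):
    """Saved list fields are semicolon-separated; carriage returns are also accepted."""
    return [e.strip() for e in text.replace("\n", ";").split(";") if e.strip()]


def _octet_ok(pat, value):
    if pat == "*":
        return True
    if "-" in pat:                      # range syntax inferred from the chapter's remark
        lo, hi = pat.split("-", 1)      # about [123.234.45-*.0-255] being invalid
        if "*" in (lo, hi):
            raise ValueError("wildcard inside a range is not valid: " + pat)
        return int(lo) <= value <= int(hi)
    return int(pat) == value


def host_matches(entry, ip, name):
    """[a.b.c.d] entries are compared with the peer IP; any other entry is compared
    with the reverse-DNS name (None when no PTR record exists). '*' matches all."""
    if entry == "*":
        return True
    if entry.startswith("[") and entry.endswith("]"):
        pats = entry[1:-1].split(".")
        octs = [int(o) for o in ip.split(".")]
        return len(pats) == 4 and all(_octet_ok(p, o) for p, o in zip(pats, octs))
    if name is None:
        return False
    e, n = entry.lower(), name.lower()
    return n == e or n.endswith("." + e)


def domain_matches(entry, domain):
    """Trailing-substring match: denying spamme.com also denies you.spamme.com."""
    return entry == "*" or domain.lower().endswith(entry.lower())


@dataclass
class InboundConfig:                       # assumed field names, one per chapter setting
    local_domains: list
    allow_hosts: list = field(default_factory=list)   # inbound connection controls
    deny_hosts: list = field(default_factory=list)
    enforce: str = "external"                         # "external" (default), "all" or "none"
    exclude_hosts: list = field(default_factory=list)
    auth_exempt: bool = True                          # exceptions for authenticated users
    allow_relay_sources: list = field(default_factory=list)
    deny_relay_sources: list = field(default_factory=list)
    allow_relay_dests: list = field(default_factory=list)
    deny_relay_dests: list = field(default_factory=list)
    r5_behavior: bool = False   # models SMTPRelayAllowHostsandDomains restoring R5 semantics


def connection_allowed(cfg, ip, name):
    """Inbound connection controls: a Deny entry always wins over an Allow entry."""
    if any(host_matches(e, ip, name) for e in cfg.deny_hosts):
        return False
    return not cfg.allow_hosts or any(host_matches(e, ip, name) for e in cfg.allow_hosts)


def _is_local(cfg, domain):
    d = domain.lower()
    return any(d == ld or d.endswith("." + ld) for ld in cfg.local_domains)


def relay_decisions(cfg, ip, name, authenticated, recipients):
    """Steps 2-7 of the relay check; returns {recipient: accepted} for each RCPT TO."""
    internal = name is not None and _is_local(cfg, name)                       # step 2
    exempt = (cfg.enforce == "none" or (cfg.enforce == "external" and internal)  # step 3
              or any(host_matches(e, ip, name) for e in cfg.exclude_hosts)       # step 4
              or (authenticated and cfg.auth_exempt))                            # step 5
    out = {}
    for rcpt in recipients:                                                      # steps 6-7
        domain = rcpt.rsplit("@", 1)[1]
        if exempt or _is_local(cfg, domain):     # delivery to a local domain is not a relay
            out[rcpt] = True
            continue
        src_allowed = any(host_matches(e, ip, name) for e in cfg.allow_relay_sources)
        src_denied = any(host_matches(e, ip, name) for e in cfg.deny_relay_sources)
        dst_allowed = any(domain_matches(e, domain) for e in cfg.allow_relay_dests)
        dst_denied = any(domain_matches(e, domain) for e in cfg.deny_relay_dests)
        if cfg.r5_behavior:      # R5: any matching Deny entry blocks the relay
            out[rcpt] = not (src_denied or dst_denied)
        else:                    # R6: an explicit Allow on either side overrides a Deny
            out[rcpt] = (src_allowed or dst_allowed) or not (src_denied or dst_denied)
    return out
```

Note what the R6 rule means operationally: listing a host under "Allow messages only from the following external internet hosts" lets it relay to every destination, including domains you have denied, so keep that list to hosts you actually trust as relay clients.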
By searching the Internet, you can find Internet sites that provide
periodic reports on the number of entries in various DNS blacklist
services.
Hosts that are exempt from DNS blacklist checks
To avoid unnecessary DNS lookups, Domino performs DNS blacklist
checks only on hosts that are subject to relay checks, as specified in the
SMTP inbound relay restrictions. Any host that is authorized to relay is
exempt from blacklist checks. For example, by default, Domino enforces
the inbound relay restrictions only for external hosts (Router/SMTP Restrictions and Controls - SMTP Inbound Controls - Perform Anti-Relay
enforcement for these connecting hosts). If the default setting is used,
internal hosts are not subject to relay controls and thus are also exempt
from blacklist checks.
For more information on configuring relay enforcement, refer to the topic
Setting inbound relay controls to prevent unauthorized mail relaying
earlier in this chapter.
Specifying how Domino handles connections from hosts found in a
DNS blacklist
You can configure Domino to take the following actions when it finds a
connecting host on one of the blacklists:
Log only
In each case, the server records the following information in the Notes
log: the host's IP address and host name (if a reverse DNS lookup can
determine this information) and the name of the site that listed the host.
When tagging messages, Domino adds a special Note item to messages
received from hosts found on a blacklist. After Domino determines that a
connecting host is on the blacklist, it adds the Note item, $DNSBLSite, to
each message it accepts from the host before depositing the message in
MAIL.BOX. The value of a $DNSBLSite item is the blacklist site in which
the host was found. Administrators can use the $DNSBLSite note item to
provide custom handling of messages received from hosts listed in a
blacklist. For example, you can test for the presence of the item through
Field: DNS Blacklist filters
Choose one:
Enabled  When Domino receives an SMTP connection request, it checks
whether the connecting host is listed in the blacklist at the specified
sites.
Disabled  Domino does not check whether a connecting host is on a
blacklist.

Field: DNS Blacklist sites
Field: Custom SMTP error response for rejected messages

Field: Verify sender's domain in DNS
Choose one:
Enabled  Domino verifies that the sender's domain exists by checking DNS
for an MX, CNAME, or A record that matches the domain part of the address
in the MAIL FROM command received from the sending host. If no match is
found, Domino rejects inbound mail from the host. This can result in
Domino rejecting mail from legitimate hosts that do not have these records
in their DNS entries.
Disabled (default)  Domino does not check DNS to verify that the sender's
domain exists.

Field: Allow messages only from the following Internet addresses/domains

Field: Deny messages from the following Internet addresses/domains
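The three DNS-based inbound checks this chapter describes (PTR verification of the connecting host, the DNS blacklist lookup with its log, tag or reject handling and the $DNSBLSite item, and MX/CNAME/A verification of the MAIL FROM domain) as an added Python example that is not Domino code. It runs against a constructed stub resolver so it works offline. The reversed-octet query form is the usual DNSBL convention rather than something the chapter states, and the SMTP reply texts and configuration field names are this example's choices.

```python
"""DNS-based inbound SMTP checks (PTR, DNSBL, sender domain) against a stub
resolver. Added example, not Domino code."""
from dataclasses import dataclass

# Constructed stub zone data: (name, record type) -> answers. Anything absent
# resolves to no answer, which is what a missing PTR or MX record looks like.
STUB_DNS = {
    ("7.2.0.192.in-addr.arpa", "PTR"): ["mx.example.net"],
    ("9.2.0.192.in-addr.arpa", "PTR"): ["relay.example.org"],
    ("example.net", "MX"): ["mx.example.net"],
    ("9.2.0.192.bl.example.org", "A"): ["127.0.0.2"],   # 192.0.2.9 is listed
}


def resolve(name, rtype):
    return STUB_DNS.get((name.lower(), rtype), [])


def ptr_name(ip):
    """Reverse lookup: 192.0.2.7 -> 7.2.0.192.in-addr.arpa; PTR target or None."""
    rev = ".".join(reversed(ip.split(".")))
    names = resolve(rev + ".in-addr.arpa", "PTR")
    return names[0] if names else None


def sender_domain_exists(mail_from):
    """'Verify sender's domain in DNS': any MX, CNAME or A record for the domain part."""
    domain = mail_from.strip("<>").rsplit("@", 1)[-1]
    return any(resolve(domain, t) for t in ("MX", "CNAME", "A"))


def dnsbl_site(ip, sites):
    """First configured site that lists ip (the $DNSBLSite value), else None."""
    rev = ".".join(reversed(ip.split(".")))
    for site in sites:
        if resolve(f"{rev}.{site}", "A"):
            return site
    return None


@dataclass
class InboundDnsConfig:               # assumed field names
    verify_host: bool = False          # Verify connecting host name in DNS
    verify_sender: bool = False        # Verify sender's domain in DNS
    dnsbl_sites: tuple = ()            # DNS Blacklist sites (empty = filters disabled)
    dnsbl_action: str = "log"          # "log", "tag" or "reject"


def inbound_session(cfg, ip, mail_from, subject_to_relay_checks=True):
    """Runs the checks in the order the chapter describes them and returns
    (accepted, smtp_reply, message_items, log_lines)."""
    log, items = [], {}
    host = ptr_name(ip)
    # Blacklist checks apply only to hosts that are subject to relay checks.
    if cfg.dnsbl_sites and subject_to_relay_checks:
        site = dnsbl_site(ip, cfg.dnsbl_sites)
        if site:
            log.append(f"DNSBL: {ip} {host or '(no PTR)'} listed at {site}")  # always logged
            if cfg.dnsbl_action == "reject":
                return False, f"554 Connection refused: {ip} listed at {site}", items, log
            if cfg.dnsbl_action == "tag":
                items["$DNSBLSite"] = site       # added before the message reaches MAIL.BOX
    # Host name verification: the connection was accepted; the error comes at MAIL FROM.
    if cfg.verify_host and host is None:
        return False, f"550 Cannot resolve PTR record for {ip}", items, log
    if cfg.verify_sender and not sender_domain_exists(mail_from):
        return False, "550 Sender domain does not resolve", items, log
    return True, "250 OK", items, log
```

When tagging rather than rejecting, the $DNSBLSite item is the hook for a mail rule or agent; the log line is written in every mode, so a detection pipeline can key on it regardless of the action chosen.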
Note Because enabling this setting results in messages for recipients not
found in the directory being rejected, do not use this setting in
environments that require mail to be forwarded to a smart host for
further processing.
The Allow messages setting lets you list Internet addresses that are
allowed to receive mail. If the RCPT TO command contains one of the
specified addresses, the SMTP listener accepts the message; messages for
all other recipients are rejected. The Deny messages setting lets you
explicitly deny mail to certain addresses. If the RCPT TO command
contains a denied address, the SMTP listener rejects the message, but
messages for all other recipients are accepted.
Note If the server supports Local Part name lookups, users whose
addresses are listed in the Deny field may still receive mail addressed to
any alternate Internet addresses configured for them. To ensure greater
control, specify the Internet address in each user's Person document and
allow users to receive inbound mail destined for their full-name addresses
only.
For information on restricting how Domino looks up recipient names, see
the chapter Setting Up Mail Routing.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound
Controls tab.
Field: Allow messages intended only for the following Internet addresses

Field: Deny messages intended for the following Internet addresses
Field: SIZE extension
Choose one:
Enabled (default)  Domino declares its maximum message size to connecting
hosts and checks the sending host's estimate of message size before
accepting transfer. If the sender indicates that a message to be
transferred is larger than the maximum size, Domino returns an error
indicating that it will not accept the message.
Disabled  Domino does not advertise its maximum message size or check
inbound message size before transfer.
For information about setting the maximum message size, see the topic
Restricting mail routing based on message size earlier in this chapter.

Field: Pipelining extension
Choose one:
Enabled (default)  Improves performance by allowing Domino to accept
multiple SMTP commands in the same network packet.
Disabled  Domino does not accept multiple SMTP commands in a single
packet.

Field: DSN extension
Choose one:
Enabled  Domino supports incoming requests to return delivery status
notifications to the sender for failed, delayed, delivered, and relayed
messages. Upon request, Domino sends delay reports to the sender of an
SMTP message for low-priority messages held until the low-priority routing
time.
Disabled (default)  Domino does not return delivery status notifications
for SMTP messages.

Field: 8-bit MIME extension
Choose one:
Enabled  Domino accepts 8-bit messages as is, allowing reception of
unencoded multinational characters.
Disabled (default)  Domino requires inbound messages containing 8-bit
characters to be sent using 7-bit ASCII encoding.

Field: HELP command
Choose one:
Enabled (default)  In response to the HELP command, Domino displays a
list of supported commands.
Disabled  Domino ignores the HELP command.

Field: VRFY command
Choose one:
Enabled  Domino accepts inbound requests to verify user names.
Disabled (default)  Domino denies requests to verify user names.

Field: EXPN command
Choose one:
Enabled  Domino expands mailing lists or groups to show individual
recipient names.
Disabled (default)  Domino does not expand lists and groups.
Leave VRFY and EXPN disabled on servers that accept connections from the
Internet: an anonymous client can use them to enumerate valid addresses
and group membership, which is useful reconnaissance for spam and
targeted attacks.

Field: SSL negotiated over TCP/IP port
Choose one:
Enabled  Domino supports the STARTTLS command, allowing it to create an
encrypted SSL channel over the SMTP TCP/IP port.
Required  Domino accepts inbound SMTP connections over the TCP/IP port
only from hosts that issue the STARTTLS command.
Disabled (default)  Domino does not allow secure SSL connections over
the SMTP TCP/IP port.
After accepting the STARTTLS command from a remote server, Domino uses the
settings for the server's SSL port to govern authentication for the
session. For Domino to authenticate remote hosts that use the SMTP AUTH
command, Name & Password authentication must be enabled for the Domino
SSL port.
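A simulated SMTP exchange, added here as a Python example that is not Domino or Lotus code, covering both the outbound port selection and Negotiated SSL behaviour from the outbound table earlier in this chapter and the inbound STARTTLS, VRFY and EXPN settings from the table above. There is no network I/O: the client logic talks to an in-process server object. Reply texts, port numbers, the client host name and the constructed directory and group data are this example's assumptions.

```python
"""Client-side port selection and STARTTLS negotiation against a server that
enforces the inbound extension settings. Added example, not Domino code."""
from dataclasses import dataclass

DIRECTORY = {"alice": "Alice Example <alice@example.net>"}      # constructed
GROUPS = {"staff": ["alice@example.net", "bob@example.net"]}   # constructed


@dataclass
class ServerConfig:          # "SSL negotiated over TCP/IP port": disabled / enabled / required
    starttls: str = "disabled"
    vrfy: bool = False
    expn: bool = False
    max_size: int = 10_000_000


class SmtpServer:
    def __init__(self, cfg, host="mail.example.net"):
        self.cfg, self.host, self.tls = cfg, host, False

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            ext = [f"250-{self.host}", f"250-SIZE {self.cfg.max_size}", "250-PIPELINING"]
            if self.cfg.starttls != "disabled" and not self.tls:
                ext.append("250-STARTTLS")          # advertised only before TLS is up
            return ext + ["250 HELP"]
        if verb == "STARTTLS":
            if self.cfg.starttls == "disabled" or self.tls:
                return ["454 TLS not available"]
            self.tls = True
            return ["220 Ready to start TLS"]
        if verb in ("MAIL", "RCPT") and self.cfg.starttls == "required" and not self.tls:
            return ["530 Must issue a STARTTLS command first"]   # Required mode
        if verb == "VRFY":
            if not self.cfg.vrfy:
                return ["502 Command not implemented"]          # no user enumeration
            return [f"250 {DIRECTORY[arg]}"] if arg in DIRECTORY else ["550 User unknown"]
        if verb == "EXPN":
            if not self.cfg.expn or arg not in GROUPS:
                return ["502 Command not implemented"]
            members = GROUPS[arg]
            return [f"250-{m}" for m in members[:-1]] + [f"250 {members[-1]}"]
        return ["250 OK"]


@dataclass
class OutboundConfig:        # mirrors the outbound TCP/IP and SSL port settings
    tcpip_port: int = 25
    tcpip_status: str = "disabled"   # disabled / enabled / negotiated
    ssl_port: int = 465
    ssl_status: str = "disabled"     # disabled / enabled


def connect_outbound(cfg, server, ssl_port_reachable):
    """Returns (channel, transcript); channel is 'ssl', 'starttls', 'plaintext' or None."""
    log = []
    if cfg.ssl_status == "enabled":                    # the SSL port is tried first
        if ssl_port_reachable:
            server.tls = True                           # encrypted from the first byte
            log.append(f"C: connect {cfg.ssl_port}/ssl")
            return "ssl", log
        log.append(f"C: connect {cfg.ssl_port}/ssl failed, falling back to TCP/IP port")
    if cfg.tcpip_status == "disabled":
        return None, log + ["C: no usable port, giving up"]
    log.append(f"C: connect {cfg.tcpip_port}/tcp (cleartext)")
    reply = server.handle("EHLO client.example.com")
    log += ["S: " + l for l in reply]
    if cfg.tcpip_status == "negotiated" and any(l.endswith("STARTTLS") for l in reply):
        log += ["C: STARTTLS"] + ["S: " + l for l in server.handle("STARTTLS")]
        log += ["C: EHLO client.example.com (repeated inside TLS)"]
        log += ["S: " + l for l in server.handle("EHLO client.example.com")]
        return "starttls", log
    # Negotiated SSL without an advertisement silently continues in cleartext; an
    # on-path attacker who strips the STARTTLS line from the EHLO reply gets the same.
    return "plaintext", log
```

The transcript returned by connect_outbound shows both sides' lines, so the fallback path (SSL port unreachable, then cleartext TCP/IP) and the downgrade path (Negotiated SSL against a peer that does not advertise STARTTLS) are visible in the log rather than only in the return value.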
You can control the transfer of outbound mail from your organization to
the Internet. Domino provides two methods for restricting outbound
Internet mail:
Outbound sender controls
Outbound recipient controls
The outbound sender controls are not intended to control relaying. For
information on controlling message relaying, see the topic Setting
inbound relay controls earlier in this chapter.
Setting outbound recipient controls
The Outbound recipient controls let you specify the Internet domains
and host names to which users are allowed or denied to send mail.
The controls consist of a pair of lists, one specifying the Internet
domains or host names to which users can send mail and another listing
the domains and host names to which users cannot send mail.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP
Outbound Controls tab.
6. Complete these fields in the Outbound Recipient Controls section,
and then click Save & Close:
Outbound recipient controls

Field: Allow messages only to recipients in the following Internet
domains or host names

Field: Deny messages to recipients in the following Internet domains or
host names
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
Note For security reasons, if there is a conflict between the two fields for
a given setting, entries in the Deny field take precedence. For example, if
acme.com appears in both the Allow messages only to recipients in the
following Internet domains or host names field and the corresponding
Deny messages field, Domino denies messages sent to acme.com. Be
careful not to have the same entry in an Allow field and a Deny field for
the same setting.
Note Domino checks each address to see if it is an Internet address or a
Notes address. The Router then applies the restrictions specified for that
type of address.
Note If you are entering multiple names in a field, consider creating a
group and entering the group name in the field. Domino expands the
group into a list of members. If you update the group list in this
document or edit the group members in the Domino Directory, changes
do not take effect immediately.
Field: SIZE extension
Choose one:
Enabled (default)  If the destination SMTP host also supports the SIZE
extension, Domino declares the estimated size of messages before transfer.
Disabled  Domino does not declare message size before transferring
messages to another SMTP server.

Field: Pipelining extension
Choose one:
Enabled (default)  If the remote SMTP host also supports pipelining,
Domino sends multiple SMTP commands in the same network packet to improve
performance.
Disabled  Domino sends each SMTP command in a separate packet.

Field: DSN extension
Choose one:
Enabled  When sending a message to a server that also supports the DSN
extension, Domino appends a NOTIFY parameter to the SMTP RCPT TO command
to request a particular type of delivery status notification for the
message. For messages sent from Notes clients, Domino uses the Delivery
report options specified by the client (Confirm delivery; Trace entire
path; Delivered) to determine the type of DSN requested.
Disabled (default)  Domino does not send DSN requests.

Field: 8-bit MIME extension
Choose one:
Enabled  When sending a message to a remote server that also supports
8-bit MIME, Domino improves performance by sending messages containing
multinational characters as is, without first encoding them.
Disabled (default)  Domino encodes messages containing 8-bit characters
as 7-bit ASCII before sending.
Mail journaling
By default, after the Router processes a message, it does not retain a copy
of the message. That is, after ServerA successfully sends a message to
ServerB, the Router on ServerA deletes the message from its MAIL.BOX
database. Likewise, when ServerB successfully transfers or delivers the
message to the next server on the routing path, the Router on ServerB
removes the message from its MAIL.BOX database.
To comply with laws or regulations that apply to your business, your
organization may be required to save a copy of every message processed
by the local mail system and permanently store or otherwise process the
message copies. For example, government agencies such as the Securities
and Exchange Commission (SEC) require a business to retain all
messages related to the transactions they undertake.
Mail journaling enables administrators to capture a copy of specified
messages that the Router processes on the Domino system. Journaling
can capture all messages handled by the Router or only messages that
meet specific defined criteria. When mail journaling is enabled, Domino
examines messages as they pass through MAIL.BOX and saves copies of
selected messages to a Domino Mail Journaling database
(MAILJRN.NSF) for later retrieval and review. Mail journaling works in
conjunction with mail rules, so that you create a journaling rule to specify
the criteria for which messages to journal. For example, you can journal
messages sent to or from specific people, groups, or domains. Before
depositing messages in the Mail Journaling database, the Router encrypts
them to ensure that only authorized persons can examine them.
Journaling does not disrupt the normal routing of a message. After the
Router copies a message to the Mail Journaling database, it continues to
dispatch the message to its intended recipient.
Domino mail journaling differs from message archiving. Journaling
works dynamically, making a copy of each message as it passes through
MAIL.BOX to its destination and placing the copy in the Mail Journaling
database. A copy of the message is retained, even if the recipient, or an
agent acting on the recipient's mail file, deletes it immediately upon
delivery. Archiving is used to reduce the size of an active mail file
database by deleting messages from one location and moving them to an
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
Field: Journaling

Field: Database name

Field: Mail destination

Field: Encrypt on behalf of user

Field: Database Management - Method
For local Mail Journaling databases, the entry in this field specifies how
Domino controls the size of the Mail Journaling database. When the
database management method in effect calls for Domino to create a new
Mail Journaling database, it does so at approximately 12:00 AM on the day
it creates the new database. Choose one of the following methods:
Periodic Rollover (default)  When the current Mail Journaling database
reaches the age specified in the Periodicity field, Domino renames the
existing Mail Journaling database and creates a new Mail Journaling
database with the original name.
None  Domino does not automatically control the size of the Mail
Journaling database. If you do not use one of the available methods for
controlling database size automatically, be sure to monitor the database
size and use appropriate tools to archive the journal data.
Purge/Compact  Domino deletes documents from the database after the
number of days specified in the Data Retention field and then compacts
the database.
Size Rollover  When the current database reaches the size specified in
the Maximum size field, Domino renames the database and creates a new
Mail Journaling database with the original name.
28-108 Administering the Domino System, Volume 1
Field: Periodicity

Field: Data Retention

Field: Maximum size
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
For information on Mail-in database documents, see the chapter Rolling
Out Databases.
For more information on the different journaling and database
management methods, and on securing the Mail Journaling database, see
the topic Managing the Mail Journaling database later in this chapter.
Security settings
The user's name is preserved in the ACL during daily rollovers and size
rollovers, but if you remove the Mail Journaling database, the next time
the server starts, it automatically creates a new database using the
original ACL. You must add the ID used for encryption to the database
ACL again.
Enabling encryption for remotely journaled messages
By default, mail-in databases do not encrypt incoming mail. To ensure
privacy when sending journaled messages to a mail-in database, enable
the mail-in database to encrypt incoming mail. When enabling
encryption for a mail-in database, you select a user whose Notes certified
public key Domino uses to encrypt messages stored in the database.
For more information on setting up a mail-in database, see the chapter
Rolling Out Databases.
No encryption of previously encrypted messages
A message that Notes has previously encrypted for its recipients is not
re-encrypted with the certified public key of the specified Journal user.
As a result, when depositing encrypted messages in the Mail Journaling
database, Domino preserves the original encryption, so that the message
content cannot be decrypted with the ID of the designated Mail
Journaling user, unless, of course, that user was included in the original
recipient list. A Mail Journaling user who was not on the recipient list
can view header information only.
Providing access to the Mail Journaling database for users who are not
server administrators
Domino encrypts journaled messages with the user ID specified on the
Router/SMTP - Advanced - Journaling tab of the Configuration Settings
document. The ID you specify can be the ID of an existing server
administrator or another user ID. By default the ACL of the Mail
Journaling database includes only users listed in the Administrators field
of the Server document's Security tab. If the ID for encrypting messages
does not belong to a server administrator, you must add this user to the
database ACL before the user can access the database.
Size Rollover
These methods for controlling database size are not available if you use a
mail-in database for journaling messages. If you select this method of
journaling, be sure to monitor the database size and use appropriate tools
to archive data to another location.
By default, the Mail Journaling database does not appear in the Open
database dialog box. You can open the database by specifying its file
name for example MAILJRN.NSF in the Filename field in the Open
Database dialog box. To list the database in the Open Database dialog
box, check Show in Open Database dialog on the Design tab of the
Database properties dialog box.
View name: By Hierarchy
View name: By Sender
View name: By Size
View name: By Date
View name: By Form
Field: Return Receipts
Choose one:
Enabled  to allow the sender of a message to receive a return receipt.
Disabled  to prevent the sender of a message from receiving a return
receipt.

Field: Return Receipt Mapping
Choose one:
Use Disposition-Notification-To (default)  When converting an outbound
Notes message that includes a return receipt request into MIME format,
the server converts the Notes ReturnReceipt item into the MIME header
Disposition-Notification-To.
Use Return-Receipt-To  When converting an outbound Notes message that
includes a return receipt request into MIME format, the server converts
the Notes ReturnReceipt item into the MIME header Return-Receipt-To.
This field appears only if you enable Return Receipts.
Note Domino does not map the Return Receipt request to one of the
MIME headers if the address specified in the
Disposition-Notification-To or Return-Receipt-To header does not
match the sender's address. Domino sends return receipts only to the
sender.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
Field: Primary character set group

Field: Secondary character set groups
8. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
Character set group: character sets
Arabic
Baltic Rim: Windows-1257
Central Europe
Cyrillic: KOI8-R, ISO-8859-5, Windows-1251
English: US-ASCII
Greek
Hebrew: Windows-1255, ISO-8859-8, ISO-8859-8-I
Japanese: ISO-2022-JP
Korean: Header - EUC-KR, ISO-2022-KR; Body - ISO-2022-KR, EUC-KR
Thai: TIS-620
Turkish
Unicode: UTF-8, UTF-7
Vietnamese: Windows-1258, TCVN3
Western: ISO-8859-1, ISO-8859-15, Windows-1252
group, the default character set language code and encoding are the
same for message bodies and headers unless otherwise indicated.
Field: Attachment encoding method

Field: Message Content
(Default = 75) The maximum line length from left to right for
the body of outbound messages; useful when a message
contains long lines of text without spaces for example,
URLs.
If there is a table or forwarded mail headers, then the line
length default is doubled so no line break occurs until 150.
Field: Lookup Internet address for all Notes addresses when Internet
address is not defined in document
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
Inbound settings specify font options that control how the text of a MIME
message using a given character set tag displays in Notes. Outbound
settings determine the character set tag and encoding to apply when
converting Notes rich-text messages to MIME.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Basics tab. If it is not already selected, select the field
International MIME Settings for this document.
6. Click the MIME - Settings by Character Set Groups tab.
7. Complete the following fields and then click Save & Close:
Field: MIME settings by character set group
These fields allow you to override default values for character sets,
fonts, and so on, for individual character set groups.
Field: HTML Proportional
Field: HTML Mono-spaced
Field: HTML Size
Field: Plain text
Note The font list displays every font available to the client system.
However, when converting messages, Domino uses the Default
fonts (Default Serif, Default Sans Serif, Default Monospace, and
Default Multilingual) only. If you select a font other than one of the
four Default fonts, Domino converts the text in all incoming
messages to Default Monospace.
6. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
Field: Resent headers take precedence over original headers
Field: Remove group names from headers. Choose one:
Field: For non-MIME messages or MIME messages with an unknown character set, 8-bit character set is assumed to be
Field: Character set name aliases
6. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
5. Complete the following fields, and then click Save & Close:
Field: RFC822 phrase handling
generic icon; it can be launched from within Notes only if its name
ends in JPG and the user has an application association set up for the
JPG extension. In all cases, the image can be viewed from within
Notes by using the Attachment - View function.
You configure this address format using the RFC822 phrase handling
field in the Configuration Settings document, under the MIME Advanced - Advanced Outbound Message Options tab.
The Router adds phrases to Internet addresses both when taking the
address from a Person document in the Domino Directory and when
constructing the address from rules in the Global domain document.
This setting applies to messages sent over SMTP to another host or
exported to the IMAP or POP3 service. It does not apply to messages
delivered to mail files on the server or messages transferred over Notes
routing.
The options for this field are as follows:
You can have Domino add a phrase to the sender's address on outbound
SMTP mail and specify the name component to use as the address
phrase. By default, addresses do not include phrases. If you choose not to
support phrase-style addresses, you can specify that Domino remove any
user-added phrases in the recipient fields of outbound messages.
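The two outbound decisions described above, modelled in Python as an added example (not Lotus code): the Person document, the name-component choices ("none", "full name", "last, first") and the sample headers are constructed assumptions, because the page does not list the field's actual options.

```python
"""Model of Domino's RFC822 phrase handling on outbound SMTP mail.
Added example: the Person document, the name-component choices and the
sample headers below are constructed assumptions, not Lotus code."""
from email.utils import formataddr, getaddresses

# Constructed Person document; real values come from the Domino Directory.
PERSON = {"first name": "Alan", "last name": "Jones",
          "internet address": "ajones@example.com"}


def sender_phrase(person, component):
    """Return the display phrase to put in front of the sender's address.
    The component names are assumed; the page does not list the real options."""
    if component == "none":
        return ""
    if component == "full name":
        return f"{person['first name']} {person['last name']}"
    if component == "last, first":
        return f"{person['last name']}, {person['first name']}"
    raise ValueError(f"unknown name component: {component!r}")


def add_sender_phrase(person, component):
    """Build the From value. formataddr quotes the phrase when it contains
    RFC 822 specials (a comma, for instance), so a display name can never be
    misread as a second mailbox by the receiving host."""
    return formataddr((sender_phrase(person, component),
                       person["internet address"]))


def strip_recipient_phrases(header_value):
    """Remove user-added phrases from a To/Cc value, keeping only addr-specs."""
    return ", ".join(addr for _name, addr in getaddresses([header_value]) if addr)


def apply_phrase_handling(headers, person, component, transport, strip_recipients):
    """Apply the setting only where the page says it applies: SMTP transfer and
    IMAP/POP3 export, never local delivery or Notes routing."""
    if transport not in ("smtp", "imap", "pop3"):
        return dict(headers)
    out = dict(headers)
    out["From"] = add_sender_phrase(person, component)
    if strip_recipients:
        for field in ("To", "Cc"):
            if field in out:
                out[field] = strip_recipient_phrases(out[field])
    return out


if __name__ == "__main__":
    # Constructed headers as the Router would see them before SMTP transfer.
    hdrs = {"From": "ajones@example.com",
            "To": 'Bob Smith <bob@example.net>, "Lee, Kim" <kim@example.org>'}
    print(apply_phrase_handling(hdrs, PERSON, "last, first", "smtp", True))
```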
and MIME subtype jpeg. Domino servers and Notes clients use the
information in the File Identification documents to map file types to file
extensions and vice versa on inbound and outbound mail.
This ensures that the contents of attached files are correctly interpreted
by the recipient's mail client. Upon opening the message in a
MIME-aware mail program, the recipient can open the attached
document from within the message, provided that the mail program
recognizes the MIME type and the associated application is installed on
the recipient's computer.
You can add, modify, or delete File Identification documents from the
Domino Directory. Add new documents to support additional file types.
When adding a new File Identification document, you must know the
MIME type for the application and the file extension associated with the
application. Modify a File Identification document in the event that a
default mapping is incorrect or later standards dictate a change. You
might also edit a File Identification document to specify which of
multiple MIME types and subtypes Notes and Domino assign to files
with a given file extension when sending outbound mail.
How Domino uses File Identification documents when processing
inbound mail
When receiving an inbound MIME message that includes a file
attachment, Domino reads the MIME headers to determine the name and
type of the attached file. If, however, the MIME headers do not specify
the name of the attached file, Domino must assign a name to the file that
is both unique within the document and includes the appropriate file
extension. To determine the file extension to use in creating the file name,
Domino refers to the File Identification documents in the Domino
Directory.
For example, if Domino receives a message that has a MIME header
indicating that it contains a Microsoft Word attachment (MIME
type/subtype of application/ms-word), but neither the Content-Type
header nor the Content-Disposition header specifies a file name, the
server has to provide a name for the attachment. To ensure that Domino
creates a name using the correct file extension for a file of this type,
the server checks the Domino Directory for a File Identification
document for this file type and subtype, and then checks the Extension
field of the matching document. Because, by default, the only document
that matches files with the MIME type application/ms-word indicates
that the file uses the extension DOC, Domino creates a file name using
this extension.
For both servers and clients, if more than one File Identification
document applies to a given file extension, the setting in the Outbound
field of the documents determines which MIME type and subtype to
assign to file attachments with this extension when sending mail.
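To make the inbound naming and outbound typing rules above concrete, here is an added Python model (not Lotus code). The File Identification table, the ATTnnnnn.EXT naming pattern, the BIN extension for unmapped types, the application/octet-stream fallback and the inbound message are all constructed assumptions.

```python
"""Model of how File Identification documents drive attachment naming and
typing. Added example, not Lotus code: the table is constructed, and the
ATTnnnnn.EXT pattern, the BIN extension and the octet-stream fallback are
assumptions (the page does not state what Domino does in those cases)."""
import email
from email import policy
from dataclasses import dataclass


@dataclass(frozen=True)
class FileIdentification:
    """One File Identification document (fields named as on the page)."""
    mime_type: str
    mime_subtype: str
    file_extension: str
    outbound: bool  # True: use this type/subtype for outbound files with this extension


# Constructed sample documents, not the defaults shipped with Domino.
FILE_IDS = [
    FileIdentification("application", "ms-word", "DOC", True),
    FileIdentification("image", "jpeg", "JPG", True),
    FileIdentification("image", "pjpeg", "JPG", False),  # same extension, not Outbound
    FileIdentification("text", "plain", "TXT", True),
]


def inbound_extension(mime_type, mime_subtype):
    """Extension for a received part whose headers carry no file name."""
    wanted = (mime_type.lower(), mime_subtype.lower())
    for doc in FILE_IDS:
        if (doc.mime_type.lower(), doc.mime_subtype.lower()) == wanted:
            return doc.file_extension
    return None


def outbound_content_type(file_extension):
    """type/subtype for an outbound attachment; when several documents match
    the extension, the one whose Outbound field is set wins."""
    matches = [d for d in FILE_IDS
               if d.file_extension.upper() == file_extension.upper()]
    if not matches:
        return "application/octet-stream"  # assumed fallback for unmapped extensions
    chosen = next((d for d in matches if d.outbound), matches[0])
    return f"{chosen.mime_type}/{chosen.mime_subtype}"


def name_inbound_attachments(raw_message):
    """Return the name each attachment part gets: the header-supplied name when
    Content-Disposition or Content-Type carries one, otherwise a generated
    name, unique within the document, whose extension comes from the mapping."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names, counter = [], 0
    for part in msg.iter_attachments():
        name = part.get_filename()  # filename= on Content-Disposition, else name=
        if not name:
            ext = inbound_extension(part.get_content_maintype(),
                                    part.get_content_subtype()) or "BIN"
            while True:
                counter += 1
                name = f"ATT{counter:05d}.{ext}"
                if name.lower() not in (n.lower() for n in names):
                    break
        names.append(name)
    return names


# Constructed inbound message: a Word part with no file name and a JPEG with one.
SAMPLE_MESSAGE = (
    b"From: sender@example.com\r\nTo: user@example.com\r\nSubject: report\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b"--b1\r\nContent-Type: application/ms-word\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n"
    b"--b1\r\nContent-Type: image/jpeg; name=\"photo.jpg\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(name_inbound_attachments(SAMPLE_MESSAGE))  # ['ATT00001.DOC', 'photo.jpg']
    print(outbound_content_type("jpg"))              # image/jpeg
```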
To create or modify a File Identification document
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging view.
2. Click File Identifications.
3. To add a new File Identification document, click Add File
Identification.
To edit an existing File Identification document, select it from the
documents listed, and click Edit File Identification.
4. Complete the following fields:
Field: MIME type
Field: MIME subtype
Field: File extension
Field: Description. Use this field to specify the type of file or the name of the application used to create and open the file.
Field: Outbound
Chapter 29
Setting Up Shared Mail
This chapter describes setting up and managing shared mail databases.
If a server has fewer than 1000 active databases configured, it can
continue to reference a number of inactive shared mail databases, up to
the maximum of 1000. Inactive databases no longer receive new mail, but
store previously received messages. A server can support as many as 40
inactive shared mail directories. As with active shared mail directories,
each of these inactive directories can contain a maximum of 100 shared
mail databases. A single shared mail directory can contain both active
and inactive databases.
A shared mail database is automatically set to inactive if the parent
directory exceeds the maximum size you specify for it in the Server
document.
When a server has multiple active shared mail databases, user mail files
on the server may contain links to any or all of them, as well as to
inactive shared mail databases. If you create additional shared mail
databases, Domino distributes a portion of all new incoming messages to
each of them. Previously received messages continue to reside in the
shared mail databases where Domino originally stored them.
Using multiple shared mail databases reduces the amount of shared mail
that could be lost or become temporarily inaccessible as a result of
database corruption. You can enable transaction logging for shared mail
databases, so that databases corrupted as the result of a server crash or
power outage can be automatically recovered at server startup. Enabling
transaction logging frees you from the need to restore shared mail
databases manually.
If transaction logging for shared mail is not enabled, to protect shared
mail databases against data loss, install a backup utility that can back up
and verify open NSF files and back up all shared mail databases at least
once a day. Because security settings on shared mail databases prevent
replication, you cannot replicate shared mail databases to provide
backup.
For more information on restoring shared mail databases, see the topic
Restoring a shared mail database later in this chapter.
You can configure the server to use as many as ten active shared mail
directories at one time. Each configured shared mail directory can
contain as many as 100 shared mail databases, to a maximum of 1000
total shared mail databases per server.
The access control list (ACL) of a shared mail database is set so that
only the server's ID can access the database. The server's ID has
Manager access, and the user type is Server. Even if an unauthorized
user obtains the server ID, the user cannot use the server ID to access
a shared mail database from a Notes workstation and cannot create a
replica of the database on another server.
The shared mail database does not appear in the Open Database
dialog box.
Field: Shared Mail. Choose one:
None: The server does not use shared mail.
Delivery: The server uses shared mail for messages delivered to multiple local recipients. Selecting this option sets the value of the variable Shared_Mail in the NOTES.INI file to 1.
Transfer and delivery: The server always uses shared mail. Selecting this option sets the value of the variable Shared_Mail in the NOTES.INI file to 2.
5. For each shared mail directory you want to create, complete the
following fields and then click Save & Close:
Field: Directory
Field: Number of files
Field: Maximum directory size
Field: Availability
6. To put the new configuration into effect, restart the server or enter
the following command at the server console:
Show SCOS
For more information about using the SHOW SCOS command, see
the appendix Server Commands.
Using shared mail for delivery only or for transfer and delivery
There are two ways of setting up shared mail. One is for delivery only,
and the other is for transfer and delivery. When shared mail is enabled
for delivery only, the Router places the body of an incoming message in
the shared mail database only if there are multiple local recipients.
Messages for a single local user are delivered as complete messages. The
server uses its normal transfer mechanism for messages being routed
through the server to another destination; that is, messages in MAIL.BOX
that are awaiting transfer to another server always remain intact.
In contrast, when shared mail is enabled for transfer and delivery, the
server splits every message it receives (that is, the content goes to the
shared mail database and the header goes to MAIL.BOX), regardless of
the number of recipients. Then, during delivery, the Router merges the
header and content together, examines the recipient list, and either
transfers the message to the next server, or delivers it to the local
recipients (with the content staying in the shared mail database and the
header going to the users' mail files).
In the end, both settings provide similar disk space savings, but because
the transfer and delivery setting always places the message body
directly in the object store, rather than in MAIL.BOX, it provides faster
delivery for local users by eliminating the transfer time required to move
mail from MAIL.BOX to the object store.
The shared mail setting that you decide to use depends on your situation.
In general, use shared mail for transfer and delivery on servers that have
mostly deliveries and few transfers to other servers. Because most
incoming messages are likely to be for local delivery, it's efficient to have
the server automatically place all incoming messages in the object store.
On the other hand, on servers such as hub servers, which perform mostly
transfers and have few local mail file deliveries, use shared mail for
delivery only. Because incoming messages on these servers are likely to
be transferred to another server, it's counterproductive to have the server
absorb the cost of preparing mail for the object store.
Whether you extend the size of current directories or add new ones
depends on whether physical space or concurrent usage is the limiting
factor.
If your existing shared mail directories reach their size limit, and there's
still adequate space on the current disk, increase the maximum size of the
existing directories. If the amount of additional space on the current disk
is limited, create another shared mail directory on a separate disk that
has more space.
If database contention (too many users accessing the database at the
same time) is affecting performance, and space allows, increase the
number of databases (not the size) within the existing shared mail
directories or create new shared mail directories on the same disk or a
separate disk.
Use the Shared Mail tab on the Server document to change the directory
settings. In addition, you can also use the SET SCOS command to change
the status of individual shared mail databases within a directory. For
more information about using the SET SCOS command, see the appendix
Server Commands.
To change directory settings for shared mail
1. From the Domino Administrator, click the Configuration tab and
then expand the Server section.
2. Select the Server document to be edited, and then click Edit Server.
3. Click the Shared Mail tab.
4. To create an additional shared mail directory, complete the following
fields:
Field: Directory
Field: Delivery status. Choose one:
Open: The server can access any active shared mail databases in this directory for delivery. Individual databases may be closed to delivery.
Closed: The server cannot access any shared mail databases in this directory.
Field: Availability
For more information about using the Show SCOS command, see the
appendix Server Commands.
For each shared mail database, display:
Database name and names of the parent directory and shared mail server
File name and database title of each mail file that references the shared mail database
Number of messages each mail file references in the shared mail database
Size (in bytes) of all message bodies a given mail file references in the shared mail database
Total size (in bytes) of all message bodies in the shared mail database
For each shared mail directory, display:
Total size (in bytes) of the message bodies contained in the included shared mail databases. This value may be less than the true total, if you generated statistics for a subset of the databases in a directory.
For each shared mail server, display:
Total size (in bytes) of the message bodies contained in the included shared mail directories and databases. This value may be less than the true total, if you generated statistics for a subset of the databases in a directory.
where USERMAIL is the name of the directory containing user mail files.
Running this command links messages in the specified user mail files to
the configured shared mail databases in a distributed fashion. You
cannot link a mail file to a specific shared mail database.
To link a mail file without compacting it
By default, if linking a mail file results in more than five messages being
moved to the shared mail database, the Object Store Manager compacts
the user's mail file. To link a mail file without compacting it, use the
-Nocompact option.
Enter this command at the console:
Load Object Link -Nocompact USERMAIL -ALL
For each mail database in the directory, the results indicate whether the
mail file is set to use shared mail and currently has links to messages
shared in any shared mail databases:
12/06/2001 03:45:03 PM Object Store Manager:
mail\gthiers.nsf is not an object store
where USERMAIL.NSF is the full path for a mail file or a directory that
contains mail files.
For example:
Load Object Set -Never C:\LOTUS\DOMINO\DATA\MAIL\RBOWKER.NSF
sets the mail file RBOWKER.NSF to never use shared mail on the server.
The process has no effect on existing messages.
To include a previously excluded mail file
If you previously excluded a mail file from shared mail and then want it
to use shared mail again, you can re-enable the mail file to use shared
mail for new messages. The process has no effect on existing messages.
Enter this command at the console:
Load Object Reset -Never USERMAIL.NSF
where USERMAIL.NSF is the full path for a mail file or a directory that
contains mail files.
For example:
Load Object Reset -Never C:\LOTUS\DOMINO\DATA\MAIL\
resets all mail files in the MAIL directory that were previously excluded
from using shared mail so they use the object store for new mail.
Enable the new replica to use the object store on the new server for
messages received from the primary mail file during future
replications
Enable the new replica to use the object store on the new server for
existing messages
Use these steps on each cluster member server that hosts replica mail
files. Once activated, Domino clustering (not the Domino Router task)
automatically splits any replicated messages into their header and
content portions, saving the headers in the individual mail databases and
the content portions in the shared mail database on the target server.
You can also use this same procedure for mail file replicas located on
servers not in a cluster, that is, servers kept synchronized by standard
Domino replication.
Moving users or mail files between servers that use shared mail
You may need to move mail files when you need more space on a server
or when users change jobs. When moving a mail file from a server that
uses shared mail, the Administration Process (AdminP) automatically
unlinks the existing mail file from any shared mail databases to which it
may be linked, creates the new mail file, replicates mail to the new mail
file, and deletes the old mail file. When using the Move Users tool to
move a mail file, you can specify whether to use shared mail on the new
server.
For more information on moving mail files, see the chapter Setting up
and Managing Notes Users.
that replica to use shared mail on the local server. Each server in the
cluster must have shared mail enabled.
2. At the console, enter the Push command to push changes from the
backup shared mail database to the current shared mail database.
For example, after downloading the backup copy of the shared mail
database into the directory h:\backup, enter this command at the
console:
Push Manufacturing h:\backup\SHARE1.NSF
For more information about using the Show SCOS command, see the
appendix Server Commands.
After you disable shared mail, the Router stops adding new
messages to shared mail databases. However, users whose mail files
remain linked to the shared mail database can still access previously
received messages.
Chapter 30
Setting Up the POP3 Service
This chapter describes how to set up the POP3 service on a Domino
server and how to set up POP3 users.
Optionally, you can configure the POP3 TCP/IP port to run from an
alternate port number, and to accept SSL connections.
For more information on enabling and configuring POP3 ports, see
the topic Enabling and configuring the POP3 service port later in
this chapter.
2. Start the POP3 task on the Domino server.
provide the port numbers and status for the POP3 TCP/IP and SSL ports,
and enable the POP3 ports to honor server access restrictions.
To determine whether the use of Internet Site documents is enabled for a
server, check the value of the following field on the Basics tab of the
Server document: Load Internet configurations from Server\Internet
Sites documents. If this field is set to Enabled, the server uses Internet
Site documents to configure all of its Internet protocols (POP3, IMAP,
SMTP, and so forth).
If the server uses Internet Site documents, then you must use Site
documents to configure all Internet protocols on the server. If a POP3 Site
document is not present in the Domino Directory, or the authentication
options in a configured POP3 Site document are set to No, users cannot
connect to the POP3 service. In each case, POP3 clients receive the
following error when attempting to connect to the POP3 service:
This site is not enabled on the server.
For information on creating and using Internet Site documents, see the
chapter Installing and Setting Up Domino Servers.
To enable the POP3 TCP/IP port
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the POP3
service.
2. Click the Ports - Internet Ports - Mail tab.
3. To enable the default TCP/IP port, in the Mail (POP) column, change
the value of the TCP/IP port status field to Enabled.
4. Click Save and Close or edit additional settings, as directed in the
following procedure.
Note On servers with multiple TCP/IP ports, by default, the POP3
service uses the port listed first in the NOTES.INI file as the preferred
path. If you want the service to use a port other than the default one, you
can configure it to use a specific port.
For information on configuring an Internet service to bind to a specific
TCP/IP port, see the chapter Setting Up the Domino Network.
To configure the POP3 TCP/IP port
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the POP3
service.
2. Click the Ports - Internet Ports - Mail tab.
3. In the Mail (POP) column, complete these fields, and then click Save
and Close:
Field: TCP/IP port number
Field: TCP/IP port status. Choose one:
Enabled (default): Allows POP3 clients to connect to the Domino server without using SSL. Users must provide their name and Internet password to connect.
Disabled: Prevents POP3 clients from connecting to the Domino server, unless they can connect using SSL.
Field: Enforce server access settings. Choose one:
Yes: Access to the POP3 service is controlled by the server access settings on the Security tab of the Server document. Users who are not allowed to access the server cannot access mail through the POP3 service.
No (default): The POP3 service ignores the server access settings in the Server document.
4. Restart the POP3 task to put the new settings into effect.
To enable and configure the POP3 SSL port
1. Familiarize yourself with the Domino security model and set up SSL
on the Domino server.
2. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the POP3
service.
3. Click the Ports - Internet Ports - Mail tab.
4. In the Mail (POP) column, complete these fields, and then click Save
and Close:
Field: SSL port status. Choose one:
Enabled: Allows POP3 clients to connect to the POP3 service over SSL.
Disabled (default): Prevents client connections over SSL.
Field: Authentication options: Client certificate
Field: Authentication options: Name & password
5. Restart the POP3 task to put the new settings into effect.
Performing additional POP3 configuration
In addition to configuring the POP3 service port, you can customize the
operation of the POP3 service by setting variables in the server's
NOTES.INI file. Variables used to configure the POP3 service begin with
the prefix POP3.
For more information on setting variables in the NOTES.INI file, see the
appendix NOTES.INI File.
4. Click the Basics tab, complete these fields, and then click Save &
Close:
Field: First name
Field: Last name
Field: User name
Field: Internet password
Field: Mail system
Field: Domain
Field: Mail server
Field: Mail file. The path for the user's mail file, relative to the Domino data directory, for example: MAIL\AJONES.
Field: Forwarding address. Leave this blank for users who access mail files on the Domino server from a POP3 client.
Field: Internet address
Field: Format preference for incoming mail. Choose one:
Field: When receiving unencrypted mail, encrypt before storing in your mail file
Field: Server. The Domino mail server that stores the user's mail file.
Field: Title. The name of the client's mail file, for example, Alan Jones Mail.
Field: File name. The full path to the mail file, relative to the Domino data directory, for example, MAIL\AJONES.NSF.
4. From the list of template names, select Mail (R6) with the filename
MAIL6.NTF, and click OK.
5. After Domino creates and opens the mail file, determine what level
of access is appropriate for both the user and you, as the
administrator. Then, edit the Access Control List (ACL) as follows:
a. Choose File - Database - Access Control.
b. From the Access Control List dialog box, create an ACL entry for
the user by clicking Add and then selecting the user's name from
the Domino Directory.
c. Set the user type to Person and select the level of access. Users
require at least Editor with Delete document access.
d. (Optional) Select your name from the ACL and click Remove. As
the administrator, you can choose to retain Manager access,
particularly for users who do not have Notes client access.
e. Click OK to save the entry and close the ACL.
6. Complete the procedure Configuring POP3 client software.
Field: Password
Field: Automatically delete mail documents from the POP3 server after the client copies them locally.
Field: E-mail address
Chapter 31
Setting Up the IMAP Service
This chapter describes how to set up a Domino server to use the IMAP
service and how to set up IMAP users.
Retrieve messages from the Domino mail server and store them locally
Copy messages for offline use and then later synchronize with mail on the server
IMAP stores message information within its own set of attributes. For a
Domino mail file to be used with IMAP, Notes/Domino items in the mail
file have to be translated into IMAP attributes. In addition, the mail file
must be set up so that all future messages delivered to it store attribute
information in IMAP format.
To enable IMAP clients to access Domino mail files, run the mail
conversion utility. The conversion process places information about each
message, such as its message ID and folder location, into the message's
IMAP attributes, and sets a flag in the mail file that notifies the Router to
add these IMAP attributes when delivering future messages.
You can run the conversion utility manually to convert mail files before
users log in to the IMAP service, or set up the IMAP service so that it
converts mail files automatically the first time a user logs in.
Note To avoid possible conversion delays, run the conversion utility
before users log in.
Before running the conversion utility, you may first need to prepare the
mail file. For more information, see the topic Preparing a mail file for
IMAP access later in this chapter.
Additional IMAP attributes for improving client download of
message headers
When an IMAP client opens an IMAP-enabled mail file, it issues a
FETCH command to the server, requesting information that enables it to
display message headers. To improve performance for IMAP clients
downloading message headers, the Router adds these IMAP attributes to
messages delivered to an IMAP-enabled mail file:
$Content_Type
IMAP_BodyStruct
IMAP_RFC822Size
Note The Router adds these attributes only if the recipient's Person
document specifies MIME as the preferred mail storage format. The
attributes are not added to messages delivered in MIME format to a user
whose storage preference is set to Keep in sender's format.
These attributes contain summary information about the MIME content
type, structure, and size of a message. Exactly how the attributes are
used depends on the client. Almost all clients request size information. In
addition, some request type and body structure information. If these
summary attributes are present, when the IMAP service returns message
headers in response to a client FETCH request, it uses the attribute
Thread use
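An added Python example (not Lotus code) that computes the three attributes named above for a constructed message, together with the storage-preference check from the note; the nested dict used for IMAP_BodyStruct and the storage-preference strings are assumptions, since the page does not give the attributes' on-disk format or the Person document's option names.

```python
"""Compute the summary the Router stores as $Content_Type, IMAP_BodyStruct and
IMAP_RFC822Size, so the IMAP task can answer header FETCHes without re-parsing
the MIME content. Added example, not Lotus code: the nested dict returned for
IMAP_BodyStruct is a simplified stand-in for the attribute's real encoding."""
import email
from email import policy


def router_adds_attributes(storage_preference):
    """Per the note above, the attributes are added only when the recipient's
    Person document prefers MIME storage. The option strings are assumed."""
    return storage_preference == "MIME"


def _body_structure(part):
    """Nested summary modelled on IMAP BODYSTRUCTURE: leaf parts report
    type/subtype, transfer encoding and size of the body as transmitted."""
    if part.is_multipart():
        return {"type": part.get_content_type(),
                "parts": [_body_structure(p) for p in part.iter_parts()]}
    body = part.get_payload(decode=False)  # still base64/quoted-printable etc.
    as_sent = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return {"type": part.get_content_type(),
            "encoding": str(part.get("Content-Transfer-Encoding", "7bit")).lower(),
            "size": len(as_sent.encode("utf-8", "surrogateescape"))}


def imap_attributes(raw_message):
    """Return the three attributes for one delivered MIME message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    # RFC822.SIZE counts the whole message with CRLF line endings.
    as_sent = raw_message.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    return {"$Content_Type": str(msg["Content-Type"]),
            "IMAP_BodyStruct": _body_structure(msg),
            "IMAP_RFC822Size": len(as_sent)}


# Constructed delivered message: a text body plus a base64 JPEG attachment.
SAMPLE_MESSAGE = (
    b"From: sender@example.com\r\nTo: user@example.com\r\nSubject: photo\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\nSee attached.\r\n"
    b"--b1\r\nContent-Type: image/jpeg; name=\"photo.jpg\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n/9j/4AAQSkZJRg==\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    if router_adds_attributes("MIME"):
        for key, value in imap_attributes(SAMPLE_MESSAGE).items():
            print(key, value)
```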
For information on creating and using Internet Site documents, see the
chapter Installing and Setting Up Domino Servers.
To enable the IMAP TCP/IP port
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the IMAP
service.
2. Click the Ports - Internet Ports - Mail tab.
3. To enable the default TCP/IP port, in the Mail (IMAP) column,
change the value of the TCP/IP port status field to Enabled.
Field: TCP/IP port number. Choose 143 (default) to use the industry standard port for IMAP connections over TCP/IP. You can specify a different port, but 143 works in most situations. When specifying a nonstandard port, make sure the port is not reserved for another service. Port numbers can be any number from 1 to 65535.
Field: TCP/IP port status. Choose one:
Enabled (default): Allows IMAP clients to connect to the Domino server without using SSL. Users must provide their name and Internet password to connect.
Disabled: Prevents IMAP clients from connecting to the Domino server, unless they can connect using SSL.
Redirect to SSL: Denies access to clients connecting to the IMAP TCP/IP port, but returns a message indicating that they must connect over SSL. You can specify the contents of the message.
To support IMAP clients, either the IMAP TCP/IP port or the IMAP SSL port must be enabled, and the IMAP task must be running on the server.
Field: Enforce server access settings. Choose one:
Yes: Access to the IMAP service is controlled by the server access settings on the Security tab of the Server document. Users who are not allowed to access the server cannot access mail through the IMAP service.
No (default): The IMAP service ignores the server access settings in the Server document.
Field: SSL port number. Choose 993 (default) to use the industry standard port for IMAP connections over SSL. You can specify a different port, but 993 works in most situations. When specifying a nonstandard port, make sure the port is not reserved for another service. Port numbers can be any number from 1 to 65535.
Field: SSL port status. Choose one:
Enabled: Allows IMAP clients to connect to the IMAP service over SSL.
Disabled (default): Prevents client connections over SSL.
Field: Authentication options: Client certificate
5. Restart the IMAP task to put the new settings into effect.
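The following added Python audit (not Lotus code) walks the POP3 and IMAP port fields from the tables above and flags the weak defaults; the two Server document snapshots are constructed from the page's field names and values.

```python
"""Audit the POP3 and IMAP Mail port settings described above and flag the
weak defaults. Added example, not Lotus code: the two Server document
snapshots are constructed from the field names and values on the page."""

# Values the page lists for each protocol's TCP/IP port status field.
TCP_STATUS = {"POP3": {"Enabled", "Disabled"},
              "IMAP": {"Enabled", "Disabled", "Redirect to SSL"}}
SSL_STATUS = {"Enabled", "Disabled"}


def audit_mail_port(protocol, doc):
    """Return findings for one protocol's Mail port column (empty when sound)."""
    tcp, ssl = doc["TCP/IP port status"], doc["SSL port status"]
    if tcp not in TCP_STATUS[protocol] or ssl not in SSL_STATUS:
        raise ValueError(f"{protocol}: unknown port status {tcp!r} / {ssl!r}")
    findings = []
    if tcp == "Disabled" and ssl == "Disabled":
        findings.append(f"{protocol}: both ports disabled, no client can connect")
    if tcp == "Enabled" and ssl == "Disabled":
        findings.append(f"{protocol}: only the cleartext port is open; names and "
                        "Internet passwords are sent without SSL")
    if tcp == "Enabled" and ssl == "Enabled":
        hint = " (IMAP can use Redirect to SSL instead)" if protocol == "IMAP" else ""
        findings.append(f"{protocol}: cleartext port still open beside the SSL port{hint}")
    if doc["Enforce server access settings"] == "No":
        findings.append(f"{protocol}: Enforce server access settings is No, so the "
                        "Security tab restrictions are ignored for this service")
    if (ssl == "Enabled"
            and doc.get("Authentication options: Client certificate") == "No"
            and doc.get("Authentication options: Name & password") == "No"):
        findings.append(f"{protocol}: SSL port enabled but both authentication "
                        "options are No, so no one can log in over SSL")
    return findings


def audit_server(server_doc):
    """Run the audit over every protocol column present in a Server document."""
    return {proto: audit_mail_port(proto, cols) for proto, cols in server_doc.items()}


# Constructed: the page's defaults (cleartext on, SSL off, restrictions ignored).
DEFAULT_POP3 = {"TCP/IP port status": "Enabled", "SSL port status": "Disabled",
                "Enforce server access settings": "No",
                "Authentication options: Client certificate": "No",
                "Authentication options: Name & password": "Yes"}

# Constructed: a hardened IMAP column built only from the page's own options.
HARDENED_IMAP = {"TCP/IP port number": 143, "TCP/IP port status": "Redirect to SSL",
                 "SSL port number": 993, "SSL port status": "Enabled",
                 "Enforce server access settings": "Yes",
                 "Authentication options: Client certificate": "No",
                 "Authentication options: Name & password": "Yes"}

if __name__ == "__main__":
    for proto, found in audit_server({"POP3": DEFAULT_POP3,
                                      "IMAP": HARDENED_IMAP}).items():
        print(proto, found or "no findings")
```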
Field: Maximum number of IMAP sessions
Field: IMAP session timeout
Field: Enable IMAP during login. Choose one:
Enabled (default): The IMAP service automatically converts mail files to Lotus Domino Release 6 IMAP format the first time a user logs in from an IMAP client.
Disabled: Administrators must manually convert mail files for IMAP use before users can access mail from an IMAP client.
For information about enabling IMAP namespace support, see the topic
Enabling the IMAP service to automatically display all accessible mail
folders later in this chapter.
For information about delegating access to a mail file, see Lotus Notes 6
Help, which is available from the Documentation Library at the Lotus
Developer Domain at http://www.lotus.com/ldd/doc.
Note To provide IMAP users with access to other users' mail files, you
must use a Notes client or iNotes client to delegate mail file access. You
cannot delegate access by adding names to the ACL of the mail file. To
enable IMAP access to other users' mail files, the Domino Administration
Process (AdminP) must process an IMAP delegation request, which is
only generated in response to a user setting delegation preferences from
a Notes or IMAP mail client.
Other users' personal mail files to which the user has been delegated
access
Public mail files, such as mail-in databases, to which the user has
access, and which are set up as IMAP public folders.
For information about delegating access to a mail file, see Lotus Notes 6
Help.
Note To provide IMAP users with access to other users' mail files, you
must use a Notes client or iNotes client to delegate mail file access. It is
not sufficient to add the names of users to the ACL of the mail file.
Enabling clients that do not support the NAMESPACE extension to
access shared folders
By default, only IMAP clients that support the NAMESPACE extension
can display mail files other than the user's personal mail file. However,
you can configure the IMAP service so that it presents public and other
users' folders even if the user's IMAP client does not have built-in
Enter
Choose one:
Enabled - (default) In addition to presenting an IMAP client with the current user's mail folder, the IMAP service also presents any public folders and other users' mail files that the current user has access to.
Disabled - The IMAP service does not present IMAP clients with public and other users' mail folders. The IMAP client can access the current user's personal mail file only.
For information on how to restart the IMAP service, see the topic
Starting and stopping the IMAP service earlier in this chapter.
For information on setting the NOTES.INI variable
IMAP_Config_Update_Interval to control the IMAP update interval,
refer to the appendix NOTES.INI File.
Use the mail conversion utility to enable the database for IMAP use
Specify the appropriate level of access for users in the database ACL, including the Maximum Internet name and password access.
The IMAP service does not automatically enable databases other than the user's personal mail file for IMAP use. To enable a mail-in database for IMAP use, run the mail conversion utility.
Users' access to a shared database is defined by their entries in the database ACL. Before users can access a public folder, an administrator must explicitly grant them access to the database by editing the ACL. If the database ACL does not grant a user access to an IMAP public folder, when the user logs in from an IMAP client, the client displays the folder, but does not display the folder Inbox.
To designate a Notes database as an IMAP public folder, copy its
database link and paste it into the Configuration Settings document.
Note To be configured as a public folder, a database must be created
from a Notes mail template. The IMAP service does not support the use
of NNTP or discussion databases as IMAP public folders.
To configure Notes databases for use as IMAP public folders
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Notes client or Domino Administrator client, select a
database that has been enabled for IMAP access to be designated as
an IMAP public folder and copy it as a database link.
For example, from the Files tab of the Domino Administrator client,
double-click the database icon to open it, and then click Edit - Copy
As Link - Database Link to copy the database as a link.
3. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
4. Click Configurations.
5. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
6. Click the IMAP - Public and Other Users' Folders tab.
7. Complete the following field and then click Save & Close:
Field
Description
Public folder prefix
The name of the virtual root folder Domino uses to organize the hierarchy of Notes mail databases configured as IMAP public folders. When an IMAP client connects to the server it displays the public folders available to the user as subfolders of this folder. Unless you have a specific reason to change the folder prefix, accept the default name to ensure IMAP clients can access public folders on the server.
Public folder database links
Database links for IMAP-enabled Notes mail databases you want to designate as IMAP public folders. Paste the database link copied in Step 2 into this field. For example, insert the cursor in the field and click Edit - Paste. The Notes database represented by the link is now designated as an IMAP public folder. Users with the appropriate access privileges can open the database from an IMAP client.
Specifying IMAP users who can change other users unread marks
By default, the only user allowed to change unread marks in a mail file is
the Notes user with primary access to the file. If a secondary user
accesses the mail file, any documents opened are marked as read for the
secondary user, but not for the primary user. This is similar to what
happens in a discussion database, where multiple users can read
documents and each maintain their own set of unread marks.
Some organizations employ third-party messaging services that run in conjunction with the Domino IMAP service to provide users with alternate means for accessing their mail files. For example, a unified messaging service might connect to the IMAP service to access the Domino mail server, acting, in effect, as an IMAP client. Users connecting to the third-party service can open, read, send, and forward mail. To ensure that the unread marks in users' mail files are properly maintained, the third-party service must have the ability to change unread marks on the user's behalf, as if it were the mail file owner.
To provide a third-party application with access to a mail file, at minimum, the mail file ACL must grant the application Designer access.
To configure IMAP support for access to Other Users' folders
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the IMAP - Public and Other Users' Folders tab.
6. In the Other Users' Folders section, complete the following fields and then click Save & Close:
Field
Enter
Other users' folder prefix
Other users' domain delimiter
IMAP users who can change other users' unread marks
The change takes effect after the next IMAP service update. You can
restart the IMAP service to force an immediate update to the IMAP
service configuration.
7. To provide another user with access to a personal mail file, instruct the mail file owner to delegate access from a Notes client.
For information about delegating access to a mail file from a Notes client, see the topic Delegating mail access if you have installed Lotus Notes 6 Help. Or, visit the Documentation Library in the Lotus Developer Domain at http://www.lotus.com/ldd/doc to download or view Lotus Notes 6 Help.
Note To provide IMAP users with access to other users' mail files, you must use a Notes client or iNotes client to delegate mail file access. It is not sufficient to add the names of users to the ACL of the mail file.
IMAP service continues to function properly, it's best to use the default thread pool settings and modify these settings only at the direction of a qualified IBM support representative.
The IMAP thread pool consists of three types of worker threads as shown in the following table:
Thread type
Description
FETCH thread
FETCH response thread
None
Available threads become active when the main session thread queues a request.
To specify IMAP thread use
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to administer, and click Edit Configuration.
5. Click the IMAP - Advanced tab.
6. In the Worker thread pool section, complete the following:
Field
Description
6. In the Greeting section, enter the text for the IMAP service to display to connecting clients and then click Save & Close:
Field
Enter
Default IMAP server greeting
The greeting the IMAP service sends to clients connecting over TCP/IP.
5. (Optional) Create a full-text index of the mail file so the IMAP user
can search for information in the file. When you create the index,
choose the Index attachments option to allow the user to search for
information in attachments that are in MIME format.
4. Click the Basics tab, complete these fields, and then click Save & Close:
Field
Enter
First name
Last name
User name
Internet password
Mail system
Domain
Mail server
Mail file
The path for the user's mail file, relative to the Domino data directory, for example, MAIL\AJONES.
Forwarding address
Leave this blank for users who access mail files on the Domino server from an IMAP client.
Internet address
Field
Enter
Format preference for incoming mail
Choose one:
When receiving unencrypted mail, encrypt before storing in your mail file
Field
Enter
Server
The Domino mail server that stores the user's mail file.
Title
The name of the client's mail file, for example, Alan Jones Mail.
File name
The full path to the mail file, relative to the Domino data directory, for example, MAIL\AJONES.NSF.
4. From the list of template names, select Mail (R6) with the filename
MAIL6.NTF, and click OK.
5. After Domino creates and opens the mail file, determine what level
of access is appropriate for both the user and you, as the
administrator. Then, edit the Access Control List (ACL) as follows:
a. Choose File - Database - Access Control.
b. From the Access Control List dialog box, create an ACL entry for the user by clicking Add and then selecting the user's name from the Domino Directory.
c. Set the user type to Person and select the level of access. Users
require at least Editor with Delete document access.
d. (Optional) Select your name from the ACL and click Remove. As
the administrator, you can choose to retain Manager access,
particularly for users who do not have Notes client access.
e. Click OK to save the entry and close the ACL.
6. Complete the procedure Preparing a mail file for IMAP access.
IMAP mailboxes. Also, hidden and private folders are not visible to IMAP clients. And finally, IMAP clients do not display views that are part of the Notes mail file template, such as the Draft and Sent views.
The Domino IMAP service does not support renaming of the Inbox folder
in a Notes mail file from an IMAP client.
For users who access their mail files from both an IMAP client and a
Notes client, Domino synchronizes unread message marks between the
two. Thus, a message marked as read in Notes is also marked as read for
an IMAP client, and vice versa.
IMAP clients cannot read messages that use Notes encryption. IMAP clients do not have access to the Notes private key needed to decrypt messages encrypted with a user's Notes public key certificate. As a result, when a user opens an encrypted Notes message from an IMAP client, only the unencrypted header information is available. The server replaces the blank message body with the following text:
[Portions of this MIME document are encrypted with a Notes
certificate and cannot be read.]
To compact all mail files in the MAIL directory, enter the name of the
MAIL directory as the database path, for example:
Load compact MAIL
Note You can also enter Step 4 directly at the console on a server.
After you run compact on the mail file, continue preparing the file for
IMAP users by running Fixup.
where path is the database path relative to the Domino data directory
and mailfile is the name of the mail file database. For example, to run
Fixup on the mail file database USER.NSF in the DATA\MAIL
folder, enter:
nFixup mail\user.nsf
Running the mail conversion utility to enable a mail file for IMAP
Note If you used the Domino Release 6 registration process to add a user account, and set the user's mail system type to IMAP, Domino automatically enables the mail file for IMAP use.
After you run Fixup on the mail file, run the mail conversion utility (the
Convert task) to enable IMAP-specific features in the mail file. The
conversion utility sets an option bit in the database indicating that this
database is IMAP enabled. After you enable a mail file for which the
format preference is set to MIME, the Router automatically adds special
IMAP attributes to new messages delivered to the database. These
attributes provide IMAP clients with summary information which
enables them to download message headers more efficiently. To ensure
the best performance, after the initial conversion completes run the
conversion utility a second time, using the -h option to add these
attributes to messages that were already in the mail file at the time of the
initial conversion.
For users with multiple mail file replicas (for example, users with mail files on clustered servers), you must independently enable each replica for IMAP access. Because Domino does not replicate IMAP database items between databases, by default, when you create a new replica of an IMAP-enabled mail file, it is not enabled for IMAP use.
After the conversion utility enables a mail file for IMAP, the following information is added to the bottom of the Information tab of the mail file's Database Properties dialog box:
Database is IMAP enabled
You might also choose to run the conversion utility manually if many of
your first-time IMAP users access the server over slow modem
connections, particularly if a large proportion of them would be logging
in at the same time. The reason for this is related to the way the IMAP
service allocates threads to perform automatic conversions. The IMAP
service dedicates a single conversion thread for each conversion and it
draws this conversion thread from the same thread pool that provides
the threads responsible for servicing other IMAP client requests, such as
logging in users or retrieving messages. Because mail file conversions can
require a significant amount of time, with conversion times increasing as
connection speeds decrease, a conversion thread typically remains busy
longer than other thread types. As a result, an IMAP service flooded with
conversion requests can experience a thread shortage. This shortage
affects not only the users awaiting conversion, but current IMAP users,
too, who encounter unexpected delays attempting to log in and retrieve
messages. When the conversion utility is run manually on the mail
server, the operation completes in a very short time, even if the mail file
is relatively large.
Finally, you must run conversions manually to enable mail files in the other users' and public folders namespaces. Automatic mail file conversion can occur only for the personal mail file of the currently authenticated user.
Although the IMAP service can automatically convert mail files, consider manually converting them before users first log in to the IMAP server to ensure that mail files are properly converted. By performing conversions ahead of time, you can ensure that users are not confronted with conversion errors that they are unable to recover from. For example, because the conversion utility requires that a mail file be at least at ODS version 41, for mail files that use an earlier ODS version you must run Compact before converting the mail file; using automatic conversion would fail. Similarly, in databases where some type of internal corruption has occurred (for example, an invalid note, or corrupt metadata), you must run Fixup against the mail file before running the conversion utility.
To manually convert mail files for use with IMAP
You can run the mail conversion utility on a single mail file or on all mail files in a directory.
1. At the server console of the Domino server on which you want to enable mail files, shut down the Router by entering:
tell router quit
This prevents Domino from routing mail to the mail files while they are being converted. Mail is stored in MAIL.BOX while you upgrade the mail files. After you have converted the mail files and loaded the Router task again, the Router processes and delivers the mail in MAIL.BOX.
2. Load the mail conversion utility by entering the following command:
load convert -e maildirectory\mailfilename
3. After you finish enabling mail files for IMAP on this server, load the
Router by entering:
load router
Use
-e
-h
-o
-e-
This prevents Domino from routing mail to the mail files while they
are being converted. Mail is stored in MAIL.BOX while you upgrade
the mail files. After you have converted the mail files and loaded the
Router task again, the Router processes and delivers the mail in
MAIL.BOX.
2. Load the mail conversion utility by entering the following command:
load convert [-h /-o] maildirectory\mailfilename
user's mail file. The maildirectory path describes the path relative to the server's Domino data directory. For example, to add IMAP
attributes to the mail database USER.NSF in the \MAIL subdirectory
of the Domino data directory, enter:
load convert -h mail\user.nsf
Caution When the conversion utility is run with the -h option, the
conversion operation can take a long time to complete. The exact
time depends on server processing speed and memory, as well as on
the size and composition of the mail file. To ensure that you can
complete conversions in the available time, run a test with a single
mail file before using a wildcard to run multiple conversions.
3. After you finish enabling mail files for IMAP on this server, load the
Router by entering:
load router
To run Fixup
1. From a command prompt, change to the Domino program directory.
For example, if you installed Domino in the default location, enter:
cd c:\lotus\domino
Note If transaction logging is on, run Fixup with the -j switch, for
example:
nFixup -j mail\user.nsf
Description
Incoming mail (IMAP) server
Outgoing mail (SMTP) server
Authentication required to send outbound mail
Account/Login name
Password
E-mail address
Example
INBOX-PATH {East.Acme.com}INBOX
Folder configuration
Description
None.
4.6x, 5.x, 6.x
Without this setting, Domino checks for updates every 2 minutes.
For more information on determining the login names that a server will
accept, see the chapter Setting Up Name-and-Password and
Anonymous Access to Domino Servers.
Variable name
Description
IMAP_Convert_Nodisable_Folder_Refs
Specifies whether the mail conversion utility (CONVERT) preserves folder references when updating mail files for use with the Domino Release 6 IMAP service.
None. Without this setting, Domino removes folder references during conversion.
6.x
IMAP_Session_Timeout
None. Without this setting, Domino drops idle sessions after 30 minutes.
4.6x, 5.x
When this variable is not present, or is set to 0, updates occur immediately after a new message is received. This allows users to search new messages.
6.x
IMAPDisableMsgCache
Specifies whether the IMAP service caches the last message retrieved from a user's mail file.
When this variable is not present, or is set to 0, the IMAP service caches the most recently retrieved message.
6.x
IMAPGreeting
Specifies a custom greeting to send to IMAP clients connecting over TCP/IP.
None
IMAPMaxSessions
Specifies the maximum number of concurrent IMAP sessions the server allows.
None
5.0.3 and later 5.0.x releases
IMAPRedirectSSLGreeting
Specifies a custom greeting to send to IMAP clients attempting to connect to a TCP/IP port configured to redirect connections to the SSL port.
None
4.6x, 5.x
IMAPShowIdleStatus
When this variable is not present, or is set to 0, the SHOW TASKS command does not return the number of IMAP idle threads.
6.x
IMAPSSLGreeting
Specifies a custom greeting to send to IMAP clients connecting over SSL.
None
4.6x, 5.x
5.6x, 5.x
Chapter 32
Setting Up iNotes Web Access
This chapter describes how to set up iNotes Web Access so that Notes
client users can use a Web browser to access their Lotus Notes mail and
calendar. It provides configuration document settings and NOTES.INI
settings to control and customize iNotes Web Access for users. In
addition, this chapter describes how iNotes Web Access works with
Sametime and Domino Off-Line Services to provide users with instant
messaging and the ability to work offline.
Security
iNotes Web Access requires user log-on and logout security. When a user
logs onto iNotes Web Access, they must enter their name and Internet
password, as specified in their Person document. The login names that
the server accepts as valid depend on the setting in the Internet authentication field on the Security tab of the Server document.
Secure - This option deletes all traces of the user's personal use of iNotes Web Access and any Web pages that they may have browsed, but keeps iNotes Web Access program elements (this boosts performance when the next person logs on).
More secure - This option deletes all traces of iNotes Web Access and
all other Web pages in the temporary Internet files folder.
You can also redirect users to a specific Web page after they logout.
For more information, see the topic Redirecting users to a Web page
after logout later in this chapter.
User name
Internet password
The default URL displays the Welcome Page. However, you can give users a URL that will initially display other views. Appending the following text to the URL with a specific keyword (see following table) will cause iNotes Web Access to initially display a different view:
.../username.nsf/inotes/keyword/?OpenDocument&ui=inotes
To display
Mail Inbox
Calendar: calendar
To Do List: todo
Contact List: contacts
Notebook: notebook
Inbox
Calendar
To Do List
Notebook
Contact List
URL syntax for an iNotes Web Access portal showing just the mail Inbox:
.../username.nsf/inotes/mail/?OpenDocument&ui=portal
Note that you can place all of iNotes Web Access within a portal page by
using the normal iNotes URL and not using the &ui=portal parameter.
Action
Minimum alarm polling time
Mail
Minimum mail polling time
Enter a number to specify how often, in minutes, the iNotes Web Access client checks the server for new mail. Default is 5 minutes. Increase this number to improve server performance.
When sending mail, set format to:
Choose Plain text, or Let user decide. This setting allows you to restrict outgoing mail to plain text only. Plain text messages can be read by most legacy mail applications. Allowing the user to decide lets the user pick the format for every outgoing mail message.
5. Change any of the configuration settings and then save the document
and restart the Domino server.
Setting
Action
Offline
Encrypt offline mail files
Setting
Action
Archiving on server
Modification of Internet password
Calendar printing
3. In the field Alternate name languages, choose languages from the list.
Chapter 33
Monitoring Mail
This chapter describes how to track messages to determine if they
reached the recipients and how to generate mail usage reports.
Meaning
Delivered
Delivery failed
In queue
Transferred
Transfer failed
Group expanded
The message was addressed to a group, and the group was expanded on this server.
Unknown
Mail usage reports provide important information that you can use to
resolve problems and improve the efficiency of the mail network. In
addition, this information is valuable when you plan changes or
expansions to the mail network. For example, you can generate reports
that show the 25 users who received the most mail over a given period of
time (a day, a week, a month, and so forth), or the volume of mail sent by
a specified user over some interval. With this information, you can
identify users who might be misusing the mail system. Other reports
show the most frequently used next and previous hops, enabling you to
assess compliance with mail use policies.
Enter
Server
Title
Reports
File name
REPORTS.NSF
Template server
Template
REPORTS.NTF
MTC operation
If mail tracking is enabled on the Router/SMTP Mail Tracking tab of the Configuration Settings
document, the MTC task collects data from mail
tracking log files at the interval specified in the
Message tracking collection interval field. If there
is new data to report, it creates an entry in the
MailTracker Store database. To instruct the MTC task
to collect data immediately, enter the following
command at the server console:
tell mtc process
If mail tracking is enabled on the Router/SMTP Mail Tracking tab of the Configuration Settings
document, the MTC task collects data from mail
tracking log files at the interval specified in the
Message tracking collection interval field. If there
is new data to report, it creates an entry in the
MailTracker Store database. To specify a different
interval, enter the following command at the server
console:
tell mtc interval value
MTC operation
Compact the MailTracker Store database
Enter
Message tracking
Choose one:
Enabled to log message-handling activity information in the Mail Tracking Store database.
Disabled (default) to not log any message-handling information.
Don't track messages for
The names of users and/or groups whose messages will not be logged and, therefore, cannot be tracked. This field applies only to messages sent by the specified person or group.
For example, to prevent administrators from tracking messages sent by the Manager of Human Resources, enter the manager's name in this field.
If you leave this field blank (default), authorized administrators can track messages for all users and groups on all servers that are enabled for mail tracking.
On servers running the ISpy task to test mail connectivity, this task sends trace messages at 5-minute intervals. To prevent the Domino MailTracker Store database from filling up with entries for these trace messages, enter the name of the ISpy mail-in database on the server in this field, for example, ISpy on MailHub1.
Field
Enter
Allowed to track messages
Allowed to track subjects
Enter
From
To
Sent
Choose one:
Today
Yesterday
Last week
Last 2 weeks
Last month
All times
To increase the likelihood of finding messages, choose a long time period.
Start
Choose one:
Sender's home server (default) - Select this option if you know the sender of the message.
Current server - Select this option if you don't know the sender of the message and you leave the From field blank.
If you manage multiple servers, you can select a different server by clicking its name from the Servers bookmark to the left of the Domino Administrator.
Subject
5. From the Messages Found pane, select a message and then click Track Selected Message.
6. Expand the Message tracking results folder, and select a server to view more information about what happened to the message on that server. Domino displays the following information:
Field
Description
Delivery status
Mailbox status
This server
Previous server
Next server
Msg priority
Outbound message ID
Inbound originator
Outbound originator
Inbound recipient
Outbound recipient
Subject
Disposition time
Indicates the time when the Router changed the status of the message to the value in the Delivery status field. There can be a delay between the arrival of a message and when the Router processes it.
Message arrival time
The time when the current server received the message.
Message size (bytes)
Description
Report Type
Time Range
Choose one:
Today
Yesterday
Over the last week (default)
Over the last two weeks
Over the last month
All available information
Each choice refers to the specified time period up to the current day. For example, if you choose Yesterday, the report includes information from yesterday and today.
Report should be
Specifies where the server places report results. Choose one:
Saved (default)
Mailed
Saved & Mailed
Field
Description
Mail Recipient
Note The Earliest Message Found and Latest Message Found fields are filled in automatically when you run the report. They display the date and time of the earliest and latest message found.
7. (Optional) To narrow the scope of a report, complete any of these fields:
Field
Enter
Sender's Name
Recipient's Name
2. In the Server field, specify the name of the server where the database
resides.
3. Choose Reports for Servername from the list of available databases,
and then click Open.
To open the Reports database in the Domino Administrator
1. From the Domino Administrator client, click the Mail tab.
2. Select the Reports for Servername view.
Viewing report results
1. Expand the Report Results or Scheduled Reports folders.
2. From either folder, expand the category for the report you want to
view.
For example, from the Report Results folder, click the By Schedule
view, and then in the Results panel, expand the category Once to see
the results of all saved reports that were run one time only, rather
than on a repeating schedule.
3. To open a report, double-click it in the Results panel.
Note For scheduled reports, the user is the server running the report;
for reports that an administrator runs manually, the user is the
administrator.
Chapter 34
Setting Up the Domino Web Server
[Figure: a browser client requests a page (1. Request page) from Web-E/East/Acme running the HTTP task, which converts the Notes document to HTML (2. Convert to HTML) and returns the page (3. Return page).]
Support for Java applets that are referenced using passthru HTML or
embedded in a document.
Support for CGI programs that are referenced using passthru HTML
in a document. CGI supports EXE, CMD, and BAT files and scripts
written in Perl, Python, and PHP.
Support for multiple Web sites with separate DNS names to exist on
a single server machine.
[Figure: the same request, convert and return flow (1. Request page, 2. Convert to HTML from a Notes document, 3. Return page) between a browser client and Web-E/East/Acme running the HTTP task; Webstage-E/East/Acme replicates with Web-E, and a firewall is shown.]
Note When the HTTP task starts up, a server console message indicates
the Domino Directory view the task is using for Web configuration
information (Servers\Internet Sites or Servers\Web Configurations).
For more information on server commands and NOTES.INI settings, see
the appendices Server Commands and NOTES.INI File.
6. Decide on an HTTP port strategy. You can enable ports for TCP/IP, SSL, or for both. In the Server document, click Ports - Internet Ports - Web, and enable one or both: TCP/IP port status and SSL port status.
Action
TCP/IP port number
TCP/IP port status
Choose one:
Enabled - To configure the server to listen for HTTP requests on the specified TCP/IP port.
Disabled - To prevent the server from listening for HTTP requests on the specified TCP/IP port.
Redirect to SSL - To redirect any HTTP requests that come into the TCP/IP port to the SSL port.
Enforce server access settings
Choose one:
Yes - To enforce server access settings for this protocol on the server. Server access settings are found on the Security tab of the Server document, and specify the names of authenticated users who have been granted access to this server, and those who have not.
No - To not enforce server access settings for this protocol.
Choose one:
Enabled - To configure the server to listen for HTTPS requests on the specified SSL port.
Disabled - If you do not want to use SSL for this server.
Action
Bind to host name
Choose one:
Choose one:
Enabled - To have Domino look up the DNS name of the requesting client. The Domino log files and database contain host names corresponding to the machine used by the Web client.
Disabled - (default) To not look up the DNS name of the requesting client. The Domino log files and database contain IP addresses.
Choosing Disabled improves the performance of the Domino server because the server does not use resources to perform the DNS name lookup.
Note The majority of browser users connect to the Internet through Internet service providers (ISPs), so the host names returned by DNS lookup are those of the ISPs' proxy servers, not the individual user machines.
DNS lookup cache
Choose one:
Enabled - To have Domino cache the results of a DNS lookup for faster retrieval.
Disabled - To not have Domino cache DNS lookup results.
DNS lookup cache size
DNS lookup cache found timeout
Field and action:

Maximum URL length

Maximum number of URL path segments

Maximum number of request headers

Maximum size of request headers
    Enter the total length, in KB, of all the headers in the request. The default is 16KB.

Maximum size of request content
    Enter the total amount of data, in MB, that can be contained in a request. The default is 10MB. The two most common ways for users to send data to the server are by submitting forms and by uploading files. If none of the applications on the server allow users to upload large files, you can probably set this to a much lower value.
Field and action:

IP address allow/deny priority
    Specify which IP address list, Allow or Deny, takes priority if an incoming IP address is listed in both the allow list and the deny list (this can happen when both lists contain wildcards). The default is that the Allow list takes priority.

IP address allow list
    List the IP addresses that are allowed to access the ports.

IP address deny list
    List the IP addresses that are denied access to the ports.

Note If a client IP address does not match either list, then the connection is allowed.

Examples of allow/deny settings:

Allow access to everyone
    IP address allow/deny priority: Allow
    IP address allow list: <blank>
    IP address deny list: <blank>

Deny access to everyone
    IP address allow/deny priority: Deny
    IP address allow list: *
    IP address deny list: *

Deny access to a particular Web crawler
    IP address allow/deny priority: Deny
    IP address allow list: *
    IP address deny list: 123.45.6.78

Deny access from two address ranges
    IP address allow/deny priority: Deny
    IP address allow list: *
    IP address deny list: 123.45.*; 95.123.4.*

Allow access only from two specific addresses
    IP address allow/deny priority: Allow
    IP address allow list: 123.45.6.78; 123.45.6.79
    IP address deny list: *
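The allow/deny evaluation described above, written out as an added example (this is illustrative code, not Domino's implementation): the three outcomes are "only in allow list", "only in deny list", "in both" (resolved by the priority field), and "in neither" (allowed). The pattern matcher assumes the wildcard forms shown in the table; an embedded single-octet '*' is an assumption not stated on the page.

```python
from typing import List

def parse_ip_list(field: str) -> List[str]:
    """Split a Web Site document IP list field on ';' and drop blanks.
    A <blank> field yields an empty list, which never matches anything."""
    return [p.strip() for p in field.split(";") if p.strip()]

def ip_matches(pattern: str, ip: str) -> bool:
    """Match a dotted-quad address against a Domino-style pattern.
    '*' as the last segment covers all remaining octets ('123.45.*'); an
    embedded '*' matches one octet (assumed behaviour, not stated on the page)."""
    pat, octs = pattern.split("."), ip.split(".")
    if len(octs) != 4 or not pat:
        return False
    for i in range(4):
        if i >= len(pat):
            return False                 # pattern shorter than the address, no wildcard
        if pat[i] == "*":
            if i == len(pat) - 1:
                return True              # trailing wildcard: the rest is irrelevant
            continue
        if pat[i] != octs[i]:
            return False
    return len(pat) == 4                 # reject over-long patterns

def ip_allowed(ip: str, allow_field: str, deny_field: str, priority: str = "Allow") -> bool:
    """Decide whether a client address may connect to the HTTP port.
    - listed only in the allow list: allowed
    - listed only in the deny list: denied
    - listed in both (possible once wildcards are involved): the list named in
      'IP address allow/deny priority' wins
    - listed in neither: allowed (the documented default)"""
    in_allow = any(ip_matches(p, ip) for p in parse_ip_list(allow_field))
    in_deny = any(ip_matches(p, ip) for p in parse_ip_list(deny_field))
    if in_allow and in_deny:
        return priority == "Allow"
    if in_allow:
        return True
    if in_deny:
        return False
    return True

# The five configurations from the table above (allow list, deny list, priority),
# constructed from the documentation's own sample values.
PAGE_EXAMPLES = {
    "allow everyone": ("", "", "Allow"),
    "deny everyone": ("*", "*", "Deny"),
    "deny one crawler": ("*", "123.45.6.78", "Deny"),
    "deny two ranges": ("*", "123.45.*; 95.123.4.*", "Deny"),
    "allow only two hosts": ("123.45.6.78; 123.45.6.79", "*", "Allow"),
}

def evaluate(example: str, ip: str) -> bool:
    """Apply one of the documented configurations to a client address."""
    allow, deny, priority = PAGE_EXAMPLES[example]
    return ip_allowed(ip, allow, deny, priority)

if __name__ == "__main__":
    for name in PAGE_EXAMPLES:
        for ip in ("123.45.6.78", "123.45.6.79", "95.123.4.200", "192.0.2.10"):
            print(f"{name:22} {ip:14} -> {'allow' if evaluate(name, ip) else 'deny'}")
```

Note the last case in ip_allowed: a deny list with no matching allow entry still admits every address it does not name, so a deny-only configuration is a blocklist, not an allowlist.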
Field and action:

TCP/IP port number
    Enter the port the Domino IIOP task listens on. Do not change this port unless you have assigned port number 63148 (the default) to another task. The default on Linux servers is 60148 because of an operating system restriction.

TCP/IP port status. Choose one:
    Enabled (default): To allow communication over this port.
    Disabled: To prevent communication over this port.

Number of threads

Run restricted Java/JavaScript/COM
    Enter the name that the applet or application uses to access the server. Applet or application names entered in this field are allowed to run programs created using a restricted set of Java and JavaScript features. If the applet or application logs on anonymously, enter the word Anonymous in this field.

Run unrestricted Java/JavaScript/COM
    Enter the name that the applet or application uses to access the server. Applet or application names entered in this field are allowed to run programs created using all Java and JavaScript features. If the applet or application logs on anonymously, enter the word Anonymous in this field.
For information on this setting, see the topic Customizing Web server
setup.
Field and action:

Does this server use IIS?
    (Domino 5.0x servers only) Specify whether this server uses the Microsoft IIS stack instead of the native Domino HTTP stack.
    Note This setting is used only if the server is Domino 5.0x or earlier; Domino 6 servers always generate IIS-compatible links.

Protocol

Host name
    Indicate the fully-qualified host name to be used in URL links to this server; for example, www.acme.com.

Port number
Field and action:

Java servlet support. Choose one:
    None (default): To not load the Java Virtual Machine (JVM) or the servlet manager when the HTTP task starts.
    Domino Servlet Manager: To load the JVM and the servlet manager that comes with Domino.
    Third Party Servlet Support: To load the JVM, but not the Domino servlet manager. This lets you use a servlet manager other than Domino, such as IBM WebSphere.

Servlet URL path
    Enter the path in a URL that signals Domino that the URL refers to a servlet. The default is /servlet.

Class path
    Enter one or more paths that the Servlet Manager and JVM search to find servlets and dependent classes. The standard Java libraries installed with Domino are automatically in the class path. This setting allows you to add additional paths. You may specify directories, JAR files, and ZIP files. Paths may be absolute or relative to the Domino data directory. For example:
        domino\servlet specifies files in the c:\lotus\domino\data\domino\servlet directory
        c:\apps\myservlets specifies files in the c:\apps\myservlets directory
        c:\javamail\mail.jar specifies the mail.jar file in the c:\javamail directory
        domino\servlet\sql.zip specifies the sql.zip file in the c:\lotus\domino\data\domino\servlet directory
    The default is domino\servlet.

Servlet file extensions
    Enter a list of URL file extensions that signal Domino that a URL refers to a servlet. You must map each extension to a single servlet by a directive in the servlets.properties file. The default is no extensions.

Session state tracking. Choose one:
    Enabled (default): To have the Domino servlet manager periodically check the user activity of all HttpSession instances. Sessions that are idle for the period of time specified in the Idle session timeout field are automatically terminated. The servlet manager calls the method HttpSession.invalidate() to inform the servlet that the session will be terminated.
    Disabled: Does not check for user activity.
    Domino uses this setting and the settings below only if the servlet uses the Java Servlet API HttpSession interface. The HttpSession interface support is completely separate from the Domino HTTP session authentication feature.

Idle session time-out
Setting up WebDAV
WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP/1.1 protocol that allow users to collaboratively edit and manage files on remote Web servers.
WebDAV support in the Domino Web Server enables access to file resource type design elements in a Domino database. This allows application designers to work with design elements such as HTML files, images, and other file-based resources using Web-based authoring and development tools.
The WebDAV implementation in the Domino Web Server supports, and has been tested with, the following clients: Macromedia Dreamweaver 4.01, Microsoft Office 2000, Microsoft Internet Explorer 5.0x and 6.0, and Windows Explorer on NT4, Windows 98, Windows XP, and Windows 2000.
You must be using Web Site documents to configure and manage the Web sites on your server in order to use WebDAV.
Be aware that enabling WebDAV also enables the following HTTP methods for the Web site: PUT, DELETE, GET, HEAD, OPTIONS.

Session persistence (a field of the Java servlet settings table above). Choose one:
    Enabled: To save session data to a disk file named sessdata.ser in the Domino data directory when the HTTP task exits. Domino reloads the session data when the HTTP task restarts. Domino also saves objects that the servlet has bound to sessions if the objects implement the java.io.Serializable interface.

Enable session authentication on the Web Site for which you have WebDAV enabled.
Create a File Protection document for the Web site that restricts access to the HTML root directory. If a File Protection document is preventing access to the HTML directory (\domino\data\domino\html), then some WebDAV clients will not be able to connect to or access the WebDAV database when accessing this Web Site. The server console displays one of these error messages:
You are not authorized to perform this operation [_vti_inf.html]
You are not authorized to perform this operation [_vti_bin/shtml.exe/_vti_rpc]

Enabling WebDAV
Before you can use WebDAV (Web-based Distributed Authoring and Versioning), it must be enabled.
1. From the Domino Administrator, choose Configuration - Web - Internet Sites.
For detailed information about using WebDAV, see the book Application Development with Domino Designer.
Domino 6 Web Site documents and their Release 5 equivalents (Server document or virtual server):
    Rule corresponds to the URL Mapping/Redirection document
    File Protection corresponds to File Protection
    Authentication Realm corresponds to Realm
If you are using virtual servers or hosts, create one Web Site document
for each virtual site. If you provided a default site in the Release 5 server
record, you must either make one of the Web Site documents the default
site, or create a document for the default site.
To convert from the Web Server Configurations view to the Internet Sites view
If you do not have virtual servers or hosts, follow these steps to convert to the new view:
1. Create a Web Site document.
2. Select the Web Site document and choose Edit Document.
3. Click the Web Site button and create the corresponding documents in Lotus Domino 6: Rule (URL Mapping/Redirection), File Protection (File Protection), or Authentication Realm (Realm).
4. Open the Server document.
5. Click Basics and check Enabled for Loads Internet configurations from Server\Internet Sites documents.
6. Save the document, and restart the HTTP server task to use the new view.

You set up each virtual server with a network connection that has its own separate, permanent numeric IP address, or you map multiple host names to the same IP address. The number of virtual servers is dependent only on your operating system and the system hardware. See your operating system documentation and hardware documentation for more information.
Configuring HTML, CGI, icon, and Java files for Web Site documents
Domino looks for individual HTML, CGI, and icon files in specific directories on the server's hard drive. You can change the URL path for icons and CGI program files. The URL path is where Domino looks for icons or CGI programs when it encounters a reference to one of these in the HTML code.
Specifying icon and CGI URL paths is useful if you change the directory location of icons or CGI programs and you do not want to modify HTML code that references the previous location of these files.
1. From the Domino Administrator, choose Configuration - Web - Internet Sites.
2. Choose the Web Site document you want to edit and click Edit Document.

Field and action:

Home URL

HTML directory

Icon directory
    Enter the directory where icon files are located. You can specify the path for the icon directory using either the fully qualified path or a relative path. Default is domino\icons.
    Service providers: This directory is relative to the main Domino data directory, not to the hosted organization's data directory.

Icon URL path
    Enter the URL path that is used to map to the icon directory. The default is /icons. For example, the URL http://servername/icons/abook.gif returns the file c:\lotus\domino\data\domino\icons\abook.gif.

CGI directory

CGI URL path
    Enter the URL path that is used to map to the default CGI directory. The default is cgi-bin. For example, the URL http://servername/cgi-bin/test.pl runs the CGI program c:\lotus\domino\data\domino\cgi-bin\test.pl.

Java applet directory
    Enter the directory where the Domino Java applets are located. The default is domino\java.

Java URL path
    Enter the URL path that is used to access files in the default Java directory. The default is /domjava.

Note If you are using the Web Server Configuration view, open the Server document, choose Internet Protocols - HTTP, and complete the fields in the Mapping section.
Setting Up the Domino Web Server 34-21
Field and action:

DSAPI filter file names
    Enter the name of one or more DSAPI filter files.
    Service providers: Each DSAPI filter applies to the entire server; therefore, if the services must be different for individual hosted organizations, the DSAPI filter itself must be coded to handle those differences for each individual hosted organization.

Methods
    WebDAV
    GET (default)
    HEAD (default)
    POST (default)
    OPTIONS (default)
    TRACE (default)
    PUT
    DELETE

Note If you are using the Web Server Configurations view, use the Server document.
2. Choose the Web Site document you want to edit, and click Edit Document.
3. Click the Domino Web Engine tab. Under HTTP Sessions, in the Session authentication field, do one of the following:
    Choose Multiple Servers (SSO) to allow a Web user to log on once to a Domino server, then access any other Domino server in the same domain without logging on again. Under Web SSO configuration, enter the name of the Web SSO configuration document.
    Choose Single Server to use cookies for a single server only. This option applies only when users access this Web site. Under Idle session timeout, enter the time (in minutes) when the cookie will expire and the session will be deactivated. Default is 30 minutes.
    Choose Disabled (default) to prevent cookies from being used by the Domino server for authentication.
4. In the Maximum active sessions field, enter the maximum number of active, concurrent user sessions on the server. Default is 1000.
5. Save the document.
For more information about session authentication and single sign-on, see the chapter Setting Up Name-and-Password and Anonymous Access to Domino Servers.
Field and action:

Image conversion format

Interlaced rendering. Choose one:
    Enabled (default): To display each line of the image individually.
    Disabled: To wait for the entire image to download before displaying the image.

Progressive rendering. Choose one:
    Enabled (default): To display the image incrementally in several passes.
    Disabled: To wait for the entire image to download before displaying the image.

JPEG image quality
    Enter a percentage between 5 and 100 to indicate the level of image quality. The larger the value, the larger the file, the longer the file takes to transmit, and the better the image quality. The default is 75.

Note If you are using the Web Server Configuration view, open the Server document and click the Internet Protocols - Domino Web Engine tab.

Field and action:

Default search result limit

Maximum search result limit

Note If you are using the Web Server Configuration view, open the Server document and click the Internet Protocols - Domino Web Engine tab.
Redirect to resolve external links. Choose one:
    Disabled (default): To prevent the server from accepting Redirect URL commands and from generating Redirect URL commands as a result of a domain search.
    By Server: To look up the server name specified in the URL in the Domino Directory on the Web server. The Web server searches for the server name in both the Host names field on the Internet Protocols - HTTP tab and the Fully qualified Internet host name field on the Basics tab.
    By Database: To find the database in the Domino Directory on any available server. Domino locates the database in the domain catalog, if available, or in the server's local catalog. Make sure the domain catalog contains up-to-date information on the location of databases.
    With this option, resolving links takes more time than with the By Server option, since the Web server searches for the database on an available server instead of just the server presented in the URL. The By Database option, however, may resolve more links, since the Web server tries to resolve the link using a replica of the database on servers in addition to the server presented in the URL. Use this option on the server that runs the domain search so that more links are resolved for the user.
    Since By Server and By Database both rely on the information in the Domino Directory, make sure the server information in the Domino Directory is complete and correct.

Note If you are using the Web Server Configuration view, open the Server document and click the Internet Protocols - Domino Web Engine tab.
The Web Site document contains two additional settings that control POST and PUT methods that target a database (for example, filling in a form or uploading a file attachment). Formerly available in the Server record, for Domino 6 these settings have been moved to the Web Site document so that you can specify different values for each Web site.
The HTTP POST and PUT methods allow users to send data to the Domino server. The Server record field Maximum size of request content is new for Domino 6, and sets a limit on the amount of data that can be sent using either POST or PUT. This limit is enforced for all POST and PUT methods, whether the target is a database, CGI program, or Java servlet, and applies to all Web sites.

To restrict the amount of data that can be sent to a Domino database
1. From the Domino Administrator, click the Configuration tab, expand the Web section and click Internet Sites.
2. Choose the Web Site document you want to edit and click Edit Document.
3. Click the Domino Web Engine tab. Under POST Data, complete these fields:

Note If you are using the Web Server Configuration view, open the Server document and choose the Internet Protocols - Domino Web Engine tab.
Field and action:

Choose one:
    Disabled: Users cannot customize their regional preferences.
    Single Server: Cookies for customized preferences are generated for the current Web site/server only.
    Multi-server: Cookies for customized preferences are generated for the DNS domain to which the current Web site/server belongs.

Default regional locale
    Use this field for those cases in which a user does not have any custom regional settings enabled for their browser, and the format option for regional setting fields is set to user's setting. This information is needed for formatting date, time, number, and currency fields. Choose one:
    Server locale: Use the server's operating system settings.
    Browser's accept-language (default): Use the browser's accept-language. By default, both Internet Explorer and Netscape send HTTP requests with the accept-language header in the user's preferred language(s).

Note If you are using Server document settings and the Web Server Configurations view, you can enable these settings in the Server document in Internet Protocols - Domino Web Engine, under Web user preferences.
34-30 Administering the Domino System, Volume 1
Field and action:

Default string resource language

Additional string resource languages

Note If you are using Server document settings and the Web Server Configurations view, you can enable these settings in the Server document in Internet Protocols - Domino Web Engine, under Language.

The Web server uses language string resource modules to render Web pages in different languages. The Domino 6 Web server can support multiple languages and be configured to handle them on the fly. The language in which a Web server generates a Web page is based on the Accept-Language setting in the headers of client HTTP requests. For example, a Web server with English and French resource modules will generate a Web page in French if a Web client sends an HTTP request with Accept-Language: fr (French) in its headers.
3. Click the Domino Web Engine tab. Under Character Set Mapping, complete these fields:

Default character set group

Convert resource strings to

Choose one:
    Yes: To generate pages using UTF-8.
    No (default): To generate pages using the character set mapping you select.

Choose one:
    Yes (default): To add the character set to the Content-Type HTTP header of an HTML page. If you select Yes, the browser finds the character set before rendering the page.
    No: To exclude the character set from the HTTP header of an HTML page. Use this option if you use early versions of browsers that do not understand the character set tag in the HTTP header.

4. In the fields that display the character set group names, select one of the available choices for character set mapping.
5. Save the document.

Mapping choices:
    Western (this set includes Windows and ANSI characters): US-ASCII, ISO-8859-1 (default), ISO-8859-15, Windows-1252
    Central European: ISO-8859-2, Windows-1250 (default)
    Japanese: SJIS (default), JIS (ISO-2022-JP), EUC-JP
    Traditional Chinese: Big5 (default), EUC-TW
    Simplified Chinese: GB
    Korean: KSC5601 (EUC)
    Cyrillic: ISO-8859-5, Windows-1251, KOI8-R (default)
    Greek: ISO-8859-7, Windows-1253 (default)
    Turkish: ISO-8859-9, Windows-1254 (default)
    Thai: Windows-874
    Baltic: Windows-1257
    Arabic: Windows-1256 (default), ISO-8859-6
    Hebrew: ISO-8859-8 (default), Windows-1255
    Vietnamese: Windows-1258
Web Site rules include substitution, redirection, directory, and HTTP response header rules; each type is described below.

Substitution rules
A substitution rule replaces one or more parts of the incoming URL with new strings. Substitution rules should be used when you want to reorganize your Web site and you don't want to have to rewrite all the links in the site, or when you want to provide user-friendly aliases for complex URLs.
Redirection rules
Redirection rules redirect incoming URLs to other URLs. There are two
types of redirection rules: external redirection and internal redirection.
An external redirection rule causes the server to inform the browser that
a file or other resource requested by the browser is located at another
URL. If the incoming URL path matches an external redirection rule, the
HTTP task generates a new URL based on the redirection pattern and
immediately returns that URL to the browser. Using external redirection
rules allows existing links and bookmarks to keep working, but ensures
that new bookmarks point to the new location.
An internal redirection rule acts like a substitution rule, as the HTTP task
generates a new URL and then re-normalizes it. There are two
differences, however. First, the redirection table is searched recursively,
so you can create and nest multiple redirection rules. Second, an internal
redirection rule does not require the use of a wildcard character. Thus,
you can choose to use an internal redirection rule instead of a
substitution rule if you want to force an exact match on the URL path.
If the incoming URL path matches an internal redirection rule, the HTTP
task generates a new path, normalizes the path, and searches the
redirection rule table again. Because the HTTP task does a recursive
search through the redirection rule table, you can write broad redirection
rules that capture URLs no matter what substitution or redirection has
been applied.
Note Having a recursive search means that there is the potential for
getting into an infinite loop if you write redirection rules that match each
other. To eliminate this possibility, the HTTP task has a built-in recursion
limit of ten.
Wildcards are allowed in redirection rules, but are not required.
Directory rules
A directory rule maps a file-system directory to a URL pattern. When the
Web server receives a URL that matches the pattern, the server assumes
that the URL is requesting a resource from that directory.
Directory rules can only be used to map the location of files that are to be
read directly (such as HTML files and graphic files) and executable
programs to be loaded and run by the operating system (such as CGI
programs). Directory rules cannot be used to map the location of other
types of resources, such as Domino databases or Java servlets.
When you create a Directory Web Site rule, you specify read or execute
access to a file-system directory. It is critically important to choose the
right access. Only directories that contain CGI programs should be
enabled for Execute access. All other directories should have Read access.
If you specify the wrong access level, unexpected results will occur. For
example, if you mark a CGI directory for Read access, when a browser
user sends a URL for a CGI program, the server will return the source
code of the program instead of executing it, which could be a serious
security breach.
Directory rules cannot override file-access permissions enforced by the
operating system.
Note Access level is inherited by all subdirectories under the specified
directory.
HTTP response header rules
Every HTTP browser request and server response begins with a set of headers that describe the data that is being transmitted. An HTTP response header rule allows an application designer to customize the headers that Domino sends, such as an Expires header or custom headers, in responses to requests that match the specified URL pattern.
The most important use of response rules is to improve the performance of browser caching. An application designer can add headers that provide the browser with important information about the volatility of the material being cached.
You can also use response rules to customize headers. For example, you can create response rules for custom headers that display specific error messages, for example, when a user is not authorized to access an application.
Unlike other Web site rules, response rules are applied to the outgoing
response, just before the HTTP task transmits the response to the
browser. For response header rules, the pattern is matched against the
final form of a URL, after substitution and redirection rules have been
applied to it. For example, if you have a substitution rule that transforms
/help/* to /support.nsf/helpview/* and you want to create a response
rule to match the response, the pattern for the response rule should be
/support.nsf/helpview/*.
The pattern can include one or more asterisks as wildcard characters. For
example, the pattern /*/catalog/*.htm will match the URLs
/petstore/catalog/food.htm, /clothing/catalog/thumbnails.htm, and so
on. A wildcard is not required in a response rule. This allows you to
create a rule that matches a specific resource, for example,
/cgi-bin/account.pl. Also, as with all rules, the incoming pattern cannot
contain a query string.
Response header rules are different from other rules in that not only do
they have to match a URL pattern, they also have to match the HTTP
response status code. You need to specify one or more status codes in the
HTTP response codes field.
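The rule processing described in the redirection rules section (one-pass substitution, recursive internal redirection with the limit of ten, external redirection) and in the response header rules section (matching against the final URL plus a status code), as one added example serving both passages; it is illustrative code, not the HTTP task's implementation. The sample rules, header values and the handling of a query string before matching are constructed assumptions, as is raising an error once the recursion limit is exceeded (the page states the limit but not what happens after it).

```python
import re
from typing import Dict, List, Optional, Set, Tuple

RECURSION_LIMIT = 10   # the HTTP task's built-in cap on nested internal redirections

# (rule type, incoming URL pattern, replacement / redirect-to pattern)
Rule = Tuple[str, str, str]
# (incoming URL pattern, HTTP response codes, headers to add)
HeaderRule = Tuple[str, Set[int], Dict[str, str]]

class RedirectLoop(Exception):
    """Raised when internal redirection rules keep matching each other past the limit."""

def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' is the only wildcard; every other character is literal. Each '*'
    becomes a capture group so the fragment can be reused in the replacement."""
    return re.compile("^" + "(.*)".join(re.escape(p) for p in pattern.split("*")) + "$")

def fill_replacement(replacement: str, match: "re.Match[str]") -> str:
    """Substitute the captured fragments for the '*'s in the replacement, left to right."""
    out = replacement
    for fragment in match.groups():
        out = out.replace("*", fragment, 1)
    return out

def normalize(path: str) -> str:
    """Minimal re-normalization (assumed): drop any query string, which no
    incoming pattern can match, and collapse repeated slashes."""
    path = path.split("?", 1)[0]
    while "//" in path:
        path = path.replace("//", "/")
    return path

def resolve_url(path: str, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Run a request path through the substitution and redirection tables.
    Returns (final internal path, external URL or None). Substitution: first
    matching rule, applied once. Internal redirection (target starts with '/'):
    re-normalize and search the table again, up to RECURSION_LIMIT hops.
    External redirection: hand the generated URL back to the browser."""
    path = normalize(path)
    for rtype, incoming, replacement in rules:
        if rtype == "substitution":
            m = pattern_to_regex(incoming).match(path)
            if m:
                path = normalize(fill_replacement(replacement, m))
                break
    hops = 0
    while True:
        for rtype, incoming, target in rules:
            if rtype != "redirection":
                continue
            m = pattern_to_regex(incoming).match(path)
            if not m:
                continue
            new_url = fill_replacement(target, m)
            if not new_url.startswith("/"):
                return path, new_url           # external: browser is told the new location
            if hops == RECURSION_LIMIT:
                raise RedirectLoop(f"more than {RECURSION_LIMIT} nested redirections at {path}")
            hops += 1
            path = normalize(new_url)          # internal: acts like a substitution, search again
            break
        else:
            return path, None                  # nothing matched: this path is final

def hits_recursion_limit(path: str, rules: List[Rule]) -> bool:
    """True when the redirection table loops on itself for this path."""
    try:
        resolve_url(path, rules)
    except RedirectLoop:
        return True
    return False

def response_headers(final_path: str, status: int, header_rules: List[HeaderRule]) -> Dict[str, str]:
    """Header rules must match BOTH the final URL (after substitution and
    redirection) and the response status code. Every matching rule contributes."""
    added: Dict[str, str] = {}
    for incoming, codes, headers in header_rules:
        if status in codes and pattern_to_regex(incoming).match(final_path):
            added.update(headers)
    return added

# Constructed sample tables using the patterns quoted in the text above.
RULES: List[Rule] = [
    ("substitution", "/help/*", "/support.nsf/helpview/*"),
    ("redirection", "/old/*", "/new/*"),                       # internal (starts with '/')
    ("redirection", "/new/docs/*", "/docs/*"),                 # nested internal redirection
    ("redirection", "/moved/*", "http://www.acme.com/archive/*"),  # external
]
LOOPING_RULES: List[Rule] = [("redirection", "/a/*", "/b/*"), ("redirection", "/b/*", "/a/*")]
HEADER_RULES: List[HeaderRule] = [
    ("/support.nsf/helpview/*", {200}, {"Expires": "Thu, 01 Jan 2004 00:00:00 GMT"}),
    ("/*/catalog/*.htm", {200, 304}, {"Cache-Control": "max-age=3600"}),
    ("/cgi-bin/account.pl", {403}, {"X-Error-Page": "/errors/denied.htm"}),
]

if __name__ == "__main__":
    for req in ("/help/intro.htm", "/old/docs/a.htm", "/moved/x.htm", "/petstore/catalog/food.htm"):
        final, external = resolve_url(req, RULES)
        print(req, "->", final, external or "", response_headers(final, 200, HEADER_RULES))
```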
Global Web Settings document and associated Web Site rule documents
are not automatically created. If you want to use the Global Web Settings
document and Web Site rules in your Web environment, you need to
manually create them.
Field and action:

Description

Type of Rule. Choose one:
    Directory: To allow a server file-system directory to be accessed by a URL path.
    Redirection: The resource identified by the URL has been moved to a different location or Web site.
    Substitution: To replace a string in the URL with another string.
    HTTP response header: To add an Expires header or custom headers to HTTP responses that match specified URL patterns and response codes.

Incoming URL pattern

Replacement pattern

Target server directory

Access level (Directory only). Choose one:
    Read: Files in the directory are displayed in the browser or downloaded.
    Execute: Files in the directory are CGI files to be executed on the server.

HTTP response codes (HTTP Response Header only)
    Enter the HTTP response codes to which you want your response headers applied.

Expires header (HTTP Response Header only). Choose one:
    Don't add header
    Add header only if application did not
    Always add header (override application's header)
    Note If you choose to add a header, you must specify an expiration period, either by specifying the number of days for which you want to enable this header, or a date after which you want to disable this header.

Custom header (HTTP Response Header only)
    For each custom header you want to use, specify:
    Name: The name of the response header.
    Value: The value of the response header.
    Override: Override application's header.

Redirect to this URL (Redirection only)
    Enter the new URL location. If the URL pattern in this field starts with a slash, the rule is treated as internal redirection. Otherwise, the rule is assumed to be external redirection. The pattern for an external redirection needs to start with an Internet protocol string that the browser understands, such as http: or ftp:.
Example: a Directory rule for PHP scripts

Description

Type of Rule
    Select Directory.

Incoming URL pattern
    Enter /php-bin. An example of an incoming URL would be http://<server>/php-bin/PHP.EXE/<php-scripts>

Target server directory

Access level
    Click Execute.

Web Site document fields:

Descriptive name for this site
    Enter a name for this Web site.

Domino servers that host this site
    List all the servers in the domain that will host this Web site.

File protection does apply, however, to files that access other files, for example, HTML files that open image files. If a user has access to the HTML file but does not have access to the JPEG file that the HTML file uses, Domino does not display the JPEG file when the user opens the HTML file.
You can create a File Protection document for a directory or for an individual file. Protection defined for a directory is inherited by all of its subdirectories. You must set up File Protection documents for all directories accessible to Web users. Files and file directories that do not have File Protection documents can be accessed by anyone using a Web browser.
Note You do not need to use a file protection document to protect a database (.NSF) file; instead, you use a database ACL.
Examples of controlling Web browser access to server files
Specifying these settings in fields in the File Protection document allows
all users in the Web User Group to open files and start programs in the
c:\notes\data\domino\html directory.
Path: c:\notes\data\domino\html
Access: Web User Group (GET)
Access: - Default - (No Access)
The file secret.html resides in the c:\notes\data\domino\html
directory. You can deny access to this file to members of the Web
User Group and allow access only to user Joe Smith. To do this, create an
additional File Protection document with the following settings:
Path: c:\notes\data\domino\html\secret.html
Access: - Default - (No Access)
Access: Joe Smith (GET)
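The two File Protection documents above, evaluated by an added example (illustrative code, not Domino's own access check): the most specific document governs a path, directory protection is inherited by subdirectories, names not listed fall to the -Default- entry, and a path with no document at all is open to anyone. The precedence of an explicit user entry over group entries, the "private" image directory, and the user and group names are constructed assumptions.

```python
from typing import Dict, Iterable, List, Optional, Set

def norm_path(p: str) -> str:
    """Case-insensitive Windows-style comparison key (backslashes, no trailing separator)."""
    return p.replace("/", "\\").rstrip("\\").lower()

class FileProtection:
    """One File Protection document: a directory or file path plus an access list.
    The list maps a user, group or '-Default-' to the HTTP methods it may use;
    an empty set means 'No Access'. A new document always has -Default- = No Access."""
    def __init__(self, path: str, access: Dict[str, Iterable[str]]):
        self.path = norm_path(path)
        self.access: Dict[str, Set[str]] = {name: set(m) for name, m in access.items()}
        self.access.setdefault("-Default-", set())

def find_document(docs: List[FileProtection], target: str) -> Optional[FileProtection]:
    """The most specific document governs: an entry for the file itself beats its
    directory's entry, and directory protection is inherited by every subdirectory."""
    t = norm_path(target)
    best = None
    for d in docs:
        if t == d.path or t.startswith(d.path + "\\"):
            if best is None or len(d.path) > len(best.path):
                best = d
    return best

def effective_methods(doc: FileProtection, user: str, groups: Iterable[str]) -> Set[str]:
    """Assumed precedence, modelled on a database ACL: an explicit user entry wins,
    otherwise the union of the user's group entries, otherwise -Default-."""
    if user in doc.access:
        return doc.access[user]
    listed = [g for g in groups if g in doc.access]
    if listed:
        return set().union(*(doc.access[g] for g in listed))
    return doc.access["-Default-"]

def is_allowed(docs: List[FileProtection], target: str, user: str,
               groups: Iterable[str] = (), method: str = "GET") -> bool:
    """Decide whether the user may issue `method` against the file path."""
    doc = find_document(docs, target)
    if doc is None:
        return True        # no document at all: any browser user can fetch the file
    return method in effective_methods(doc, user, groups)

def files_not_displayed(docs: List[FileProtection], referenced: Iterable[str],
                        user: str, groups: Iterable[str] = ()) -> List[str]:
    """Files referenced by an HTML page (images, etc.) that the user cannot GET are
    left out of the rendered page; access to the page does not carry over to them."""
    return [f for f in referenced if not is_allowed(docs, f, user, groups, "GET")]

# Constructed documents: the two from the examples above plus a protected image directory.
DOCS = [
    FileProtection(r"c:\notes\data\domino\html",
                   {"Web User Group": {"GET"}, "-Default-": set()}),
    FileProtection(r"c:\notes\data\domino\html\secret.html",
                   {"-Default-": set(), "Joe Smith": {"GET"}}),
    FileProtection(r"c:\notes\data\domino\html\private",
                   {"Joe Smith": {"GET"}}),
]

if __name__ == "__main__":
    for user, groups in (("Jane Doe", ["Web User Group"]), ("Joe Smith", []), ("Anonymous", [])):
        for f in (r"c:\notes\data\domino\html\index.htm", r"c:\notes\data\domino\html\secret.html"):
            print(f"{user:10} GET {f}: {is_allowed(DOCS, f, user, groups)}")
```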
Creating file protection for Web Site documents
In Domino 6, you create a file protection document for a specific Web Site. This file protection document then applies only to that specific Web Site.
File protection documents provide limited security. Use Domino security features, such as database ACLs, to protect sensitive information.

To create file protection for a Web Site document
1. From the Domino Administrator, choose Configuration - Web - Internet Sites.
2. Open the Web Site document for which you want to create file protection.
3. Click Web Site and choose Create File Protection.

Field and action:

Description

Directory or file path
    Specify the directory or file path to which you want to restrict access. Enter it either in the fully-qualified path format, which includes the drive letter (for example, c:\lotus\domino\data\domino\cgi-bin), or as a path relative to the server's data directory (for example, domino\cgi-bin).

Current Access Control List
    Displays the users and groups who can access the file or directory you specified, and the type of access they are allowed. Similar to a database ACL, the access control list is always created with a -Default- entry, set to No Access, which you can modify. As with a database ACL, those not listed in the Access List receive the default access level.

Set/Modify Access Control List

Applies to

Path

4. Click Access Control, complete this field, and then save the document:

Current access control list
The realm string also applies to requests mapped to paths that have the
specified path as their root, provided that the child paths of the root do
not already have a specified realm. For example, the realm string
specified for D:\NOTES\DATA also applies to a request mapped to
D:\NOTES\DATA\FINANCE, if the latter does not have a realm
specification.
If there is no realm specification for a given path, Domino uses the path
from the request as a realm string.
If you are using Web Site documents, you can create a Web Site
Authentication Realm document for a specific Web Site document. The
Authentication Realm document appears as a response document to the
Web Site document in the Internet Sites view.
If you are using the Web Server Configurations view, or a virtual server
(Domino 5), you create a Web realm. The Web Realm document appears
as a response to the Server document which can be seen in the Web
Server Configurations view.
To create a Web Site authentication realm document
1. From the Domino Administrator, choose Configuration - Web Internet Sites.
2. Choose the Web Site document for which you want to create an
authentication realm, and click Edit Document.
3. Click Web Site and choose Create Authentication Realm.
4. Click the Basics tab and complete the following fields:
Field   Action
Directory or file path
IP Address
Path
Realm label returned to browser when access is denied   Enter a text string that describes the location on the server, or any other descriptive string, to be used as the realm that is displayed to the user and stored by the browser. This string should not contain accented or international characters, because the browser will not display them correctly. The browser displays the text string whenever there is an authentication or authorization failure at the location. The text appears in the browser's authentication dialog.
5. Enter this command at the console so that the settings take effect:
tell http restart
The user is not authorized to access one of the databases that is part
of the Web site on the server.
The user attempts to change their Internet password and that is not
allowed.
In addition, you can specify a general message that appears for all other
types of errors or responses that occur on the Web server.
Note The general error message will not be generated for errors that
occur when accessing non-database files. This type of custom error
message only works when errors are encountered while accessing .NSF
files.
If you enabled session-based name and password authentication,
Domino displays an HTML page you specify to request name and
password information from the user. Domino does not use customized
error pages to display errors when authenticating with the server or
accessing a database if session-based name and password authentication
is enabled.
Database designers also have the ability to create custom error messages
for individual databases that reside on Domino servers. These types of
custom error messages are stored within the database and will only be
generated when errors occur while accessing that specific database.
[Diagram: 1. The browser client requests a page from server Web-E/East/Acme. 2. The server gets the message page from the Domino Configuration database (DOMCFG.NSF). 3. It finds the message form in any database (ANYDB.NSF). 4. The message is displayed to the browser client.]
You can create custom error pages that apply to the entire server, a
specific Web site, or specific databases. If you have a custom error page
configured for a specific database, it overrides both the Web site specific
and the server-wide custom error pages. If you have a Web site specific
custom error page configured, it overrides the server-wide custom error message.
Creating custom Web server messages
Complete these procedures:
1. Create the Domino Configuration database.
2. Customize the Web server messages.
In this example, the form for the message exists in the database
ANYDB.NSF and is returned to the user when the user encounters an
error.
11. In the ACL for the database that contains the forms, assign Author
access to the server that stores the database.
Specify whether more than one Web application agent can run at one
time, as well as the timeout period for all Web application agents.
Restrict the amount of data that users can send to the server using
the HTTP POST command.
Field   Action
Maximum cached designs
Maximum cached users
Cached user expiration interval
HTTP persistent connection
Maximum requests per persistent connection
Persistent connection timeout
Request timeout
Input timeout   Enter the time, in seconds, that a client has to send a request after connecting to the server. The default is 15 seconds. If no request is sent within the specified interval, the server terminates the connection. If only a partial request is sent, the input timer is reset to the specified limit in anticipation of the rest of the data arriving.
Output timeout
CGI timeout
mechanism for the routine shutdown of agents. When the server shuts
down an offending agent, resources that the agent was using (such as
disk files) may be left open.
To run Web application agents
1. Open the Server document you want to edit.
Field   Enter
Choose one:
Enabled   To allow more than one agent to run on the Web server at the same time (asynchronously)
Disabled (default)   To run only one agent at a time (serially)
Web agent timeout   The maximum number of seconds (elapsed clock time) for which a Web application agent is allowed to run. If you enter 0 (the default value), Web application agents can run indefinitely.
Note This setting has no effect on scheduled agents or other types of server or workstation agents.
Chapter 35
Setting Up Domino to Work with Other Web Servers
The following features are supported for the Domino back-end servers:
core Domino database functionality, Lotus iNotes Web Access, Lotus
Domino Off-Line Services (DOLS), Lotus Discovery Server. Additional
Domino products may also be supported; refer to the product
documentation for details.
4. On the IHS server, edit the IHS configuration file httpd.conf (on a
default installation this file is located at
/usr/HTTPServer/conf/httpd.conf). Add the following lines to the
bottom of the file:
LoadModule ibm_app_server_http_module /usr/WebSphere/AppServer/bin/mod_ibm_app_server_http.so
WebSpherePluginConfig /usr/WebSphere/AppServer/config/plugin-cfg.xml
9. Right click the machine name in the tree on the left and select
Properties.
10. On the Internet Information Services tab, select WWW Service in
the Master Properties drop down box and click Edit.
11. In the WWW Service Master Properties window, click the ISAPI
Filters tab.
13. In the Filter Name: field, type iisWASPlugin.
14. In the Executable: field, click Browse. Open the WebSphere bin
directory and select iisWASPlugin_http.dll.
15. Close all open windows by clicking OK.
16. Open the Windows registry and create the following key path:
HKEY_LOCAL_MACHINE - SOFTWARE - IBM - WebSphere Application Server - 4.0.
Select 4.0 and create a new string value named Plug-in Config. Set its value
to the location of the plugin-cfg.xml file
(C:\WebSphere\AppServer\config\plugin-cfg.xml).
17. To enable the plug-in for additional Web sites, repeat Steps 4
through 8.
To configure the WebSphere plug-in
The WebSphere configuration file WebSphere\AppServer\config\
plugin-cfg.xml controls the operation of the plug-in. In order for the
plug-in to relay requests to the target Domino server, you must add
directives to plugin-cfg.xml to define a transport route to the server, and
pattern rules for the URL namespaces that identify requests which are to
be relayed to Domino. The plug-in will only relay requests that match a
namespace rule. All other requests will be handled by the front-end Web
server.
To configure plugin-cfg.xml
1. Open plugin-cfg.xml in Notepad.
2. Modify the <Transport> element to target the appropriate Domino
server. To do this, change the Hostname and Port parameters to the
values required for the plug-in to reach your back-end server's HTTP
task. For example:
<!-- Server groups provide a mechanism of grouping servers together. -->
<ServerGroup Name="default_group">
  <Server Name="default_server">
    <!-- The transport defines the hostname and port value that the web server
         plug-in will use to communicate with the application server. -->
    <Transport Hostname="mydomino.server.com" Port="81" Protocol="http"/>
  </Server>
</ServerGroup>
SSL
This setting enables the Domino HTTP task to process the special headers
that the plug-in adds to requests. These headers include information
about the front-end server's configuration and the user's authentication
status. As a security measure, the HTTP task ignores these headers if the
setting is not enabled, which prevents an attacker from mimicking a plug-in.
If you want a user to access secure resources, the Web user must be a
registered Domino user and the user must have an Internet
password.
If Domino finds the name in a Domino Directory, then Domino uses the
primary name in the Person record for authorization (ACL checking). If
Domino does not find the name, then Domino uses the pre-authenticated
name as-is for authorization.
In both cases, Domino builds the user's group list from the set of groups
in the Domino Directory that include the user as a member, and also
adds the special group -WebPreAuthenticated- to the list. You can use
-WebPreAuthenticated- as a group entry in database ACLs and other
access lists.
Note If you want to list IIS users by name in database ACLs, you must
be careful to use the correct form of the name. Use the primary name if
the user is listed in the Domino Directory, or the IIS pre-authenticated
name if the user is not in the directory. Remember that if a user is listed
by name in an ACL and is also a member of a group in the ACL
(including -WebPreAuthenticated- or any other group), the name entry
takes precedence over the group entry.
In summary, Basic Authentication uses the following guidelines:
Basic Authentication
When using Basic Authentication, IIS verifies the credentials that the
browser sends against a valid NT user account. If Basic Authentication is
the only IIS authentication method enabled, IIS requires all browser
requests to carry credentials; anonymous access is not allowed. Whenever a
user sends a Domino request, the IIS plug-in passes the user name to
Domino and informs Domino that the user has been authenticated by IIS.
Such a user is called a pre-authenticated user. The plug-in passes the
pre-authenticated name exactly as the user entered it in the browser.
Domino then attempts to look up that name in its directories. Since IIS
has already verified the user's password, Domino does not use the
Internet password stored in the user's Person document or LDAP entry.
IIS server. When a user makes a Domino request, the IIS plug-in passes
the user's Windows name to Domino, and Domino processes the
pre-authenticated name as described above for Basic authentication.
Windows account names use the form domain\username or
machinename\username, for example, SALES\JSmith. If Domino is
using Person documents in the Domino Directory to authenticate the
Windows users, the documents must contain the exact Windows account
names as aliases. For example, if Joe Smith has a Notes ID in the
CorpSales domain and a Windows user account in the SALES
Windows domain, the User name field in Joe Smith's Person document
needs to contain:
Joe Smith/CorpSales
SALES\JSmith
This allows Domino to authenticate the Windows user SALES\JSmith as
the Domino user Joe Smith/CorpSales.
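The following is an added example, not Domino's or the plug-in's own code, that works through the rules of this section together with the earlier description of pre-authenticated names: honouring the plug-in's headers only when the server setting is enabled, mapping a Windows alias such as SALES\JSmith to the primary name Joe Smith/CorpSales, adding -WebPreAuthenticated- to the group list, and letting an explicit ACL name entry win over group entries. The header name, directory contents and ACL are constructed, and the rule that the highest level among matching groups applies is an assumption.

```python
"""Pre-authenticated user resolution and ACL check (added example, not Domino code)."""
from __future__ import annotations

from dataclasses import dataclass, field

PREAUTH_GROUP = "-WebPreAuthenticated-"
# Domino ACL levels, lowest to highest
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author",
              "Editor", "Designer", "Manager"]
PREAUTH_HEADER = "X-PreAuth-User"  # placeholder, not the real plug-in header name


@dataclass
class Person:
    primary_name: str                                   # e.g. Joe Smith/CorpSales
    aliases: list[str] = field(default_factory=list)    # e.g. SALES\JSmith


@dataclass
class Directory:
    persons: list[Person]
    groups: dict[str, list[str]]    # group name -> member primary names

    def find(self, name: str) -> Person | None:
        """Match a pre-authenticated name against primary names and aliases
        (Notes names compare case-insensitively)."""
        n = name.lower()
        for p in self.persons:
            if n == p.primary_name.lower() or n in (a.lower() for a in p.aliases):
                return p
        return None


def resolve_preauth_user(headers: dict[str, str], plugin_headers_enabled: bool,
                         directory: Directory) -> tuple[str, list[str]]:
    """Return (name used for ACL checking, group list).

    The plug-in's headers are honoured only when the server setting is
    enabled; otherwise they are ignored, so a client cannot mimic the plug-in,
    and the request is treated as Anonymous. A name found in the directory is
    replaced by the Person record's primary name; an unknown name is used as-is.
    """
    name = headers.get(PREAUTH_HEADER)
    if not plugin_headers_enabled or not name:
        return "Anonymous", []
    person = directory.find(name)
    auth_name = person.primary_name if person else name
    groups = [g for g, members in directory.groups.items()
              if auth_name.lower() in (m.lower() for m in members)]
    groups.append(PREAUTH_GROUP)    # always added for plug-in users
    return auth_name, groups


def acl_access(acl: dict[str, str], name: str, groups: list[str]) -> str:
    """Apply the ACL: an explicit name entry takes precedence over any group
    entry; otherwise the highest level among matching group entries applies
    (assumed here); with no match, the -Default- entry applies."""
    for entry, level in acl.items():
        if entry.lower() == name.lower():
            return level
    group_levels = [acl[g] for g in groups if g in acl]
    if group_levels:
        return max(group_levels, key=ACL_LEVELS.index)
    return acl.get("-Default-", "No Access")


# Constructed sample data mirroring the text's Joe Smith example
SAMPLE_DIRECTORY = Directory(
    persons=[Person("Joe Smith/CorpSales", aliases=[r"SALES\JSmith"])],
    groups={"Finance": ["Joe Smith/CorpSales"]},
)
SAMPLE_ACL = {"-Default-": "No Access", "Finance": "Editor", PREAUTH_GROUP: "Reader"}

if __name__ == "__main__":
    hdrs = {PREAUTH_HEADER: r"SALES\JSmith"}
    for enabled in (True, False):
        who, grps = resolve_preauth_user(hdrs, enabled, SAMPLE_DIRECTORY)
        print(enabled, who, grps, acl_access(SAMPLE_ACL, who, grps))
```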
In summary, integrated Windows authentication uses the following
guidelines:
SSL
If you enable SSL on a Web server, IIS handles the actual SSL connection.
However, if a Web user provides a client certificate, the IIS plug-in
passes the certificate to Domino and Domino uses the certificate to
authenticate the user. If Domino cannot find a certificate for the user,
then Domino will downgrade the user to Anonymous access.
Chapter 36
Setting Up the Web Navigator
This chapter describes how to set up the server that runs the Web
Navigator and how to manage the information retrieved from the
Internet.
The following diagram shows the process the Web Navigator uses to
retrieve a page that a Notes client requests from a Web site.
[Diagram: 1. The Notes client requests a page from WWW.ACME.COM. 2. Server Web-Navig/East/Acme, running the Web task, requests the page from WWW.ACME.COM. Remaining labels: Notes client, Notes document.]
Start the Web Navigator automatically when you start Domino   Edit the ServerTasks setting in the NOTES.INI file to include the command web.
Enter tell web quit at the console.
Field   Enter
HTTP proxy
FTP proxy
Gopher proxy
SSL Security proxy
HTTP Tunnel proxy
SOCKs proxy
No proxy for these hosts and domains
6. Complete the procedure Editing the Server document for the Web
Navigator.
Field   Enter
InterNotes server   The hierarchical name of the server running the Web task. This is the default server to use if the InterNotes server field in the user's Location document is blank.
Field   Enter
Internet browser
Notes
Retrieve/open pages
InterNotes server   The hierarchical name of the server running the Web task. The server you specify in this field takes precedence over the server specified in the InterNotes server field on the Server document.
You must specify the Web Navigator as the Internet browser for each
user. You can specify the browser in a policy, or you can set it
individually for each user.
Set up the Web Navigator to retrieve pages from sites that are
secured by SSL
Click the Server Tasks - Web Retriever tab, complete this field, and then save the document:
Field   Enter
Concurrent retrievers
There is an implied [*] in the Allow access field at all times. This [*]
allows access to all sites by default, unless you enter settings in the
Deny access field to override this default.
Field   Enter
Allow access to these Internet sites
Deny access to these Internet sites   Same as above.
Services
Store the Web site's SSL certificate in the Domino Directory on the
Web Navigator server.
Choose Yes.
Field   Enter
Services   Choose HTTPS.
To view certificates
1. From the Domino Administrator, click the Configuration tab, and
choose Miscellaneous - Certificates.
2. Look at the Internet Cross Certificates category.
Field   Enter
SMTP Domain   The name of the foreign domain of the SMTP mail gateway.
3. Click the Server Tasks - Web Retriever tab, complete this field, and
then save the document:
Database access
The default user access for the Web Navigator database is Editor, which
allows users to create HTML forms, Recommendation documents, and
Web tours. Domino adds the administrator names listed in the
Administrators field in the Server document for the Web Navigator
server to the ACL for the Web Navigator database and gives them
Manager access with the WebMaster role.
Administration document
The Administration document is stored in the Web Navigator database
and controls default settings for the database. You must have the
WebMaster role to access the document. Open WEB.NSF and access the
document from the Actions menu.
Agents
The Web Navigator database contains three agents that administrators
can use to manage documents in the database. The Purge agent removes
documents that meet the criteria you specify. Regularly purging
documents keeps the size of the Web Navigator database manageable.
The Refresh agent updates the contents of pages stored in the Web
Navigator database with the Web site content from which they were
originally retrieved. Pages in the database are not automatically updated
after they are retrieved; therefore, the page content may quickly become
outdated unless you use this agent.
1. Make sure you have the WebMaster role in the ACL of the Web
Navigator database.
2. Using the Notes client, open the Web Navigator database using a
network connection to the server.
3. Choose View - Go to and select All Documents.
Field   Enter
URL links
Anchors   Underline/Blue
Courier. The font size is defined by the Body Text field.
Fixed   Courier. The font size is defined by the Body Text field.
Listing   Courier. The font size is defined by the Body Text field.
Listing   Courier. The font size is defined by the Body Text field.
Times. The font size is defined by the Body Text field.
Field   Enter
Web Navigator database
Run restricted LotusScript/Java agents   Your user name, so that you can run agents that use a subset of the LotusScript features and run agents created with Java
Run unrestricted LotusScript/Java agents   Your user name, so that you can run agents with the full set of LotusScript features and run agents created with Java
Caution The options you set in the Server document affect all agents
that run on the server.
Using the Purge agent to manage the size of the Web Navigator
database
As users open Web pages, the Web Navigator database gets larger. To
manage the database, use the Purge agent.
The Purge agent uses settings in the Web Navigator Administration
document, which is in the Web Navigator database (WEB.NSF), to
determine what and how much to purge. Each night at 1 AM, the Purge
agent goes through the database three times, each time purging
documents according to the criteria you specify. As soon as the database
size you specify is obtained, the Purge agent stops and queues to run the
following night.
The Purge agent purges the database in three passes:
First pass   Checks the Expired header on each Web page. If the Web page has expired, deletes that page.
Third pass   Checks for pages that are larger than the size you specify, and then deletes them.
Field   Enter
Maximum database size
Purge agent action
2. Click the Server Tasks - Web Retriever tab, complete this field, and then save the document:
Field   Enter
Update cache   Choose one:
Every time   To check each time the user opens a page that is already in the database
Index
Symbols
$AdminP View
creating, 15-30
$Revisions fields
size, 61-7
$UpdatedBy fields
size, 61-7
$Users view
in Domino Directory, 27-47
@Certificate
recertification and, 5-80
@Else command
described, I-2
@EndIf command
described, I-2
@If command
described, I-2, I-12
<ECLOwner>
Administration Execution
Control List, 41-14
8-bit MIME
default character set for, 28-131
ESMTP extension, 28-96,
28-103 to 28-104
A
Abstract object classes
described, 21-2
Accelerator keys. See Shortcut keys
Access
anonymous, 38-13, 40-8,
42-25 to 42-26
denying, 28-90, 38-7, 40-6
Access control list. See ACL
Access level privileges
ACL, 40-16
database, 7-7
Access levels
ACL, 40-1, 40-15
assigning, 40-11
database, 7-5
servers, 7-6
troubleshooting, 63-19 to 63-20
Access protocols
mail, 26-5
Accessed (in this file) property
performance and, 61-5
Accessibility
Domino Off-Line Services
and, 11-23
information about, H-1
shortcut keys, H-1
Accounts
LDAP, 18-5
ACL, 40-1
access for Web users, 40-30
access level privileges, 40-1, 40-16
access levels, 40-13, 40-15
adding names to, 40-23
aliases in, 40-7
brackets in, 40-20
concurrent changes to, 40-25, 58-9
configuring, 40-11
creating, 49-4
database libraries, 51-1
database security, 40-23
default entries, 40-2
deletions, 7-7
directory, 18-7, 19-10
Domino Change Control
database, 54-51 to 54-52
enforcing on replicas, 40-28
extended, 25-1
for mail database moves, 54-53
format for entries, 40-4
group names, 40-5
in a hosted
environment, 13-5, 14-4
in mail files, 26-13
LDAP users and, 40-7
managing, 40-22
modifying for Administration
Process, 15-13
modifying multiple
ACLs, 40-11, 40-25
monitoring, 40-27
order of evaluation for
entries, 40-10
precedence of, 38-4
Index-1
extended, 15-33
for databases, 15-6
options, 15-4
Administrator approval
administration requests, 15-21
Administrator ID-recovery
information
changing, 39-21
Administrators
allowing access to Web
Administrator, 16-20
full access, 38-8
restricted system, 38-8
restricting access, 38-8
server access, 59-1, 38-8
system, 38-8
Administrators field
Domino Directory, 19-12
AdminP Mail Notification
Agent, 5-57
ADSync
options, 17-29
Advanced controls
setting, 28-46
Advanced user registration, 5-13
Agent log
troubleshooting with, 63-13
Agent Manager
capacity, 60-8
performance, 60-6
Tell commands, A-47
troubleshooting, 63-12 to 63-13
viewing status of, 60-9
Agents
activity logging, 57-3
Averaging, 36-19
controlling on servers, 28-9
creating, 40-17
for deleting and archiving
documents, 61-27
Purge, 36-15
Refresh, 36-18
restricting, 40-18
scheduling, 60-8
Server.Load, 62-4
setting time-out for mail, 28-9
SNMP, 53-1
troubleshooting, 63-12
Web Navigator database, 36-11
Agents, uses for
in Domino Off-Line
Services, 11-19
offline applications and, 11-19
AIX
configuring partitioned
servers, 2-50
configuring SNMP Agent
for, 53-12
Alarms
for Server Health Monitor, 54-10
Alias dereferencing
Directory Assistance documents
and, 23-48
Aliases
in ACL, 40-7
in DNS, 2-18
Allow_Access setting
described, C-3
Allow_Access_portname setting
described, C-3
Allow_Passthru_Access setting
described, C-4
Allow_Passthru_Callers setting
described, C-4
Allow_Passthru_Clients setting
described, C-5
Allow_Passthru_Targets setting
described, C-5
Alternate Language Information
document
creating, 20-31
viewing, 20-31
Alternate languages
described, 5-38
LDAP service, 20-29
Alternate names
adding to a user ID, 5-40
certifier IDs and, 5-39
changing, 5-62, 5-57
deleting, 5-57
in ACL, 40-7
AMgr_DisableMailLookup setting
described, C-5
AMgr_DocUpdateAgentMinInterval
setting
described, C-6
AMgr_DocUpdateEventDelay
setting
described, C-6
AMgr_NewMailAgentMinInterval
setting
described, C-7
AMgr_NewMailEventDelay setting
described, C-7
AMgr_SchedulingInterval setting
described, C-7
AMgr_UntriggeredMailInterval
setting
described, C-8
AMgr_WeekendDays setting
described, C-8
Analysis report
for decommissioning a
server, 59-3
Anonymous access
in a hosted environment, 14-4
Internet/intranet users, 42-25
LDAP service and, 20-16 to 20-17,
20-20
setting up, 38-13, 38-16
SSL, 46-15
virtual servers, 3-42
Web users and, 40-8
Anti-relay controls
effect on message transfer, 28-85
setting, 28-81
Anti-spam controls
settings for, C-101
API
creating event notification, 52-16
AppleTalkNameServer setting
described, C-8
Application design element
security, 37-15
Application security, 37-14
Application templates
table of, D-1
Applications
for hosted environments, 12-15
Approve persons name change
request, F-5
Archive criteria
for policies, 9-28
Archive policy settings
creating, 9-25
Archives, database
accessing, 61-26
Archiving
agents for, 61-27 to 61-28
databases, 58-37
deleted documents, 61-25
documents, 61-20
policies for, 9-22
policy settings example, 9-24
transaction log files, 55-5
viewing document Archiving
Log, 61-27
Assign Policy tool
using, 9-40
Attachments
compressing, 61-6
Domain Index and, 10-12
format for sending from
Macintosh clients, 28-133
Attributes
adding to LDAP schema, E-20
adding to schema, 21-13
described, 21-1, 21-4
Authentication
described, 38-1
examples, 42-21
IMAP port, 31-5
Internet/intranet
clients, 42-3, 42-27
of hosted organizations, 14-4
overview, 38-1
password checking with, 39-4
POP3 port, 30-2 to 30-3
session-based, 42-6
SMTP AUTH
command, 28-62, 28-69
SMTP port, 28-59
SSL, 46-15
SSL client, 46-25, 47-18
SSL server, 47-3
troubleshooting, 63-104
user names, 40-7
Web Administrator, 63-109
Web clients and, 42-19, 42-23
IMAP service
and, 28-60, 31-2, 31-6,
Author access
actions, 40-14
privileges, 40-16
Authors
displaying for Server Web
Navigator, 36-12
Authors field
updating, 40-29
AutoDialer task
Network dialup connections
and, 4-40
Notes Direct Dialup and, 4-44
setting up, 4-42
AutoLogoffMinutes setting
described, C-9
Automated client installation, 5-45
Autoscale
scaling statistics, 52-37
Auxiliary object classes
adding to schema, E-17
described, 21-2
Availability threshold
setting, C-91
Averaging agent
enabling, 36-19
B
Backing up
databases, 55-2
servers, 63-7
Basic password authentication
setting up, 42-3
SSL, 46-15
Basic user registration, 5-11
Batch file installation
clients, 5-46
BatchRegFile setting
described, C-9
BeginCrit command
described, I-4
BeginLoop command
described, I-4
BeginLoop2 command
described, I-5
Benchmarks
server performance, 60-2
Billing
in a hosted environment, 12-14
BillingAddinOutput setting
described, C-9
BillingAddinRuntime setting
described, C-10
BillingAddinWakeup setting
described, C-10
BillingClass setting
described, C-10
BillingSuppressTime setting
described, C-11
Binary tree topology
replication and, 4-9
Bindery Service
Domino and, 2-30
server names and, 2-31
Binding
port-to-IP address, 2-46 to 2-47
Bookmarks
search forms and, 10-18, 10-20
Break command
described, I-5
Broadcast command
described, A-12
using before restarting the
server, A-23
C
CA key ring
displaying, 45-7
exporting, 45-7
CA policy information
storing in Domino Directory, F-62
CA process
adding certifiers, 44-7
creating certifiers, 44-8
described, 44-1
Tell commands, A-48
viewing certifiers list, 44-24
Cache
setting for Server Web
Navigator, 36-18
Cal command
described, I-5
Calendar and scheduling
collecting detailed user
information, 8-20
collecting user calendar
information, 8-20
described, 8-1
example, 8-2
Holiday documents, 8-17
profile command, I-26
Server.Load script command, I-5
Call waiting
disabling, 63-49
Capacity planning
tools, 60-2
Catalog task
Domain Catalog
database, 10-2, 10-6
Catalog, Domain. See Domain
Catalog
Catalogs, database
for servers, 51-4 to 51-5
cconsole, A-8
deleting, 47-12
described, 39-3
displaying, 39-3
in a hosted environment, 13-5
Internet, 45-2, 47-10, F-4
managing server, 46-20
merging server, 46-12
renewing, 46-21
revoking, 44-2, 44-23
self-certified, 46-22
signing and adding to Domino
Directory, 47-7
SSL and S/MIME, 47-5
SSL server
authentication, 47-3
troubleshooting and, 63-83
trusted root, 46-9, 47-3
Certificates, SSL
adding for Server Web
Navigator, 36-8
creating a Certificate
Authority, 45-2
expired, 46-21
self-certified, 46-22
setting up, 47-3
viewing information, 46-20
viewing requests for server, 46-21
Certification
described, 39-2
Certification Log
Administration Process
requirements, 15-3
described, 3-28
Certifier documents
modifying, 44-22
Certifier IDs
migrating to CA process, 44-5
modifying, 44-21
organization, 3-34
organizational unit, 3-35
overview, 1-7
recovering, 44-25
CertifierIDFile setting
described, C-12
Change Control database
location, 54-34
Change HTTP password in Domino
Directory request, F-6
ChangeTo command
described, I-6
Channel encryption option
directory assistance, 23-43
Character encoding
LDAP service, 20-32
Character sets
aliases for, 28-131
enabling auto-detection of, 28-126
language codes and encoding
for, 28-120
specifying for MIME
messages, 28-118, 28-126
Web, 34-31, 34-33
Checkpoint records
activity logging and, 57-2
Client authentication
directory assistance
and, 23-3, 23-14
directory catalogs and, 24-9, 24-11
directory search order, 18-15
SSL, 46-1
Client information
updating in Person record, F-64
Client installation, 5-41
setting up for users, 5-41
single user, 5-43
Clients
setting up for S/MIME, 47-13
setting up for SSL client
authentication, 47-18
Clients, mail
POP3, 30-11
routing protocols and, 27-3
types of, 26-15
ClockType setting
described, C-13
Close command
described, I-8
Clrepl_Obeys_Quotas setting
described, C-13
Cluster failover
configuring for mail
routing, 28-40
directory assistance and, 23-21
Cluster Replicator
monitoring, C-86
quotas and, C-13
Tell commands, A-51
Cluster_Replicators setting
described, C-13
Clusters
Domino Off-Line Services
on, 3-12
Free Time database, 8-2
port setting, C-91
removing servers, F-49
replication topology and, 4-8
workload balancing and, 60-4
Collector task
overview, 52-1
Command line installation, 5-47
Commands
capturing output to file, A-2
Controller, A-3
custom, A-6
entering from the UNIX
command line, A-8
help for, I-12
modem command file, 63-48
shell, A-3
table of, A-10
Common Gateway Interface, 34-2
time-out setting, 34-53
Common names
Internet, 45-2
renaming, 5-57
server IP name and, 2-16, 2-22
Communication ports
options, 4-47
setting up, 4-34, 4-46
COMnumber setting
described, C-14
Compact task
archiving documents with, 61-20
IND file, 61-22
options, 61-17
renaming databases, C-74
running, 61-16
scheduling, 61-23
specifying database path, 61-22
upgrading database format, 31-28
with file reduction, 55-2
Compact_Retry_Rename_Wait
setting
described, C-14
Compacting
databases, 61-13, 61-16,
61-21 to 61-23
Companies, external
communicating with, 39-27
Compound document format. See
Notes rich text format
Compressing
attachments, 61-6
network data, 2-42
performance and, 61-6
Concurrent retrievers
Server Web Navigator, 36-6
Concurrent transfer threads
maximum, 60-11
Condensed Directory Catalogs
client authentication and, 24-10
described, 24-2
full-text indexes, 24-25
multiple, 24-33
performance settings for, 24-30
planning, 24-29
replicating, 24-32
servers using, 24-5
setting up, 24-34 to 24-35
sorting, 24-29
Soundex and, 24-30
Configuration Directories
changing to primary, 19-6
configuring remote primary
directory, 19-7
described, 19-2
directory assistance and, 23-26
Extended Directory Catalogs
and, 19-4
managing, 19-5
planning, 18-2, 19-4
showing remote primaries
for, 19-9
Configuration document
Cross-domain, 15-9 to 15-10
Configuration Settings document
creating, 27-18
editing NOTES.INI file with, C-1
host names, 27-49
LDAP settings, 20-9, 20-17
for SMTP mail routing, 27-38
Configuring
activity logging, 57-12
mail routing, 27-37
offline applications, 11-11
Connect scripts. See Login scripts
Connection documents
described, 4-1
Internet servers, 4-22
LAN, 4-15
mail routing
and, 26-20, 28-36, 28-50
Network Dialup, 4-36, 4-46
Notes Direct Dialup, 4-35
passthru server, 4-29
port order and, 2-40
for replication, 7-20
scheduling mail routing, 28-50
troubleshooting, 63-39
Connections
mail routing, 27-2
restricting SMTP inbound, 28-71
routing cost and, 28-39, 28-53
SSL, 46-18
tracing, 63-37, 63-77, A-59
Create_Replica_Access setting
described, C-17
CRL. See Certificate revocation lists
Cross-certificates, 39-29, 39-38
accessing servers with, 39-27
adding, 39-29, 39-33 to 39-34,
39-36, 47-15
creating, 39-29, 39-37 to 39-38
described, 39-27
displaying, 39-38
examples, 39-27, 39-31
in a hosted environment, 13-5
Internet, 39-28, 47-4
Person documents and, 39-37
S/MIME messages and, 39-27
Cross-domain administration
requests
described, F-70
Cross-domain Configuration
document
creating, 15-9 to 15-10
replicas and, 7-9
Cross-domain processing
administration requests, 15-8
benefits of, 15-10
setting up, 15-9
CSRV50.NTF
setting up, 46-3
CTF setting
described, C-18
Custom Welcome Page
creating, 5-87
Customer support
contacting, 63-4
Customized client installation, 5-47
D
Data
overwriting, 61-5
storing for a hosted
organization, 13-7
Data directory
certifier IDs and, 1-9
for a hosted organization, 13-5
restricting access, 49-4
Database access
for SSL clients, 46-19
troubleshooting, 63-17,
63-19 to 63-20
Database activity
monitoring, 58-11
reporting, 58-13
statistics, 58-12
Default_Index_Lifetime_Days setting
described, C-19
Delay notifications
generating for low-priority
mail, 28-30
Delegate mail file on administration
server
administration request, F-10
Delete command
described, I-9
Delete database
administration requests, F-10
Delete hosted organization
administration requests, F-14
Delete Person administration
requests
described, F-78
Delete resource
administration request, F-21
Delete Server administration
requests
described, F-25, F-78
hierarchical server names, F-81
Deletion stubs
described, 63-90
purging, 7-12
Deletions
replication and, 7-7
Deletions, soft
defined, 61-8
effect on quotas, 28-11
performance and, 61-8
Delivery
configuring for mail, 28-8
Delivery controls
setting, 28-9
Delivery Failure Reports
troubleshooting, 63-36
Delivery failures
customizing message for, 28-46
quotas and, 28-16
Delivery status notification
enabling, 28-96, 28-103 to 28-104
Delivery threads
setting maximum
number, 28-9, 60-11
Demand sets
and database moves, 54-55
Deny_Access setting
described, C-19
Deny_Access_portname setting
described, C-20
Deployment
certifier IDs, 1-7
Domains
communication between, 39-27
directory assistance, 23-18
DNS, 2-11
finding user names in, 5-85
mail routing
and, 26-19, 26-21, 27-20
multiple DNS, 2-16, 2-19, 2-22
planning, 1-5
restricting mail in, 28-36, 28-55
verifying in DNS, 28-90
Domains, external
connecting to, 4-18
DOMCFG.NSF, 34-48
creating, 34-49
Domino 5 certificate authority
setting up, 45-1
setting up SSL on the CA
server, 45-5
signing server certificates, 45-7
Domino 5 IMAP Initialization
Workload script
sample, J-5
Domino 5 IMAP Workload script
sample, J-6
Domino Administrator
Broadcast command, A-12
Configuration tab, 16-15
configuring mail routing, 27-18
creating groups with, 6-2
creating replicas, 7-9
disk space information, 58-5
displaying directory
contents, 58-3
displaying files, 58-2
Domino Console, Domino
Controller and, 16-28
Drop command, A-14
entering server commands, A-1
file information, 58-3
Files tab, 16-13, 58-2
installing, 16-1
Load command, A-15
managing databases with, 58-4
managing files with, 58-2
managing folders with, 58-5
Messaging tabs, 16-15
monitoring events with, 52-22
monitoring statistics with, 52-31
overview, 16-1
password protecting the
console, A-26
People and Groups tab, 16-13
quitting a task from, A-46
E
ECL
administration, 41-6, 41-11
creating a workstation, 41-12
described, 41-1
guidelines for creating, 41-6
Java applets and, 41-4
JavaScript and, 41-4
security access options, 41-3
updating a workstation, 41-13
workstation security and, 41-3
EditExpnumber setting
described, C-31
EditImpnumber setting
described, C-32
Editing
concurrent, 58-8, 63-91
shortcut keys, H-6 to H-8
Editor access
actions, 40-14
privileges, 40-16
EDNI document
creating, 4-18
updating, F-65
Effective access
extended ACLs and, 25-30
Effective policies
described, 9-3
determining, 9-36
viewing, 9-37 to 9-38
EmptyTrash setting
described, C-32
Enable_ACL_Files setting
described, C-33
EnableBiDiNotes setting
described, C-33
Encrypted fields
indexing, 50-2
Encryption, 43-1
certificates, 2-41
defined, 43-4
dual Internet certificates
and, 47-17
Internet transactions and, 40-31
mail, 43-4, 43-7
mail journaling and, 28-111
network data, 46-1
outbound mail routing, 24-14,
C-90, C-100 to C-101
performance and, 43-4
SSL settings, C-108
EndCrit command
described, I-10
End-to-end topology
replication and, 4-8
End-user installations
with Transform files, 5-50
Entries command
described, I-10
Error messages
Administration
Process, 15-36, 63-8
Agent Manager and agents, 63-13
Domino Off-Line Services, 11-24
IPX/SPX network, 63-73
mail, 28-46
mail routing, 63-38
meetings and resources, 63-45
modems and remote
connections, 63-50
network dialup
connections, 63-74
OS/2, 63-100
partitioned servers, 63-78
replication, 63-82
server access, 63-91 to 63-93, 63-95
server crashes, 63-98
TCP/IP, 63-57, 63-61
Web Administrator, 63-108
Web Navigator, 63-107
Web server, 63-104
ErrorDelay command
described, I-10
Escrow agent
troubleshooting, 63-16
ESMTP
supporting inbound
extensions, 28-96
supporting outbound
extensions, 28-103
ETRN extension
enabling for inbound SMTP
connections, 27-61, 28-96
Event filters
creating, 52-19
viewing, 52-20
Event generators
creating, 52-13
database, 52-5
defined, 52-3
disabling, 52-12
Domino server, 52-6
mail routing, 33-3, 52-7
statistic, 52-9
task status, 52-10
TCP server, 52-11
viewing, 52-14
Event handlers
creating, 52-13, 52-17, 52-23
defined, 52-3, 52-14
disabling, 52-18
notification
methods, 52-15 to 52-16
viewing, 52-20
Event messages
viewing, 52-20
Event Monitor server task
overview, 52-1, 52-3
Event task
monitoring replication, 63-80
Events
filtering, 52-19
from SNMP traps, 53-4
logging, 52-21
monitoring, 52-2, 52-22
notification methods, 52-15
severity levels, 52-4
types of, 52-16
viewing, 52-20
Examples
directory assistance, 23-51 to
23-53, 23-55
extended ACL, 25-19
Extended Directory
Catalogs, 23-53, 23-55
LDAP service write
operations, 20-26
ldapsearch utility, 22-6
registering a hosted
organization, 13-8
replication, 7-19
xSP server in a hosted
environment, 12-16
Execution Control List. See ECL
Execution Security Alert dialog
box, 41-2
trusting signatures, 41-2, 41-13
Exit command
described, A-14
Expired certificates
renewing, 46-21
Explicit policies
adding, 9-40
assigning, 9-40
changing, 9-40
described, 9-2
removing, 9-40
Extended accelerator keys. See
Shortcut keys
Extended access
disabling, 25-31
enabling, 25-23
Extended ACLs
activity log for, 25-31
changing, 25-28
described, 25-1, 25-3
directory, 18-7
disabling, 25-31
effective access and, 25-30
enabling, 25-23
examples of, 25-19
Extended Directory Catalogs
and, 24-7
in a hosted environment, 13-6
LDAP and, 20-20, 25-6
other database security and, 25-2
planning, 25-22
privileges for, 25-2 to 25-3, 25-5
restoring, 14-11
schema database and, 25-7
setting up, 25-22, 25-24
subjects in, 25-9, 25-17
target scope, 25-14, 25-17
targets in, 25-12 to 25-13
troubleshooting, 25-30, 63-34
Extended administration servers
removing, 15-34
setting up, 15-33
Extended Directory Catalogs
benefits of, 24-5
central directory architecture
and, 19-4
client authentication
and, 23-3, 24-10
directory assistance and, 23-6,
23-8, 23-22, 23-33, 24-26
examples, 23-53, 23-55
full-text indexes, 24-26
groups for database
authorization, 24-27
integrated into primary
directory, 24-28
LDAP service, 23-10
multiple, 24-33
native documents, 24-7
planning, 24-26
replicating, 24-45
setting up, 24-41 to 24-42
size of, 24-26
Extended key usage
public keys, 44-13
Extension manager
Administration Process
and, 15-30
in a hosted
environment, 12-5
External companies
communicating with, 39-27
External Domain Network
Information document. See
EDNI document
External Internet mail
preventing relaying, 28-75
External servers
access levels for, 7-7
ExtMgr_AddIns setting
described, C-34
F
Failover
directory assistance, 23-20, 23-22
for mail routing, 28-40
Fault recovery, 55-10
cleanup script, 55-11
enabling, 55-11
operating systems and, 55-10
Fields
customizing in Domino
Directory, E-2
directory catalogs and, 24-22
LDAP attributes and, 21-4
Fields, database
increasing number of, 61-29
performance and, 61-6
File format
database, 61-17
mail, 31-28
File names
key ring, 45-2
File protection, 34-42
File Protection documents, 34-41
described, 34-44
example, 34-42
File systems
searching, 10-9
FileDlgDirectory setting
described, C-34
Files
compressing when uploading to
Web, 34-29
displaying, 58-2
displaying information
about, 58-3
downloading from Web
server, 34-56
managing, 58-2
preferences, 16-7
customizing in Domino
Directory, E-2
HTML, 36-5
performance and, 61-3
Forwarding address
in Person document, 27-42
Forwarding rules
enabling and disabling support
for, 28-9
FQDN
as servers common name, 2-19
specifying in Connection
document, 2-17
specifying in Server
document, 2-16, 2-22
Frame types
IPX, 63-70
TCP/IP, 63-68
Free Time database
described, 8-1
troubleshooting, 63-45
Free-time lookups, 8-5
in non-adjacent domains, 8-6
FT_DOMAIN_DIRECTORY_NAME
setting
described, C-35
FT_DOMAIN_IDXTHDS setting
described, C-35
FT_Index_Attachments setting
described, C-36
FT_Intl_Setting setting
described, C-36
FT_Max_Search_Results setting
described, C-36
FT_No_Compwintitle setting
described, C-37
FT_Summ_Default_Language setting
described, C-38
FTG_No_Summary setting
described, C-37
Full-text indexes
creating, 50-2
deleting, 50-7
described, 50-1
directory catalogs and, 24-7, 24-25
disabling, C-115
Domain Search and, 10-2
LDAP service and, 20-15
security and, 50-2
size, 50-3
updating, 50-3, 50-5 to 50-6
G
Gateways
routing mail to, 27-30
GetAll command
described, I-12
GIF files
Web server and, 34-24
Global Domain documents
default, 27-55
in a hosted organization, 13-5
LDAP service and, 20-5
Global domains
configuring, 27-44
defining multiple, 27-55
Global Web settings document, 34-40
creating, 13-21, 34-40
described, 13-19, 34-34
editing, 13-22
Gopher Internet service
controlling access to, 36-7
Graphics
Web server format, 34-24
Group documents
editing, 6-10
object classes for, 21-5
Group members
registering in Notes, 17-18
Group names
finding, 6-15, F-29
in Internet message
headers, 28-131
Groups
adding and deleting
members, 6-6
adding to Notes, 17-20
Administrator, 13-7
assigning a policy to, 6-9
creating and modifying, 6-2
creating with Domino
Administrator, 6-2
creating with Web
Administrator, 6-4
database authorization, 18-16,
23-6, 24-27
deleting, 6-14, 17-42
Deny List Only, 6-8
described, 6-1
directory catalogs and, 24-19 to
24-20, 24-35, 24-42
editing, 6-10
finding members, 6-18
mail, 28-32
managing, 6-8, 6-16
registering, 17-39
renaming, 6-10, 17-41, F-50
renaming immediately
throughout domain, 6-13
troubleshooting, 63-20
Windows NT, 17-16
H
Headers
resent, 28-131
Headline monitoring
controlling, 38-16
performance and, 61-6
Health reports
for servers, 54-11 to 54-12,
54-14 to 54-15
for servers, purging, 54-12
Health_Report_Purge_After_N_Days
setting
described, C-38
Help
customer support, 63-4
Help command
described, A-15, I-12
Hierarchical IDs
cross-certification by phone, 39-33
cross-certification through Notes
mail, 39-36
cross-certification through postal
service, 39-34
Hierarchical names
converting flat names
to, 59-10, F-84
creating scheme for, 1-3
deleting servers with, F-81
Domino Directory and, 18-8
server registration and, 3-29
Hierarchical organizations
certification and, 39-27
communication between, 39-27
Holding undeliverable mail
in MAIL.BOX, 28-40
Holiday documents
creating, 8-17
modifying, 8-20
Home pages
for virtual servers, 3-42
Web server, 63-106
Host names
DNS and, 26-25
mail routing and, 26-12, 27-49
restricting inbound connections
by, 28-71
specifying in Server
document, 2-16, 2-22
Hosted environments
Domino features in, 12-4
example, 12-16
server options, 12-2
Hosted organizations
access to Web sites, 14-12
anonymous access to
databases, 14-4
deleting, 14-3, F-14
disabling services, 14-4
distribution of data, 12-9
Internet Site documents
for, 13-18, 13-20
loopback addresses, 13-17
mail addressing to, 14-16
maintaining, 14-1
managing users, 14-14
managing users and
groups, 14-16
moving to other servers, 14-5
on multiple servers, 14-2
policies for, 9-7, 13-4
registering, 13-5, 13-8, 13-11
registration, F-48
removing from an additional
server, 14-10
security and, 12-3
server crash recovery in, 14-11
server environments for, 12-1
setting up Domino Certificate
Authority for, 13-3
setup checklist, 13-3
using the Resource Reservations
database, 14-12
using the Web
Administrator, 14-15
viewing, 14-14
viewing Web Site and Internet
Site documents, 13-20
Web Site documents for, 13-18,
13-20 to 13-21
HostedOrganizationAdmin
group, 13-7
Hosting
Java applets, 34-10
Hosts files
system settings for, 2-13
HP OpenView
and SNMP traps, 53-21
HTML
displaying source for Server Web
Navigator, 36-13
passthru, 34-2
HTML login form
customizing, 42-10
HTML preferences
in Server Web Navigator, 36-12
HTTP
activity logging, 57-4
HTTP proxy
connecting Server Web Navigator
through, 36-3
HTTP server task
running, 34-5
HTTP servers
Domino working with the IBM
HTTP Server, 35-2
setup mode setting, C-99
HTTP service
binding to an IP address, 2-49
controlling access to, 36-7
in a hosted environment, 12-13
HTTP sessions
tracking, 34-13
HTTPEnableConnectorHeaders
setting
described, C-39
HTTPLogUnauthorized setting
described, C-39
HTTPS
controlling access to, 36-7
SSL and, 46-18
Hub-and-spoke topology
example of, 4-10
limitations of, 4-8
replication and, 4-6
Hunt group connection document
creating, 4-31
Hunt groups
described, 4-23, 4-31
I
IBM HTTP Server
setting Domino to work with,
35-2
IBM Office Vision
scheduling and, 8-6
IBM Tivoli Analyzer
Activity Trends, 54-17
installing, 54-6
overview, 54-1
ICL. See Issued Certificate Lists
ICMNotesPort setting
described, C-40
Icons
Administration Requests
database, 15-23
ID recovery
administration request, F-30
ID table
Note IDs, I-12
Idle Workload script
described, 62-14
running, 62-14
sample, J-4
IDs
defined, 39-1
displaying certificates, 39-3
IMAP users and, 31-23
multiple-password, 39-6
password protection, 39-4
passwords for, 39-13
recovering, 39-14,
39-17 to 39-18, 39-20
security and, 37-16
server, recertifying, 59-9
IDs, certifier, 1-7, 3-34 to 3-35
Ignore message priority
setting for mail routing, 28-39
IIOP
in a hosted environment, 12-13
setting up, 34-10
Image display
performance and, 61-3
Web server and, 34-24
ImailCheckForNewMail command
described, I-13
ImailCloseMailbox command
described, I-13
IMAILExactSize setting
described, C-40
ImailFetchEntry command
described, I-13
ImailFetchOld command
described, I-14
ImailGetLastEntries command
described, I-14
ImailGetNewMail command
described, I-14
ImailHelp command
described, I-14
ImailListMailboxes command
described, I-14
ImailLogin command
described, I-15
ImailLogout command
described, I-15
ImailOpenMailbox command
described, I-15
ImailPostMessage command
described, I-15
ImailSetSeen command
described, I-16
IMAP
activity logging, 57-4
IMAP attributes
adding to IMAP-enabled mail
files, 31-3
IMAP delegation
administration request, F-7
IMAP Initialization Workload script
sample, J-5
IMAP protocol
Domino mail server
and, 26-5, 31-1
in a hosted environment, 12-13
IMAP public folders
designating, 31-15
IMAP service
and shared mail files, 31-12
authenticating options, 31-5
binding to an IP address, 2-47
changing default port
information for, 31-6
configuring internal thread
use, 31-19
customizing, 31-5
greetings, 31-21
limiting sessions, 31-9
logging in to server, I-15
logging out of server, I-15
mail commands, I-13 to I-16
NAMESPACE
command, 31-12 to 31-13
setting up, 31-4
starting, 31-5
time-out setting, 60-12
IMAP users
allowing SMTP relays from, 28-82
creating mail files for, 31-26
enabling mail files for, 31-2, 31-10,
31-27, 31-30
setting acceptable login names
for, 31-24
setting up, 31-22
setting up Person documents
for, 31-23
IMAP_Config_Update_Interval
setting
described, C-40
IMAP_Convert_Nodisable_Folder_Refs setting
described, C-41
IMAP_Session_Timeout setting
described, C-43
IMAPDisableFTIImmedUpdate
setting
described, C-42
IMAPDisableMsgCache setting
described, C-42
IMAPGreeting setting
described, C-42
IMAPNotesPort setting
described, C-43
IMAPRedirectSSLGreeting setting
described, C-43
IMAPShowIdleStatus setting
described, C-44
IMAPSSLGreeting setting
described, C-44
Inactive documents
deleting, 61-25
Inbound connections
restricting for SMTP, 28-71, 28-86
Inbound mail routing
restricting, 28-70, 28-75, 28-90
Inbound relay controls
enforcement of, 28-81
and message transfer, 28-85
Inbox folder
adding documents to, J-2
Incoming Mail Sound setting
described, C-44
Index command
described, I-16
Index entries
searching, I-11 to I-12
Index, Domain. See Domain Index
Indexes
creating, 50-2
deleting, 50-7, 58-23
described, 50-1
Domain Search and, 10-2, 48-7
encrypted fields, 50-2
replicating, 50-1
security and, 50-2
size, 50-3
troubleshooting and, 63-99
updating, 50-3, 50-5 to 50-6, 58-14
Indic languages
support for, 3-17
INET_Authenticate_with_Secondary
setting
described, C-45
cross-certification, 39-37
enforcing encrypted
transactions, 40-31
name-and-password
authentication, 42-1, 42-6
security, 38-2, 38-4
Internet address
changing, 5-73
Internet addresses
adding senders in outbound
mail, 27-50
formats for, 28-134
LDAP service and, 20-5
outbound mail, 27-54
as reply addresses, 27-52
Internet addresses, inbound
looking up in the Domino
Directory, 27-47
Internet certificates
adding, F-4
adding to Domino Directory, 47-7
creating, 47-14
creating with Domino
Directory, 47-10
deleting, 47-12
dual, 47-17
in a hosted environment, 12-4
signing, 47-7
SSL and S/MIME, 47-5
Internet clients
name variations accepted for
login, 31-24
Internet cross-certificates
creating, 47-4
described, 39-28
Internet domains
primary vs. aliases, 27-55
Internet mail, 27-38
restricting inbound, 28-90
restricting
outbound, 28-98 to 28-99
restricting relays, 28-75
restricting who can receive, 28-92
routing, 26-23, 27-6, 27-34,
27-37 to 27-38, 36-9
troubleshooting, 63-107
Internet passwords, 42-24
security and, 42-24
user registration and, 42-3
Web Administrator, 16-19
Internet protocols
setting up passwords for, 42-3
Internet services
accessing, 36-7
J
Java agents
restricting, 40-18
Java applets
hosting, 34-10
on Web server, 34-2
Java servlets
managing, 34-13
JavaEnableJIT setting
described, C-46
JavaJITName setting
described, C-46
JavaMaxHeapSize setting
described, C-46
JavaMinHeapSize setting
described, C-47
JavaNoAsyncGC setting
described, C-47
JavaNoClassGC setting
described, C-47
JavaScript
on Web server, 34-2
JavaStackSize setting
described, C-48
JavaUserClasses setting
described, C-48
JavaVerbose setting
described, C-48
JavaVerboseGC setting
described, C-49
Journaling
mail, 28-105
methods, 28-109
retrieving journaled
messages, 28-113
setting up, 28-106
JPEG files
Web server and, 34-24
K
Keep alive headers
sending to Web server, 34-53
Key ring files
changing the password for, 46-22
creating a test version, 46-22
creating for internal CA, 45-2
displaying, 45-7
entering for server, 46-15
exporting, 45-7
merging a certificate from an
external CA, 46-9
merging server certificates
into, 46-12
naming, 45-2
viewing certificates, 46-20
Key usage extensions
public keys, 44-12
Keyboard shortcuts. See Shortcut
keys
KeyFileName setting
described, C-49
Keys
private, 43-1
public, 43-1
KitType setting
described, C-50
L
LAN Connection document
creating, 4-15
LANA numbers
NetBIOS ports and, 2-58
Language codes
specifying for a character set
group, 28-120
Language groups
configuring font options
for, 28-126
Languages
choosing default for Web, 34-31
Domain Search and, 10-1
LDAP service tags, 20-29
LANnumber setting
described, C-50
LANs
connecting servers on, 4-15
integrating Domino with, 2-2
network compression and, 2-42
setting up servers on, 2-32
troubleshooting, 63-55
LDAP accounts
compared to directory
assistance, 23-9
planning, 18-5
LDAP activity logging
information logged, 57-4
limiting information
logged, 57-13
LDAP directories
alias dereferencing and, 23-48
authenticating SSL clients, 46-25
authenticating Web clients
with, 42-23
authenticating Web users
with, 40-7
connecting using SSL, 47-23
described, 23-1
directory assistance, 23-3, 23-6,
23-9, 23-11, 23-37, 23-43
failover, 23-22
LDAP service referrals to, 20-33
lookup command, I-17
Notes distinguished names
in, 23-49
search filters and, 23-46
server passwords for
connecting, 23-44
LDAP features
overview, 18-3
LDAP migration tool, 20-2
LDAP operations
extended ACLs and, 25-6
LDAP schema
checking, 21-18 to 21-19
described, 21-1
Domino, 21-2
Domino LDAP Schema
database, 63-34
extending, 18-19, 21-10, 21-16 to
21-17, E-3, E-7 to E-9,
E-16 to E-17, E-20
retrieving, 21-20
root DSE searches, 21-20
viewing, 21-9
LDAP service
anonymous search
access, 20-16 to 20-17, 20-20
binding to an IP address, 2-47
LDAPBatchAdds setting
described, C-51
LDAPConfigUpdateInterval setting
described, C-51
LDAPGroupMembership setting
described, C-52
LDAPLookup command
described, I-17
LDAPNotesPort setting
described, C-53
LDAPPre55Outlook setting
described, C-54
ldapsearch utility
described, 22-1
examples, 22-6
operational attributes and, 22-5
parameters, 22-2
planning, 18-6
search filter operators, 22-5
search filters, 22-4
ldapsearch.exe
retrieving schema with, 21-20
Leased-line connections
connecting to the Internet by, 4-21
Librarians
assigning, 51-3
database libraries, 51-2
Libraries. See Database libraries
License tracking
described, 5-85
License tracking information
updating in Domino
Directory, F-65
Linux
configuring partitioned
servers, 2-50
configuring SNMP Agent
for, 53-13
Listener task
Server document, 27-41
SMTP, 27-41
Live console
Web Administrator and, 16-26
LNSNMP service
removing, 53-11
LNSNMP.INI file
configuring, 53-9
Load command
described, A-15
Load server command
running server tasks, B-1
troubleshooting, 63-91
LocalDomainAdmins group
described, 6-2
LocalDomainServers group
access level, 7-6, 40-3
described, 6-1
directory catalogs and, 24-20
Location documents
Internet addresses in, 27-53
Location setting
described, C-54
Log file
accessing, 56-5
activity logging
information, 57-1, 57-13
Agent Manager and agents, 63-12
analyzing, 56-5
compacting, 56-1
Domino server, 56-1
Domino Web server, 56-12
extended ACL, 25-31
logging modem I/O in, 63-48
NOTES.INI settings, 56-2
NSD, 63-96, 63-101
passthru connections and, 63-79
replication events, 58-8
replication views, 63-80
Results database, 56-5
Schedule Manager errors in, 63-47
searching, 56-5
selecting level of
logging, 28-7, 56-3
troubleshooting with, 63-2
using commands to record
information, 56-3
viewing the Domino server, 56-3
Log filters
for events, 52-15
Log setting
described, C-55
for log file size, 56-1
LOG.NSF, 28-7
introduced, 56-1
monitoring servers and, 52-3
Log_AgentManager setting
described, C-55
Log_Authentication setting
described, C-56
Log_Connections setting
described, C-57
Log_Console setting
described, C-57
Log_DirCat setting
described, C-58
Log_Replication setting
described, C-59
troubleshooting and, 63-80
Log_Sessions setting
described, C-59
Log_Tasks setting
described, C-60
Log_Update setting
described, C-60
Log_View_Events setting
described, C-61
LogFile_Dir setting
described, C-58
Logging
configuring for Domino Web
server, 56-12
to the console, 52-21
informational, 28-7
internal server errors, 56-10
phone calls, C-76
replication, 63-80
Web server requests, 56-8
Logging level
selecting, 28-7
Login names
authentication for Internet
clients, 31-24
Login scripts
editing, 4-51
making a call with, 4-50
Lookup command
described, I-17
Loopback addresses
creating, 13-17
Lotus NDS Manager
administering Windows clients
with, G-3
for IPX/SPX setup, G-1
Lotus Organizer
scheduling and, 8-6
Lotus Support Services
contacting, 63-4
Web site, 63-4
LotusScript agents
restricting, 40-18
Low-priority mail
generating delay notifications
for, 28-30
LSCHEMA.LDIF
described, 21-2, 21-5
M
Mail
blocking, 28-20
encrypting, 28-9, 43-4, 43-7, 47-13,
47-15, C-90
error messages, 28-46
held, 28-16
limiting the size of
messages, 28-28
pending, 28-16
polling, I-19
restricting, 28-70, 28-90
routing from Web page, 36-9
security, 29-4
shortcut keys, H-7 to H-8
signing, 43-9, 43-11, C-90
tracing connections, 63-37
virus protection, C-71
Mail activity logging
information logged, 57-6
Mail addresses
formats for Internet, 28-134
Mail addressing
directory assistance and, 23-8
directory catalogs and, 24-4, 24-29
domain names and, 63-40
format for sending to another
Domino domain, 26-21
and groups, 28-32
for hosted environments, 14-16
Mobile Directory Catalogs
and, 24-3
type-ahead, 28-6
Mail agents
controlling, 28-9
Mail clients
POP3, 30-11
supported, 26-15
Mail connections
routing and, 27-2
Mail conversion utility
enabling mail files for IMAP, 31-2
Mail databases
archive criteria, 9-28
archive log, 9-24
archiving, 9-22, 9-25
IMAP service and, 31-2
moving, 54-53
overview, 26-12
sharing IMAP, 31-13
Mail delivery
configuring, 28-8
shared mail and, 29-8
Mail encryption administration
request, F-31
Mail file quotas
enforcing, 28-14, 28-28
shared mail and, 29-4
soft deletions and, 28-14
MAIL6EX.NTF
using, 32-11
Mailboxes
setting number of, 60-12
setting up multiple, 28-3 to 28-4
MailCharSet setting
described, C-61
MailCompactDisabled setting
described, C-63
MailCompactHour setting
described, C-63
MailConvertMIMEonTransfer setting
described, C-63
Mail-in Database document
creating, 48-5
statistics, 52-35
Mail-in statistics
using, 52-35
MailServer setting
described, C-64
MailSystem setting
described, C-65
MailTimeout setting, 28-37
described, C-66
MailTimeoutMinutes setting
described, C-66
Mailto
setting up, 36-9
Maintain Trends database record
request, F-30
Manage Groups tool
using, 6-16
Manager access
actions, 40-14
privileges, 40-16
Map_Retry_Delay setting
described, C-66
Maps
replication topology, 7-34
Master Address Book. See Directory
assistance
Maximum concurrent transfer
threads
setting, 28-33
Maximum delivery threads, 28-9
Maximum hops
setting, 28-33
Maximum message size
setting, 28-28
Maximum transfer threads
setting, 28-33, 60-11
Maximum Transmission Unit.
See MTU setting
Meetings
troubleshooting, 63-45
Memory
displaying, A-32
Memory requirements
for servers, 60-3
Memory_Quota setting
described, C-67
Message caching
disabling, C-73
Message conversion
mail routing and, 27-1
Message delivery
configuring, 28-8, 60-11
Message filtering
using mail rules for, 28-20
Message headers
MIME, 28-131, 28-134
Message journaling. See Mail
journaling
Message priority level, 28-27
disregarding during
routing, 28-39
Message size
restricting, 28-28
Message tracking
configuring servers for, 33-8
controlling, 33-5
from the Domino
Administrator, 33-10
overview, 33-1
in Web Administrator, 16-27
Message transfer
controlling, 28-26, 28-33
Message validation
SSL, 46-1
Messages
disabling, A-22, A-44
encrypting for delivery, 28-9
MIB
overview, 53-7
using with SNMP, 53-21
Microsoft Active Directory
deleting users and groups, 17-42
directory assistance search
filters, 23-46
mapping containers to Notes
certifiers and policies, 17-32
mapping fields with Domino
Directory, 17-31
registering existing users, 17-35
registering new groups, 17-39
registering new users, 17-33
renaming users and groups, 17-41
N
NABRetrievalPOP3Mail command
described, I-18
NABUpdate command
described, I-18
NAMAGENT.NSF
Server.Load agents, 62-4
Name and Address Book. See
Domino Directory
Name change
refusing, F-56
Name lookups
restricting, 27-47
restricting to primary
directory, 28-40
Name resolution in IPX
troubleshooting, 63-72
Name resolution in NRPC
described, 2-4
ensuring DNS resolves, 2-16 to
2-17, 2-19, 2-22
over IPX/SPX, 2-30
over NetBIOS, 2-28
over TCP/IP, 2-11, 2-15, 2-44
troubleshooting, 63-66
Name services
Microsoft, 2-13
NetWare, 2-30 to 2-32,
2-61 to 2-62
Notes, 2-4
Name-and-password
authentication, 42-8, 46-15
customizing, 42-3
directory assistance and, 23-3
Internet/intranet clients
and, 28-60, 31-2, 42-1
LDAP service and, 20-12, 20-31
level, 42-19
session-based, 42-6, 42-8, 42-10
setting up users, 42-3
virtual servers, 3-42
Names
changing, 5-56 to 5-57
for Policy documents, 9-32
for servers, 2-15, 2-17, 2-19,
2-22, 59-10
Internet authentication and, 31-24
NDS, 2-62
NetWareSocket setting
described, C-70
NetWareSpxSettings setting
described, C-70
Network Address Translation.
See NAT
Network connections
dropping, I-9
testing, 63-77
tracing, 63-77, A-59, C-76
Network Dialup
encrypting Connection
documents, 4-46
setting up servers to use, 4-36
troubleshooting, 63-74
Network ports
adding, 2-36, 2-60
binding to IP
addresses, 2-46 to 2-47
compressing data on, 2-42
configuring, 2-35, 2-58
deleting, 2-40
disabling, 2-34
encrypting, 2-41
fine-tuning, 2-34
renaming, 2-38
reordering, 2-39, 2-45
Server Setup program and, 2-2
TCP/IP, 2-12, 2-22
Network protocols
compatible with Domino, 2-2
defined, 2-1
specifying, 4-16
Networks
integrating Domino
with, 2-1, 2-10, 2-26, 2-29
name resolution, 2-4, 2-11
NOTES.INI settings, 2-64
security, 2-6 to 2-7
NewMail command
described, I-19
NewMailInterval setting
described, C-70
NewMailTune setting
Incoming Mail Sound
setting, C-44
NewReplicateDB command
described, I-19
NewUserServer setting
described, C-71
NIS
preventing problems with, 2-56
NNN. See Notes named networks
No access
assigning, 40-14
privileges, 40-16
No_Force_Activity_Logging setting
described, C-72
NoDesignMenu setting
described, C-71
NoExternalApps setting
described, C-71
NoMailMenu setting
described, C-72
NoMsgCache setting
described, C-73
Nonroaming users
change to roaming, 5-70
Normal logging, 28-7
Note ID
finding documents by, 63-20
table of, I-12
NoteAdd command
described, I-20
Notes
registering Windows NT users,
17-1, 17-8, 17-12, 17-14
synchronizing with
Windows NT, 17-2 to 17-3
Notes client
authentication with directory
assistance, 23-6
authentication with directory
catalogs, 24-11
connecting to servers, 4-55
directory servers, 19-15
directory services, 18-10
installation in a shared
directory, 5-43
LDAP service and, 20-34
Notes Direct Dialup
Connection documents, 4-35
described, 4-34
setting up, 4-44
Notes domains. See Domino domains
Notes IDs
about, 39-1 to 39-2
Notes items
sending in Internet message
headers, 28-134
Notes mail
condensed Directory Catalogs
and, 24-29
directory assistance and, 23-8
directory catalogs and, 24-1,
24-3 to 24-4, 24-14
NRPC service
binding to an IP address, 2-46
default TCP port, 2-55
described, 2-2
encrypting, 2-41
name resolution in, 2-4, 2-11, 2-15
to 2-17, 2-19, 2-22, 2-28, 2-30
NSD log file
troubleshooting
and, 63-96, 63-101
NSF_Buffer_Pool_Size setting
described, C-73
NSF_DbCache_Disable setting
described, C-74
NSF_DbCache_Maxentries setting
described, C-74
Null modems
troubleshooting, 63-51
Num_Compact_Rename_Retries
setting
described, C-74
NWNDSPassword setting
described, C-75
NWNDSUserID setting
described, C-75
O
Object class hierarchy
described, 21-1
Object classes
adding to schema, 21-14
described, 21-1, 21-3
extending, 21-11
for Group documents, 21-5
for Person documents, 21-4
Object collect task
use in generating shared mail
statistics, 29-13
use in resynchronizing mail
files, 29-22
Object Link command
use in managing shared mail, 29-15
Object Request Broker. See Domino
ORB
Object store
defined, 29-1
managing growth
of, 29-10 to 29-11
Offline Security Policy document
creating, 11-7
Offline Subscription Configuration
profile document
creating, 11-11
editing, 11-11
Offline subscriptions
overview, 11-1
Offline users
security, 11-7
tracking, 11-22
OID for LDAP
described, 21-12
On-demand cross-certificates, 39-32
Online Meeting Place
in the Resource Reservations
database, 8-9
Open command
described, I-20
Open relays
defined, 28-76
preventing, 28-76
OpenView for Windows
and SNMP traps, 53-21
ORB. See Domino ORB
Organization certifier IDs, 1-8
creating, 3-34
Organization hierarchy
moving user names in, 5-61
Organizational policies
described, 9-2
Organizational unit
certifier IDs, 1-8
creating, 3-35
Organizational units
Internet, 45-2
restricting mail based
on, 28-55
Organizations
restricting mail based
on, 28-55
OS/2
error codes, 63-100
troubleshooting, 63-100
OS/390. See zOS
OtherDomainServers group
access level, 7-6, 40-3
described, 6-1
directory catalogs and, 24-20
Over quota enforcement
configuring, 28-17
P
Packing density
condensed Directory
Catalogs, 24-31
Partitioned servers
described, 1-6
in a hosted environment, 12-2
PC-Pine client
configuring, 31-39
PEER Agent
and SNMP Agent, 53-14
Peer-to-peer topology
example of, 4-11
replication and, 4-8
People
registering Internet/intranet, 42-3
Performance
database cache and, 61-9
directory catalogs, 24-18, 24-20,
24-27, 24-30
Domino Directory, 19-1
Domino Performance Zone Web
site, 60-1
encryption and, 43-4
improving, 60-1, 60-3, 61-12
LDAP service, 20-28
mail, 26-17, 28-3, 28-6
mail routing, 28-2
monitoring, 52-36
networks, 2-42
optimizing, 61-1, 61-3
Server Health Monitor, 54-12
sources for improving, 60-15
tools, 60-2
troubleshooting, 63-16
tuning disk I/O, 60-15
UNIX server, 60-14
view indexes and, 58-23
Web server, 34-52
Windows server, 60-13
Person documents
changing during
synchronization, 17-5
IMAP users and, 31-23
Internet Address
field, 27-50, 27-53
mail routing and, 26-10
object classes for, 21-4
password checking, F-60
POP3 users and, 30-7
SSL clients, 47-20
Personal Address Book
missing views and, 63-42
PhoneLog setting
described, C-76
PHP
configuring a Web site for, 34-40
Pin lists
creating, 54-32
Ping, 27-38
troubleshooting and, 63-77
Pipelining commands
supporting via ESMTP, 28-96,
28-103 to 28-104
PKCS11_Library setting
described, C-77
Platform command
described, A-16
using, 52-28
Platform statistics
disabling, 52-30, C-77
displaying, 52-27
evaluating, 52-28
overview, 52-26
troubleshooting, 63-52
viewing, 52-30
Platform_Statistics_Disabled setting
described, C-77
Policies
assigning, 9-6, 9-40
child policy, 9-4, 9-34
creating, 9-7
examples, 9-4
exceptions, 9-3
for hosted organizations, 9-7, 12-4
with Notes synchronization, 17-6
overview, 9-1
planning, 9-6
troubleshooting, 63-109
types of, 9-2
viewing, 9-37 to 9-38
Policy documents
child policy, 9-34
creating, 9-32
deleting, 9-35
in a hosted environment, 13-4
names in, 9-32
Policy hierarchy
effective policy, 9-36
examples, 9-4
Policy settings
deleting, 9-35
described, 9-1
desktop, 9-14
editing, 9-35
groups, 6-9
inheritance, 9-4
registration, 9-7
security, 9-19
setup, 9-12
viewing, 9-38
in Web Administrator, 16-25
Policy Synopsis tool
using, 9-36
Policy viewer
described, 9-37
using, 9-38
Policy-based registration
with Notes synchronization, 17-6
POP3 Initialization Workload script
running, 62-27
sample, J-14
POP3 protocol
Domino mail server and, 26-5
in a hosted environment, 12-13
POP3 service
authentication and, 30-2
binding to an IP address, 2-47
changing default port information for, 30-3
clients, 30-11
described, 30-1
DNS lookups, C-78
Internet domain names, C-79
mail commands, I-18, I-23
marking messages as read, C-79
message caching, C-78 to C-80
Notes port for TCP/IP, C-80
setting up, 30-2
starting, 30-3
updating configuration, C-78
POP3 users
activity logging, 57-10
allowing SMTP relays from, 28-82
creating mail files for, 30-10
enabling to send mail, 30-1
setting up, 30-7
POP3 Workload script
described, 62-26
running, 62-28
sample, J-14
POP3_Disable_Cache setting
described, C-78
POP3_Enable_Cache_Stats setting
described, C-79
POP3_Message_Stat_Cache_NumPerUser setting
described, C-80
POP3ConfigUpdateInterval setting
described, C-78
POP3DNSLookup setting
described, C-78
POP3Domain setting
described, C-79
POP3MarkRead setting
described, C-79
POP3NotesPort setting
described, C-80
Populate command
described, I-21
Port mapping
on partitioned servers, 2-53
Portals
creating for iNotes Web Access, 32-3
portname_MaxSessions setting
described, C-80
troubleshooting and, 63-59 to 63-60
Ports
adding, 2-36, 2-60
binding to IP addresses, 2-46 to 2-47
cluster servers and, C-91
compressing data on, 2-42
configuring, 2-35, 28-66, 30-3, 31-5
controlling access to, 38-14
deleting, 2-40
disabling, 2-34
dropping connections, I-9
enabling, C-81
encrypting, 2-41
for LDAP service, 20-12
maximum sessions, C-80
names, 2-38
renaming, 2-38
reordering, 2-39, 2-45
Server Setup program and, 2-2
SMTP, C-104
specifying, 4-16
SSL, 46-15, 2-55
starting and stopping, A-22
TCP, 2-55, C-110 to C-111
Ports setting
described, C-81
Ports, communication
options, 4-47
setting up, 4-34
POST command
restricting, 34-29
Pre-delivery agents
controlling, 28-9
Preferences
Domino Administrator, 16-5, 16-7 to 16-9, 16-11
Web Administrator, 16-24
Primary Domino Directory
changing to Configuration Directory, 19-5
directory assistance for, 23-26, 23-33
Q
Quick console
Web Administrator and, 16-26
Quit command
described, A-20, I-22
Quotas
database, 61-23 to 61-24
enforcing, 28-16
mail, 28-10 to 28-11, 28-15
memory, C-67
replication and, C-13, C-83
setting Router controls for, 28-17
soft deletions and, 28-14
Quotas, mail
shared mail and, 29-4
R
R5 IMAP Initialization Workload
running, 62-17
R5 IMAP Workload script
described, 62-15
running, 62-18
sample, J-6
R5 NRPC Mail Initialization script
running, 62-21
R5 Shared Database script
described, 62-24
running, 62-25
sample, J-12
R5 Simple Mail Routing script
described, 62-20
running, 62-23
sample, J-9
RA. See Registration Authority
Ratings
Server Health Monitor, 54-5
Read command
described, I-22
Reader access
actions, 40-14
privileges, 40-16
Readers field
updating, 40-29
Realms
authentication and, 63-104
Receipts
configuring Internet, 28-116
Recertify Certificate Authority in Domino Directory
administration request, F-47
Recommendation documents
Web Navigator database, 36-11
Recovery. See IDs, recovering
Redirect URL command
finding links with, 34-27
Referrals
LDAP service and, 20-33, 23-11
Refresh agent
enabling, 36-18
using, 36-18
Register hosted organization
administration requests, F-48
Registration
customizing options, 17-8
existing Active Directory users, 17-35
group member in Notes, 17-18
Replica stubs
described, 63-88
troubleshooting, 63-89
Replicas
access levels, 7-6
concurrent changes to, 58-8
controlling changes, 40-5
controlling creation of, 38-14
copying to servers, 48-2
creating, 7-9, F-8, I-19
creating for multiple domains, F-77
deleting, 58-36
deleting documents from, 7-12
deletions, 63-89, 63-90
described, 7-1
limiting content, 7-12, 7-16
size of, 63-87
Replicas, directory
directory assistance and, 23-20, 23-36
Replicate command
described, A-20, I-22
Replicate server command, 7-31
Replication
access levels, 7-6
activity logging, 57-10
CD-ROM updates, 7-17
customizing, 7-11, 7-22
database design and, 63-86
deleted documents, 7-7
described, 7-1, 7-3
direction, 7-23
directory catalogs, 24-32
disabling, 7-16, 7-32, 63-89
document size and, 7-14
from Domino Administrator, A-19
Domino Directory, 19-17
editing conflicts, 63-91
enabling, 7-32
end-to-end topology, 4-8
enforcing consistent ACL, 40-28
error tolerance setting, C-82
examples, 7-19
forcing, 7-33
full-text indexes, 50-1
graphical display of topology, 7-34
history, 58-6, 58-7
limiting time for, 7-29
log file, 58-8
manual, 7-31
monitoring, 58-6
Report_DB setting
described, C-83
Reporter task
sending statistics, C-83
Reports
directory catalog, 24-49
mail usage, 33-2
REPORTS.NSF (Reports database)
creating, 33-4
ReportUseMail setting
described, C-83
Requests
managing certificate, 46-20
Web server, 34-55
Resent headers
using, 28-131
Reservations
deleting, 8-17
editing, 8-17
Resource balancing
in Activity Trends, 54-26
in Activity Trends, setting up, 54-27
additional statistics, 54-46
analyzing distributions, 54-37
approval profile for, 54-59
charting options, 54-28
comparing, 54-39
creating plan constraints, 54-62
customizing, 54-36
database and server locations, 54-27
database moves, 54-32, 54-53, 54-55
and decommissioning a server, 54-43
and Domino Change Manager, 54-48 to 54-49
editing server properties, 54-43
evaluating server activity, 54-39
filtering servers, 54-45
goals, 54-30, 54-31
interpreting profile charts, 54-41
overview, 54-34
plan constraints explained, 54-61
plan documents for, 54-53, 54-57, 54-60 to 54-64
plan variables, 54-63
proposals for, 54-38, 54-47
viewing, 54-47
Resource document
creating, 8-9
editing and deleting, 8-13
plan notification messages, 54-64
recalculating, 27-22
Routing task
described, 27-1
Routing. See Mail routing
RSA
trusted root, 46-11
RSVP
command for, I-24
RSVPInvitation command
described, I-24
RTR_Logging setting
described, C-86
Rules
mail, 28-113
S
S/MIME
encrypted, 47-13 to 47-15
setting up clients for, 47-1, 47-13
Sametime
setting up for iNotes Web Access, 3-14
Save conflicts
consolidating, 58-10
described, 58-8
Sched_Dialing_Enabled setting
described, C-86
Sched_Purge_Interval setting
described, C-86
Schedule Manager
statistics, C-87
Tell commands, A-55
troubleshooting, 63-47
validation settings, C-87
Schedule_Check_Entries_When_Validating setting
described, C-87
Schedule_No_CalcStats setting
described, C-87
Schedule_No_Validate setting
described, C-87
Scheduled replication
troubleshooting, 63-80, 63-84
Scheduled reports
mail, 33-15
Schedules
replication, 7-24
viewing for replication, 7-34
Scheduling
example, 8-2
server programs, B-2
setting up, 8-5
troubleshooting, 63-45
Search results
access to, 10-12
filtering, 10-13
titles in, 10-19
Web server, 34-26
Searching
domains, 10-1
encrypted fields, 50-2
file systems, 10-9
SearchMax
number of documents to display, 34-26
Secondary directories
directory services for, 18-12
LDAP service, 18-4
Secondary Domino Directory
Administration Process support, 15-7
described, 23-1
directory assistance and, 23-3, 23-8, 23-33
LDAP service, 23-10
name lookups, C-68
Secondary name servers
adding in Notes, 2-44
Secure_Disable_FullAdmin setting
described, C-90
SecureMail setting
described, C-90
Security
adding cross-certificates on demand, 39-32
anonymous access, 42-25
application, 37-14
application design element, 37-15
authenticating clients, 31-24, 46-25
certificates, 39-2
certifier IDs and, 1-9
database, 10-12, 40-19
database access for SSL clients, 46-19
databases, 38-14
directory links, 49-1
Domino Directory and, 18-7, 19-9, 20-16, 20-22 to 20-23
Domino Off-Line Services, 11-7
encryption, 2-6, 43-1
encryption defined, 43-4
full-text indexes and, 50-2
ID recovery, 39-14, 39-17
IDs and, 37-16, 39-1
for Internet/intranet clients, 31-24
in a hosted environment, 12-3
workstation, 41-1
Security policy settings
creating, 9-19
Selection formulas
directory catalogs and, 24-20
Selective replication
setting up, 11-22
Selective replication formulas
preventing replication of ADMIN4.NSF, 15-27
Self subject
extended ACL, 25-11
Self-certified certificate, 46-22
Send copy to mail rule
disabling, 28-9
SendMessage command
described, I-24
SendSMTPMessage command
described, I-25
Server access
anonymous, 38-13
customizing, 38-7
data directory, 49-4
denying, 38-4, 38-7
passthru, 38-17
troubleshooting, 63-91
Server administrators
changing name of, 59-1
Server certificates
changing expiration date, 3-32
merging into key ring file, 46-12
Server Certificate Administration
requesting certificate, 46-5
setting up, 46-3
Server commands
Agent Manager and agents, 63-12
entering from the UNIX command line, A-8
redirecting command output to, A-2
table of, A-10
troubleshooting with, 63-2
Server comparisons
when decommissioning a server, 59-5
Server console
commands, I-8
described, A-1
using at server, A-2
Server Console Configuration document
settings in, 52-21
Server crashes
database indexes and, 63-99
Extended Directory
Catalog, 24-26
increasing database, 61-23
index, 50-3
Java heap, C-46 to C-47
Java stack, C-48
mail file, 28-11
MIME message, C-40
NSF buffer pool, C-73
replica, 7-12, 63-87
Server Web Navigator database, 36-16
transaction log, C-113
SIZE extension
enabling, 28-96, 28-103 to 28-104
Size quotas
database, 61-23 to 61-24
mail, 29-4, 28-10, 28-15 to 28-16,
28-28, 28-55
Smart hosts
for mail routing, 27-5, 27-43
SMIME_Strong_Algorithm setting
described, C-100
SMIME_Weak_Algorithm setting
described, C-101
SMTP
activity logging, 57-10
binding to an IP address, 2-47
changing default port information for, 28-58, 28-60, 28-66
IMAP clients and, 31-1
in local Internet domain, 27-39
mail commands, I-25
requirements for routing, 28-2
restricting inbound connections, 28-71, 28-75
setting up SSL server authentication, 47-22
setting up SSL server authentication for Notes and Domino using, 28-68
using inside the local Internet domain, 26-23
using outside the local Internet domain, 26-24, 27-38
SMTP addresses
inbound lookup, 27-47
SMTP configuration
updating, 27-65
SMTP connection documents
creating, 27-34
SMTP Initialization Workload script
running, 62-27
sample, J-14
SMTP Listener task
enabling or disabling, 27-41
starting and stopping, 28-57
SMTP protocol
DNS and, 26-25
Domino mail server and, 26-3
mail routing and, 26-21, 27-37
SMTP routing
configuring multiple relay hosts, 27-58
customizing, 28-57
relay hosts and, 27-33
SMTP Workload script
described, 62-26
running, 62-28
sample, J-14
SMTP_Config_Update_Interval setting
described, C-102
SMTPAllHostsExternal setting
described, C-101
SMTPDebug setting
described, C-102
SMTPDebugIO setting
described, C-103
SMTPExpandDNSBLStats setting
described, C-103
SMTPGreeting setting
described, C-104
SMTPMaxForRecipients setting
described, C-105
SMTPMTA_Space_Repl_Char setting
described, C-105
SMTPNotesPort setting
described, C-104
SMTPNoVersionInRcvdHdr setting
described, C-104
SMTPRelayAllowHostsandDomains setting
described, C-106
SMTPSaveImportErrors setting
described, C-106
SMTPStrict821AddressSyntax setting
described, C-107
SMTPStrict821LineSyntax setting
described, C-107
SMTPTimeoutMultiplier setting
described, C-108
SMUX protocol
and SNMP Agent, 53-14
Snap-in registry values
configuring, G-3
SNMP
Domino events, 53-4
floating-point support, 53-7
INI file configuration, 53-9
MIB, 53-5
on partitioned servers, 53-9
overview, 53-1
security, 53-5
traps, 53-21 to 53-23
troubleshooting, 53-10
using Domino MIB with, 53-21
SNMP Agent
alerts, 53-2
Sockets
IPX/SPX addresses and, 2-62
SOCKS proxy
connecting Server Web Navigator through, 36-3
Soft deletions
defined, 61-8
effect on quotas, 28-14
expiration time, 61-8, F-70
Solaris
configuring partitioned servers, 2-51
configuring SNMP Agent for, 53-14
Soundex
directory catalogs and, 24-30
Space Saver settings
in Administration Requests database, 15-27
Spamming
preventing, 28-20, 28-70, 28-75, 28-90, C-101
Spoofing
preventing, 28-71
SPX. See IPX/SPX
SSL
authenticating clients, 9-37, 28-60, 31-2, 31-6, 46-25
Certificate Authority server and, 45-5
client authentication, 47-18
creating a self-certified key ring, 46-22
database access for clients, 46-19
default Domino trusted roots, 46-11
features, 46-1
forcing connections, 46-18
in a hosted environment, 12-4 to 12-13
Internet security and, 40-31
Stamp command
described, I-26
Start Consolelog command
described, A-43
Start Port command
described, A-44
STARTTLS extension
enabling for SMTP, 28-68
enabling for SMTP inbound, 28-96
Stash files
setting up for SSL, 46-5
Statistic alarms
reporting, 52-9
for Server Health Monitor, 54-10
Statistic Collector
Tell commands, A-57
Statistic Collector task
described, 52-24
Statistic documents
creating, 52-32
Statistic event generator
creating, 52-9
Statistic profiles
charting, 52-37
creating, 52-31, 52-36
modifying, 52-39
Statistic thresholds
viewing, 52-32
Statistics
Activity Trends, 54-22
Administration Process, 15-35
charting, 54-16, 54-25, 52-36
creating documents for, 52-32
database activity, 58-12
database archives and, 61-26
database cache, 61-10
default thresholds, 52-32
directory assistance, 23-60
exporting to spreadsheet, 52-34
LDAP service ports, 20-38
mail-in, 52-35
modifying, 52-32
monitoring, 52-24, 52-31
platform, 52-26, 52-28, 52-30
for resource balancing, 54-46
Server Health Monitor, 54-3, 54-13
Server.Load, 62-7
Set Statistics command, A-27
setting preferences for, 16-11, 52-25
shared mail, 29-13
viewing, 52-28, 52-30, 52-32
Windows NT Performance Monitor, 17-23
Statistics Collector
overview, 52-1
Statistics reports
viewing, 52-31
Statlog task
database activity reporting, 58-11, C-72
statistics, 58-12
user activity reporting, 58-13
STH files
setting up for SSL, 46-5
Stop Consolelog command
described, A-44
Stop Port command
described, A-44
Stop triggers
setting, 52-22
Storage format, mail file
setting for IMAP users, 31-3, 31-23, 31-35
setting for POP3 users, 30-7
Store CA policy information in Domino Directory
request, F-62
Store certificate in Domino or LDAP directory
request, F-62
Store Certificate Revocation List in Domino or LDAP directory
request, F-63
Store directory type in server record
request, F-63
Store server's DNS host name in Server record
request, F-64
Structural object classes
described, 21-2
Subjects
extended ACL, 25-9, 25-17
Subscriptions, offline
overview, 11-1
SwapPath setting
described, C-109
Synchronization
enabling, 17-27
Notes and Windows 2000 users, 17-25, 17-38
Notes and Windows NT users, 17-1 to 17-3, 17-5
Syntaxes
adding to schema, 21-15
LDAP, 21-2, 21-4
System administrators, 38-8
T
Tables
forms and, 61-4
Targets
extended ACL, 25-12 to 25-14, 25-17, 25-30
Task status event generator
creating, 52-10
TCP server event generator
creating, 52-11
TCP/IP
Domino Internet services and, 2-47
frame types, 63-68
importance of Notes port order, 2-45
IPv6 standard, 2-25, 2-45
multiple IP addresses for servers, 2-12, 2-19, 2-22
name resolution in, 2-15
name resolution in NRPC, 2-11, 2-16 to 2-17, 2-19, 2-22
Notes port for, 2-34 to 2-36, 2-38, 2-39 to 2-42, 2-46
NOTES.INI settings, 2-64
partitioned servers and, 2-21
passwords, 42-3, 42-24
planning server configurations, 2-10
port mapping, 2-53, 63-78
port numbers, 2-55
redirect to SSL, 31-7, 46-18
Secondary name servers, 2-44
security, 2-9
setting up servers on, 2-19, 2-32, 2-43
testing, 2-56
time-out setting, 2-45
troubleshooting, 63-56, 63-107
TCP/IPportname_PortMappingNN setting
described, C-110
TCP/IPportname_TCPIPAddress setting
described, C-111
TCP_EnableIPV6 setting
described, C-110
Tell commands
Administrator Process, A-46
Agent Manager, 63-12, A-47
CA process, A-48
Change Manager, A-50
Cluster Replicator, A-51
described, A-45
Directory Cataloger, A-53
LDAP service, A-53
Router, 27-5, 27-22, A-54
Schedule Manager, A-55
SMTP, 27-65, A-56
Statistic Collector, A-57
troubleshooting, 63-91
Web Navigator, A-57
Web Server, A-57
Telnet
and UNIX installation, 3-5
Temp_Index_Max_Doc setting
described, C-111
Templates
Domino Off-Line Services, 3-11
signing, 48-7
system and application, D-1
updating databases with, 58-24
Temporary directory
changing for view rebuilding, 58-22
Terminated users
deleting from system, 40-23
Terminations group
adding names to, 40-6
creating, 6-8
Text
in Server Web Navigator, 36-12
Text files
for Domino Web server log, 56-10
redirecting command output to, A-2
setting up for registration, 5-23
Third-party relays
defined, 28-76
Threads
DIIOP and, 34-11
IMAP service, 31-19
transfer, 28-33, 28-36
Web server, 34-55
Threads, Administration Process
changing number of, 15-29
Time zones
and replication, 7-24
Time-out settings
IMAP service, 31-9
LDAP service, 20-28
message, 28-37
server, C-96
SMTP, C-108
specifying for Web, 34-53
TCP/IP, 2-45
TimeZone setting
described, C-112
Titles
replication and, 63-87
window, C-120
TLS (Transport Layer Security)
for SSL, 28-68
Tools
Active Directory Domino Upgrade Service, 17-25
administration, 16-16 to 16-17
Agent log, 63-13
for troubleshooting, 63-2
monitoring servers and, 52-1
server performance, 60-2
Topology
creating a passthru, 4-25
replication and, 4-8
Topology maps task
starting, 7-34
update frequency, C-112
Topology_WorkInterval setting
described, C-112
Trace command
described, A-59
TRACERT command
using for TCP/IP, 63-67
Tracing
mail, 63-2
network connections, 63-77
passthru connections, 63-79
Tracking messages
configuring the server for, 33-8
from the Domino Administrator, 33-10
Mail Tracking Collector task, 33-5
overview, 33-1
Transaction logging
database changes, 58-25
disabling, 55-8
disk space and, C-115, 55-8
enabling, C-114
log location, C-113
log size, C-113
logging style, C-114
overview, 55-1
performance, C-113
planning for, 55-4
recovery, 14-11, 55-9
U
Undeliverable mail
generating non-delivery reports for, 28-37
holding in MAIL.BOX, 28-40 to 28-41
Unicode
LDAP service and, 20-3
Unit numbers
NetBIOS ports and, 2-58
UNIX
accessing the server console, A-8
directory for entering commands, 3-2
installation on, 3-4
server performance, 60-14
Unread command
described, I-27
Unread marks
allowing IMAP users to change other users', 31-17
performance and, 61-3, 63-18
setting, I-27
Unwanted commercial e-mail
preventing, 28-20, 28-70, 28-75, 28-90
Updall task
commands, 58-16
indexes, 58-15
options, 58-16
running, 58-19
scheduling, 50-4 to 50-5
Update client information in Person record, F-64
Update command
described, I-27
Update Config command, 27-65
described, 27-22
Update task
directory indexer, 58-15
indexes, 58-14
running, 58-21
Update user from non-roaming to roaming user
administration requests, F-66
Update_No_BRP_Files setting
described, C-115
Update_No_Fulltext setting
described, C-115
Update_Suppression_Limit setting
described, C-116
Update_Suppression_Time setting
described, C-116
Updaters setting
described, C-116
UpgradeApps setting
described, C-117
URLs, 34-3
categorizing for Domain Search, 10-21
in Server Web Navigator, 36-12
mailed to SSL server administrators, 45-4
redirecting, 34-27
explained, 5-2
from a text file, 5-22
Internet-only users, 5-37
non-Notes users, 5-37
roaming, 5-13
types of, 5-7
Web, 5-8, 5-27, 5-31
User rules mail forwarding
disabling, 28-9
User types
assigning to ACL, 40-19
Users
access levels, 40-1, 40-11
anonymous, 40-8
configuring for TCP/IP, 2-44
managing, 5-54
migrating from external mail system or directory, 5-8
recertifying, F-48
registering, 5-2, 16-25, 17-33, 17-35
renaming, 17-41, F-51, F-84
restricting in clusters, 60-6
terminated, 40-6
UTF-8
LDAP service and, 20-32
UTF-8 locale
in a hosted environment, 13-8
V
Validation, 38-1
Internet/intranet clients, 42-27
Verbose logging
mail, 28-7
Web servers, C-119 to C-120
VeriSign
trusted root, 46-11
Version numbers
identifying, C-98
View indexes
updating, 58-14
View_Rebuild_Dir setting
described, C-119
ViewExpnumber setting
described, C-118
ViewImpnumber setting
described, C-118
Views
adding documents, J-1
Administration Requests
database, 15-19
Close command, I-8
creating, 40-17
customizing in Domino Directory, E-2, E-5
in Server Web Navigator database, 36-12
keyboard shortcuts for, 58-21
logging, 55-9
navigating, I-10
opening, I-20
performance and, 63-18
purging database, 58-23
rebuilding, 58-22, C-119
searching in, I-11
shortcut keys, H-10
troubleshooting, 63-42, 63-99
updating, J-3, I-16
Virtual servers
Web site hosting, 34-17
Virtual Web servers
partitioned servers and, 2-49
security, 3-42
Viruses
protection against, C-71
W
WANs
integrating Domino with, 2-2
network compression and, 2-42
Web
access levels, 40-13
anonymous users, 40-8
restricting amount of data sent, 34-29
Web access
improving, 60-10
Web Administrator
access, 16-18, 16-20
configuring, 16-17
creating groups with, 6-4
Domino Console, Domino Controller and, 16-28
entering server commands, A-1
in a hosted environment, 14-15 to 14-16
managing policies, 16-25
managing the ACL with, 40-24
message tracking, 16-27
re-creating database, 63-109
registering users, 16-25, 5-27, 5-31
remote console, 16-26, A-7
resizing and, 63-109
roles, 16-20 to 16-21
Web tours
Web Navigator database, 36-11
Web user
registering, 5-8
Web user preferences, 34-30
cookies, 34-30
regional settings, 34-30
Web users
authenticating, 40-7
controlling access, 40-30
renaming, 5-66
WEB.NSF
renaming, 36-14
WEBADMIN.NSF
configuring, 16-17
securing, 16-18
WebAuth_Verbose_Trace setting
described, C-119
WebDAV, 34-15, 34-22
setting up, 34-15, 34-17
WebGet command
described, I-28
WebSess_Verbose_Trace setting
described, C-120
troubleshooting with, 63-106
WebSphere plug-ins
installing on IIS servers, 35-4
Welcome Page
creating, 5-87
Wide-area networks. See WANs
Wildcard searches
LDAP service, 20-28
Window_Title setting
described, C-120
Windows
configuring SNMP Agent for, 53-11
directory for entering commands, 3-2
installation on, 3-3
running Server Setup program on, 3-18
system fonts, C-121
Windows 2000
configuring partitioned servers, 2-52
ensuring name resolves on, 2-29
improving server performance, 60-13
name resolution, 2-15, 2-22
registering existing users, 17-35
registering new users, 17-33
X
X.PC network
compression and, 2-42
XACLs. See Extended ACLs
x-headers
adding to outbound Internet mail, 28-134
XPC_Console setting
described, C-121
xSP servers
Activity Logging for, 13-23 to 13-24
applications on, 12-15
binding IP addresses to, 13-16
configuring, 12-5, 12-9
Domino features for, 12-4
example, 12-16
for hosted environments, 12-1
installation options, 12-2
installing, 13-2
mail protocols on, 12-13
opening databases on, 13-8
securing, 12-3
setting up environment for, 13-1
Z
zOS
configuring SNMP Agent for, 53-17