
Lotus Domino 6

Lotus software

Lotus Domino 6

Administering the Domino System, Volume 1

Part No. CT1L5NA


G210-1427-00

Printed in USA


Disclaimer
THIS DOCUMENTATION IS PROVIDED FOR REFERENCE PURPOSES ONLY. WHILE EFFORTS
WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION
CONTAINED IN THIS DOCUMENTATION, THIS DOCUMENTATION IS PROVIDED AS IS
WITHOUT ANY WARRANTY WHATSOEVER AND TO THE MAXIMUM EXTENT PERMITTED,
IBM DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION THE
IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT AND FITNESS FOR A
PARTICULAR PURPOSE, WITH RESPECT TO THE SAME. IBM SHALL NOT BE RESPONSIBLE FOR
ANY DAMAGES, INCLUDING WITHOUT LIMITATION, DIRECT, INDIRECT, CONSEQUENTIAL
OR INCIDENTAL DAMAGES, ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO,
THIS DOCUMENTATION OR ANY OTHER DOCUMENTATION. NOTWITHSTANDING
ANYTHING TO THE CONTRARY, NOTHING CONTAINED IN THIS DOCUMENTATION OR ANY
OTHER DOCUMENTATION IS INTENDED TO, NOR SHALL HAVE THE EFFECT OF, CREATING
ANY WARRANTIES OR REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR
ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT
GOVERNING THE USE OF THIS SOFTWARE.
Copyright
Under the copyright laws, neither the documentation nor the software may be copied, photocopied,
reproduced, translated, or reduced to any electronic medium or machine-readable form, in whole or
in part, without the prior written consent of IBM, except in the manner described in the documentation or the applicable licensing agreement governing the use of the software.
Copyright IBM Corporation 1985, 2002
All rights reserved.
Lotus Software
IBM Software Group
One Rogers Street
Cambridge, MA 02142
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
List of Trademarks
1-2-3, cc:Mail, Domino, Domino Designer, Freelance Graphics, iNotes, Lotus, Lotus Discovery Server,
Lotus Enterprise Integrator, Lotus Mobile Notes, Lotus Notes, Lotus Organizer, LotusScript, Notes,
QuickPlace, Sametime, SmartSuite, and Word Pro are trademarks or registered trademarks of Lotus
Development Corporation and/or IBM Corporation in the United States, other countries, or both.
AIX, AS/400, DB2, IBM, iSeries, MQSeries, Netfinity, OfficeVision, OS/2, OS/390, OS/400, S/390,
Tivoli, and WebSphere are registered trademarks of International Business Machines Corporation in
the United States, other countries, or both. Pentium is a trademark of Intel Corporation in the United
States, other countries, or both. Microsoft, Windows, and Windows NT are registered trademarks of
Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark
of The Open Group in the United States and other countries. Java and all Java-based trademarks and
logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other
countries, or both.
All other trademarks are the property of their respective owners.

Contents

Preface

Volume 1

1 Deploying Domino
    Guidepost for deploying Domino
    Building the Domino environment

2 Setting Up the Domino Network
    Lotus Domino and networks
    Network security
    Planning the TCP/IP network
    Planning the NetBIOS network
    Planning the IPX/SPX network
    Setting up Domino servers on the network
    Server setup tasks specific to TCP/IP
    Server setup tasks specific to NetBIOS
    Server setup tasks specific to IPX/SPX
    NOTES.INI settings for networks

3 Installing and Setting Up Domino Servers
    Installing and setting up Domino servers
    Server installation
    The Domino Server Setup program
    Using the Domino Server Setup program
    The Certification Log
    Server registration
    Optional tasks to perform after server setup
    Using Domino Off-Line Services (DOLS) and iNotes Web Access
    Starting and shutting down the Domino server

4 Setting Up Server-to-Server Connections
    Planning server-to-server connections
    How a server connects to another server
    Internet connections
    Passthru servers and hunt groups
    Planning the use of passthru servers
    Setting up a server as a passthru server
    Setting up a server as a passthru destination
    Planning for modem use
    Commands for acquire and connect scripts
    Connecting Notes clients to servers

5 Setting Up and Managing Notes Users
    Setting up Notes users
    Adding an alternate language and name to a user ID
    Setting up client installation for users
    Managing users
    License Tracking
    Custom welcome page deployment

6 Setting Up and Managing Groups
    Using groups
    Creating and modifying groups
    Managing groups
    Assigning a policy to a group

7 Creating Replicas and Scheduling Replication
    Replicas
    How server-to-server replication works
    Guidelines for setting server access to databases
    Setting up a database ACL for server-to-server replication
    Table of replication settings
    Specifying replication settings for one replica
    Scheduling server-to-server replication
    Customizing server-to-server replication
    Specifying replication direction
    Scheduling times for replication
    Replicating only specific databases
    Replicating databases by priority
    Limiting replication time
    Using multiple replicators
    Refusing replication requests
    Forcing immediate replication
    Disabling database replication
    Forcing a server database to replicate
    Viewing replication schedules and topology maps

8 Setting Up Calendars and Scheduling
    Calendars and scheduling
    Setting up scheduling
    Setting up the Resource Reservations database
    Creating Site Profile and Resource documents
    Editing and deleting Resource documents
    Creating Holiday documents
    Collecting detailed information from user calendars

9 Using Policies
    Policies
    Policy hierarchy and the effective policy
    Planning and assigning policies
    Creating policies
    Mail archiving and policies
    Managing policies
    Viewing policy relationships

10 Setting Up Domain Search
    Domain Search
    Planning the Domain Index
    Creating and updating the Domain Index
    Customizing Domain Search forms
    Setting up Notes users for Domain Search
    Setting up Web users for Domain Search
    Using content maps with Domain Search
    NOTES.INI settings for Domain Search

11 Setting Up Domino Off-Line Services
    Domino Off-Line Services

12 Planning the Service Provider Environment
    Planning the xSP server environment
    Using Domino features in a hosted server environment
    Example of planning a hosted environment

13 Setting Up the Service Provider Environment
    Setting up the service provider environment
    Installing the first server or additional servers for hosted environments
    Setting up a hosted organization
    Setting up the Domino certificate authority for hosted organizations
    Using policies in a hosted environment
    What happens when you register a hosted organization?
    Example of registering a hosted organization
    Registering a hosted organization
    Using Internet and Web Site documents in a hosted environment
    Global Web Settings documents and the service provider environment
    Configuring activity logging for billing hosted organizations

14 Managing a Hosted Environment
    Maintaining hosted organizations
    Adding a hosted organization to an additional server to provide new Web applications
    Deleting a hosted organization
    Enabling anonymous access to a hosted organization's database
    Moving a hosted organization to another server
    Removing a hosted organization from a backup or load-balancing server
    Using a browser to access a hosted organization's Web site
    Restoring a hosted environment after a server crash
    Using the Resource Reservations database in a hosted environment
    Viewing hosted organizations
    Managing users at a hosted organization
    Using the Web Administrator to manage users at a hosted organization
    Temporarily disabling services for a hosted organization

15 Setting Up the Administration Process
    The Administration Process
    Setting up the Administration Process
    Administration Process support of secondary Domino Directories
    Processing administration requests across domains
    Setting up ACLs for the Administration Process
    The Administration Requests database
    Customizing the Administration Process
    Administration Process Statistics
    Administration request messages

16 Setting Up and Using Domino Administration Tools
    The Domino Administrator
    Installing the Domino Administrator
    Setting up the Domino Administrator
    Starting the Domino Administrator
    Navigating Domino Administrator
    Selecting a server to administer in the Domino Administrator
    Setting Domino Administration preferences
    Domino Administrator tabs
    Web Administrator
    Setting up the Web Administrator
    Starting the Web Administrator
    Using the Web Administrator
    The Server Controller and the Domino Console

17 Using Domino with Windows Synchronization Tools
    Setting up Windows NT User Manager
    Setting policy-based registration options for use with Notes synchronization
    Using the Windows NT Performance Monitor to view Domino
    Setting up Domino Active Directory synchronization

18 Planning Directory Services
    Overview of Domino directory services
    Using directory servers in a Domino domain
    Planning LDAP features
    Planning directory access control
    Planning new entries in the Domino Directory
    Planning the management of entries in the Domino Directory
    Planning directory services for Notes clients
    Planning directory services in a multiple-directory environment
    Directory search order
    Planning internationalized directory services
    Planning directory customization
    Directory services terms

19 Setting Up the Domino Directory
    The Domino Directory
    Setting up the Domino Directory for a domain
    Using a central directory architecture in a Domino domain
    Managing Domino Directories in a central directory architecture
    Controlling access to the Domino Directory
    Corporate hierarchies
    Setting up Notes clients to use a directory server
    Customizing the Directory Profile
    Scheduling replication of the Domino Directory

20 Setting Up the LDAP Service
    The LDAP service
    How the LDAP service works
    Setting up the LDAP service
    Starting and stopping the LDAP service
    Customizing the LDAP service configuration
    Setting up clients to use the LDAP service
    Using LDAP to search a Domain index
    Monitoring the LDAP service
    NOTES.INI settings for the LDAP service
    RFCs supported by the LDAP service

21 Managing the LDAP Schema
    LDAP schema
    The Domino LDAP schema
    The schema daemon
    Domino LDAP Schema database
    Methods for extending the schema
    Extending the schema using the Schema database
    Schema-checking
    Searching the root DSE and schema entry
    NOTES.INI settings related to the schema daemon

22 Using the ldapsearch Utility
    Using the ldapsearch utility to search LDAP directories
    Table of ldapsearch parameters
    Using search filters with ldapsearch
    Using ldapsearch to return operational attributes
    Examples of using ldapsearch

23 Setting Up Directory Assistance
    Directory assistance
    How directory assistance works
    Directory assistance services
    Directory assistance concepts
    Directory assistance and naming rules
    Directory assistance and domain names
    Directory assistance and failover for a directory
    Directory assistance for an Extended Directory Catalog
    Directory assistance in conjunction with a condensed Directory Catalog
    Directory assistance for the primary Domino Directory
    Number of directory assistance databases
    Setting up directory assistance
    Directory assistance examples
    Monitoring directory assistance

24 Setting Up Directory Catalogs
    Directory catalogs
    Condensed Directory Catalogs
    Directory catalogs on servers compared to directory assistance for individual Domino Directories
    Extended Directory Catalogs
    Overview of directory catalog setup
    Planning directory catalogs
    Directory catalogs and client authentication
    Directory catalogs and Notes mail encryption
    Picking the server(s) to run the Dircat task
    Specifying the Domino Directories for the Dircat task to aggregate
    Controlling which information is aggregated into a directory catalog
    Full-text indexing directory catalogs
    Planning issues specific to Extended Directory Catalogs
    Planning issues specific to condensed Directory Catalogs
    Multiple directory catalogs
    Overview of setting up a condensed Directory Catalog
    The Dircat task
    Opening the configuration document for a directory catalog
    Monitoring directory catalogs

25 Setting Up Extended ACLs
    Extended ACL
    How other database security features restrict extended ACL access settings
    Elements of an extended ACL
    Extended ACL access settings
    Extended ACL subject
    Extended ACL target
    Extended ACL examples
    Extended ACL guidelines
    Setting up and managing an extended ACL

26 Overview of the Domino Mail System
    Messaging overview
    Supported routing, format, and access protocols
    The Domino mail server and mail routing
    Overview of routing mail using Notes routing
    Overview of routing mail using SMTP
    The Domain Name System (DNS) and SMTP mail routing
    Mail journaling

27 Setting Up Mail Routing
    The Domino mail router
    Planning a mail routing topology
    Sample mail routing configurations
    Creating a Configuration Settings document
    Setting up Notes routing
    Configuring Domino to send and receive mail over SMTP
    Setting up how addresses are resolved on inbound and outbound mail
    Routing mail over transient connections
    Configuring Domino to send mail to a relay host or firewall

28 Customizing the Domino Mail System
    Customizing mail
    Controlling messaging
    Improving mail performance
    Controlling message delivery
    Setting server mail rules
    Customizing message transfer
    Setting transfer limits
    Setting advanced transfer and delivery controls
    Customizing Notes routing
    Customizing SMTP Routing
    Changing SMTP port settings
    Restricting SMTP inbound routing
    Preventing unauthorized SMTP hosts from using Domino as a relay
    Enabling DNS blacklist filters for SMTP connections
    Restricting outbound mail routing
    Setting inbound and outbound MIME and character set options

29 Setting Up Shared Mail
    Shared mail overview
    Setting up shared mail databases
    Managing a shared mail database
    Disabling shared mail

30 Setting Up the POP3 Service
    The POP3 service
    Setting up the POP3 service
    Setting up POP3 users

31 Setting Up the IMAP Service
    The IMAP service
    Setting up the IMAP service
    Customizing the IMAP service
    Setting up IMAP users
    IMAP settings in the server NOTES.INI file

32 Setting Up iNotes Web Access
    iNotes Web Access
    iNotes Access for Microsoft Outlook

33 Monitoring Mail
    Tools for mail monitoring
    Setting up mail monitoring
    Viewing mail usage reports

34 Setting Up the Domino Web Server
    The Domino Web server
    Setting up a Domino server as a Web server
    Setting up WebDAV
    Hosting Web sites
    Web Site rules and global Web settings
    Custom Web server messages
    Improving Web server performance

35 Setting Up Domino to Work with Other Web Servers
    Setting up Domino to work with other Web servers

36 Setting Up the Web Navigator
    The Web Navigator
    Setting up a Web Navigator server
    Customizing the Web Navigator
    The Web Navigator database
    Customizing the Web Navigator database

Volume 2

37 Planning Security
    Overview of Domino security
    The Domino security model
    The Domino security team
    Security planning checklists

38 Controlling Access to Domino Servers
    Validation and authentication for Notes and Domino
    Server access for Notes users, Internet users, and Domino servers
    Setting up Notes user, Domino server, and Internet user access to a Domino server
    Customizing access to a Domino server
    Physically securing the Domino server

39 Protecting and Managing Notes IDs
    Domino server and Notes user IDs
    Certificates
    Password-protection for Notes and Domino IDs
    Verifying user passwords during authentication
    ID recovery
    Public key security
    Using cross-certificates to access servers and send secure S/MIME messages
    Adding cross-certificates to the Domino Directory or Personal Address Book

40 Controlling User Access to Domino Databases
    The database access control list
    Default ACL entries
    Acceptable entries in the ACL
    Configuring a database ACL
    Access levels in the ACL
    Access level privileges in the ACL
    User types in the ACL
    Roles in the ACL
    Managing database ACLs
    Using the Administration Process to update ACLs
    Setting up the Administration Process for database ACLs
    Managing database ACLs with the Web Administrator
    Editing entries in multiple ACLs
    Enforcing a consistent access control list
    Setting up database access for Internet users
    Maximum Internet name-and-password access

41 Protecting User Workstations with Execution Control Lists
    The execution control list
    The administration ECL

42 Setting Up Name-and-Password and Anonymous Access to Domino Servers
    Validation and authentication for Internet/intranet clients
    Name-and-password authentication for Internet/intranet clients
    Session-based name-and-password authentication for Web clients
    Multi-server session-based name-and-password authentication for Web users (single sign-on)
    Managing Internet passwords
    Anonymous Internet/intranet access

43 Encryption and Electronic Signatures
    Encryption
    Mail encryption
    Electronic signatures

44 Setting Up a Domino Server-Based Certification Authority
    Domino server-based certification authority
    Setting up a server-based Domino certification authority

45 Setting Up a Domino 5 Certificate Authority
    Setting up a Domino 5 certificate authority
    Using a Domino 5 certificate authority

46 Setting Up SSL on a Domino Server
    SSL security
    Setting up SSL on a Domino server
    Authenticating Web SSL clients in secondary Domino and LDAP directories
    SSL port configuration
    Managing server certificates and certificate requests
    Default Domino SSL trusted roots

47 Setting Up Clients for S/MIME and SSL
    SSL and S/MIME for clients
    Setting up Notes and Internet clients for SSL authentication
    Internet certificates for SSL and S/MIME
    Setting up Notes clients for S/MIME
    Dual Internet certificates for S/MIME encryption and signatures
    Setting up Notes and Internet clients for SSL client authentication
    Using SSL when setting up directory assistance for LDAP directories

48 Rolling Out Databases
    Database design, management, and administration
    Rolling out a database
    Copying a new database to a server
    Creating a Mail-In Database document for a new database
    Adding a database to the Domain Index
    Signing a database or template

49 Organizing Databases on a Server
    Organizing databases on a server

50 Setting Up and Managing Full-text Indexes
    Full-text indexes for single databases

51 Setting Up Database Libraries and Catalogs
    Database libraries
    Creating a database library and assigning librarians
    Publishing databases in a library
    Database catalogs
    Setting up a server's database catalog

52 Monitoring the Domino Server
    Monitoring the Domino system
    Monitoring events on the Domino system
    Event generators
    Event handlers
    Viewing an event report
    Viewing event messages, causes, and solutions
    Statistics and the Domino system
    Platform statistics
    Using the Domino Administrator to monitor statistics
    Charting statistics
    Domino server monitor
    Profiles and the Domino server monitor
    Customizing the appearance of the Domino server console and Domino Administrator console

53 Using the Domino SNMP Agent
    The Domino SNMP Agent
    Configuring the Domino SNMP Agent
    Using the Domino MIB with your SNMP management station
    Troubleshooting the Domino SNMP Agent

54 Using IBM Tivoli Analyzer for Lotus Domino
    IBM Tivoli Analyzer for Lotus Domino
    Server Health Monitor
    Table of Server Health Monitor statistics
    Table of Server Health Monitor ratings
    Server Health Monitor configuration
    Using the Server Health Monitor
    Working with Server Health Monitor statistics
    Activity Trends
    Setting up Activity Trends
    Activity Trends server and statistics profiles
    Resource balancing in Activity Trends
    Setting up resource balancing in Activity Trends
    Understanding resource-balancing behavior
    Analyzing resource-balancing distributions
    Domino Change Manager
    ACLs for the Domino Change Control database
    Resource-balancing plans
    Setting up plan documents for resource balancing

55 Transaction Logging and Recovery
    Transaction logging
    How transaction logging works
    Planning for transaction logging
    Setting up a Domino server for transaction logging
    Changing transaction logging settings
    Disabling transaction logging for a specific database
    View logging
    Using transaction logging for recovery
    Fault recovery

56 Using Log Files
    The Domino server log (LOG.NSF)
    Controlling the size of the log file (LOG.NSF)
    Logging Domino Web server requests
    The Domino Web server log (DOMLOG.NSF)
    Domino Web server logging to text files

57 Setting Up Activity Logging
    Activity logging
    The information in the log file
    Configuring activity logging
    Viewing activity logging data

58 Maintaining Databases
    Database maintenance
    The Files tab in the Domino Administrator
    Monitoring replication of a database
    Replication or save conflicts
    Monitoring database activity
    Updating database indexes and views
    Managing view indexes
    Synchronizing databases with master templates
    Fixing corrupted databases
    Using Fixup
    Moving databases
    Deleting databases
    Database analysis

59 Maintaining Domino Servers

. . . . . . . . . . . . . . . . . 59-1
Decommissioning a Domain Search server . 59-12
Uninstalling a Domino partitioned server . 59-13
Managing servers

60 Improving Server
Performance . . . . . . . . . . . . . . . . . 60-1
Improving Domino server performance
Tools for measuring server performance

...
..

Improving basic server performance and


capacity . . . . . . . . . . . . . . . . .

..

60-1
60-2
60-3

Improving partitioned server performance


and capacity . . . . . . . . . . . . . . .

60-5

Improving Agent Manager performance

60-6

Improving database and Domino


Directory performance . . .
Tips for tuning mail performance

.
..

. . . . . . . 60-9
. . . . . . 60-11

Improving Windows NT and Windows


2000 server performance . . . . .

60-13

Improving UNIX server performance

60-14

..
...

61 Improving Database
Performance . . . . . . . . . . . . . . . . . 61-1
Setting advanced database properties

....

61-1

Database properties that optimize


database performance . . .

. . . . . . . 61-3
The database cache . . . . . . . . . . . . . . . . 61-9
Controlling database size . . . . . . . . . . . 61-12
Tools for monitoring database size . . . . . 61-13
Monitoring database size . . . . . . . . . . . 61-13
Compacting databases . . . . . . . . . . . . . 61-13
Ways to compact databases . . . . . . . . . . 61-16
Database size quotas . . . . . . . . . . . . . . 61-23
Deleting inactive documents . . . . . . . . . 61-25
Using an agent to delete and archive
documents . . . . . . . . . . . .

61-27

Allowing more fields in a database

61-29

....
.....

62 Using Server.Load . . . . . . . . . . 62-1

.....................
Server.Load agents . . . . . . . . . . . . . . . .
Server.Load metrics . . . . . . . . . . . . . . .
Server.Load

62-1
62-4
62-7

Setting up clients and servers for


Server.Load . . . . . . . . .

. . . . . . . 62-12
Idle Workload script . . . . . . . . . . . . . . 62-14
R5 IMAP Workload test . . . . . . . . . . . . 62-15
R5 Simple Mail Routing test . . . . . . . . . 62-20
R5 Shared Database test . . . . . . . . . . . . 62-24
SMTP and POP3 Workload test . . . . . . . 62-26
Web Idle Workload test . . . . . . . . . . . . 62-30
Web Mail test . . . . . . . . . . . . . . . . . . 62-31
63 Troubleshooting . . . . . . . . . . . 63-1
Troubleshooting the Domino system . . . . . 63-1
Troubleshooting tools . . . . . . . . . . . . . . 63-2
Overview of server maintenance . . . . . . . 63-6
Server maintenance checklist . . . . . . . . . . 63-6
Backing up the Domino server . . . . . . . . . 63-7
Administration Process
Troubleshooting . .

............

Agent Manager and agents


Troubleshooting . . . . .

........
Database performance Troubleshooting .
Directories Troubleshooting . . . . . . .
Mail routing Troubleshooting . . . . . .
Meeting and resource scheduling
Troubleshooting . . . . . . . . .

63-8
63-12
63-16
63-21
63-36

....

63-45

.....
Platform statistics Troubleshooting . . .

63-48

Modems and remote connections


Troubleshooting . . . . . . . .

Network connections over NRPC


Troubleshooting . . . . . . . . .
Network dialup connections
Troubleshooting . . . . .

..
Passthru connections Troubleshooting .
Replication Troubleshooting . . . . . . .
Partitioned servers Troubleshooting

63-78
63-79
63-80

You see the message Database is not


fully initialized yet . . . . . .

. . . . 63-89
Server access Troubleshooting . . . . . . 63-91
Server crashes Troubleshooting . . . . . 63-96
Transaction logging Troubleshooting . 63-102
Web server, Web Navigator, and the Web
Administrator Troubleshooting

. 63-104
Server.Load Troubleshooting . . . . . . . 63-110
Appendix A Server Commands . . A-1
Appendix B Server Tasks . . . . . . . B-1
Appendix C NOTES.INI File . . . . . C-1
Appendix D System and
Application Templates . . . . . . . . . D-1
Appendix E Customizing the
Domino Directory . . . . . . . . . . . . . . E-1
Appendix F Administration
Process Requests . . . . . . . . . . . . . . F-1
Appendix G Novell Directory
Service for the IPX/SPX Network . . G-1
Appendix H Accessibility and
Keyboard Shortcuts in Domino
Administrator . . . . . . . . . . . . . . . . . H-1
Appendix I Server.Load
Command Language . . . . . . . . . . . . I-1
Appendix J Server.Load Scripts . . . J-1
Index . . . . . . . . . . . . . . . . . . . . . . Index-1

63-52

....

63-55

........

63-74

Contents xiii

Preface
The documentation for IBM Lotus Notes, IBM Lotus Domino, and IBM
Lotus Domino Designer is available online in Help databases and, with the
exception of the Notes client documentation, in print format.

License information
Any information or reference related to license terms in this document is
provided to you for your information. However, your use of Notes and
Domino, and any other IBM program referenced in this document, is solely
subject to the terms and conditions of the IBM International Program
License Agreement (IPLA) and related License Information (LI) document
accompanying each such program. You may not rely on this document
should there be any questions concerning your right to use Notes and
Domino. Please refer to the IPLA and LI for Notes and Domino that is
located in the file LICENSE.TXT.

System requirements
Information about the system requirements for Lotus Notes and Domino is
listed in the Release Notes.

Printed documentation and PDF files
The same documentation for Domino and Domino Designer that is available in online Help is also available in printed books and PDF files.
You can order printed books from the IBM Publications Center at
www.ibm.com/shop/publications/order.
You can download PDF files from the IBM Publications Center and from
the Documentation Library at the Lotus Developer Domain at
www-10.lotus.com/ldd.

Related information
In addition to the documentation that is available with the product, other
information about Notes and Domino is available on the Web sites listed
here.

IBM Redbooks are available at www.redbooks.ibm.com.

A technical journal, discussion forums, demos, and other information are available on the Lotus Developer Domain site at www-10.lotus.com/ldd.

Table of conventions
This table lists conventions used in the Notes and Domino documentation.

Convention                                        Description
italics                                           Variables and book titles are shown in italic type.
monospaced type                                   Code examples and console commands are shown in monospaced type.
file names                                        File names are shown in uppercase, for example NAMES.NSF.
hyphens in menu names (File - Database - Open)    Hyphens are used between menu names, to show the sequence of menus.

Structure of Notes and Domino documentation
This section describes the documentation for Notes, Domino, and Domino
Designer. The online Help databases are available with the software
products. Print documentation can be downloaded from the Web or
purchased separately.
Release Notes
The Release Notes describe new features and enhancements, platform
requirements, known issues, and documentation updates for Lotus Notes 6,
Lotus Domino 6, and Lotus Domino Designer 6. The Release Notes are
available online in the Release Notes database (README.NSF). You can
also download them as a PDF file.
Documentation for the Notes client
The Lotus Notes 6 Help database (HELP6_CLIENT.NSF) contains the
documentation for Notes users. This database describes user tasks such as
sending mail, using the Personal Address Book, using the Calendar and
Scheduling features, using the To Do list, and searching for information.
Documentation for Domino administration
The following table describes the books that comprise the Domino Administration documentation set. The information in these books is also found
online in the Lotus Domino Administrator 6 Help database
(HELP6_ADMIN.NSF).
The book Installing Domino Servers ships with Domino. The other books are
available for purchase, or for free download as PDF files.

Upgrade Guide
    Describes how to upgrade existing Domino servers and Notes clients to Notes and Domino 6. Also describes how to move users from other messaging and directory systems to Notes and Domino 6.

Installing Domino Servers
    Describes how to plan a Domino installation; how to configure Domino to work with network protocols such as Novell SPX, TCP/IP, and NetBIOS; how to install servers; and how to install and begin using Domino Administrator and the Web Administrator.

Administering the Domino System, Volumes 1 and 2
    Describes how to register and manage users and groups, and how to register and manage servers including managing directories, connections, mail, replication, security, calendars and scheduling, activity logging, databases, and system monitoring. This book also describes how to use Domino in a service provider environment, how to use Domino Off-Line Services, and how to use IBM Tivoli Analyzer for Lotus Domino.

Administering Domino Clusters
    Describes how to set up, manage, and troubleshoot Domino clusters.

Documentation for Domino Designer
The following table describes the books that comprise the Domino Designer
documentation set. The information in these books is also found online in
the Lotus Domino Designer 6 Help database (HELP6_DESIGNER.NSF)
with one exception: Domino Enterprise Connection Services (DECS) Installation
and User Guide is available online in a separate database, DECS User Guide
Template (DECSDOC6.NSF). The printed documentation set also includes
Domino Objects posters.
In addition to the books listed here, the Domino Designer Templates Guide is
available for download in NSF or PDF format. This guide presents an
in-depth look at three commonly used Designer templates: TeamRoom,
Discussion, and Documentation Library.
Application Development with Domino Designer
    Explains how to create all the design elements used in building Domino applications, how to share information with other applications, and how to customize and manage applications.

Domino Designer Programming Guide, Volume 1: Overview and Formula Language
    Introduces programming in Domino Designer and describes the formula language.

Domino Designer Programming Guide, Volumes 2A and 2B: LotusScript/COM/OLE Classes
    Describes the LotusScript/COM/OLE classes for access to databases and other Domino structures.

Domino Designer Programming Guide, Volume 3: Java/CORBA Classes
    Provides reference information on using the Java and CORBA classes to provide access to databases and other Domino structures.

Domino Designer Programming Guide, Volume 4: XML Domino DTD and JSP Tags
    Describes the XML and JSP interfaces for access to databases and other Domino structures.

LotusScript Language Guide
    Describes the LotusScript programming language.

Domino Enterprise Connection Services (DECS) Installation and User Guide
    Describes how to use Domino Enterprise Connection Services (DECS) to access enterprise data in real time.

Lotus Connectors and Connectivity Guide
    Describes how to configure Lotus Connectors for use with either DECS or IBM Lotus Enterprise Integrator for Domino (LEI). It also describes how to test connectivity between DECS or LEI and an external system, such as DB2, Oracle, or Sybase. Lastly, it describes usage and feature options for all of the base connection types that are supplied with LEI and DECS. This online documentation file name is LCCON6.NSF.

Lotus Connector LotusScript Extensions Guide
    Describes how to use the LC LSX to programmatically perform Lotus Connector-related tasks outside of, or in conjunction with, either LEI or DECS. This online documentation file name is LSXLC6.NSF.

IBM Lotus Enterprise Integrator for Domino (LEI) Installation Guide
    Describes installation, configuration, and migration information and instructions for LEI. The online documentation file names are LEIIG.NSF and LEIIG.PDF. This document is for LEI customers only and is supplied with LEI, not with Domino.

IBM Lotus Enterprise Integrator for Domino (LEI) Activities and User Guide
    Provides information and instructions for using LEI and its activities. The online documentation file names are LEIDOC.NSF and LEIDOC.PDF. This document is for LEI customers only and is supplied with LEI, not with Domino.

Installation

Chapter 1
Deploying Domino
This chapter outlines the steps required to deploy IBM Lotus
Domino 6 successfully and introduces important concepts that you
need to know before you install Domino servers.

Guidepost for deploying Domino
Whether you're setting up IBM Lotus Domino 6 and IBM Lotus Notes 6 for the first time or adding to an established Domino environment, planning is vital. Along with determining your company's needs, you need to plan how to integrate Domino into your existing network. After planning is complete, you can begin to install and set up Domino servers and the Domino Administrator and build the Domino environment. The following list describes, in order, the process to use to deploy Domino.
1. Determine your company's server needs. Decide where to locate each server physically, taking into consideration local and wide-area networks and the function of each server.
2. Develop a hierarchical name scheme that includes organization and organizational unit names.
3. Decide whether you need more than one Domino domain.
4. Understand how server name format affects network name-to-address resolution for servers. Ensure that the DNS records for your company are the correct type for the server names.
5. Determine which server services to enable.
6. Determine which certificate authority to use: a Domino server-based certification authority, a Domino 5 certificate authority, or a third-party certificate authority.
7. Install and set up the first Domino server.
8. Install and set up the Domino Administrator on the administrator's machine.
9. Complete network-related server setup.
10. If the Domino server is offering Internet services, set up Internet Site documents. There are some instances where Internet Site documents are required.
11. Specify Administration Preferences.
12. Create additional certifier IDs to support the hierarchical name scheme.
13. Set up recovery information for the certifier IDs.
14. Add the administrator's ID to the recovery information for the certifier IDs and then distribute the certifier IDs, as necessary, to other administrators.
15. Register additional servers.
16. If you did not choose to do so during first server setup, create a group in the Domino Directory for all administrators, and give this group Manager access to all databases on the first server.
17. Install and set up additional servers.
18. Complete network-related server setup for each additional server.
19. Build the Domino environment.

Functions of Domino servers
Before you install and set up the first Domino server, consider the function and physical location of the servers that your company needs and determine how to connect the servers to each other. The current configuration of local and wide-area networks affects many of these decisions.
Consider your company's need for:
• Servers that provide Notes and/or browser users with access to applications
• Hub servers that handle communication between servers that are geographically distant
• Web servers that provide browser users with access to Web applications
• Servers that manage messaging services
• Directory servers that provide users and servers with information about how to communicate with other users and servers
• Passthru servers that provide users and servers with access to a single server that provides access to other servers
• Domain Search servers that provide users with the ability to perform searches across all servers in a Domino domain
• Clustered servers that provide users with constant access to data and provide load-balancing and failover
• Partitioned servers that run multiple instances of the Domino server on a single computer
• Firewall servers that provide Notes users with access to internal Domino services and protect internal servers from outside users
• xSP servers that provide users with Internet access to a specific set of Domino applications
Your decisions help determine which types of Domino servers you require. When you install each server, you must select one of the following installation options:
• Domino Utility Server - Installs a Domino server that provides application services only, with support for Domino clusters. The Domino Utility Server is a new installation type for Lotus Domino 6 that removes client access license requirements. Note that it does NOT include support for messaging services. See the full licensing text for details.
• Domino Messaging Server - Installs a Domino server that provides messaging services. Note that it does NOT include support for application services or Domino clusters.
• Domino Enterprise Server - Installs a Domino server that provides both messaging and application services, with support for Domino clusters.
Note: All three types of installations support Domino partitioned servers. Only the Domino Enterprise Server supports a service provider (xSP) environment.

Hierarchical naming for servers and users
Hierarchical naming is the cornerstone of Domino security; therefore planning it is a critical task. Hierarchical names provide unique identifiers for servers and users in a company. When you register new servers and users, the hierarchical names drive their certification, or their level of access to the system, and control whether users and servers in different organizations and organizational units can communicate with one another.
Before you install Domino servers, create a diagram of your company and use the diagram to plan a meaningful name scheme. Then create certifier IDs to implement the name scheme and ensure a secure system.
A hierarchical name scheme uses a tree structure that reflects the actual structure of a company. At the top of the tree is the organization name, which is usually the company name. Below the organization name are organizational units, which you create to suit the structure of the company; you can organize the structure geographically, departmentally, or both.
For example, the Acme company created this diagram for their servers and users:
[Diagram: the Acme name tree. Organization: Acme. First-level organizational units: West and East. Second-level (departmental) organizational units: HR, Accounting, IS, Sales, Marketing, and Development.]
Looking at Acme's diagram, you can see where they located their servers in the tree. Acme decided to split the company geographically at the first level and create certifier IDs for the East and West organizational units. At the next level down, Acme made its division according to department.
For more information on certifier IDs, see the topic Certifier IDs and certificates in this chapter.
Components of a hierarchical name
A hierarchical name reflects a user's or server's place in the hierarchy and controls whether users and servers in different organizations and organizational units can communicate with one another. A hierarchical name may include these components:
• Common name (CN) - Corresponds to a user's name or a server's name. All names must include a common name component.
• Organizational unit (OU) - Identifies the location of the user or server in the organization. Domino allows for a maximum of four organizational units in a hierarchical name. Organizational units are optional.
• Organization (O) - Identifies the organization to which a user or server belongs. Every name must include an organization component.
• Country (C) - Identifies the country in which the organization exists. The country is optional.

An example of a hierarchical name that uses all of the components is:
Julia Herlihy/Sales/East/Acme/US
Typically a name is entered and displayed in this abbreviated format, but it is stored internally in canonical format, which contains the name and its associated components, as shown below:
CN=Julia Herlihy/OU=Sales/OU=East/O=Acme/C=US
Note: You can use hierarchical naming with wildcards as a way to isolate a group of servers that need to connect to a given Domino server in order to route mail.
For more information, see the chapter Setting Up Mail Routing.

Domino domains
A Domino domain is a group of Domino servers that share the same
Domino Directory. As the control and administration center for Domino
servers in a domain, the Domino Directory contains, among other
documents, a Server document for each server and a Person document
for each Notes user.
Planning for Domino domains
There are four basic scenarios for setting up Domino domains. The first
scenario, which many small- and medium-size companies use, involves
creating only one Domino domain and registering all servers and users in
one Domino Directory. This scenario is the most common and the easiest
to manage.
The second scenario is common when a large company has multiple
independent business units. In this case, one organization spread across
multiple domains may be the best scenario. Then all servers and users
are members of the same organization, and each business unit
administers its own Domino Directory.
For more information on administering multiple Domino directories, see
the chapter Planning Directory Services.
A third scenario is common when multiple companies work closely
together yet want to retain individual corporate identities. Then one
domain and multiple organizations may work best.
Finally, the fourth scenario involves maintaining multiple domains and
multiple organizations. This scenario often occurs when one company
acquires another.
Sometimes the decision to create multiple Domino domains is not based
on organizational structure at all. For example, you may want to create
multiple Domino domains if you have slow or unreliable network connections that prohibit frequent replication of a single, large directory.


Keep in mind that working with multiple domains requires additional
administrative work and requires you to set up a system for managing
them.
Domains can be used as a broad security measure. For example, you can
grant or deny a user access to servers and databases, based on the
domain in which the user is registered. Using an extended ACL is an
alternative to creating multiple domains, because you can use the
extended ACL to specify different levels of access to a single Domino
Directory, based on organization name hierarchy.
For more information on extended ACLs, see the chapter Setting Up
Extended ACLs.

Partitioned servers
Using Domino server partitioning, you can run multiple instances of the
Domino server on a single computer. By doing so, you reduce hardware
expenses and minimize the number of computers to administer because,
instead of purchasing multiple small computers to run Domino servers
that might not take advantage of the resources available to them, you can
purchase a single, more powerful computer and run multiple instances
of the Domino server on that single machine.
On a Domino partitioned server, all partitions share the same Domino
program directory, and thus share one set of Domino executable files.
However, each partition has its own Domino data directory and
NOTES.INI file; thus each has its own copy of the Domino Directory and
other administrative databases.
If one partition shuts down, the others continue to run. If a partition
encounters a fatal error, Domino's fault recovery feature restarts only
that partition, not the entire computer.
For information on setting up fault recovery, see the chapter
Transaction Logging and Recovery.
Partitioned servers can provide the scalability you need while also
providing security. As your system grows, you can migrate users from a
partition to a separate server. A partitioned server can also be a member
of a cluster if you require high availability of databases. Security for a
partitioned server is the same as for a single server.
When you set up a partitioned server, you must run the same version of
Domino on each partition. However, if the server runs on UNIX, there
is an alternative means to run multiple instances of Domino on the
server: on UNIX, you can run different versions of Domino on a single
computer, each version with its own program directory. You can even run multiple instances of each version by installing it as a Domino partitioned server.
For more information on installing Domino on UNIX, see the chapter Installing and Setting Up Domino Servers.
Deciding whether to use partitioned servers
Whether or not to use partitioned servers depends, in part, on how you set up Domino domains. A partitioned server is most useful when the partitions are in different Domino domains. For example, using a partitioned server, you can dedicate different Domino domains to different customers or set up multiple Web sites. A partitioned server with partitions all in the same Domino domain often uses more computer resources and disk space than a single server that runs multiple services.
When making the decision to use partitioned servers, remember that it is easier to administer a single server than it is to administer multiple partitions. However, if your goal is to isolate certain server functions on the network (for example, to isolate the messaging hub from the replication hub, or to isolate work groups for resource and activity logging), you might be willing to take on the additional administrative work. In addition, running a partitioned server on a multiprocessor computer may improve performance, even when the partitions are in the same domain, because the computer simultaneously runs certain processes.
To give Notes users access to a Domino server where they can create and run Domino applications, use a partitioned server. However, to provide customers with Internet access to a specific set of Domino applications, set up an xSP server environment.
For more information about using Domino in an xSP environment, see the chapter Planning the Service Provider Environment.
Deciding how many partitions to have
How many partitions you can install without noticeably diminishing performance depends on the power of the computer and the operating system the computer uses. For optimal performance, partition multiprocessor computers that have at least one, and preferably two, processors for each partition that you install on the computer.

Certifier IDs and certificates
Certifier IDs and certificates form the basis of Domino security. To place servers and users correctly within your organization's hierarchical name scheme, you create a certifier ID for each branch on the name tree. You use the certifiers during server and user registration to stamp each server ID and user ID with a certificate that defines where each belongs in the organization. Servers and users who belong to the same name tree can communicate with each other; servers and users who belong to different name trees need a cross-certificate to communicate with each other.
Note: You can register servers and users without stamping each server ID and user ID if you have migrated the certifier to a Domino server-based certification authority (CA).
For more information about server-based CAs, see the chapter Setting Up a Domino Server-based Certification Authority.
Each time you create a certifier ID, Domino creates a certifier ID file and
a Certifier document. The ID file contains the ID that you use to register
servers and users. The Certifier document serves as a record of the
certifier ID and stores, among other things, its hierarchical name, the
name of the certifier ID that issued it, and the names of certificates
associated with it.
There are two types of certifier IDs: organization and organizational unit.
Organization certifier ID
The organization certifier appears at the top of the name tree and is usually the name of the company, for example, Acme. During first server setup, the Server Setup program creates the organization certifier and stores the organization certifier ID file in the Domino data directory, giving it the name CERT.ID. During first server setup, this organization certifier ID automatically certifies the first Domino server ID and the administrator's user ID.
If your company is large and decentralized, you might want to use the Domino Administrator after server setup to create a second organization certifier ID to allow for further name differentiation, for example, to differentiate between company subsidiaries.
For more information on working with multiple organizations, see the
topic Domino domains earlier in this chapter.
Organizational unit certifier IDs
The organizational unit certifiers are at all the branches of the tree and usually represent geographical or departmental names, for example, East/Acme or Sales/East/Acme. If you choose to, you can create a first-level organizational unit certifier ID during server setup, with the result that the server ID and administrator's user ID are stamped with the organizational unit certifier rather than with the organization certifier. If you choose not to create this organizational unit certifier during server setup, you can always use the Domino Administrator to do it later; just remember to recertify the server ID and administrator's user ID.
For information on recertifying user IDs, see the chapter Setting Up and
Managing Notes Users. For information on recertifying server IDs, see
the chapter Maintaining Domino Servers.
You can create up to four levels of organizational unit certifiers. To create
first-level organizational unit certifier IDs, you use the organization
certifier ID. To create second-level organizational unit certifier IDs, you
use the first-level organizational unit certifier IDs, and so on.
Using organizational unit certifier IDs, you can decentralize certification
by distributing individual certifier IDs to administrators who manage
users and servers in specific branches of the company. For example, the
Acme company has two administrators. One administers servers and
users in West/Acme and has access to only the West/Acme certifier ID,
and the other administers servers and users in East/Acme and has access
to only the East/Acme certifier ID.
Certifier security
By default, the Server Setup program stores the certifier ID file in the
directory you specify as the Domino data directory. When you use the
Domino Administrator to create an additional organization certifier ID or
organizational unit certifier ID, you specify where you want the ID
stored. To ensure security, store certifiers in a secure location such as a
disk locked in a secure area.
User ID recovery
To provide ID and password recovery for Notes users, you need to set
up recovery information for each certifier ID. Before you can recover user
ID files, you need access to the certifier ID file to specify the recovery
information, and the user ID files themselves must be made recoverable.
There are three ways to do this:

At user registration, create the ID file with a certifier ID that contains


recovery information.

Export recovery information from the certifier ID file and have the
user accept it.

(Only for servers using the server-based certification authority) Add


recovery information to the certifier. Then, when existing users
authenticate to their home server, their IDs are automatically
updated.

For more information, see the chapter Protecting and Managing Notes
IDs.
Deploying Domino 1-9

Installation

during server setup, you can always use the Domino Administrator to do
it later just remember to recertify the server ID and administrators
user ID.

Example of how certifier IDs mirror the hierarchical name scheme
To implement their hierarchical name scheme, the Acme company created a certifier ID at each branch of the hierarchical name tree:
[Figure: the Acme certifier ID tree. Key: Certifier ID Names. Acme at the root; East/Acme and West/Acme beneath it; Sales/East/Acme, Marketing/East/Acme, and Development/East/Acme beneath East/Acme; HR/West/Acme, Accounting/West/Acme, and IS/West/Acme beneath West/Acme.]

To register each server and user, Acme does the following:
- Creates /Acme as the organization certifier ID during first server setup.
- Uses the /Acme certifier ID to create the /East/Acme and /West/Acme certifier IDs.
- Uses the /East/Acme certifier ID to register servers and users in the East coast offices and uses the /West/Acme certifier ID to register servers and users in the West coast offices.
- Uses the /East/Acme certifier ID to create the /Sales/East/Acme, /Marketing/East/Acme, and /Development/East/Acme certifier IDs.
- Uses the /West/Acme certifier ID to create the /HR/West/Acme, /Accounting/West/Acme, and /IS/West/Acme certifier IDs.
- Uses the /Sales/East/Acme, /Marketing/East/Acme, and /Development/East/Acme certifier IDs to register users and servers in the East coast division.
- Uses the /HR/West/Acme, /Accounting/West/Acme, and /IS/West/Acme certifier IDs to register users and servers in the West coast division.
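The decentralized certification described above (each administrator holds only the certifier for one branch, at most four organizational unit levels) can be checked mechanically. The following is an added example, not code from the Domino documentation; the Acme names are the ones used in the text, and the helper names are the example's own.

```python
"""Added example (not from the Domino documentation): model the Acme
certifier hierarchy and check which certifier may certify a given name.

A certifier ID may only certify names directly beneath it in the tree,
and the manual allows at most four organizational-unit levels below the
organization. All names below are the Acme example names from the text."""
from typing import Dict, List, Optional

MAX_OU_LEVELS = 4   # stated limit: up to four levels of organizational unit certifiers


def split_name(name: str) -> List[str]:
    """'/Sales/East/Acme' -> ['Sales', 'East', 'Acme'] (leaf first, organization last)."""
    parts = [p for p in name.strip().split("/") if p]
    if not parts:
        raise ValueError("empty name")
    return parts


def canonical(name: str) -> str:
    """Normalize to a leading-slash form so 'East/Acme' and '/East/Acme' compare equal."""
    return "/" + "/".join(split_name(name))


def ou_levels(certifier: str) -> int:
    """Number of organizational-unit levels in a certifier name (0 = organization)."""
    return len(split_name(certifier)) - 1


def parent_certifier(name: str) -> Optional[str]:
    """The certifier that must have issued this name, or None for the organization itself."""
    parts = split_name(name)
    if len(parts) == 1:
        return None
    return "/" + "/".join(parts[1:])


def may_certify(certifier: str, target: str) -> bool:
    """True if `certifier` sits exactly one level above `target`.

    This is the least-privilege rule from the text: the West/Acme administrator's
    certifier cannot register anyone under /East/Acme, and a certifier cannot
    skip a level (e.g. /Acme cannot directly issue /Sales/East/Acme; that is
    /East/Acme's job)."""
    return parent_certifier(target) == canonical(certifier)


def check_new_ou_certifier(parent: str, child: str) -> str:
    """Validate creating the `child` OU certifier from `parent`; 'ok' or the reason."""
    if not may_certify(parent, child):
        return "wrong parent"
    if ou_levels(child) > MAX_OU_LEVELS:
        return "too many OU levels"
    return "ok"


# Constructed walk-through of the Acme hierarchy from the text
ACME_TREE: Dict[str, List[str]] = {
    "/Acme": ["/East/Acme", "/West/Acme"],
    "/East/Acme": ["/Sales/East/Acme", "/Marketing/East/Acme", "/Development/East/Acme"],
    "/West/Acme": ["/HR/West/Acme", "/Accounting/West/Acme", "/IS/West/Acme"],
}


def verify_tree(tree: Dict[str, List[str]]) -> List[str]:
    """Return the child certifiers that their listed parent could not validly have created."""
    return [child for parent, children in tree.items() for child in children
            if check_new_ou_certifier(parent, child) != "ok"]


if __name__ == "__main__":
    print(verify_tree(ACME_TREE))                                        # []
    print(may_certify("/West/Acme", "Jane Doe/East/Acme"))               # False
    print(may_certify("/Sales/East/Acme", "Jane Doe/Sales/East/Acme"))   # True
```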

For more information on hierarchical name schemes, see the topic Hierarchical naming for users and servers earlier in this chapter.

Domino server services

Before you start the Server Setup program, decide which services and tasks to set up on the server. If you don't select the services during the setup program, you can later enable them by editing the ServerTasks setting in the NOTES.INI file or by starting the server task from the server console.
Internet services
The Domino Server Setup program presents these selections for Internet services:
- Web Browsers (HTTP Web services)
- Internet Mail Clients (SMTP, POP3, and IMAP mail services)
- Directory services (LDAP)
Advanced Domino services
These Domino services, which are necessary for the proper operation of the Domino infrastructure, are enabled by default when you set up a Domino server:
- Database Replicator
- Mail Router
- Agent Manager
- Administration Process
- Calendar Connector
- Schedule Manager
- DOLS (Domino Off-Line Services)
These are optional advanced Domino server services that you can enable:
- DIIOP CORBA Services
- DECS (Domino Enterprise Connection Services)
- Billing
- HTTP Server
- IMAP Server
- ISpy
- LDAP Server
- POP3 Server
- Remote Debug Server
- SMTP Server
- Stats
- Statistic Collector
- Web Retriever
Note It is best to use activity logging instead of the billing service. For more information on activity logging, see the chapter Planning the Service Provider Environment.
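Since optional services are enabled through the ServerTasks setting in NOTES.INI, an administrator can audit that line against the lists above before the server goes live. This is an added example, not code from the Domino documentation; the NOTES.INI fragment is constructed, and the mapping from ServerTasks tokens to the service names the manual uses is an assumption that covers only part of the list.

```python
"""Added example (not from the Domino documentation): audit the ServerTasks=
line of a NOTES.INI file against the default and optional service lists above,
so that optional services nobody approved (e.g. Billing) are noticed.

The NOTES.INI text is constructed. The task-token mapping is assumed and
partial: the manual names the services but not their NOTES.INI tokens, and
services that do not run as their own task are left out."""
from typing import Dict, List, Set

# Assumed mapping: ServerTasks token (upper-cased) -> service name in the manual
DEFAULT_SERVICES: Dict[str, str] = {
    "REPLICA": "Database Replicator", "ROUTER": "Mail Router",
    "AMGR": "Agent Manager", "ADMINP": "Administration Process",
    "CALCONN": "Calendar Connector", "SCHED": "Schedule Manager",
}
OPTIONAL_SERVICES: Dict[str, str] = {
    "DIIOP": "DIIOP CORBA Services", "BILLING": "Billing", "HTTP": "HTTP Server",
    "IMAP": "IMAP Server", "LDAP": "LDAP Server", "POP3": "POP3 Server",
    "SMTP": "SMTP Server", "STATS": "Stats", "COLLECT": "Statistic Collector",
    "WEB": "Web Retriever",
}


def parse_server_tasks(notes_ini: str) -> List[str]:
    """Return the task tokens from the ServerTasks= line, upper-cased, in order.
    ServerTasksAtN= lines (hourly scheduled tasks) are deliberately skipped."""
    for raw in notes_ini.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip().upper() == "SERVERTASKS":
            return [t.strip().upper() for t in value.split(",") if t.strip()]
    return []


def audit_server_tasks(notes_ini: str, approved_optional: Set[str]) -> Dict[str, List[str]]:
    """Classify the enabled tasks into: default, approved optional, unapproved
    optional, unknown (not in the mapping), plus any default service missing."""
    approved = {t.upper() for t in approved_optional}
    report: Dict[str, List[str]] = {"default": [], "approved": [], "unapproved": [],
                                    "unknown": [], "missing_default": []}
    enabled = parse_server_tasks(notes_ini)
    for task in enabled:
        if task in DEFAULT_SERVICES:
            report["default"].append(DEFAULT_SERVICES[task])
        elif task in OPTIONAL_SERVICES:
            bucket = "approved" if task in approved else "unapproved"
            report[bucket].append(OPTIONAL_SERVICES[task])
        else:
            report["unknown"].append(task)
    report["missing_default"] = [name for tok, name in DEFAULT_SERVICES.items()
                                 if tok not in enabled]
    return report


# Constructed NOTES.INI fragment (not from any real server)
SAMPLE_NOTES_INI = """\
; constructed fragment of a NOTES.INI
ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched,HTTP,LDAP,Billing
ServerTasksAt2=UpdAll,Compact
"""

if __name__ == "__main__":
    for bucket, names in audit_server_tasks(SAMPLE_NOTES_INI, {"HTTP", "LDAP"}).items():
        print(f"{bucket}: {names}")
```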

Table of Domino naming requirements

Consider these guidelines when naming parts of the Domino system.

Domino domain
  Characters: 31 maximum
  Tips: This is usually the same as the organization name. Use a single word, made up of only alpha (A-Z) or numeric (0-9) characters.

Notes named network
  Characters: 31 maximum
  Tips: By default, the Server Setup program assigns names in the format port name network, for example, TCP/IP network. Edit Notes named network names to use an identifier such as the location of the Notes named network and the network protocol, for example, TCPIP-Boston.

Organization
  Characters: 3-64 maximum*
  Tips: This name is typically the same as the Domino domain name. The organization name is the name of the certifier ID and is appended to all user and server names.

Organizational unit
  Characters: 32 maximum*
  Tips: There can be up to four levels of organizational units.

Server
  Characters: 79 maximum
  Tips: Choose a name you want to keep. If you change a server name, you must recertify the server ID. Choose a name that meets your network's requirements for unique naming. On TCP/IP, use only the characters 0 through 9, A through Z, and - (dash), and do not use spaces or underscores. On NetBIOS, the first 15 characters must be unique. On SPX, the first 47 characters must be unique. Keep in mind that Domino performs replication and mail routing on servers named with numbers before it does those tasks on servers named with alphabetic characters.

User
  Characters: 79 maximum*
  Tips: Use a first and last name. A middle name is allowed, but usually not needed.

Alternate user
  Characters: No minimum
  Tips: Can have only one alternate name.

Group
  Characters: 62 maximum
  Tips: Use any of these characters: A-Z, 0-9, & (ampersand), - (dash), . (period), space, _ (underscore), ' (apostrophe), and / (forward slash). For mail routing, you can nest up to five levels of groups. For all other purposes, you can nest up to six levels of groups.

Port
  Characters: No maximum
  Tips: Do not include spaces.

Country code
  Characters: 0 or 2
  Tips: Optional.

* This name may include alpha characters (A-Z), numbers (0-9), and the ampersand (&), dash (-), period (.), space ( ), and underscore (_).
For more information on network name requirements and the effect that server name format has on network name-to-address resolution, see the chapter Setting Up the Domino Network.
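The naming limits in the table are easy to check before registration, including the NetBIOS and SPX prefix-uniqueness rules for server names. The following is an added example, not code from the Domino documentation; the rules are the table's, and the names checked are constructed.

```python
"""Added example (not from the Domino documentation): check proposed names
against the limits in the naming-requirements table above, and find server
names that collide on the NetBIOS (15) or SPX (47) prefix.

The rules are the table's; the names checked are constructed."""
import re
from typing import Dict, List, Tuple

# Footnote (*) character set: A-Z, 0-9, ampersand, dash, period, space, underscore
FOOTNOTE_RE = re.compile(r"[A-Za-z0-9&\-. _]+")
# Group names additionally allow the apostrophe and forward slash
GROUP_RE = re.compile(r"[A-Za-z0-9&\-. _'/]+")
FOOTNOTE_ERR = "characters outside A-Z 0-9 & - . space _"


def _length(name: str, maximum: int, minimum: int = 1) -> List[str]:
    if len(name) < minimum or len(name) > maximum:
        return [f"length must be {minimum}-{maximum} characters (got {len(name)})"]
    return []


def check_domino_domain(name: str) -> List[str]:
    errs = _length(name, 31)
    if not re.fullmatch(r"[A-Za-z0-9]+", name):
        errs.append("use a single word of only A-Z or 0-9")
    return errs


def check_organization(name: str) -> List[str]:
    errs = _length(name, 64, minimum=3)
    if not FOOTNOTE_RE.fullmatch(name):
        errs.append(FOOTNOTE_ERR)
    return errs


def check_org_unit(name: str) -> List[str]:
    errs = _length(name, 32)
    if not FOOTNOTE_RE.fullmatch(name):
        errs.append(FOOTNOTE_ERR)
    return errs


def check_server_tcpip(name: str) -> List[str]:
    """Server name as used on TCP/IP: 0-9, A-Z and dash only; no spaces or underscores."""
    errs = _length(name, 79)
    if not re.fullmatch(r"[A-Za-z0-9-]+", name):
        errs.append("on TCP/IP use only 0-9, A-Z and dash; no spaces or underscores")
    return errs


def check_user(name: str) -> List[str]:
    errs = _length(name, 79)
    if not FOOTNOTE_RE.fullmatch(name):
        errs.append(FOOTNOTE_ERR)
    if len(name.split()) < 2:
        errs.append("use a first and last name")
    return errs


def check_group(name: str) -> List[str]:
    errs = _length(name, 62)
    if not GROUP_RE.fullmatch(name):
        errs.append("characters outside A-Z 0-9 & - . space _ ' /")
    return errs


def check_port(name: str) -> List[str]:
    return ["do not include spaces"] if " " in name else []


def check_country_code(code: str) -> List[str]:
    return [] if len(code) in (0, 2) else ["country code must be empty or 2 characters"]


def prefix_collisions(server_names: List[str], prefix_len: int) -> List[Tuple[str, str]]:
    """Pairs of server names whose first `prefix_len` characters match.
    Comparison is case-insensitive (an assumption); NetBIOS = 15, SPX = 47 per the table."""
    seen: Dict[str, str] = {}
    collisions: List[Tuple[str, str]] = []
    for name in server_names:
        key = name[:prefix_len].upper()
        if key in seen:
            collisions.append((seen[key], name))
        else:
            seen[key] = name
    return collisions


if __name__ == "__main__":
    print(check_server_tcpip("Mail_01"))   # flags the underscore
    print(prefix_collisions(["MailServerBoston01", "MailServerBoston02"], 15))
```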

Building the Domino environment


After installing the first Domino server and any additional servers, you
configure the servers and build the environment.
This overview lists the features that you may want to include in your
Domino environment.
1. Create Connection documents for server communication.
2. If you have mobile users, set up modems, dialup support, and RAS.
3. Set up mail routing.
4. Establish a replication schedule.
5. Configure incoming and outgoing Internet mail (SMTP).
6. Customize the Administration Process for your organization.
7. Plan and create policies before you register users and groups.
8. Register users and groups.
9. Determine backup and maintenance plans and consider transaction
logging.
10. Consider remote server administration from the Domino console or
Web Administrator console. Also consider the use of an extended
administration server.
11. Set up a mobile directory catalog on Notes clients to give Notes users
local access to a corporate-wide directory.
12. Consider implementing clustering on servers.
For information about clustering, see the book Administering Domino
Clusters.


Chapter 2
Setting Up the Domino Network
This chapter describes planning concepts and presents protocol-specific
procedures required to run Domino on a network. The chapter describes
using network protocols from a Domino perspective and does not
provide general network information.

Lotus Domino and networks


A variety of client systems can use wireless technology or modems to
communicate with Domino servers over local area networks (LANs),
wide area networks (WANs), and metropolitan area networks (MANs).
To govern how computers share information over a network, they use one or more protocols, which are sets of rules. For example, Notes workstations and Domino servers use the Notes remote procedure call (NRPC) protocol running over the LAN's network protocol to communicate with other Domino servers. Other client systems, such as Web browsers, Internet mail clients, wireless application protocol (WAP) devices, and personal information management (PIM) devices, can also communicate with Domino servers.
Isolated LANs can be connected by WANs. A WAN is either a continuous connection (such as a frame relay, leased telephone line, or digital subscriber line (DSL)) or a dialup connection over a modem or Integrated Services Digital Network (ISDN) line. Dialup connections are either to an individual server or to a LAN (through a provider network or your company's own communications server).
Buildings or sites that are geographically close to each other can use a
MAN, which is a continuous, high-speed connection that can connect
corporate LANs or connect a LAN to the WAN. Like a WAN, a MAN is
usually shared by multiple organizations.
Wireless technology that works with Domino ranges from localized
transmission systems (802.11a or 802.11b) to national or international
satellite transmission systems that are geostationary, mid-orbit, or
tracked orbit.

If you are planning a network for geographically dispersed locations, consider how to achieve a cost-effective infrastructure. Placing servers in
one location requires that users in other locations access the Domino
server across WAN connections, which can be slow and expensive.
Placing servers in every location and replicating databases to make the
same information available on several LANs requires attention to
administration at each location. One effective way to set up a network is
to use a hub server at each location to handle communication with hub
servers in other locations. Then, only the hub servers, not every server in
the network, use WAN connections.
The functionality of Notes workstations and Domino servers depends on
the effectiveness and capacity of networks. To plan a Domino network
with sufficient capacity, you must consider not only the traffic to and
from Domino servers but also any other traffic on the network.

NRPC communication
Domino servers offer many different services. The foundation for
communication between Notes workstations and Domino servers or
between two Domino servers is the Notes remote procedure call (NRPC)
service.
Network protocols for NRPC communication
To communicate, two computers must run the same network protocol
and software driver. For dialup connections, Lotus Domino uses its own
X.PC protocol natively; Notes and Domino also support PPP using either
Microsoft Dialup Networking (DUN) or Remote Access Service (RAS) for
network dialup. In addition, you can use any IETF-compliant PPP communications server to dial into the network on which the Domino server resides or through which the server can be accessed.
For more information on dialup connections, see the chapter Setting Up
Server-to-Server Connections.
On LANs, Lotus Domino is compatible with the TCP/IP and IPX/SPX
protocol suites, as well as NetBIOS over the lower transports IP, IPX, and
NetBEUI. For NetBIOS connections to work, both Notes workstations
and Domino servers must use the same lower transport.
For detailed information on which protocols are compatible with Lotus
Domino for each supported operating system, see the Release Notes.
Notes network ports
During the Server Setup program, Domino provides a list of Notes network ports based on the current operating system configuration. If these ports are not the ones you want to enable for use with the Domino server, you can edit the list during setup. Because each network protocol consumes memory and processing resources, you might want to exclude one or more ports and later remove the associated protocol software from the system.
In TCP/IP and NetBIOS, you can install multiple network interface cards (NICs) and enable additional Notes network ports for each protocol, using the NOTES.INI file to bind each port to a separate IP address or NetBIOS LANA number.
For more information, see the topic Adding a network port on a server later in this chapter.
Notes named networks
Consider Notes named networks in your planning. A Notes named network (NNN) is a group of servers that can connect to each other directly through a common LAN protocol and network pathway, for example, servers running on TCP/IP in one location. Servers on the same NNN route mail to each other automatically, whereas you need a Connection document to route mail between servers on different NNNs.
When you set up Server documents, be sure to assign each server to the correct NNN. Lotus Domino expects a continuous connection between servers that are in the same NNN, and serious delays in routing can occur if a server must dial up a remote LAN because the remote server is inadvertently placed within the NNN. Also bear in mind that the Notes Network field for each port can contain only one NNN name, and no two NNN names can be the same.
NNNs affect Notes users when they use the Open Database dialog box. When a user selects Other to display a list of servers, the servers displayed are those on the NNN of the user's home server for the port on which the Notes workstation communicates with the home server. Also, when users click on a database link or document link, if a server in their home server's NNN has a replica of that database, they can connect to the replica.
Note If a server is assigned to two NNNs in the same protocol, as in the case where the server has two Notes network ports for TCP/IP, a Notes workstation or Domino server connecting to that server uses the NNN for the port listed first in the Server document.

Resolving server names to network addresses in NRPC


Communications between Lotus Notes and Lotus Domino run over the NRPC protocol on top of each supported LAN protocol. When a Notes workstation or Domino server attempts to connect to a Domino server over a LAN, it uses a combination of the built-in Notes Name Service and the network protocol's name-resolver service to convert the name of the Domino server to a physical address on the network.
The Notes Name Service resolves Domino common names to their respective protocol-specific names. Because the Notes Name Service resolves common names by making calls to the Domino Directory, the service becomes available to the Notes workstation only after the workstation has successfully connected to its home (messaging) server for the first time. (The protocol name-resolver service normally makes the first connection possible.) When the Notes workstation makes a subsequent attempt to connect to a Domino server, the Notes Name Service supplies it with the Domino server's protocol-specific name, that is, the name that the server is known by in the protocol's name service, which is stored in the protocol's Net Address field in the Server document. The protocol's name-resolver service then resolves the protocol-specific name to its protocol-specific address, and the workstation is able to connect to the server.
Note When resolving names of Domino servers that offer Internet services, Lotus Notes uses the protocol's name-resolver service directly.
How name resolution works in NRPC
A Notes workstation or Domino server follows these steps to resolve the name of the Domino server to which it is trying to connect over NRPC.
Note If the Net Address field in the Server document contains a physical address (a practice that is not recommended in a production environment), the Notes Name Service performs the resolve directly, thus placing the burden of maintaining physical address changes on the Domino administrator.
1. If the workstation/server has a Connection document for the destination server that contains the protocol-specific name, the workstation/server passes the protocol-specific name to the protocol's name-resolver service. If the Connection document contains a physical address, the Notes Name Service performs the resolve directly. Normal-priority Connection documents are checked first, and then low-priority Connection documents.
Note Unlike in Server documents, adding physical addresses in Connection documents is not discouraged, since only the local workstation/server uses the Connection document.
2. To determine if the destination server's protocol-specific name is cached, the workstation checks the Location document and the server checks its own Server document. If the name is cached, the workstation/server uses the last-used Notes network port to determine the protocol and passes this value to the protocol's name-resolver service.
3. If the protocol-specific name is not cached, one of the following occurs, based on the list order of enabled Notes network ports:
   - For a Notes workstation connected to the home (messaging) server, Notes gives the common name of the destination Domino server to the home server, which looks in the Domino Directory for the Server document of the destination server. The home server locates the contents of the Net Address field for the Notes named network that the Notes workstation has in common with the destination server and passes this name to the protocol's name-resolver service. If the workstation and the destination server are in the same Domino domain but not in the same Notes named network, the home server locates the names of each protocol that the workstation has in common with the destination server and passes each to the appropriate protocol until a resolve is made. If the Notes workstation can't access its home server, it connects to its secondary Notes name server, which carries out the same actions as the home server.
   - For a Domino server, Domino checks the Server document for the destination server, locates the contents of the Net Address field for the Notes named network that the Domino server has in common with the destination server, and passes this name to the protocol's name-resolver service. If the destination server is in the same Domino domain as the Domino server, but not in the same Notes named network, the Domino server locates the protocol name of each protocol that it has in common with the destination server and passes each to the appropriate protocol until a resolve is made.
4. If Steps 1 through 3 do not produce the server's network address, the workstation/server offers the Domino common name of the destination server to the name-resolver service of each protocol, based on the order of the enabled network ports in the Server document.
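The four-step order above determines which source answers for a given server name, which matters when a stale Connection document or cache entry quietly overrides the Domino Directory. The following is an added example, not code from the Domino documentation: a small model of the lookup order that reports the step that produced each address. Every document, name, NNN and address in it is constructed sample data, and only one protocol (TCP/IP with a DNS stand-in) is modelled.

```python
"""Added example (not from the Domino documentation): a model of the NRPC
name-resolution order in steps 1 through 4 above, returning both the
address and the step that produced it.

The Connection documents, the protocol-name cache, the Server documents and
the stand-in for the protocol's name-resolver service (DNS here) are all
constructed sample data; server names, NNN names and addresses are invented."""
from typing import Dict, List, Optional, Tuple

# Constructed Domino Directory: Server document -> {NNN: Net Address field}
SERVER_DOCS: Dict[str, Dict[str, str]] = {
    "Mail01/Acme": {"TCPIP-Boston": "mail01.acme.example"},
    "App01/Acme": {"TCPIP-Boston": "app01.acme.example",
                   "TCPIP-Denver": "app01-den.acme.example"},
    "Hub01/Acme": {"TCPIP-Denver": "hub01.acme.example"},
    "Legacy01/Acme": {},
}
# Constructed stand-in for the protocol's name-resolver service
DNS: Dict[str, str] = {
    "mail01.acme.example": "192.0.2.10",
    "app01.acme.example": "192.0.2.20",
    "app01-den.acme.example": "198.51.100.20",
    "hub01.acme.example": "198.51.100.30",
    "legacy01": "192.0.2.99",      # resolvable only by its bare common name
}
# Constructed local Connection documents: (destination, priority, value)
CONNECTION_DOCS: List[Tuple[str, str, str]] = [
    ("Hub01/Acme", "low", "hub01.acme.example"),
    ("Hub01/Acme", "normal", "198.51.100.30"),
]
# Constructed cache of protocol-specific names (Location document on a workstation)
NAME_CACHE: Dict[str, str] = {"Mail01/Acme": "mail01.acme.example"}
# NNNs of this workstation's enabled ports, in port-list order
LOCAL_NNNS: List[str] = ["TCPIP-Boston"]


def is_physical_address(value: str) -> bool:
    """Dotted-quad IPv4 literal (the 'physical address' case in step 1)."""
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def resolve_name(dest: str,
                 connection_docs: List[Tuple[str, str, str]] = CONNECTION_DOCS,
                 cache: Dict[str, str] = NAME_CACHE,
                 enabled_nnns: List[str] = LOCAL_NNNS,
                 directory: Dict[str, Dict[str, str]] = SERVER_DOCS,
                 resolver: Dict[str, str] = DNS) -> Tuple[Optional[str], str]:
    # Step 1: Connection documents, normal priority before low priority
    for priority in ("normal", "low"):
        for target, prio, value in connection_docs:
            if target != dest or prio != priority:
                continue
            if is_physical_address(value):      # Notes Name Service resolves directly
                return value, "step1-connection-physical"
            if value in resolver:               # protocol-specific name -> resolver
                return resolver[value], "step1-connection-name"
    # Step 2: cached protocol-specific name, handed to the resolver
    cached = cache.get(dest)
    if cached in resolver:
        return resolver[cached], "step2-cache"
    # Step 3: Server document, Net Address for an NNN in common first,
    # then any other Net Address of the same-domain server
    doc = directory.get(dest, {})
    for nnn in enabled_nnns:
        if doc.get(nnn) in resolver:
            return resolver[doc[nnn]], "step3-common-nnn"
    for net_address in doc.values():
        if net_address in resolver:
            return resolver[net_address], "step3-other-nnn"
    # Step 4: hand the Domino common name itself to the protocol resolver
    common_name = dest.split("/")[0].lower()
    if common_name in resolver:
        return resolver[common_name], "step4-common-name"
    return None, "unresolved"


if __name__ == "__main__":
    for server in ("Hub01/Acme", "Mail01/Acme", "App01/Acme", "Legacy01/Acme", "Ghost01/Acme"):
        print(server, "->", resolve_name(server))
```

Run against the sample data, Hub01/Acme is answered by the normal-priority Connection document's physical address even though the Domino Directory also knows it, which is the override a stale Connection document can cause.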

Network security
Physical network security is beyond the scope of this book, but you must set it up before you set up connection security. Physical network security prevents unauthorized users from breaking through the network and using one of the operating system's native services (for example, file sharing) to access the server. Physical network security also comes into play when any data is exposed, as the potential exists for malicious or unauthorized users to eavesdrop both on the network where the Domino system resides and on the system you are using to set up the server.
Network access is typically controlled using network hardware such
as filtering routers, firewalls, and proxy servers. Be sure to enable rules
and connection pathways for the services that you and others will access.
Newer firewall systems offer virtual-private-network (VPN) services,
which encapsulate the TCP/IP packet into another IP wrapper where the
inner TCP/IP packet and its data are encrypted. This is a popular way to
create virtual tunnels through the Internet between remote sites. If you
want to have the Domino server access both a private VPN and the
Internet for SMTP mail, make sure your solution is able to handle full
TCP data packets and that it allows dual connections. If not, the Domino
server system may require a second NIC to work around limitations of
the VPN solution.
For more information, see the chapter Controlling Access to Domino
Servers.

NRPC and Internet connection security

To control connection access, you typically use a network hardware configuration, such as a firewall, reverse proxy, or Domino passthru server, to which you can authorize connections and define access to network resources.
In addition, you can encrypt all connections by service type. Encrypting connections protects data from access by malicious or unauthorized users. To prevent data from being compromised, encrypt all Domino and Notes services that connect to public networks or to networks over which you have no direct control. Encrypting the connection channel prevents unauthorized users from using a network protocol analyzer to read data.
To encrypt NRPC network traffic, use the Notes port encryption feature. For traffic over Internet protocols, use SSL. For both NRPC and Internet protocols, you can enforce encryption at the server for all inbound and outbound connections. In the case of the Notes client, you can also enforce encryption on all outbound connections, even if the server to which you are connecting allows unencrypted connections.
Because encryption adds additional load to the server, you may want to limit the services for which the server uses encryption. Other ways to minimize the load that encryption puts on the system include:
- Using an additional Domino server acting as a passthru server for NRPC connections
- Using a reverse proxy to manage authentication and encryption outside of Domino servers when using SSL
- Removing unnecessary or unused protocols or services on the server system as well as Domino server services
For more information, see the chapters Installing and Setting Up Domino Servers and Setting Up SSL on a Domino Server.
Using a Domino passthru server as a proxy
A proxy is a system that understands the type of information transmitted (for example, NRPC or HTTP-format information) and controls the information flow between trusted and untrusted clients and servers. A proxy communicates on behalf of the requester and also communicates information back to the requester. A proxy can provide detailed logging information about the client requesting the information and the information that was transmitted. It can also cache information so requesters can quickly retrieve information again.
A proxy stops direct access from an untrusted network to services on a trusted network. If an application proxy is in use, then application-specific heuristics can be applied to look at the connections from the untrusted networks and determine if what is being requested is legal or safe.
An application proxy resides in the actual server application and acts as an intermediary that communicates on behalf of the requester. An application proxy works the same as a packet filter, except the application proxy delivers the packet to the destination. An application proxy can be used with any protocol, but it is designed to work with one application. For example, an SMTP proxy understands only SMTP.
A circuit-level proxy is similar to an application proxy, except that it does not need to understand the type of information being transmitted. For example, a SOCKS server can act as a circuit-level proxy. You can use a circuit-level proxy to communicate using Internet protocols with TCP/IP, that is, IMAP, LDAP, POP3, SMTP, IIOP, and HTTP, as well as Internet protocols secured with SSL.
HTTP is a special case. In Domino, when the HTTP Connect method is used by an HTTP proxy, applications using other protocols can also use the HTTP proxy, but they use it as a circuit-level proxy, not as an application proxy. SSL uses the HTTP Connect method to get through an application proxy because the data is encrypted and the application proxy cannot read the data. HTTPS (HTTP and SSL) uses both the HTTP proxy and the Connect method, which implies that the HTTP proxy is a circuit-level proxy for HTTPS. The same method is used to get NRPC, IMAP, and other protocols through the HTTP proxy.
You can set up a Domino passthru server as an application proxy for NRPC. A passthru server provides all levels of Notes and Domino security while allowing clients who use dissimilar protocols to communicate through a single Domino server. The application proxy does not allow Internet protocols (for example, HTTP, IMAP, and LDAP) to use a Domino passthru server to communicate, however. For Internet protocols, you can use an HTTP proxy with the HTTP Connect method to act as a circuit-level proxy.
A Notes client or Domino server can also be a proxy client and interoperate with either passthru (NRPC protocol only) or as a SOCKS or HTTP tunnel client (for NRPC, POP3, LDAP, IMAP, and SMTP protocols). You set this up in the Proxy setting in the client Location document.
To set up a Domino passthru server as an application proxy
When you set up an application proxy, make sure the following Domain Name System (DNS) services are correctly configured:
- The databases db.DOMAIN and db.ADDR, which DNS uses to map host names to IP addresses, must contain the correct host names and addresses.
- Hosts files must contain the fully qualified domain name of the servers.
If you are using the Network Information Service (NIS), you must use the fully qualified domain name and make sure NIS can coexist with DNS. For information on configuring these settings, see the documentation for your network operating system.
You must first connect the server to the untrusted network (for example, the Internet) and then set up Notes workstations and Domino servers to use the passthru server as a proxy when accessing services outside the trusted network.
To set up a workstation or server to use the passthru server, you must specify the passthru server in the Location document for a workstation and in the Server document for a server.
For more information on connecting a server to the Internet and passthru servers, see the chapter Setting Up Server-to-Server Connections.

TCP/IP security considerations
In a TCP/IP network, configure all Domino servers to reject Telnet and FTP connections. Furthermore, do not allow file system access to the Domino server or the operating system on which it runs, unless you are sure you can properly maintain user access lists and passwords and you can guarantee a secure environment.
If you use the Network File System (NFS) without maintaining the password file, users can breach security by accessing files through NFS instead of through the Domino server. If this "back door" access method is needed, isolate the network pathway on a LAN NIC and segment, and make sure that the ability to access files through NFS is exclusive to this isolated secure network.

Mapped directory links and Domino data security

To ensure data security, do not create a mapped directory link to a file server or shared Network Attached Storage (NAS) server for a Domino server. These links can cause both database corruption and security problems.
Database corruption
If the network connection fails while the Domino server is writing to a database on the file server or shared NAS server, the database can become corrupted. In addition, the interdependence of the file sharing protocols (Server Message Block (SMB), Common Internet File System (CIFS), and Network File System (NFS)) and the remote file system can affect the Domino server's performance. Domino sometimes needs to open large numbers of remote files, and low latency for read/write operations to these files is desirable.
To avoid these problems on Domino servers, consider doing one or more of the following:
- Create an isolated network and use cut-through (non-buffering) layer-2 switches to interconnect the Domino server to the NAS system.
- Limit access to the NAS system to the Domino server.
- Reduce the number of hops and the distance between hops in the connection pathways between the Domino server and the storage system.
- Use a block protocol instead of a file protocol.
- Use a private storage area network (SAN) instead of a shared NAS system.
- Avoid creating any file-access contention between Domino and other applications.
To avoid problems with Notes workstations, consider doing the following:
- Locate Notes workstations so that they are not accessing a remote file server or NAS system over a WAN.
- To minimize the risk of database corruption because of server failure when a Notes client's Domino data directory is on a file server or NAS server, evaluate the reliability of the entire network pathway as well as the remote system's ability to maintain uninterrupted sessions to the Notes client over the file sharing protocols it is using (SMB, CIFS, NFS, NetWare Core Protocol, or AppleShare).
- If a Notes client's Domino data directory is on a file server or NAS server, remember that only one user (user session) can have the user data directory files open at a time. Lotus Notes does not support concurrent access to the same local database by two clients.
Security problems
When Encrypt network data is enabled, all Domino server and Notes workstation traffic is encrypted. However, the file I/O between the Domino server and the file server or shared NAS server is not encrypted, leaving it vulnerable to access by unauthorized users.

Planning the TCP/IP network

The default TCP/IP configuration for a Domino server is one IP address
that is globally bound, meaning that the server listens for connections at
the IP addresses of all NICs on the computer. Global binding works as
long as the computer does not have more than one IP address offering a
service over the same assigned TCP port.
For operating system requirements, see the Release Notes.
The default configuration
Use these topics to plan how to integrate Lotus Domino with the TCP/IP
network when the Domino server has one IP address and is not
partitioned:
• NRPC name-to-address resolution over TCP/IP
• Ensuring DNS resolves in TCP protocols
Advanced configurations
Use these topics to plan how to integrate Lotus Domino with the TCP/IP
network when the Domino server has more than one IP address or is
partitioned:
• Advanced Domino TCP/IP configurations
• Partitioned servers and IP addresses
• Ensuring DNS resolves in advanced TCP/IP configurations
Moving to IPv6
This topic provides the information you need if your company is
migrating to the IPv6 standard:
• IPv6 and Lotus Domino

NRPC name-to-address resolution over TCP/IP

In the TCP/IP protocol, the method most commonly used to resolve
server names to network addresses is the Domain Name System (DNS),
an Internet directory service developed both to allow local administrators
to create and manage the records that resolve server names to IP
addresses and to make those records available globally. While the POP3,
IMAP, LDAP, and HTTP services use DNS directly, the NRPC service
uses a combination of the Notes Name Service and DNS to resolve server
names to network addresses.
For background information on how the Notes Name Service works with
name-resolver services such as DNS, see the topic Resolving server names
to network addresses in NRPC earlier in this chapter.
Within DNS, domain refers to a name space at a given level of the
hierarchy. For example, the .com or .org in a Web URL represents a
top-level domain. In a domain such as acme.com, a DNS server (that is,
a server running DNS software) in the Acme company stores the
records for all Acme servers, and an administrator at Acme maintains
those records.
When you set up a Notes workstation on the TCP/IP network, you
normally rely on DNS to resolve the name of the workstation's Domino
home server the first time the workstation tries to connect to it. As long
as the Notes workstation and Domino home server are in the same DNS
domain level, DNS can accomplish the resolve.
When to edit the Net Address field in the Server document
The default format for a server's TCP/IP network address in Lotus
Domino is its fully qualified domain name (FQDN), for example,
app01.acme.com, based on the DNS record and the IP address
references in the system's TCP/IP stack. When a Notes workstation or
Domino server requests this name, the TCP/IP resolver passes it to DNS,
and DNS resolves the name directly to the IP address of the destination
server, regardless of the DNS domain level of the requesting system.
If you do not want to enter the FQDN in the Net Address field, you can
change it to the simple IP host name, for example, app01, either
during server setup or later by editing the Server document. For
example, you might use the simple IP host name if you are setting up
multiple TCP ports for NRPC, a configuration in which using the FQDN
for each network address can cause connection failures if the Notes
Name Service returns the FQDN for the wrong TCP port. In this case,
using the simple IP host name ensures that DNS does a lookup in all
domain levels within the scope of the domains defined in the requesting
system's TCP/IP stack settings.
Caution In a production environment, do not use IP addresses in Net
Address fields. Doing so can result in serious administrative
complications if IP addresses change or if Network Address Translation
(NAT) connections are used, as the values returned by the Notes Name
Service will not be correct.
Secondary name servers
To ensure that the Notes Name Service is always available over TCP/IP,
when you set up a Notes user, you can designate a Domino secondary
name server that stands in for the home server in these situations:
• The user's home server is down.
• The user's home server is not running TCP/IP.
• The user's home server cannot be resolved over TCP/IP.
Note In companies using multiple DNS domains, a Domino secondary
name server ensures that a Notes workstation can connect with its home
server even when the home server is in a different DNS domain. You can
use policies to automate the setup of secondary name servers.
For more information, see the topic Ensuring DNS resolves in NRPC:
Best practices later in this chapter. For information on policies, see the
chapter Using Policies.
Special case: The passthru server
By connecting to a passthru server, Notes users can access servers that do
not share a network protocol with their systems. If both the Notes
workstation and destination server are in a different Domino domain
from the passthru server, it may not be possible for the passthru server to
resolve the name of the destination server. In this case, do one of the
following:
• On the Notes workstation, create a Connection document that
includes the IP address of the destination server.
• On the passthru server, create a Connection document to the
destination server.
For more information on passthru servers, see the chapter Setting Up
Server-to-Server Connections.
Internal alternatives to DNS
If you don't use DNS at your site or if a Domino server is not registered
with DNS (as is sometimes the case if the server offers Internet services),
use one of these methods to enable each Notes workstation and Domino
server to perform name resolution locally. Keep in mind that the upkeep
required for both of these approaches is considerable.
• Place a hosts file, which is a table that pairs each system name with
its IP address, on every system that needs private access. Set up each
system so that it accesses the hosts file before accessing DNS.
• Create a Connection document that contains the destination server's
IP address on every Notes workstation and Domino server that
needs to access that server.
Tip Use policies to automate the setup of Connection documents for
Notes users. Even if you use DNS, you should set up Connection
documents for Notes users in locations from which they have
difficulty accessing the DNS server.
For more information on policies, see the chapter Using Policies.

Alternative IP name services

Microsoft networking services offer four additional methods of IP
address resolution. These methods are not as reliable as traditional DNS
and hosts files and can cause name and address confusion. For best
results, do not use these methods when also using the Notes network
port for TCP/IP.
• Direct NetBIOS broadcast: The system sends out a name broadcast
message so that all of the systems on the local network segment can
register the name and IP address in their name cache. If you must
use NetBIOS over IP and use Domino with both the NetBIOS and
TCP/IP port drivers, avoid name-resolution problems by giving the
Domino server and the system different names.

• Master Browser cache (for NT domains or SAMBA servers): Collects
broadcasted names and IP addresses and publishes them across the NT
domain to other Master Browser systems for Windows systems to
access in their name lookups.
• Windows Internet Name Service (WINS): Uses NetBIOS broadcasts.
Unlike DNS, which is static in nature, WINS is dynamic. Note that
the TCP/IP stacks of Macintosh and UNIX client systems may not be
able to access the WINS server.
• LAN Manager Hosts (LMHosts): A static hosts file method.
Caution On a Windows system, the combination of the system's native
NetBIOS over IP name-resolver service and DNS can cause name
resolution failure for the Domino server name.
For information on avoiding this problem, see the topic Server
name-to-address resolution over NetBIOS later in this chapter.

Ensuring DNS resolves in TCP protocols

When you register a new Domino server, you specify a common name for
it. Within a Domino hierarchical name, the common name is the portion
before the leftmost slash. For example, in the name App01/East/Acme,
the common name is App01. The common name, not the hierarchical
name, is the name that the Domino server is known by in DNS.
Note When you choose a common name for a Domino server that uses
DNS, use only the characters 0 through 9, A through Z, and the dash (-).
Do not use spaces or underscores.
Note The DNS names held in Lotus Notes and Lotus Domino are not
case sensitive; Notes workstations and Domino servers always pass DNS
names to DNS in lowercase.
You can avoid problems and extra work if you consider the DNS
configuration, as well as the effect of other protocol name-resolver
services, when you choose the format for the common name of the
Domino server.
To avoid name-resolution problems that affect all TCP services on
Windows systems, see the topic Ensuring DNS resolves on Windows
systems: All TCP protocols.
For procedures to help you avoid DNS problems in NRPC, see these
topics:
• Ensuring DNS resolves in NRPC: Best practices
• Ensuring DNS resolves in NRPC: Alternative practices
• Ensuring DNS resolves in NRPC: A practice to use with caution
For naming requirements when using Domino Off-Line Services (DOLs)
or iNotes, see the chapter Installing and Setting Up Domino Servers.
Ensuring DNS resolves on Windows systems: All TCP protocols
If a Domino server is a Windows system, often two name services exist
on the system: NetBIOS over IP and DNS. If you assign the same name
to both the Domino server and the system, client applications that use
either the Notes Name Service or DNS can encounter name-space
ghosting between the two names. In other words, because the NetBIOS
record for a system's host name has already been found, the name
resolving process ends and the DNS record for the Domino server on that
system is never found.
Note For a Domino server on Windows 2000, problems occur only if
you enable name services for NetBIOS over IP in order to join an NT
domain using Server Message Blocks (SMB).
To prevent this problem:
1. Do one of the following:
• On Windows NT, assign one name as the Domino server common
name and then alter that name slightly for the system name by
adding a prefix such as NT-. In the Network dialog box on the
Windows NT Control Panel, specify the name in two places: the
Identification tab and the Protocols - TCP/IP properties - DNS tab.
• On Windows 2000, add a prefix such as W2K- to the system
name, using the Network Identification tab on the System
Properties dialog box.
2. Create an A record (or, for IPv6, an AAAA record) in DNS for the
system name. The IP address is the same as the one for the Domino
server.
3. Create a CNAME record in DNS for the Domino server's name,
linking it to the system name.
For example, for the Domino server BosMail02/Acme, the common
name is BosMail02. You name the system NT-BosMail02. You create an A
record in DNS for NT-BosMail02.acme.com and a CNAME record for
BosMail02.acme.com, linking it with NT-BosMail02.acme.com.

Note that these procedures apply only to servers handling
communications between Lotus Notes and Lotus Domino (NRPC
services). If you administer servers that provide Internet services such as
HTTP, SMTP, POP3, or LDAP, you can skip these topics, as these
services use DNS directly.

Ensuring DNS resolves in NRPC: Best practices

The following procedures provide the best name-resolution practices for
a Domino server using the default NRPC configuration on a TCP/IP
network (one Notes network port for TCP/IP). These procedures address
the following DNS configurations:
• One DNS domain
• Multiple DNS domain levels
If your TCP/IP configuration has multiple Notes network ports for
TCP/IP, see the topic Ensuring DNS resolves in advanced TCP/IP
configurations later in this chapter.
When you have one DNS domain
If your company uses only one DNS domain, doing the following
eliminates the need for CNAME records in DNS:
1. Assign the same name as both the Domino server common name and
the simple IP host name registered with DNS.
2. Make sure the Net Address field on the Server document contains
the server's FQDN.
3. Create an A record (or, for IPv6, an AAAA record) in DNS.
For example, you set up the Domino server App01/Engr/Acme. Thus,
you register the server with DNS as app01, the server's common name.
The Net Address field in the Server document contains app01.acme.com
(the server's FQDN), and the A record is:
app01.acme.com IN A 192.168.10.17
When you have multiple DNS domain levels
If your company uses multiple DNS domain levels (for example, when
each country in which a multinational company has offices is a
subdomain in DNS), doing the following eliminates the need for
multiple CNAME records in DNS and ensures that DNS lookups always
work, regardless of the DNS domain level of the user's system:
1. Assign the same name as both the Domino server common name and
the simple IP host name.
2. Make sure the Net Address field on the Server document contains
the server's FQDN.
3. Create an A record (or, for IPv6, an AAAA record) in DNS.
4. If users' systems are in a different DNS domain than that of their
home server or in a DNS subdomain of their home server's domain,
set up a secondary name server. Place this secondary name server on
the same physical network as the users' systems or on a network that
the users can access.
5. Set up all Notes users or a subset of users affected by Step 4, or set
up an individual Notes user.
For more information on setting up groups of users, see the chapter
Using Policies. For more information on setting up an individual
Notes user, see the topic Setting up a secondary name server later
in this chapter.
For example, you register the Domino server ParisMail01/Sales/Acme
with DNS as parismail01.france.acme.com. Parismail01 is the home
server for some users in the DNS subdomain spain.acme.com. You set up
a secondary name server, Nameserver/Acme, register it with DNS as
nameserver.acme.com, and ensure that the Location documents of users
who need a secondary name server point to this server.
When a user in spain.acme.com attempts a first connection with the home
server (parismail01.france.acme.com), the connection fails because the
DNS subdomain for spain.acme.com has no records for the subdomain
france.acme.com. Notes then connects successfully with the secondary
name server (nameserver.acme.com), since the DNS subdomain for
spain.acme.com does include the records for acme.com. When the
secondary name server supplies the Notes workstation with the FQDN
from the Net Address field in the Server document for ParisMail01, DNS
resolves the FQDN to an IP address, and the user can access mail.
As long as all Server documents in the Domino domain have the TCP/IP
network address in FQDN format, this approach allows any Notes
workstation or Domino server to locate any Domino server, regardless of
its DNS domain level.
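The lookup sequence described above (an FQDN versus a simple host name tried against the requester's DNS search scope, CNAME records, and a secondary name server supplying the Net Address from the Server document) as an added, runnable model. This is example code written for this page, not Lotus or IBM code: the DNS records, search scopes, Server documents and 192.0.2.x addresses are constructed to mirror the Acme scenarios in the text, and the common-name check implements the character rule given under Ensuring DNS resolves in TCP protocols.

```python
"""Toy model of NRPC name-to-address resolution over TCP/IP.

Added example, not Lotus code. It models the behaviour the text describes:
DNS lookups from a workstation (FQDN versus simple host name with a search
scope, CNAME chasing) and the secondary name server fallback that supplies
the home server's Net Address. All names and addresses are constructed.
"""
import re
from typing import Optional

# Constructed DNS records, keyed by FQDN: ("A", ip) or ("CNAME", target).
DNS_RECORDS = {
    "nameserver.acme.com": ("A", "192.0.2.5"),
    "parismail01.france.acme.com": ("A", "192.0.2.30"),
    "nt-bosmail02.acme.com": ("A", "192.0.2.20"),
    "bosmail02.acme.com": ("CNAME", "nt-bosmail02.acme.com"),
}

# Constructed DNS search scope of a requester's TCP/IP stack, by DNS domain.
# A simple host name is tried with each suffix in order; an FQDN is not.
SEARCH_SCOPE = {
    "spain.acme.com": ["spain.acme.com", "acme.com"],
    "france.acme.com": ["france.acme.com", "acme.com"],
    "acme.com": ["acme.com"],
}

# Constructed Server documents: Domino common name -> Net Address field.
SERVER_DOCS = {
    "ParisMail01": "parismail01.france.acme.com",  # FQDN, the default format
    "Nameserver": "nameserver.acme.com",
    "BosMail02": "bosmail02",                      # simple IP host name
}

COMMON_NAME_RE = re.compile(r"^[0-9A-Za-z-]+$")


def common_name_is_dns_safe(common_name: str) -> bool:
    """Only 0-9, A-Z and the dash are allowed; no spaces or underscores."""
    return COMMON_NAME_RE.match(common_name) is not None


def dns_resolve(name: str, requester_domain: str) -> Optional[str]:
    """Resolve a name the way the requester's TCP/IP stack would.

    Notes and Domino pass names to DNS in lowercase. A name with a dot is
    treated as an FQDN and looked up as-is; a simple host name is tried with
    each suffix in the requester's search scope. CNAME chains are followed
    with a hop limit, so a looping CNAME cannot hang the lookup.
    """
    name = name.lower()
    if "." in name:
        candidates = [name]
    else:
        candidates = [f"{name}.{s}" for s in SEARCH_SCOPE.get(requester_domain, [])]
    for fqdn in candidates:
        for _ in range(8):          # CNAME hop limit
            record = DNS_RECORDS.get(fqdn)
            if record is None:
                break
            rtype, value = record
            if rtype == "A":
                return value
            fqdn = value            # CNAME: chase the target
    return None


def notes_first_connect(common_name: str, workstation_domain: str,
                        secondary_name_server: Optional[str] = None) -> dict:
    """Model a Notes workstation's first connection to a server by common name.

    Without a Connection document, Notes hands the common name to DNS. If
    that fails and a secondary name server is configured, Notes resolves the
    secondary name server, obtains the target's Net Address from its Server
    document (the Notes Name Service answer) and resolves that instead.
    Returns a trace showing which path produced the address.
    """
    trace = {"server": common_name, "via": "failed", "address": None}
    address = dns_resolve(common_name, workstation_domain)
    if address:
        trace.update(via="dns-direct", address=address)
        return trace
    if secondary_name_server and dns_resolve(secondary_name_server, workstation_domain):
        net_address = SERVER_DOCS.get(common_name)
        address = dns_resolve(net_address, workstation_domain) if net_address else None
        if address:
            trace.update(via="secondary-name-server", address=address)
    return trace


if __name__ == "__main__":
    # A user in spain.acme.com cannot reach ParisMail01 by simple name ...
    print(notes_first_connect("ParisMail01", "spain.acme.com"))
    # ... but succeeds once a secondary name server supplies the FQDN.
    print(notes_first_connect("ParisMail01", "spain.acme.com", "nameserver.acme.com"))
    # CNAME from the Domino common name to the differently named host.
    print(notes_first_connect("BosMail02", "acme.com"))
```

The first call fails for the reason the text gives: the Spanish workstation's search scope never produces a name in france.acme.com. The second succeeds because the secondary name server is reachable from the root domain and the Net Address it hands back is an FQDN, which resolves regardless of the requester's domain level.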
Note Register the secondary name server in the root of the
company's DNS domain.
Ensuring DNS resolves in NRPC: Alternative practices
The following procedures provide alternative name-resolution practices
for a Domino server using the default NRPC configuration on a TCP/IP
network (one Notes network port for TCP/IP).
Domino server names that differ from their DNS names
When your name scheme for Domino servers is different from that for
DNS, use one of the following methods to translate the Domino server's
name to the host name:
• Create a local Connection document on each Notes client and Domino
server that needs to connect to the Domino server, and enter the
FQDN for the system that hosts the Domino server in the Net Address
field. For example, for the Domino server named App01/Sales/Acme
on the system registered with DNS as redflier, enter redflier.acme.com
in the Net Address fields of the Connection documents.

• Use an alias (CNAME) record in DNS to link the Domino server
common name to the simple IP host name. For example, for the
Domino server App01/Sales/Acme on the system registered with
DNS as redflier, use a CNAME record to link the name App01 to the
name redflier. When a Notes workstation first accesses this server, it
obtains the host name from the Net Address field of the Server
document and caches it, thereby making future connections faster.

IP addresses in Connection documents

In situations in which you don't want to use any name-resolver service,
such as bringing up a new server system that you don't want known
yet, or having a server on the Internet that you want accessible but for
which you can't use DNS, create Connection documents that directly
tell Notes workstations or Domino servers how to access this Domino
server by using the server's IP address in the documents' Net Address
fields.
Network Address Translation (NAT)
NAT is a method of translating an IP address between two address
spaces: a public space and a private space.
Public addresses are assigned to companies by the Internet Corporation
for Assigned Names and Numbers (ICANN) or leased from the
company's ISP/NSP. Public addresses are accessible through the Internet
(routable) unless firewalls and isolated networks make them inaccessible.
Private addresses are IP address spaces that have been reserved for
internal use. These addresses are not accessible over the Internet
(non-routable) because network routers within the Internet will not allow
access to them.
The following address spaces have been reserved for internal use. It is
best to use these IP addresses and not make up your own.

• Class A: 10.0.0.0 to 10.255.255.255
• Class B: 172.16.0.0 to 172.31.255.255
• Class C: 192.168.0.0 to 192.168.255.255

For example, users inside a company access the Domino server based on
its assigned IP address, which is a private address (192.168.1.1). Internet
users must access the Domino server through a NAT router, which
converts the private address to one of its static public addresses
(130.20.2.2). Therefore, a Notes client accessing the server from the
Internet uses the public address.
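The NAT example above, together with the earlier caution against putting IP addresses in Net Address fields, as an added audit script for Net Address values. This is example code written for this page, not Lotus code: the split-horizon DNS views are constructed, the 192.168.1.1 and 130.20.2.2 pair is the one used in the text, and the private ranges checked are the RFC 1918 networks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

```python
"""Audit of Server document Net Address values for a Domino server behind NAT.

Added example, not Lotus code. It applies two cautions from the text: Net
Address should hold a host name rather than an IP address, and when NAT is
in use the server's FQDN must exist in both the internal DNS and the
external (shadow) DNS, each answering with the address reachable from its
side. DNS views are constructed; the RFC 1918 ranges are those of the RFC.
"""
import ipaddress
from typing import Dict, List, Optional

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed split-horizon DNS: FQDN -> address, per view.
DNS_VIEWS: Dict[str, Dict[str, str]] = {
    "internal": {"app01.acme.com": "192.168.1.1"},  # private address
    "external": {"app01.acme.com": "130.20.2.2"},   # NAT router's static public address
}


def is_ip_literal(value: str) -> bool:
    """True if the Net Address value is an IP address rather than a name."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def is_rfc1918(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def resolve_for_client(net_address: str, side: str,
                       views: Dict[str, Dict[str, str]] = DNS_VIEWS) -> Optional[str]:
    """Address a client on the given side ("internal"/"external") ends up with.

    A name is resolved in that side's DNS view; an IP literal is used as-is,
    which is exactly why a private literal breaks clients on the Internet.
    """
    if is_ip_literal(net_address):
        return net_address
    return views.get(side, {}).get(net_address.lower())


def audit_net_address(net_address: str,
                      views: Dict[str, Dict[str, str]] = DNS_VIEWS) -> List[str]:
    """Return findings for one Net Address value; an empty list means it passes."""
    findings: List[str] = []
    if is_ip_literal(net_address):
        findings.append("Net Address is an IP address; use the server's FQDN")
        if is_rfc1918(net_address):
            findings.append("the address is RFC 1918 private and not routable; "
                            "clients outside the NAT boundary cannot reach it")
        return findings
    name = net_address.lower()
    for side in ("internal", "external"):
        if name not in views.get(side, {}):
            findings.append(f"{name} has no record in the {side} DNS")
    outside = views.get("external", {}).get(name)
    if outside and is_rfc1918(outside):
        findings.append(f"external DNS answers {outside}, a private address; "
                        "Internet clients will get an unreachable address")
    return findings


if __name__ == "__main__":
    for value in ("app01.acme.com", "192.168.1.1"):
        print(value, "->", audit_net_address(value) or ["ok"])
        for side in ("internal", "external"):
            print("  ", side, "client connects to", resolve_for_client(value, side))
```

With the FQDN in Net Address both sides resolve to the address that is reachable for them; with the private literal, the internal client still works while the Internet client is handed 192.168.1.1, which matches the failure the caution describes.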


Ensuring DNS resolves in NRPC: A practice to use with caution

The following practice, if followed precisely, should ensure good DNS
resolves in NRPC for companies with multiple DNS domain levels, but
might result in extra work if the infrastructure changes. Using this
practice has the following disadvantages:
• You can never assign more than one IP address in DNS to the
Domino server.
• If the FQDN changes, the Domino server name will not match the
FQDN, thus invalidating the DNS resolve. You will then need to
create a new server and migrate users to it.
• If you use network address translation (NAT), the server's FQDN
must be identical in both instances of DNS (internal and external
shadow DNS).
• You cannot use other network protocols, as many of them use flat
network name services, and those that use hierarchical name systems
will not function unless the name hierarchy is exactly the same.
• Diagnosing connectivity issues can be much harder.
When you have multiple DNS domain levels
If your company uses multiple DNS domain levels (for example, when
each country in which a multinational company has offices is a
subdomain in DNS), do the following:
1. Use the server's FQDN as the Domino server common name.
2. Create an A record (or, for IPv6, an AAAA record) in DNS.
For example, if you register a server with DNS as
app01.germany.acme.com, you can also assign the Domino server's
common name as app01.germany.acme.com. In this case, the server's
Domino hierarchical name might be app01.germany.acme.com/Sales/Acme.

Advanced Domino TCP/IP configurations

A single Domino server can have multiple IP addresses if you use
multiple NICs, each offering an address, or if one NIC offers multiple
addresses. Having multiple IP addresses allows the server to listen for
connections at more than one instance of the TCP port assigned to NRPC
(1352) or at TCP ports that are assigned to other services such as LDAP
or HTTP. Both individual Domino servers and partitioned Domino
servers can have multiple NICs, each with its own IP address.

Multiple IP addresses and NICs on a Domino server

Set up a Domino server with multiple IP addresses, each with its own
NIC, if you want to:
• Split the client load for better performance
• Split client-to-server access from server-to-server communication
• Set up mail routing, replication, or cluster replication on an alternate
path (private network)
• Partition a Domino server so that more than one partition offers the
same Internet service (SMTP, POP3, IMAP, LDAP, or HTTP)
• Allow access to the Domino server via a TCP/IP firewall system over
a different network segment, a configuration known as a
demilitarized zone (DMZ)
• Use a Domino passthru server as an application proxy
• Provide network/server failover, used in mission-critical resource
access
• Set up alternate window and/or maximum transmission unit (MTU)
settings for satellite uplink and downlink connections isolated from
local access connections
For a configuration with multiple IP addresses, you must bind each
listening port to the appropriate IP address to ensure that each TCP
service receives the network connections intended for it.
For more information, see the topics Binding an NRPC port to an IP
address and Binding an Internet service to an IP address later in this
chapter. For more information on private networks for cluster
replication, see the book Administering Domino Clusters.
Note A configuration with multiple NICs does not increase the number
of Domino sessions you can have on a server. In TCP/IP, machine
capacity depends on processors and memory.
Multiple IP addresses with one NIC
Reasons to use one NIC to serve multiple IP addresses include:
• Isolating local versus WAN Notes named networks so local users can
see only local Domino servers
• Preventing independent remote access dialup connections (ISDN
dialup router) from being arbitrarily accessed
• Setting up redundant WAN path connections for server-to-server
access
• Using a different TCP/IP port map for firewall connections
• Offering HTTP services to a different group than NRPC connections
• Offering, as a service provider, Domino server access for either
Notes or Web clients to different groups/companies
For a configuration with multiple addresses and one NIC, you must
configure the TCP/IP stack and bind each listening port to an IP address.
Partitioned servers and IP addresses
When you set up a Domino partitioned server, it is usually best to assign
a separate IP address to each partition and use a separate NIC for each.
Using a separate NIC for each address can make the computer's I/O
much faster.
Lotus Domino is designed to listen for TCP/IP connections on all NICs in
a computer system. If more than one partition is hosting the same service
(NRPC, SMTP, POP3, IMAP, LDAP, or HTTP), fine-tune which partitions
listen for which connections by associating each service's TCP port with a
specific IP address.
For more information on associating services with IP addresses, see the
topics Binding an NRPC port to an IP address and Binding an
Internet service to an IP address later in this chapter.
As an alternative to using a separate NIC for each IP address, you can
use a single NIC and still assign a separate IP address to each partition.
For more information, see the topic Assigning separate IP addresses to
partitions on a system with a single NIC later in this chapter.
If you are unable to assign a separate IP address to each partition, you
can use port mapping.
For more information on port mapping, see the topic Configuring a
partitioned server for one IP address and port mapping later in this
chapter.
Note As an alternative to port mapping, you can use port address
translation (PAT), in which a firewall redirects the TCP port connection
to a different TCP port. Both port mapping and PAT require advanced
skills to implement correctly.


Ensuring DNS resolves in advanced TCP/IP configurations

When you have Domino servers with multiple Notes network ports for
TCP/IP, follow these procedures to ensure server name-to-address
resolution by DNS. This topic covers the following configurations:
• Users in different DNS subdomains accessing one Domino server
• User-to-server access and server-to-server access via different DNS
subdomains
For information on servers accessing a private LAN in a Domino cluster,
see the book Administering Domino Clusters.
Users in different DNS subdomains accessing one Domino server
If users are on two isolated networks and the Domino server has a NIC
for each network, use DNS to direct the users to the NIC the server
shares with them.
1. Assign an IP address to each NIC by creating A records (or, for IPv6,
AAAA records) in DNS. Use the ping command and the IP address
to test the responsiveness of the NIC.
Note If the Domino server is running Windows and there is a route
between the two networks, prevent the NetBIOS broadcasts from
exiting from both adapters by using the Windows Control Panel to
disable one instance of the WINS client. Use the Bindings tab of the
Network dialog box, select All Adapters, and select the name of the
NIC for which you want to disable WINS.
2. Create two CNAME records in DNS for the Domino server, linking
the server's common name to each NIC name in the A records.
(Using CNAME records for the Domino server provides diagnostic
fidelity to test the network pathway independently of the server's
name resolve.)
3. Add a second Notes network port for TCP/IP in Domino.
For more information, see the topic Adding a network port on a
server later in this chapter.
4. Bind each TCP/IP port to the IP address of the appropriate NIC. On
the server console, verify that both TCP/IP ports are active and
linked to the correct IP address.
For more information on binding ports to IP addresses, see the topic
Binding an NRPC port to an IP address later in this chapter.
5. In the Server document's Net Address field for each TCP/IP port,
use the server's common name only, not its FQDN.
6. On each Notes workstation, set the user's DNS name lookup scope to
the correct DNS subdomain.
Example
At the Acme company, some users connect to the Domino server
Chicago/Sales/Acme over an Ethernet network, others over a Token
Ring network. Register the Domino server with DNS as
chicago.east.acme.com for the users on the Ethernet network and as
chicago.west.acme.com for users on the Token Ring network.
1. Create start of authority (SOA) table entries in DNS for the
subdomain east.acme.com, as follows:
chi-ethernet              10.20.20.2
chicago         CNAME     chi-ethernet
2. Create SOA table entries in DNS for the subdomain west.acme.com,
as follows:
chi-tokenring             10.10.10.1
chicago         CNAME     chi-tokenring
3. Change the name of the original Notes network port for TCP/IP to
TCPIP1, and name the second port TCPIP2.
4. Use the NOTES.INI file to bind TCPIP1 to the IP address for the
Ethernet network and to bind TCPIP2 to the IP address for the Token
Ring network.
5. In the Server document's Net Address field for each TCP/IP port,
enter chicago.
6. On the Ethernet users' workstations, set the DNS name lookup scope
to east.acme.com, and on the Token Ring users' workstations, set it to
west.acme.com.
User-to-server access and server-to-server access via different DNS
subdomains
If users need to access a Domino server over the LAN and other Domino
servers need to access the same server over the WAN, add a second NIC
to the server. Then use DNS to direct the users to the NIC for the LAN
and to direct other servers to the NIC for the WAN.
1. Assign an IP address to each NIC by creating an A record (or, for
IPv6, an AAAA record) in DNS. Use the ping command and the IP
address to test the responsiveness of the NIC.
Note If the Domino server is running Windows and there is a route
between the two networks, prevent the NetBIOS broadcasts from
exiting from both adapters by using the Windows Control Panel to
disable one instance of the WINS client. Use the Bindings tab of the
Network dialog box, select All Adapters, and select the name of the
NIC for which you want to disable WINS.

2. Create two CNAME records in DNS for the Domino server, linking
the server's common name to each NIC name in the A records.
(Using CNAME records for the Domino server provides diagnostic
fidelity to test the network pathway independently of the server's
name resolve.)
3. Add a second Notes network port for TCP/IP in Domino.
For more information, see the topic Adding a network port on a
server later in this chapter.
4. Bind each TCP/IP port to the IP address of the appropriate NIC. On
the server console, verify that both TCP/IP ports are active and
linked to the correct IP address.
For more information on binding ports to IP addresses, see the topic
Binding an NRPC port to an IP address later in this chapter.
5. To direct the Domino server's first outbound connection to the
server-to-server network, edit the PORT setting in the NOTES.INI
file to read as follows:
PORT=serverportname, userportname
where serverportname is the name of the Notes network port for
TCP/IP that other Domino servers will use to connect to this server,
and userportname is the name of the Notes network port for TCP/IP
that users will use to connect to this server.
6. In the Server document's Net Address field for the first TCP/IP port
(the port that users will use), enter the FQDN, using the server's
common name and the users' DNS subdomain.
Note Listing the port that users will use first is important, as the
Notes Name Service cannot distinguish which NIC a user is
accessing and makes the connection based on the content of the Net
Address field for the first TCP/IP port listed in the Server document.
7. In the Server document's Net Address field for the second TCP/IP
port (the port that servers will use), enter the FQDN, using the
server's common name and the servers' DNS subdomain.
An initiating server uses its local Domino Directory to detect the
Notes named network it has in common with this server.
8. Set each user's DNS name lookup scope to the correct DNS
subdomain.
9. In each server's TCP/IP stack, set the DNS name lookup scope to the
correct DNS subdomain.
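The two ordering rules in steps 5 through 7 are easy to get backwards, because they point in opposite directions: PORT= in NOTES.INI lists the server-to-server port first (first outbound connection), while the Server document lists the users' port first (the Notes Name Service hands out the Net Address of the first port listed). The following added consistency check, written for this page and not Lotus code, reads a NOTES.INI fragment and an ordered model of the Server document's port entries and reports violations of those rules. The NOTES.INI text, subnets and subdomains are constructed around the Acme example; the PortName_TcpIpAddress=0,address:1352 setting is Domino's documented NOTES.INI syntax for binding an NRPC port to an address and is not taken from the text above.

```python
"""Consistency check for a Domino server with two NRPC ports over TCP/IP.

Added example, not Lotus code. Checks the ordering rules of the procedure:
PORT= names the server-to-server port first, the Server document lists the
users' port first, and each port's Net Address is an FQDN in the DNS
subdomain that serves the network the port is bound to. NOTES.INI text,
networks and subdomains are constructed; PortName_TcpIpAddress is
Domino's documented binding setting, used here by assumption.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed NOTES.INI fragment for the example server.
NOTES_INI = """\
PORT=TCPIP2, TCPIP1
TCPIP1_TcpIpAddress=0,103.210.20.2:1352
TCPIP2_TcpIpAddress=0,103.210.41.1:1352
"""

# Constructed Server document: (port name, Net Address) in listed order.
SERVER_DOC_PORTS = [
    ("TCPIP1", "bostonapp04.boston.acme.com"),
    ("TCPIP2", "bostonapp04.domino.acme.com"),
]

# Constructed network plan: which subnet and DNS subdomain serve whom.
USER_NET = (ipaddress.ip_network("103.210.20.0/24"), "boston.acme.com")
SERVER_NET = (ipaddress.ip_network("103.210.41.0/24"), "domino.acme.com")


def parse_notes_ini(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; keys are case-insensitive, so normalise them."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().upper()] = value.strip()
    return settings


def port_list(settings: Dict[str, str]) -> List[str]:
    return [p.strip() for p in settings.get("PORT", "").split(",") if p.strip()]


def bound_address(settings: Dict[str, str], port: str):
    """Address from PortName_TcpIpAddress=0,address:port."""
    raw = settings[f"{port.upper()}_TCPIPADDRESS"]
    host_port = raw.split(",", 1)[1]
    return ipaddress.ip_address(host_port.rsplit(":", 1)[0])


def check_two_port_layout(ini_text: str,
                          server_doc: List[Tuple[str, str]]) -> List[str]:
    """Return findings; an empty list means the layout follows the procedure."""
    settings = parse_notes_ini(ini_text)
    ports = port_list(settings)
    findings: List[str] = []
    for port in ports:
        if f"{port.upper()}_TCPIPADDRESS" not in settings:
            findings.append(f"{port} is enabled in PORT= but not bound to an address")
    if findings:
        return findings
    nets = {"users": USER_NET, "servers": SERVER_NET}

    def network_of(port: str) -> str:
        addr = bound_address(settings, port)
        for role, (net, _) in nets.items():
            if addr in net:
                return role
        return "unknown"

    if ports and network_of(ports[0]) != "servers":
        findings.append("first port in PORT= is not bound to the server-to-server network")
    if server_doc and network_of(server_doc[0][0]) != "users":
        findings.append("first port in the Server document is not the users' port; "
                        "the Notes Name Service will hand users the wrong Net Address")
    for port, net_address in server_doc:
        role = network_of(port)
        if "." not in net_address:
            findings.append(f"{port}: Net Address {net_address} is not an FQDN")
        elif role in nets and not net_address.lower().endswith("." + nets[role][1]):
            findings.append(f"{port}: Net Address {net_address} is not in the "
                            f"{nets[role][1]} subdomain of its bound network")
    return findings


if __name__ == "__main__":
    print(check_two_port_layout(NOTES_INI, SERVER_DOC_PORTS) or ["layout ok"])
    # Same NOTES.INI, but the Server document lists the server port first:
    print(check_two_port_layout(NOTES_INI, list(reversed(SERVER_DOC_PORTS))))
```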

Example
At the Acme company, users connect to the Domino server
BostonApp04/Sales/Acme over the LAN, and other Domino servers
access it privately over the WAN. You register the server with DNS as
bostonapp04.boston.acme.com for the LAN users and as
bostonapp04.domino.acme.com for the server-to-server network over the
WAN.
1. Create the following SOA table entries in DNS for the subdomain
boston.acme.com:
usr-bostonapp04              103.210.20.2
bostonapp04       CNAME      usr-bostonapp04
2. Create the following SOA table entries in DNS for the subdomain
domino.acme.com:
srv-bostonapp04              103.210.41.1
bostonapp04       CNAME      srv-bostonapp04
3. Change the name of the original Notes network port for TCP/IP to
TCPIP1, and name the second port TCPIP2.
4. Use the NOTES.INI file to bind TCPIP1 to the IP address for the user
network, to bind TCPIP2 to the IP address for the server-to-server
network, and to add the setting PORT=TCPIP2, TCPIP1.
5. In the Server document's Net Address field for port TCPIP1, enter
bostonapp04.boston.acme.com. For port TCPIP2, enter
bostonapp04.domino.acme.com.
6. On each user's workstation, set the DNS name lookup scope to
boston.acme.com. In the TCP/IP stacks of the servers that need to
connect to this server, set the name lookup scope to
domino.acme.com.

IPv6 and Lotus Domino

Because support for IPv6 by hardware and operating system suppliers
and the Internet is still in the early stages, moving to the IPv6 standard
will be a gradual process for most organizations. In Lotus Domino, you
can enable IPv6 support for SMTP, POP3, IMAP, LDAP, and HTTP
services on AIX, Solaris, and Linux systems.
Domino supports both IPv6 and IPv4. Thus, if an IPv6-enabled Domino
server encounters an IP address in IPv4 format, the Domino server can
still make the connection to that address.
In DNS, records that store IPv6 addresses are called AAAA records.
After you enable IPv6 on a Domino server and add the server's AAAA

record to DNS, another IPv6-enabled Domino server can connect to it
only over IPv6. Servers that don't support IPv6 can run Domino with
IPv6 support disabled, which is the default. These servers can
successfully connect to IPv6-enabled Domino servers only if the DNS
entries for the IPv6 servers also contain A records.
Using IPv6 in a Domino network
For best results when using IPv6 with Domino servers, set up network
devices in the network pathway to connect directly with native IPv6,
rather than tunnel through the IPv4 network.
How Lotus Domino decides whether to connect over IPv6 or IPv4
A Domino server evaluates the address format and then, based on that
information, makes an IPv4 or an IPv6 connection.
Address format and server response:
• IPv4: Makes an IPv4 connection.
• IPv4 address mapped to IPv6: Attempts to make an IPv6 connection
and waits for the TCP/IP software to make either an IPv6 or IPv4
connection, depending on the remote system's TCP/IP stack.
• IPv6: Makes an IPv6 connection.
• Server name: Uses DNS to resolve the name:
  If only an A record is found, connects over IPv4.
  If only an AAAA record is found, connects over IPv6 or waits for the
  TCP/IP software to make the connection.
  If both an A record and an AAAA record are found, uses the AAAA
  record.
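The decision rules in the table above, as an added Python model that is not part of the Domino documentation. The host names and addresses are constructed, and the ipv6_enabled switch models the "IPv6 support disabled" default described in this section; how an IPv6-disabled server treats an IPv6 or IPv4-mapped literal is an assumption.

```python
"""Added example, not from the Domino documentation: models the rules in the
table above for choosing IPv4 or IPv6 for an outbound connection, plus the
default "IPv6 support disabled" behaviour described in this section."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed DNS records for illustration only (names and addresses are made up).
SAMPLE_DNS: Dict[str, Dict[str, List[str]]] = {
    "legacy.acme.example": {"A": ["192.0.2.10"]},
    "ipv6only.acme.example": {"AAAA": ["2001:db8::10"]},
    "dual.acme.example": {"A": ["192.0.2.20"], "AAAA": ["2001:db8::20"]},
    "noaddr.acme.example": {},
}

IPV4 = "IPv4"
IPV6 = "IPv6"
STACK_DECIDES = "IPv6 or IPv4 (TCP/IP stack decides)"
UNRESOLVED = "unresolved"


def classify_target(target: str) -> str:
    """Classify the Net Address as in the table: ipv4, ipv4-mapped, ipv6 or name."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return "name"                      # not a literal address, DNS must resolve it
    if addr.version == 4:
        return "ipv4"
    if addr.ipv4_mapped is not None:       # ::ffff:a.b.c.d form
        return "ipv4-mapped"
    return "ipv6"


def choose_connection(target: str,
                      dns: Dict[str, Dict[str, List[str]]] = SAMPLE_DNS,
                      ipv6_enabled: bool = True) -> Tuple[str, Optional[str]]:
    """Return (connection kind, address used) for one connection attempt.

    ipv6_enabled=False models a server running with IPv6 support disabled
    (the default): it can use only IPv4 literals and A records, so an
    AAAA-only name stays unreachable, as the section above states."""
    kind = classify_target(target)
    if kind == "ipv4":
        return (IPV4, target)
    if kind in ("ipv6", "ipv4-mapped") and not ipv6_enabled:
        # Assumption: an IPv6-form literal is unusable without IPv6 support.
        return (UNRESOLVED, None)
    if kind == "ipv4-mapped":
        return (STACK_DECIDES, target)
    if kind == "ipv6":
        return (IPV6, target)
    records = dns.get(target.lower(), {})
    aaaa = records.get("AAAA", [])
    a = records.get("A", [])
    if aaaa and ipv6_enabled:              # AAAA is preferred when both records exist
        return (IPV6, aaaa[0])
    if a:
        return (IPV4, a[0])
    return (UNRESOLVED, None)


if __name__ == "__main__":
    for name in ("192.0.2.1", "::ffff:192.0.2.1", "2001:db8::1",
                 "dual.acme.example", "ipv6only.acme.example"):
        print(f"{name:25} -> {choose_connection(name)}")
        print(f"{name:25} -> {choose_connection(name, ipv6_enabled=False)}  (IPv6 disabled)")
```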

Planning the NetBIOS network


The Domino network is compatible with NetBIOS, a set of IBM
session-layer LAN services that has evolved into a standard interface that
applications use to access transport-layer network protocols. Domino
supports the NetBIOS interface on Windows systems over the following
transport protocols: TCP/IP (on systems running TCP/IP), NetBEUI
(supplied with all Microsoft network products), and IPX (on systems
running IPX/SPX).
Note Although you can add some NetBIOS services to Linux and UNIX
systems, NRPC communication does not use them.

Deciding whether to use NetBIOS services


Including NetBIOS in the Domino network has both benefits and risks.
The benefits are as follows:
• NetBIOS has low overhead relative to other protocol suites. NetBIOS
over NetBEUI has the least overhead; NetBIOS over IPX has more;
and NetBIOS over TCP/IP has the most.
• Because it is not directly routable, NetBIOS over NetBEUI can
provide a secure means to access your server for administration
within a flat network. To access the server over a routed IP network,
you can create a data-link switching (DLSw) tunnel to limit the
administration access with NetBIOS over NetBEUI.
• Because NetBIOS name-to-address resolution services offer dynamic
registration by name broadcasts, you can use NetBIOS to build a
mobile Domino network for temporary or emergency use.
The risks of using NetBIOS involve the security of the file system on
Domino servers. Depending on the access permissions of the operating
system and on the transport protocol being used, NetBIOS name and file
services might allow users to see or access the server's file system. When
a server provides NRPC services, mitigate this risk by disabling the
NetBIOS name and file services (SMB/CIFS) on the system so that the
system's name cannot be seen over the network. Other Notes/Domino
systems can still find the Domino server because Lotus Domino has its
own NetBIOS name service to propagate and register the Domino
server's NetBIOS name, but access is secure because it is controlled by
the authentication and certification features in NRPC.
If the system on which you run Domino requires NetBIOS name or
authentication services, mitigate the security risk by isolating the
NetBIOS services. Install an additional NIC on the system for NetBIOS
over a private administration network, and disable NetBIOS on the NIC
that the Domino server uses.
How to tell if NetBIOS is active on a system
The following are indications that NetBIOS is active:
• On Windows systems, you can see or access another Windows
system's file system through the Network Neighborhood (indicates
Server Message Block/NetBIOS).
• You can register with an NT domain (indicates Server Message
Block/NetBIOS).
• On Windows 2000 or XP systems, NetBIOS over IP is selected in
the system's TCP/IP protocol settings.
Note On Linux and UNIX systems, the SAMBA server service
(Windows file server) can offer Server Message Block/NetBIOS or
Common Internet File System/IP access, or both.
For detailed system requirements for using NetBIOS with Lotus Domino,
see the Release Notes.

Server name-to-address resolution over NetBIOS


When a Notes workstation or Domino server running NetBIOS tries to
connect to a Domino server, the initiating system offers the destination
server's common name to the NetBIOS name service, which then
broadcasts that name and its associated network address over the
NetBIOS network.
For background information on how the Notes Name Service works with
name-resolver services such as the NetBIOS name service, see the topic
Resolving server names to network addresses in NRPC earlier in this
chapter.
When you use the Notes Name Service with the NetBIOS name service,
only a Notes or Domino system using the same NetBIOS transport
protocol as the destination Domino server can see the destination server's
NetBIOS name. If the Notes or Domino system has more than one NIC
for which the NetBIOS transport protocol is enabled, only the NetBIOS
port with the same LANA binding as that of the destination server can
see the destination server's name.
Which physical address is registered for a Domino server depends on the
transport protocol:
• For NetBIOS over NetBEUI, the NIC's 32-bit MAC address is used.
• For NetBIOS over IPX, the IPX node number is used. In most cases,
this number is the same as the NIC's 32-bit MAC address. For
information on how IPX node numbers are assigned and how to
change them, see the Novell documentation.
• For NetBIOS over TCP/IP, the system's IP address is used.

Ways to ensure successful NetBIOS resolves


Because NetBIOS broadcasting has a limited range, you may need to
create a Connection document that includes the physical address of the
destination server. This process works as long as the network pathway
can carry the given lower transport protocol.
For NetBIOS over TCP/IP, you can also do one of the following:
• Use a WINS server with a static entry.
• In the initiating system's TCP/IP stack settings, enable NetBIOS
name lookup by DNS. This works even if you are not using any
NRPC services; however, the destination server must be registered
with DNS.
Note NetBIOS name space is flat, even with TCP/IP. If the client is not
within the same DNS domain level, access by name may not be possible.
Naming Domino servers on NetBIOS
NetBIOS names are limited to 15 characters. If the common name of the
Domino server is longer than 15 characters, NetBIOS truncates the name.
On NetBIOS over IPX, early versions of the resolver may confuse server
names if the first eight characters of the names are the same.
Caution The resolution of a Domino server name can be adversely
affected if the server name is the same as the NetBIOS name for a
Windows system.
To prevent this problem without making it difficult to manage system
files remotely, do the following:
• On Windows NT, assign one name as the Domino server common
name and then alter that name slightly for the system name by
adding a prefix such as NT-. In the Network dialog box on the
Windows NT Control Panel, specify the name in two places: the
Identification tab and the Protocols - TCP/IP properties - DNS tab.
• On Windows 2000, add a prefix such as W2K- to the system
name, using the Network Identification tab on the System
Properties dialog box.
For more information on the NetBIOS name service, see Microsoft's
resource kit documentation for the Windows NT and 2000 operating
systems.

Planning the IPX/SPX network


To use Lotus Domino with IPX/SPX, at least one NetWare server must
exist on the network. Notes workstations and Domino servers access the
NetWare server and use its name services, namely the Bindery Service
or the Novell Directory Service (NDS), to locate other Domino servers
on the IPX/SPX network. The NetWare server and a Domino system may
be separated by a switch, bridge, or router and do not have to be on the
same LAN.
When you use the Novell Bindery Service with Lotus Domino, note the
following:
• The NetWare server must not be more than one hop away from a
Domino server.
• The NetWare server must not be more than one hop away from a
Notes workstation when the workstation connects to a Domino
server over a WAN.
• While not required, it is best if the NetWare server is not more than a
few hops away from any Notes workstation.
If Lotus Domino and the NetWare server are on different LANs, make
sure that local routers are not filtering Bindery Service or NDS NetWare
Core Protocol (NCP) broadcasts.
The IPX protocol stack service (Novell or Microsoft) on a Domino server
or Notes workstation must point to the local NetWare server as its
preferred server and/or preferred tree. Other Domino servers or Notes
workstations do not need to access the same local NetWare server as
their preferred server or tree.
A Domino server can access only one NIC for the IPX protocol and only
one instance of the SPX port driver. Make sure you have not bound the
IPX protocol to more than one NIC or frame type on the system that is
running the Domino server.
Note The use of TCP/IP tunneling of NRPC-IPX/SPX connections is not
supported.
Note NDS access is supported only over the IPX/NCP protocol.
For detailed system requirements for using Lotus Domino on IPX/SPX,
see the Release Notes.

Server name-to-address resolution over IPX/SPX


Notes workstations and Domino servers use NetWare name-resolver
services to find a Domino server on an IPX/SPX network. When naming
Domino servers, consider the requirements of the name service or
services you are using.
Lotus Domino supports these NetWare services:
• Bindery Service: Network services use the Service Advertising
Protocol (SAP) to update the NetWare server's network database,
called the Bindery. Notes workstations and Domino servers use the
Bindery to look up a server's network address. Domino servers use
the Bindery Service to advertise their NRPC services on the network.
The Bindery is a dynamic database; therefore, if a network service
does not update the Bindery within a few minutes, the Bindery
deletes the entries for that service. A Domino server uses the Bindery
Service Object ID 0x039B.
• Novell Directory Service (NDS): The Novell Directory Service is
based on the X.500 directory service. The IPX/SPX port driver is the
only port driver that supports NDS. Since NDS is a static database,
network services update the database only once. The information
stored in the database is persistent, so a Domino server's NDS object
can always be found in the NDS tree, whether or not the server is
currently running. NDS uses less network bandwidth than the
Bindery Service, which uses SAP broadcasts over IPX/NCP.
• Both NDS and Bindery Service: If both services are installed, the
Notes workstation or Domino server tries an NDS lookup first. If the
NDS lookup fails, the workstation or server tries a Bindery lookup.
After you install and set up a Domino server, you use the Domino
Administrator to select which NetWare service you want the Domino
server to use.
For background information on how the Notes Name Service works with
name-resolver services such as those for NetWare, see the topic Resolving
server names to network addresses in NRPC earlier in this chapter.
For information on setting up NDS to work with Lotus Domino, see the
appendix Novell Directory Service for the IPX/SPX Network.
Naming Domino servers on a NetWare Bindery Service network
The NetWare Bindery Service uses the common name of the Domino
server as the server name in the Bindery. For example, the Domino
server name Chicago/Midwest/Acme becomes CHICAGO in the
NetWare Bindery. To name a Domino server that uses the Bindery
Service, choose a common name that is unique within the Bindery and
contains no more than 48 characters. In addition, do not use any of these
characters: slash (/), backslash (\), colon (:), semicolon (;), plus (+),
comma (,), asterisk (*), question mark (?).
When the common name of a Domino server is added to the Bindery,
the Bindery converts multibyte characters to hexadecimal characters,
removes leading and trailing spaces, converts spaces to underscores, and
converts all alphabetic characters to uppercase.
Note When using Bindery emulation under NetWare 4.1 or later, all
systems that use the Bindery Service for name resolution must share one
Bindery context name. Separate the Notes named networks based on the
Bindery context name that the Notes workstations and Domino server
share for Bindery name resolution.
Naming Domino servers on a Novell Directory Service network
In NetWare Directory Services (NDS), Domino server names are the path
from the root of the NDS tree to the Domino server NDS object, in
distinguished name format. For example, if a Domino server name is
Chicago/Midwest/Acme, its NDS name is
CN=Chicago.OU=Marketing.O=Acme.
Within NDS, names must be unique. Although using the NDS
distinguished name guarantees uniqueness in NDS, even if two
Domino servers have the same common name, it's best to specify
unique common names for Domino servers to ensure uniqueness in all
name services you are using.
To name a Domino server that uses NDS, choose a common name that
contains no more than 64 characters. Distinguished names can contain up
to 256 characters and can include the name types CN, OU, O, and C;
periods; and equal signs. Do not use any of the following in Domino
server names that use NDS: space ( ), slash (/), backslash (\), colon (:),
semicolon (;), plus (+), comma (,), asterisk (*), question mark (?).
Names in NDS are not case sensitive.
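The NetBIOS, Bindery and NDS naming rules from the three naming sections above, applied by an added Python checker that is not part of the Domino documentation. The server and Windows system names in it are constructed, the hexadecimal rendering of multibyte characters is an assumption (the manual does not show the exact form), and the NDS container path is supplied by the caller because it need not mirror the Domino hierarchy.

```python
"""Added example, not from the Domino documentation: applies the NetBIOS,
Bindery and NDS naming rules described above to candidate server names and
reports the conflicts those sections warn about."""
import re
from typing import Dict, List, Sequence, Set

NETBIOS_MAX = 15          # NetBIOS truncates longer common names
IPX_RESOLVER_PREFIX = 8   # early IPX resolvers may confuse names sharing 8 characters
BINDERY_MAX = 48
NDS_CN_MAX = 64
NDS_DN_MAX = 256
BINDERY_FORBIDDEN = set("/\\:;+,*?")
NDS_FORBIDDEN = BINDERY_FORBIDDEN | {" "}


def common_name(domino_name: str) -> str:
    """Leftmost component of a hierarchical name: Chicago/Midwest/Acme -> Chicago."""
    return domino_name.split("/")[0]


def netbios_name(domino_name: str) -> str:
    """NetBIOS registers the common name cut to 15 characters."""
    return common_name(domino_name)[:NETBIOS_MAX]


def bindery_name(domino_name: str) -> str:
    """Name as the NetWare Bindery stores it: leading/trailing spaces removed,
    inner spaces turned into underscores, letters uppercased and multibyte
    characters written as hex (the hex form is an assumption, not documented)."""
    cn = common_name(domino_name)
    if len(cn) > BINDERY_MAX:
        raise ValueError(f"common name longer than {BINDERY_MAX} characters: {cn!r}")
    bad = sorted(BINDERY_FORBIDDEN & set(cn))
    if bad:
        raise ValueError(f"characters not allowed in a Bindery name: {bad}")
    out = []
    for ch in cn.strip():
        if ord(ch) > 0x7F:
            out.append(ch.encode("utf-8").hex().upper())  # assumed hex rendering
        elif ch == " ":
            out.append("_")
        else:
            out.append(ch.upper())
    return "".join(out)


def nds_distinguished_name(domino_name: str, container: str) -> str:
    """Build CN=<common name>.<container>, e.g. CN=Chicago.OU=Marketing.O=Acme.
    The container is the NDS tree path and need not mirror the Domino hierarchy;
    NDS names are not case sensitive, so the component types match either case."""
    cn = common_name(domino_name)
    if len(cn) > NDS_CN_MAX:
        raise ValueError(f"common name longer than {NDS_CN_MAX} characters: {cn!r}")
    bad = sorted(NDS_FORBIDDEN & set(cn))
    if bad:
        raise ValueError(f"characters not allowed in an NDS server name: {bad}")
    if not re.fullmatch(r"(?:OU|O|C)=[^.=]+(?:\.(?:OU|O|C)=[^.=]+)*", container, re.IGNORECASE):
        raise ValueError("container must be dotted OU=, O= and C= components")
    dn = f"CN={cn}.{container}"
    if len(dn) > NDS_DN_MAX:
        raise ValueError(f"distinguished name longer than {NDS_DN_MAX} characters")
    return dn


def name_conflicts(domino_names: Sequence[str],
                   windows_system_names: Sequence[str] = ()) -> List[str]:
    """Warnings an administrator should resolve before registering these names."""
    warnings: List[str] = []
    by_netbios: Dict[str, List[str]] = {}
    by_prefix: Dict[str, Set[str]] = {}
    by_bindery: Dict[str, List[str]] = {}
    for name in domino_names:
        nb = netbios_name(name).upper()
        by_netbios.setdefault(nb, []).append(name)
        by_prefix.setdefault(nb[:IPX_RESOLVER_PREFIX], set()).add(nb)
        try:
            by_bindery.setdefault(bindery_name(name), []).append(name)
        except ValueError as err:
            warnings.append(f"{name}: {err}")
    for nb, names in by_netbios.items():
        if len(names) > 1:
            warnings.append(f"NetBIOS name {nb!r} shared after 15-character truncation: {names}")
    for prefix, nbs in by_prefix.items():
        if len(nbs) > 1:
            warnings.append(f"first {IPX_RESOLVER_PREFIX} characters {prefix!r} shared, "
                            f"early IPX resolvers may confuse: {sorted(nbs)}")
    for bn, names in by_bindery.items():
        if len(names) > 1:
            warnings.append(f"Bindery name {bn!r} not unique: {names}")
    windows = {w.upper() for w in windows_system_names}
    for name in domino_names:
        if netbios_name(name).upper() in windows:
            warnings.append(f"{name}: common name equals a Windows system's NetBIOS name; "
                            "prefix the system name (NT-, W2K-) instead")
    return warnings
```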

Setting up Domino servers on the network


Before installing a Domino server, make sure you have done the
following:
• Installed one or more NICs on the system.
• Installed protocol software if necessary.
• Installed all network drivers in the correct directories.
• Installed any network software required for the protocols. For more
information, see the vendor's documentation.
After you install the server, you use the Domino Server Setup program to
accept network defaults or customize network settings.
After you run the setup program, you may need to complete one or more
of these tasks to finish setting up Lotus Domino on the network:
• Change the default names assigned to Notes named networks to
make them consistent with actual network topography.
• Fine-tune network port setup by adding, enabling, renaming,
reordering, disabling, or deleting ports or by enabling network
encryption or compression on a port.
• Complete tasks specific to the TCP/IP, NetBIOS, or IPX/SPX
protocol.
For information on connecting Notes workstations to the network, see
Lotus Notes 6 Help.

Setting up Notes named networks


The Domino Server Setup program automatically places all servers that
are in a Domino domain and that run the same network protocol in the
same Notes named network (NNN). In the Server document, the setup
program assigns each NNN a default name in the format portname
network.
After you complete the Server Setup program, rename the NNN for each
network port in the Server document. It is useful if the name reflects both
the location of the network and its protocol. For example, if your
company has a TCP/IP network and has LANs in Boston and San
Francisco, change the name of the NNN in Boston to TCPIP Boston
network, and change the name of the NNN in San Francisco to TCPIP
SF network.
Caution Domino assumes that all servers in an NNN have a continuous
LAN or WAN connection. If this is not the case, serious delays in mail
routing between servers can occur. Be careful not to include servers with
only dialup connections in an NNN.
For more information, see the chapter Installing and Setting Up Domino
Servers.
To change the name of a Notes named network
1. From the Domino Administrator, select the server you just set up.
2. Click the Configuration tab.
3. Expand the Server section in the view pane.
4. Click Current Server Document.
5. Click Edit Server, and then click the Ports - Notes Network Ports tab.
6. In the Notes Network field for each port, enter a new name for the
server's Notes named network. The name can include space
characters.
7. Click Save and Close.

Fine-tuning network port setup on a server


After you install and set up a Domino server, review the list of network
ports that were enabled by the Server Setup program. Unless you
customize network settings during setup, Domino enables ports based on
the current operating system configuration. To conserve system
resources, disable the ports for protocols that you don't need.
For information on configuring a communication port for a dialup
modem, see the chapter Setting Up Server-to-Server Connections.
Use Domino Administrator to make these changes to a server's network
port setup:
• Disable a network port
• Enable a network port
• Add a network port
• Rename a network port
• Reorder network ports
• Delete a network port
• Encrypt network data on a port
• Compress network data on a port

Note On a Notes workstation, you use the User Preferences dialog box
to change port setup.
For more information on changing port preferences on a workstation, see
Lotus Notes 6 Help.
Disabling a network port on a server
Even after you disable a port, it still appears in the list of available ports
so that you can later enable it.
1. From the Domino Administrator or Web Administrator, click the
server on which you want to disable a port.
2. Click the Configuration tab.
3. Do one of these:
• From the Domino Administrator's Tools pane, choose Server Setup Ports.
• From the Web Administrator's Port tool, choose Setup.
4. Select the port you want to disable, and then deselect Port enabled.
5. Click OK.
6. Click the Server - Status tab.
7. Do one of these so that the change takes effect:
• From the Domino Administrator's Tools pane, choose Restart Port.
(If you can't see the Tools pane, make sure you are in the Server
Tasks view.)
• From the Web Administrator's Ports tool, choose Restart.
8. In the Server document, on the Ports - Notes Network Ports tab,
specify Disabled next to the name of the port you are disabling.
9. Save the Server document.
Enabling a network port on a server
If the server port you want to enable will be the Notes workstations' only
means of connecting with the server, do not use this procedure. Instead,
use the Ports setting in the server's NOTES.INI file.
For more information, see the appendix NOTES.INI File.
For information on creating a Connection document on a Notes
workstation, see Lotus Notes 6 Help.
To enable a network port
1. From the Domino Administrator or Web Administrator, click the
server on which you want to enable a port.
2. Click the Configuration tab.
3. Do one of these:
• From the Domino Administrator's Tools pane, choose Server Setup Ports.
• From the Web Administrator's Port tool, choose Setup.
4. Select the port you want to enable, and then select Port enabled.
5. Click TCP/IP Options, LANx Options, SPX Options, or COMx
Options, and specify information as appropriate.
For more information on TCP/IP, LANx, and SPX options, see the
topics Changing the TCP/IP connection time-out interval,
Defining a NetBIOS LANA number for a Notes network port, and
Defining a server's NetWare name service in Lotus Domino later
in this chapter.
For more information on COMx options, see the chapter Setting Up
Server-to-Server Connections.
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
• From the Domino Administrator's Tools pane, choose Restart Port.
(If you can't see the Tools pane, make sure you are in the Server
Tasks view.)
• From the Web Administrator's Ports tool, choose Restart.
9. In the Server document, click the Ports - Notes Network Ports tab,
and edit these fields as necessary:
Port: Enter the port name. Lotus Domino assigns a default port name
to each network protocol detected on the system.
Notes Network: Enter the name of the Notes named network for the
group of Domino servers that are in this location and run on a
particular protocol, for example, Boston TCPIP. Space characters are
allowed in a Notes network name.
Net Address: Enter the protocol-specific name of the server, for
example, sales.acme.com. The name you use depends on the
convention of the network protocol. This field is used to determine
the address that other servers use to access this server.
Disabled/Enabled: Choose Enabled so that other servers will know the
port is enabled.
10. Save the Server document.
11. Make sure that this server is set up to replicate its Domino Directory
to other servers, or enter the preceding changes into the Server
document on a server that is set up to do the replication, or other
servers will not know that they can connect to this server over the
newly enabled port.
Adding a network port on a server
If the server port you want to add will be the Notes workstations' only
means of connecting with the server, do not use this procedure. Instead,
use the Ports setting in the server's NOTES.INI file.
For more information, see the appendix NOTES.INI File.
For information on creating a Connection document on a Notes
workstation, see Lotus Notes 6 Help.
To add a network port
1. From the Domino Administrator or Web Administrator, click the
server on which you want to add a port.
2. Click the Configuration tab.
3. Do one of these:
• From the Domino Administrator's Tools pane, choose Server Setup Ports.
• From the Web Administrator's Port tool, choose Setup.
4. Click New.
5. Specify the port name and driver, and click OK.
6. Click TCP/IP Options, LANx Options, SPX Options, or COMx
Options, and specify information as appropriate.
For more information on TCP/IP, LANx, and SPX options, see the
topics Changing the TCP/IP connection time-out interval,
Defining a NetBIOS LANA number for a Notes network port, and
Defining a server's NetWare name service in Lotus Domino later
in this chapter.
For more information on COMx options, see the chapter Setting Up
Server-to-Server Connections.
7. Click OK.
8. Click the Server - Status tab.
9. Do one of these so that the change takes effect:
• From the Domino Administrator's Tools pane, choose Restart Port.
(If you can't see the Tools pane, make sure you are in the Server
Tasks view.)
• From the Web Administrator's Ports tool, choose Restart.
10. In the Server document, click the Ports - Notes Network Ports tab,
and edit these fields as necessary:
Port: Enter the port name. Lotus Domino assigns a default port name
to each network protocol detected on the system.
Notes Network: Enter the name of the Notes named network for the
group of Domino servers that are in this location and run on a
particular protocol, for example, Boston TCPIP. Space characters are
allowed in a Notes network name.
Net Address: Enter the protocol-specific name of the server, for
example, sales.acme.com. The name you use depends on the
convention of the network protocol. This field is used to determine
the address that other servers use to access this server.
Disabled/Enabled: Choose Enabled so that other servers will know the
port is enabled.
11. Save the Server document.
12. Make sure that this server is set up to replicate its Domino Directory
to other servers, or enter the preceding changes to the Server
document on a server that is set up to do the replication, or other
servers will not know that they can connect to this server over the
newly enabled port.
13. If you are adding an additional TCP/IP port on a computer with
multiple NICs, see these topics:
• Binding an NRPC port to an IP address
• Binding an Internet service to an IP address
14. If you are adding an additional NetBIOS port on a computer with
multiple NICs, see the topic Creating additional network ports for
NetBIOS.
Renaming a network port on a server
You might want to rename a port to reflect its function. For example,
suppose you add a second TCP/IP port named SRV-TCP so that
clustered servers can communicate over a private network. Then you
might want to rename the original TCP/IP port, through which users
will communicate with the server, USR-TCP.
1. From the Domino Administrator or Web Administrator, click the
server on which you want to rename a port.
2. Click the Configuration tab.
3. Do one of these:
• From the Domino Administrator's Tools pane, choose Server Setup Ports.
• From the Web Administrator's Port tool, choose Setup.
4. Select the port you want to rename.
5. Click Rename, and then enter the new name. Do not use spaces in the
port name.
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
• From the Domino Administrator's Tools pane, choose Restart Port.
(If you can't see the Tools pane, make sure you are in the Server
Tasks view.)
• From the Web Administrator's Ports tool, choose Restart.
9. In the Server document, on the Ports - Notes Network Ports tab,
change the name of the port to the new name and save the
document.
10. If this server is the source server for any Connection documents in
the Domino Directory, click Server - Connections.
11. Select a Connection document and click Edit Connection.
12. On the Basics tab, enter the new port name in the Use the port(s)
field.
13. Save and close the Connection document.
14. Repeat steps 11 to 13 for each Connection document for which this
server is the source.
Reordering network ports on a server
Changing the order in which ports are listed in the Setup Ports dialog
box also changes the Ports setting in the NOTES.INI file. List the ports in
the order in which you want them to be used, for example, list nearest
or fastest connections first. Then when a server uses a Notes named
network or a Connection document to locate another server, the port
with a close or fast connection will be used as the preferred path.
If the Domino server has multiple TCP/IP ports, see the topic
Reordering multiple server ports for TCP/IP later in this chapter.
To reorder network ports
1. From the Domino Administrator or Web Administrator, click the
server on which you want to reorder ports.
2. Click the Configuration tab.
3. Do one of these:
• From the Domino Administrator's Tools pane, choose Server Setup Ports.
• From the Web Administrator's Port tool, choose Setup.
4. Select the port that you want to relocate in the list.
5. Click the up and down arrows, as necessary, to relocate the port.
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
• From the Domino Administrator's Tools pane, choose Restart Port.
(If you can't see the Tools pane, make sure you are in the Server
Tasks view.)
• From the Web Administrator's Ports tool, choose Restart.
9. In the Server document, on the Ports - Notes Network Ports tab,
change the port order to the new order by cutting and pasting all the
necessary fields.
10. Save the Server document.
Note When you create a Connection document on a server, the
Connection document takes the port order from the order in the Setup
Ports dialog box. Then, whenever the server connects with the
destination server, the server obtains the port order directly from the
Connection document. If you change the port order after you create
Connection documents, you must save each Connection document again.
To have different Connection documents reflect different port orders,
change the port order, save a Connection document, change the port
order again, save another Connection document, and so on.
Deleting a network port on a server
If you delete a port, it no longer appears in the list of available ports in
the Setup Ports dialog box.
1. From the Domino Administrator or Web Administrator, click the
server on which you want to delete a port.
2. Click the Configuration tab.
3. Do one of these:
• From the Domino Administrator's Tools pane, choose Server Setup Ports.
• From the Web Administrator's Port tool, choose Setup.
4. Select the port you want to delete.
5. Click Delete.
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
• From the Domino Administrator's Tools pane, choose Restart Port.
(If you can't see the Tools pane, make sure you are in the Server
Tasks view.)
• From the Web Administrator's Ports tool, choose Restart.
9. In the Server document, on the Ports - Notes Network Ports tab,
delete the contents of all the fields next to the name of the port you
are deleting.
10. Save the Server document.
Encrypting NRPC communication on a server port
You can encrypt network data on a server's Notes network ports to
prevent the network eavesdropping that's possible with a network
protocol analyzer. Network encryption occurs at the application layer of
a given protocol and is independent of other forms of encryption.
Network data is encrypted only while it is in transit. After the data is
received and stored, network encryption is no longer in effect.
Network data encryption occurs if you enable network data encryption
on either side of a network connection. For example, if you enable
encryption on a server's Notes network port for TCP/IP, you don't need
to enable encryption on the TCP/IP ports of workstations or servers that
connect to the server.
If you want the server to have one TCP/IP port for Notes traffic over the
Internet and another TCP/IP port for internal traffic over NRPC, you can
encrypt the port for Internet traffic and leave the port for internal traffic
unencrypted.
Be aware that multiple high-speed encrypted connections to a server can
affect server performance adversely. Encrypting network data has little
effect on client performance. For protocols other than NRPC, you use SSL
for encryption.
For more information, see the chapter Setting Up SSL on a Domino
Server.
To encrypt NRPC communication
1. From the Domino Administrator or Web Administrator, choose the
server for which you want to encrypt network data.
2. Click the Configuration tab.
3. Do one of these:
• From the Domino Administrator's Tools pane, choose Server Setup Ports.
• From the Web Administrator's Port tool, choose Setup.
4. Select the port you want to encrypt.
5. Select Encrypt network data.
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
• From the Domino Administrator's Tools pane, choose Restart Port.
(If you can't see the Tools pane, make sure you are in the Server
Tasks view.)
• From the Web Administrator's Ports tool, choose Restart.
Compressing network data on a server port
To reduce the amount of data transmitted between a Notes workstation
and Domino server or between two Domino servers, enable network
compression for each enabled network port. Whether you should enable
compression on a network port depends on the type of network
connection and the type of data being transmitted.
For compression to work, enable it on both sides of a network
connection. To enable compression for a network port on a server, use
the Server tab in the Domino Administrator. To enable compression on
network ports on Notes workstations, from the Domino Administrator,
use a setup or desktop policy settings document or from a workstation,
use the User Preferences dialog box.
For information on policy settings, see the chapter Using Policies.
WAN connections
Enabling network compression on X.PC ports can significantly reduce
the time it takes to send and receive data over a remote connection
between a Notes workstation and a Domino server or between two
Domino servers.
You benefit from using network compression only if the data being
transmitted is not already compressed. In the case of a network dialup
service such as Microsoft's Remote Access Service (RAS), which includes
built-in compression, enabling compression on Notes network ports does
not provide any additional benefit. The same is true of tasks involving
data that was compressed using the Lempel-Ziv algorithm (LZ1
compression) such as replicating a mail file with a large number of
compressed attachments.
LAN connections
While compression decreases bandwidth use on a LAN, you must weigh
this gain against increased memory and processor use, since network
compression works by buffering data before compressing it. The cost of
compression might be worth it only for a heavily loaded network.
To compress data on a server port
1. From the Domino Administrator or Web Administrator, click the server for which you want to turn on network compression.
2. Click the Configuration tab.
3. Do one of these:
   From the Domino Administrator's Tools pane, choose Server - Setup Ports.
   From the Web Administrator's Port tool, choose Setup.
4. Select the port for which you want to turn on compression.
   Note Make sure Port enabled is selected for that port.
5. Select Compress network data.
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
   From the Domino Administrator's Tools pane, choose Restart Port. (If you can't see the Tools pane, make sure you are in the Server Tasks view.)
   From the Web Administrator's Ports tool, choose Restart.

Server setup tasks specific to TCP/IP

After you run the Domino Server Setup program, complete these procedures:
1. Set up a secondary name server for Notes clients.
2. Change the server's connection-time-out interval.
3. For servers that provide services to Internet clients, enable Domino support for IPv6.
4. For configurations involving multiple NICs on a server or partitioned server:
   Reorder multiple Notes network ports for TCP/IP.
   Bind an NRPC port to an IP address.
   Bind an Internet service to an IP address.
5. For a partitioned server with a single NIC for the entire computer, assign an IP address to each server partition.
6. Change a default TCP or SSL port number.
7. Confirm that TCP/IP is configured properly.

Setting up a secondary name server


To ensure that the Notes Name Service is always available to Notes workstations, assign a secondary name server in users' Location documents. You can specify a different secondary name server for each LAN location defined. The secondary name server is used when:
   The user's home server is down.
   The user's home server is not running TCP/IP.
   The name of the user's home server cannot be resolved over TCP/IP.
For examples of situations in which the name of a home server cannot be resolved, see the topic Ensuring DNS resolves in advanced TCP/IP configurations earlier in this chapter.
Note You can use setup or desktop policy settings to assign secondary name servers to groups of users.
For more information, see the chapter Using Policies.
To set up a secondary name server
1. On the Notes workstation, choose File - Mobile - Locations, and open the location for which you want to designate a secondary name server.
2. Click Edit Location.
3. Click the Advanced - Secondary Servers tab. (The Advanced tab appears only if you have a location defined as Local Area Network or Both Dialup and Local Area Network.)
4. In the Secondary TCP/IP Notes server name field, enter one of the following:
   The common name of the Domino server, for example, Notesserver1
   The hierarchical name of the Domino server, for example, Notesserver1/Acme
5. In the Secondary TCP/IP host name or address field, enter one of the following:
   The IP address, for example, 197.114.33.22
   The fully qualified domain name, for example, notesserver1.acme.com
   The simple host name, for example, notesserver1
   If you specify only the host name in this field, the workstation must use the Domain Name System (DNS) or local hosts file to locate the secondary name server. When you specify the IP address in this field, Lotus Domino resolves the host's IP address without having to perform a DNS or hosts file lookup.
6. Click Save and Close.

Changing the TCP/IP connection-time-out interval

You might want to increase the number of seconds that Lotus Domino waits before terminating a connection attempt. For example, increasing the time-out interval is often necessary on a server that dials up other Domino servers. The default time-out interval is 5 seconds.
1. From the Domino Administrator or Web Administrator, click the server for which you want to change the time-out interval.
2. Click the Configuration tab.
3. Do one of these:
   From the Domino Administrator's Tools pane, choose Server - Setup Ports.
   From the Web Administrator's Port tool, choose Setup.
4. Select the TCP/IP port.
5. Click TCPIP Options, and enter a number.
   Note Unless the connection is over a dial-on-demand ISDN modem, remote bridge, or router, it is best to enter a number no greater than 10, as the Notes client or Domino server won't retry the connection until the timer has expired.
6. Click OK.

Enabling support for IPv6 on a Domino server

You can enable support for IPv6 on a Domino server that runs the IMAP, POP3, SMTP, LDAP, or HTTP service.
To enable IPv6, add this NOTES.INI setting to the server's NOTES.INI file:
TCP_EnableIPV6=1

Reordering multiple server ports for TCP/IP

If a Domino server has multiple Notes network ports for TCP/IP, the order in which these ports are listed in the NOTES.INI file and the Server document affects how other servers and workstations connect to this server. The Ports setting in the NOTES.INI file determines which port a workstation or server tries first. In the absence of other settings that bind an NRPC, POP3, IMAP, SMTP, or LDAP service to an IP address, all of these services will try to use the port listed first in the NOTES.INI file.

Server-to-server communication
If you add a second Notes network port for TCP/IP in order to isolate server-to-server communication (for example, a private network for cluster replication), list this port first in the NOTES.INI file so that server-to-server traffic will tend to occur over this connection, thus decreasing the data flow on the port for the user network. To change the port order in the NOTES.INI file, use the Port Setup dialog box.
For more information, see the topic Reordering network ports on a server earlier in this chapter.
Note If you are setting up a private cluster network and do not list the server port first, you must add the setting Server_Cluster_Default_Port to the NOTES.INI file. The disadvantage of adding this setting is that if the server encounters a problem connecting over this port, it will not try another port, and replication will not occur.
For more information on the Server_Cluster_Default_Port setting, see the appendix NOTES.INI File.
Workstation-to-server communication
If a Domino server has a port for workstations to connect on (for example, over a LAN) and another port for servers to connect on (for example, over a WAN), list the workstation port first in the Server document so that users see only servers on the LAN when they choose File - Database - Open.
To reorder the ports in the Server document, click the Ports - Notes
Network Ports tab, and edit the fields in the table.

Binding an NRPC port to an IP address


By default, all TCP/IP-based services on a Domino server listen for
network connections on all NICs and on all configured IP addresses on
the server. If you have enabled more than one Notes network port for
TCP/IP (TCP port for NRPC) on either a single Domino server or a
Domino partitioned server, you must associate the NRPC ports and IP
addresses by binding each port to an address.
For background information on Domino server setups with multiple IP
addresses, see the topic Advanced Domino TCP/IP configurations
earlier in this chapter.
To bind an NRPC port to an IP address
1. For each IP address, make sure you have added a Notes port for
TCP/IP. Also make sure that each port has a unique name.
For information on adding a Notes port, see the topic Adding a
network port on a server earlier in this chapter.
2. In the NOTES.INI file, confirm that these lines appear for each port that you added:
Ports=TCPIPportname
TCPIPportname=TCP, 0, 15, 0
   where TCPIPportname is the port name you defined.
3. For each port that you want to bind to an IP address, add this line to the NOTES.INI file:
TCPIPportname_TCPIPAddress=0,IPaddress
   where IPaddress is the IP address of the specific NIC. For example:
TCPIP_TCPIPAddress=0,130.123.45.1
   Note For IPv6, enclose the address in square brackets, as it contains colons. For example:
TCPIP_TCPIPAddress=0,[fe80::290:27ff:fe43:16ac]
4. (Optional) To help you later remember the function of each port, add the default TCP port number for NRPC to the end of the line you entered in Step 3, as follows:
:1352
   Caution Do not change the assigned TCP port number unless you have a way to redirect the inbound connection with Domino port mapping or a firewall that has port address translation (PAT). In a situation where you must change the default NRPC port number, see the topic Changing a TCP or SSL port number later in this chapter.

Binding an Internet service to an IP address

If the Domino server has multiple Notes network ports for TCP/IP (NRPC ports) and the server is also hosting the SMTP, POP3, IMAP, LDAP, or Internet Cluster Manager (ICM) service, you must specify the NRPC port that you want the service to use in the NOTES.INI file. If you do not specify an NRPC port for an Internet service, by default the service will use the port listed first in the Ports setting in the NOTES.INI file. You can specify the same NRPC port for multiple Internet services.
For the Domino Web server (HTTP service), you use the Server document to bind HTTP to a host name or IP address.

To bind the SMTP, POP3, IMAP, LDAP, or ICM service

1. Bind each NRPC port to an IP address.
2. In the NOTES.INI file, specify the appropriate NRPC port for each Internet service as follows:
   Note If you don't know the port name to enter for an NRPC port, open the Server document, click the Ports - Notes Network Ports tab, and look at the ports associated with the TCP protocol.

   Service   Action
   POP3      Enter POP3NotesPort=port name
   IMAP      Enter IMAPNotesPort=port name
   SMTP      Enter SMTPNotesPort=port name
   LDAP      Enter LDAPNotesPort=port name
   ICM       Enter ICMNotesPort=port name

   In each case, port name is the name of the NRPC port that you want to link the service to.

Example
The following example shows the lines to add to the Ports section of the NOTES.INI file to bind two NRPC ports to their IP addresses and to specify the second NRPC port for the SMTP service. The lines you add are TCPIP_TCPIPAddress, TCPIP2_TCPIPAddress, and SMTPNotesPort; Domino adds the other lines when you use either the Domino Server Setup program or the Domino Administrator's Setup Ports dialog box to enable a port.
Ports=TCPIP, TCPIP2
TCPIP=TCP, 0, 15, 0
TCPIP_TCPIPAddress=0,10.33.52.1
TCPIP2=TCP, 0, 15, 0
TCPIP2_TCPIPAddress=0,209.98.76.10
SMTPNotesPort=TCPIP2

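The following Python script is an added example, not code from the Lotus documentation or from Domino itself. It reads a NOTES.INI fragment and checks the rules stated in this topic and in Binding an NRPC port to an IP address: every port listed in Ports= has a definition, every TCP port is bound to an address when more than one is enabled, IPv6 addresses are bracketed, and each service NotesPort line names a known Internet service and an enabled TCP port. Both fragments are constructed; the second deliberately carries a misspelled port name in Ports= and a misspelled SMTP key, which Domino would not read as an SMTP setting, so SMTP would fall back to the first port in Ports= as described above. Case-insensitive matching of keys and port names is an assumption of this script.

```python
"""Check NRPC port bindings and Internet-service port assignments in a NOTES.INI fragment.

Added example, not Lotus/IBM code. Settings it understands (as described in the
"Binding an NRPC port" and "Binding an Internet service" topics):
  Ports=<name>[, <name>...]               enabled Notes network ports
  <name>=TCP, 0, 15, 0                    definition Domino adds for a TCP port
  <name>_TCPIPAddress=0,<addr>[:<tcp>]    binding of the port to a NIC address (IPv6 in [ ])
  <service>NotesPort=<name>               SMTP/POP3/IMAP/LDAP/ICM linked to an NRPC port
Assumption: NOTES.INI keys and port names are compared case-insensitively.
"""
import ipaddress
import re

INTERNET_SERVICES = {"POP3", "IMAP", "SMTP", "LDAP", "ICM"}
NOTES_PORT_SUFFIX = "NotesPort"


def parse_notes_ini(text):
    """Map lower-cased key -> (key as written, value); later duplicates overwrite earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = (key.strip(), value.strip())
    return settings


def parse_address_binding(value):
    """Parse '0,<address>[:<port>]' and return (ip_address object, port or None)."""
    prefix, sep, rest = value.partition(",")
    if not sep or prefix.strip() != "0":
        raise ValueError("binding must have the form 0,<address>")
    rest = rest.strip()
    bracketed = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", rest)
    if bracketed:
        host, port = bracketed.group(1), bracketed.group(2)
    else:
        host, _, port = rest.partition(":")
        if ":" in port:  # a second colon means an IPv6 address written without brackets
            raise ValueError("IPv6 address must be enclosed in square brackets")
    ip = ipaddress.ip_address(host)  # ValueError for anything that is not an address
    if bracketed and ip.version != 6:
        raise ValueError("square brackets are only used for IPv6 addresses")
    if port:
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(f"TCP port {port} is out of range")
    else:
        port = None
    return ip, port


def check_bindings(settings):
    """Return a list of findings; an empty list means the fragment is consistent."""
    findings = []
    if "ports" not in settings:
        return ["no Ports= setting found"]
    ports = [p.strip() for p in settings["ports"][1].split(",") if p.strip()]
    tcp_ports = []
    for name in ports:
        entry = settings.get(name.lower())
        if entry is None:
            findings.append(f"{name} is listed in Ports= but has no {name}= definition")
        elif entry[1].split(",")[0].strip().upper() == "TCP":
            tcp_ports.append(name)
    for name in tcp_ports:
        key = f"{name}_TCPIPAddress"
        entry = settings.get(key.lower())
        if entry is None:
            if len(tcp_ports) > 1:  # with several NRPC ports each one must be bound to an address
                findings.append(f"{key} is missing; with {len(tcp_ports)} TCP ports every port must be bound")
            continue
        try:
            parse_address_binding(entry[1])
        except ValueError as exc:
            findings.append(f"{entry[0]}: {exc}")
    enabled = {p.lower() for p in tcp_ports}
    for lower, (key, value) in settings.items():
        if not lower.endswith(NOTES_PORT_SUFFIX.lower()):
            continue
        service = key[: -len(NOTES_PORT_SUFFIX)].upper()
        if service not in INTERNET_SERVICES:
            findings.append(f"{key}: {service} is not a service that can be bound this way")
        elif value.lower() not in enabled:
            findings.append(f"{key}: {value} is not an enabled TCP port")
    return findings


# Constructed fragments: a consistent one and one with two typos and an unbracketed IPv6 address.
GOOD = """\
Ports=TCPIP, TCPIP2
TCPIP=TCP, 0, 15, 0
TCPIP_TCPIPAddress=0,10.33.52.1
TCPIP2=TCP, 0, 15, 0
TCPIP2_TCPIPAddress=0,[fe80::290:27ff:fe43:16ac]:1352
SMTPNotesPort=TCPIP2
"""
BAD = """\
Ports=TCPIP, TCP1P2
TCPIP=TCP, 0, 15, 0
TCPIP_TCPIPAddress=0,fe80::290:27ff:fe43:16ac
TCPIP2=TCP, 0, 15, 0
TCPIP2_TCPIPAddress=0,209.98.76.10
SMPTNotesPort=TCPIP2
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, check_bindings(parse_notes_ini(text)) or "no findings")
```

Run it against a copy of a server's NOTES.INI before restarting a port; a TCP port that is defined but not listed in Ports= is deliberately not reported, since Domino simply does not enable it.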

To bind the HTTP service

1. On the Internet Protocols - HTTP tab of the Server document, enter one or more IP addresses or FQDNs for the server in the Host name(s) field.
2. Select Enabled in the Bind to host name field.
Note If the server is a partitioned server and has Web sites configured with separate IP addresses, or has virtual servers (Domino 5) configured for one or more partitions, enter the partition's IP address, and each Web site or virtual server's IP address in the Host name(s) field, separated by semicolons. Alternatively, you can use FQDNs in this field. Do not list additional Web sites and virtual hosts that have IP addresses that are already listed in this field.
Example 1 Server partition with Web sites
The partition's host name is app01 and there are two Web sites configured for it: sales.acme.com and accounting.acme.com. The Web site sales.acme.com uses the same IP address as the partition, and the Web site accounting.acme.com has its own IP address. Enter the following in the Host name(s) field:
9.88.43.113;9.88.46.110
where 9.88.43.113 is the IP address for both the partition and the Web site sales.acme.com and 9.88.46.110 is the IP address for the Web site accounting.acme.com.
Example 2 Server partition with virtual servers
The partition's host name is app01 and there are two virtual servers (9.88.46.114 and 9.88.46.115) and one virtual host configured for it. Enter the following in the Host name(s) field:
9.88.43.113;9.88.46.114;9.88.46.115
where 9.88.43.113 is the IP address for both the partition and the virtual host sales.acme.com, 9.88.46.114 is the IP address for virtual server 1 (accounting.acme.com), and 9.88.46.115 is the IP address for virtual server 2 (northeastsales.acme.com).
For information on Web sites and Internet Site documents, see the chapter Installing and Setting Up Domino Servers.

Assigning separate IP addresses to partitions on a system with a single NIC

If you use a single NIC with multiple IP addresses, you must complete additional configuration instructions, which are based on your operating system, for each server partition.
Note Using separate IP addresses with a single NIC can have a negative impact on the computer's I/O performance.
For background information on partitioned servers and the TCP/IP
network, see the topic Partitioned servers and IP addresses earlier in
this chapter.
IBM AIX or Linux
You must be logged on as root.
To enable an IP address in IBM AIX
1. Add one entry in the local host names file /etc/hosts for each server partition. The entry for the partition that uses the computer host name should already exist.
2. To enable an IP address, enter this command under the heading Part 2 - Traditional Configuration in the startup file (/etc/rc.net). Do not enter this command for the partition that uses the computer host name.
/usr/sbin/ifconfig interface alias server_name
   where interface is the name of the network interface, and server_name is the name of the partitioned server. For example:
/usr/sbin/ifconfig en0 alias server2
3. Restart the system if necessary, and test the configuration. From another computer, use the ping command with the server names. To show the network status, use the netstat command.
To disable an IP address in IBM AIX or Linux
Do not remove the IP address of a server partition that uses the computer host name as its server name.
1. Enter this command at the console:
/usr/sbin/ifconfig interface delete server_name
   where interface is the name of the network interface, and server_name is the name of the partitioned server.
2. Remove the partition's name entry from the local host names /etc/hosts file.
3. Remove the corresponding ifconfig command from the system startup /etc/rc.net file.

Sun Solaris
This procedure is for Sun Solaris 2.6. You must have superuser privileges to configure the NIC.
To enable an IP address in Sun Solaris
1. Add one entry in the local host names /etc/hosts file for each server partition. The entry for the partition that uses the computer host name should already exist.
2. For each partition, create a file named:
/etc/hostname.device:n
   where device is the device name of the NIC, and n is a number that increments for each file name. The /etc/hostname.hme0 file should already exist and contain the computer host name.
   For example, if /etc/hostname.hme0 contains the name Server1, create:
/etc/hostname.hme0:1
   which contains the name Server2, and
/etc/hostname.hme0:2
   which contains the name Server3.
3. Create the alias for each IP address that goes to the NIC, which is hme0. At the console, enter:
/sbin/ifconfig hme0 plumb
/sbin/ifconfig hme0:n IP_address
   where n is the number you created in Step 2 for each file name, and IP_address is the address assigned to the corresponding server in Step 1. For example:
/sbin/ifconfig hme0 plumb
/sbin/ifconfig hme0:1 111.123.11.96
/sbin/ifconfig hme0:2 111.123.11.22
4. To verify the IP addresses that you configured, enter:
/sbin/ifconfig -a
5. To enable each IP address that you configured in Step 3, enter:
/sbin/ifconfig hme0:n up
   where n is the number assigned to the file that contains the server name. For example:
/sbin/ifconfig hme0:1 up
/sbin/ifconfig hme0:2 up
   To disable an IP address, enter:
/sbin/ifconfig hme0:n down
6. To configure the NIC to support multiple IP addresses at system startup, add this ifconfig command to the startup file (probably /etc/rc2.d/S30sysident):
/sbin/ifconfig hme0 plumb
/sbin/ifconfig hme0:n IP_address
/sbin/ifconfig hme0:n up
   where n corresponds to the number you created in Step 2 for each file name, and IP_address is the address assigned to the corresponding server in Step 1.
7. Test the configuration. From another computer, use the ping command with the server names. To show the network status, use the netstat command.
To disable an IP address in Sun Solaris
Do not remove the IP address of the server partition that uses the computer host name as its server name.
1. To disable the IP address, type:
/sbin/ifconfig hme0:n down
   where n is the number assigned to the file that contains the server name. For example:
/sbin/ifconfig hme0:1 down
2. Remove the corresponding /etc/hostname.hme0:n file. For example, to remove Server2, remove the /etc/hostname.hme0:1 file, which contains the name Server2.
3. Remove the partition's server name entry from the local host names /etc/hosts file.
Windows
To configure a single NIC for multiple IP addresses on Windows systems, do the following:
   On Windows NT, use the Network icon on the Control Panel. For more information, see the Windows NT documentation.
   For Windows 2000, use the Network and Dial-up Connections icon on the Control Panel, and then the Local Area Connection icon. Click the Properties button. For more information, see the Windows 2000 documentation.

Configuring a partitioned server for one IP address and port mapping

To configure server partitions to share the same IP address and the same NIC, you use port mapping. With port mapping, you assign a unique TCP port number to each server partition and designate one partition to perform port mapping. The port-mapping partition listens on port 1352 and redirects Notes and Domino connection requests to the other partitions.
If the port-mapping partition fails, existing sessions on the other partitions remain connected. In most cases, Notes clients will not be able to open new sessions on any of the partitions. However, because each Notes client maintains information in memory about recent connections, including those redirected by the port-mapping partition, a client may be able to connect to a partition even when the port-mapping partition is not running. A client or remote server that has a Connection document containing both the IP address and the assigned port can always access the port-mapping partition.
Because the port-mapping partition requires extra system resources, consider dedicating the partition to this task only. To do this, remove all other server tasks, such as mail routing and replication, from the partition's NOTES.INI file.
Port mapping works for NRPC communication only. However, you can use the Server document in the Domino Directory to configure IMAP, LDAP, and POP3 services and Domino Web servers to use unique ports for communication. When you do, you must make the port number available to users when they try to connect to the servers.
Note Because Internet protocols carry a large amount of data, you may encounter I/O bottlenecks if you use a single NIC with too many server partitions. Consider adding additional NICs and isolating the data by protocol.
To configure for one IP address and port mapping
When you set up port mapping, the port-mapping partition automatically routes NRPC communication requests to the other server partitions.
1. Decide which server partition will perform port mapping.
2. Choose a unique TCP/IP port number for each server partition on the computer. The port-mapping partition uses the assigned port, 1352. It is best to use port numbers 13520, 13521, 13522, 13523, or 13524 for the additional server partitions.

3. In the NOTES.INI file of the port-mapping partition, include one line for the port-mapping partition and one line for each of the other partitions. For the port-mapping partition, enter:
TCPIP_TcpIpAddress=0,IPAddress:1352
   where TCPIP is the port name, and IPAddress is the IP address of the port-mapping partition.
   For each of the other partitions, enter:
TCPIP_PortMappingNN=CN=server_name/O=org,IPAddress:TCP/IP port number
   where TCPIP is the port name, NN is a number between 00 and 04 assigned in ascending sequence, server_name is the server name of the partition, org is the organization name, IPAddress is the shared IP address, and TCP/IP port number is the unique port number you chose for the partition.
   Note You must assign the numbers for NN in ascending order beginning with 00 and ending with a maximum of 04. If there is a break in the sequence, Domino ignores the subsequent entries.
4. In the NOTES.INI file of each of the other partitions, include this line:
TCPIP_TcpIpAddress=0,IPAddress:IPport_number
   where TCPIP is the port name, IPAddress is the shared IP address, and IPport_number is the unique port number you chose for the partitioned server.
5. In the Net Address field on the Ports - Notes Network Ports tab in the Server document for each partition, enter the fully qualified domain name (for example, sales.acme.com) or enter the common server name (for example, Sales).
6. Create an IP address entry for the port-mapping partition in the DNS, NIS, or the local hosts file.
7. Include each partition name as a separate CNAME entry in the DNS, NIS, or the local hosts file.
8. If you also plan to set up the partitions for IMAP, LDAP, and POP3 services and Web server communication, assign to each protocol a unique port number in the TCP/IP port number field on the appropriate subtabs (Web, Directory, and Mail) on the Ports - Internet Ports tab of the Server document.
   Note You must make these port numbers available to users when they try to connect to these servers. For example, if you assign port 12080 to the Web server acme.com, users must include acme.com:12080 in the URL in order to connect to the server, unless they have a means to redirect the connection to this port assignment.
Example
This example shows the lines you add to the NOTES.INI files of the server partitions to set up port mapping for six partitions.
Partition 1 (the port-mapping partition)
TCPIP_TcpIpAddress=0,192.94.222.169:1352
TCPIP_PortMapping00=CN=Server2/O=Org2,192.94.222.169:13520
TCPIP_PortMapping01=CN=Server3/O=Org3,192.94.222.169:13521
TCPIP_PortMapping02=CN=Server4/O=Org4,192.94.222.169:13522
TCPIP_PortMapping03=CN=Server5/O=Org5,192.94.222.169:13523
TCPIP_PortMapping04=CN=Server6/O=Org6,192.94.222.169:13524
Partition 2
TCPIP_TcpIpAddress=0,192.94.222.169:13520
Partition 3
TCPIP_TcpIpAddress=0,192.94.222.169:13521
Partition 4
TCPIP_TcpIpAddress=0,192.94.222.169:13522
Partition 5
TCPIP_TcpIpAddress=0,192.94.222.169:13523
Partition 6
TCPIP_TcpIpAddress=0,192.94.222.169:13524
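As an added example (not Lotus or IBM code), the following Python script generates the NOTES.INI lines for a port-mapped layout from a list of partitions and then reads them back the way the Note in Step 3 says Domino does: PortMappingNN entries are honoured only while the NN sequence runs without a break from 00, and at most five are read. It also cross-checks each partition's own TcpIpAddress line against the mapper's entry for it, which catches a partition listening on a port other than the one the mapper redirects to. The regular expressions assume IPv4 addresses and port names without underscores; the partition names, organization names and port numbers are the ones in the example above.

```python
"""Generate and cross-check Domino port-mapping lines for partitions that share one IP address.

Added example, not Lotus/IBM code. It builds the NOTES.INI lines the section describes:
  port-mapping partition:  <port>_TcpIpAddress=0,<ip>:1352
                           <port>_PortMappingNN=CN=<server>/O=<org>,<ip>:<tcp port>  (NN = 00..04)
  every other partition:   <port>_TcpIpAddress=0,<ip>:<tcp port>
and applies the rule stated in the Note: entries after a break in the 00..04 sequence are ignored.
Assumption: IPv4 addresses and port names without underscores (the section's examples are IPv4).
"""
import re

NRPC_PORT = 1352
MAX_MAPPINGS = 5  # PortMapping00 .. PortMapping04

MAPPING_RE = re.compile(
    r"^(?P<port>[^_=]+)_PortMapping(?P<nn>\d{2})="
    r"CN=(?P<server>[^/]+)/O=(?P<org>[^,]+),\s*(?P<ip>[^:]+):(?P<tcp>\d+)$",
    re.IGNORECASE,
)
ADDRESS_RE = re.compile(
    r"^(?P<port>[^_=]+)_TcpIpAddress=0,\s*(?P<ip>[^:]+):(?P<tcp>\d+)$", re.IGNORECASE
)


def build_port_mapping(port_name, shared_ip, mapper, others):
    """Return {partition common name: NOTES.INI lines}.

    others is a list of (common name, organization, tcp port) for the partitions
    behind the port-mapping partition, in PortMapping00..04 order.
    """
    if len(others) > MAX_MAPPINGS:
        raise ValueError(f"at most {MAX_MAPPINGS} partitions can be mapped")
    tcp_ports = [tcp for _, _, tcp in others]
    if NRPC_PORT in tcp_ports or len(set(tcp_ports)) != len(tcp_ports):
        raise ValueError("each partition needs a unique TCP port other than 1352")
    files = {mapper: [f"{port_name}_TcpIpAddress=0,{shared_ip}:{NRPC_PORT}"]}
    for nn, (server, org, tcp) in enumerate(others):
        files[mapper].append(f"{port_name}_PortMapping{nn:02d}=CN={server}/O={org},{shared_ip}:{tcp}")
        files[server] = [f"{port_name}_TcpIpAddress=0,{shared_ip}:{tcp}"]
    return files


def effective_mappings(mapper_lines):
    """Split the PortMappingNN entries into (active, ignored) as Domino would read them."""
    found = {}
    for line in mapper_lines:
        m = MAPPING_RE.match(line.strip())
        if m:
            found[int(m.group("nn"))] = m.groupdict()
    active, ignored, expected = [], [], 0
    for nn in sorted(found):
        if nn == expected and nn < MAX_MAPPINGS:  # contiguous from 00 and within 00..04
            active.append(found[nn])
            expected += 1
        else:
            ignored.append(found[nn])
    return active, ignored


def check_partitions(mapper_lines, partitions):
    """Cross-check each partition's own TcpIpAddress line against the mapper. Returns findings."""
    findings = []
    active, ignored = effective_mappings(mapper_lines)
    for m in ignored:
        findings.append(f"PortMapping{m['nn']} ({m['server']}) is ignored: break in the 00..04 sequence")
    by_server = {m["server"].lower(): m for m in active}
    for server, lines in partitions.items():
        m = by_server.get(server.lower())
        if m is None:
            findings.append(f"{server}: no active PortMapping entry on the port-mapping partition")
            continue
        addr = None
        for line in lines:
            addr = ADDRESS_RE.match(line.strip())
            if addr:
                break
        if addr is None:
            findings.append(f"{server}: no {m['port']}_TcpIpAddress line")
        elif (addr.group("ip"), addr.group("tcp")) != (m["ip"], m["tcp"]):
            findings.append(f"{server}: listens on {addr.group('ip')}:{addr.group('tcp')} "
                            f"but the mapper sends it {m['ip']}:{m['tcp']}")
    return findings


# Constructed input: the six-partition layout from the example in this section.
OTHERS = [(f"Server{i}", f"Org{i}", 13518 + i) for i in range(2, 7)]  # ports 13520..13524
FILES = build_port_mapping("TCPIP", "192.94.222.169", "Server1", OTHERS)

if __name__ == "__main__":
    for partition, lines in FILES.items():
        print(f"--- {partition}")
        print("\n".join(lines))
    print(check_partitions(FILES["Server1"], {s: FILES[s] for s, _, _ in OTHERS}))
```

Feed check_partitions the relevant lines from each partition's real NOTES.INI to confirm the layout before a restart; the ignored list is what the Note warns about.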

Changing a TCP or SSL port number

The following sections describe the TCP ports that Domino services use and provide guidelines should you ever need to change these ports.
Default port for NRPC
By default, all NRPC connections use TCP port 1352. Because the Internet Assigned Numbers Authority (IANA) assigned Lotus Domino this port number, non-Domino applications do not usually compete for this port. Do not change the default NRPC port unless:
   You can use a NAT or PAT firewall system to redirect a remote system's connection attempt.
   You are using Domino port mapping.
   You create a Connection document that contains the reassigned port number.
To change the default NRPC port number, use the NOTES.INI setting TCPIPportname_TCPIPAddress and enter a value available on the system that runs the Domino server. TCP ports with numbers less than 5000 are reserved for application vendors. You may use any number from 1024 through 5000, as long as you don't install a new application that requires that number.
Default ports for Internet services
You may occasionally need to change the number of the TCP or SSL port assigned to an Internet service. Lotus Domino uses these default ports for Internet services:

Service            Default TCP port   Default SSL port
POP3               110                995
IMAP               143                993
LDAP               389                636
SMTP inbound       25                 465
SMTP outbound      25                 465
HTTP               80                 443
IIOP               63148              63149
Server Controller  N/A                2050

Confirming that TCP/IP is configured properly


Before you can use TCP/IP for communication, use the following tests to
confirm that the configuration is properly set up:
1. Use the ping command with the remote system's TCP/IP address, for example, ping 192.9.200.1. If this is unsuccessful, the TCP/IP software isn't properly installed and configured. TCP/IP must be working before you can use it. Contact the TCP/IP software vendor or operating system vendor if you need assistance.
2. Use the ping command with the FQDN of the remote server, for example, ping mail05.boston.acme.com. If this is unsuccessful, the host-name-to-IP-address translation isn't working. If you can't ping by host name, the server or workstation will not be able to communicate with the server running on the remote system.
3. If you use a local hosts file, make sure that it contains the server name and IP address of every Domino server with which you want to communicate.
4. If you use DNS, make sure that you have properly configured the TCP/IP software on this system to query the correct DNS server. Make sure that your DNS records include the server name and IP address of every Domino server with which you want to communicate.
   Note Make sure that your IP host names do not contain illegal characters such as spaces, underscores, or ampersands.
5. If you use the Network Information Service (NIS), make sure that you have properly configured the UNIX system for NIS. Make sure that the NIS hosts map contains the server name and IP address of every Domino server with which you want to communicate.
6. Depending on your name-resolution practices, do one of the following:
   If your Domino server names are the same as the DNS host names, make sure you have followed the instructions in the topics Ensuring DNS resolves on Windows systems - All TCP protocols, Ensuring DNS resolves in NRPC - Best practices, and Ensuring DNS resolves in advanced TCP/IP configurations.
   If your Domino server names are different from the DNS host names, use the ping command to verify that all of the DNS names which represent the Domino server are responding from the correct network areas, as well as the Domino server name, if needed.
   If you are using IP addresses in Connection documents, use the ping command to verify the IP address itself.
   If you are using network address translation (NAT), verify that access is possible from both the internal network and external Internet using the appropriate IP addresses. If you are using name-resolver services, make sure that the external DNS offers out the public address and the internal DNS offers out the private address.
For more information on the last three practices in Step 6, see the topic Ensuring DNS resolves in NRPC - Alternative practices earlier in this chapter.
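Step 3 and the Note about illegal characters can be checked without a network. The following Python script is an added example, not code from the documentation: it parses a hosts file, reports Domino servers that have no entry, host names that contain spaces, underscores, or ampersands (anything outside letters, digits, hyphen and dot is rejected here, an assumption stricter than the text), and a host name that two lines map to different addresses. The hosts file, server names and addresses are constructed for the example.

```python
"""Offline checks for Step 3 and the Note in "Confirming that TCP/IP is configured properly".

Added example, not Lotus/IBM code. Given a local hosts file and the Domino servers this
system must reach, it reports servers with no hosts entry, host names containing characters
the Note calls illegal (spaces, underscores, ampersands; anything outside letters, digits,
hyphen and dot is rejected here, an assumption stricter than the text), and a host name that
two lines map to different addresses.
"""
import ipaddress
import re

# RFC 1123 host label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def parse_hosts(text):
    """Return ({lower-cased name: ip}, findings). '#' starts a comment, as in a real hosts file."""
    names, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append(f"line {lineno}: {fields[0]!r} is not an IP address")
            continue
        if len(fields) < 2:
            findings.append(f"line {lineno}: address {ip} has no host name")
            continue
        for name in fields[1:]:
            key = name.lower()
            if key in names and names[key] != ip:
                findings.append(f"line {lineno}: {name} already maps to {names[key]}, now {ip}")
            names.setdefault(key, ip)  # first entry wins, as resolvers normally behave
    return names, findings


def check_hostname(hostname):
    """Findings for one host name: illegal characters first, then malformed labels."""
    bad = sorted({c for c in hostname if not (c.isascii() and c.isalnum()) and c not in ".-"})
    if bad:
        return [f"{hostname!r}: illegal characters {bad}"]
    return [f"{hostname!r}: malformed label {label!r}"
            for label in hostname.split(".") if not LABEL_RE.match(label)]


def check_hosts_coverage(hosts_text, required_servers):
    """Apply Step 3 and the Note: every required Domino server must be a legal name with an entry."""
    names, findings = parse_hosts(hosts_text)
    for server in required_servers:
        findings.extend(check_hostname(server))
        if server.lower() not in names:
            findings.append(f"{server}: no entry in the hosts file")
    return findings


# Constructed sample hosts file and server list (not from the documentation).
HOSTS = """\
# constructed sample
127.0.0.1      localhost
192.9.200.1    mail05.boston.acme.com   mail05
192.9.200.2    hub01.boston.acme.com    hub01
192.9.200.3    hub01.boston.acme.com    # conflicts with the line above
"""
REQUIRED = ["mail05.boston.acme.com", "hub01.boston.acme.com",
            "app_01.boston.acme.com", "web02.boston.acme.com"]

if __name__ == "__main__":
    for finding in check_hosts_coverage(HOSTS, REQUIRED):
        print(finding)
```

Point it at the real hosts file (for example, /etc/hosts) with the list of Domino servers from your Connection documents; Step 4 for DNS still needs a live resolver and is not covered here.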

Server setup tasks specific to NetBIOS


After you run the Domino Server Setup program, complete these
procedures:
1. Use the Domino Administrator to define a NetBIOS LANA number
for the NetBIOS port.
2. If you want the server to connect to different segments of a NetBIOS
network, create one or more additional Notes network ports for
NetBIOS.

Defining a NetBIOS LANA number for a Notes network port


To run NetBIOS on a server, after you complete the Server Setup
program, you must determine the NetBIOS LANA number to which the
Notes network port will be bound. The NetBIOS LANA number is a
logical number that represents a NetBIOS transport protocol stack on a
NIC. You must know which transport protocol (NetBEUI, IP, or IPX)
Notes workstations and other Domino servers are using for NetBIOS
within your workgroup or company.
For example, if the computer has two NetBIOS protocol stacks (such as NetBIOS over NetBEUI and NetBIOS over IPX), NetBIOS/NetBEUI uses LANA number 0, and NetBIOS/IPX uses LANA number 1.
Depending on how often you configure or reconfigure your system, the
LANA numbers may be different than the ones in this example.
If the computer running the Domino server has more than one NIC
running the same protocol stack, you must define a different NetBIOS
LANA number for each Notes network port for NetBIOS.
NetBIOS systems using the same transport protocol should be in the
same Notes named network. If you create Connection documents on the
server, the LAN port you select must also be for the same transport
protocol.
To define a LANA number in Lotus Domino
1. From the Domino Administrator or Web Administrator, click the
server for which you want to define a LANA number.
2. Click the Configuration tab.
3. Do one of these:
   From the Domino Administrator's Tools pane, choose Server - Setup Ports.
   From the Web Administrator's Port tool, choose Setup.
4. Select the Portname port, where Portname is the name of the NetBIOS port for which you are defining a LANA number.
5. Click Portname Options, and choose Manual.
6. Enter the correct LANA number.
7. Click OK.
To find the LANA number for a NetBIOS protocol on a Windows NT server
1. Select the Network Control Panel - NetBIOS Interface.
2. Click the Properties button. The NT information appears in the Network Route list.
Windows NT typically has multiple NetBIOS networks configured in the operating system. The most common NetBIOS networks on Windows NT systems are listed below:

Name      Protocol
NwlnkNb   Novell NetBIOS
Nbf       NetBEUI
NetBT     NetBIOS over TCP/IP (RFC 1001/1002)

Some protocols can be associated with multiple LANA numbers, one for each network card or dialup network interface. For example, the Network Route entry Nbf->Elnk3 is NetBEUI on a 3Com Etherlink III card, and Nbf->NdisWan5 is NetBEUI on a Microsoft Remote Access Service (RAS) connection.
To find the LANA number for a NetBIOS protocol on a Windows 95/98, XP, or 2000 system
Unlike a Windows NT system, a Windows 95/98, XP, or 2000 system does not have a direct means to see the LANA associations. For Windows 95/98, XP, or 2000 systems you can either review the system's registry bindings or use a Microsoft tool called LANACFG to see and change the LANA number assignments.
The following is an example of the tool's output from a Windows 2000 server. Note that the network route linkages shown are the same as in Windows NT.
lanacfg [options]
   showlanapaths - Show bind paths and component descriptions for each exported lana
   setlananumber - Change the lana number of a bind path
   rewritelanainfo - Verify and write out lana info to the registry
   showlanadiag - Show lana diagnostic info
From the DOS prompt, enter
C:\>lanacfg showlanapaths
You see the following:
Lana:
-->NetBEUI Protocol-->3Com EtherLink III ISA (3C509/3C509b) in Legacy mode
Lana:
-->NetBEUI Protocol-->WAN Miniport (NetBEUI, Dial Out)
Lana:
-->NWLink NetBIOS
Lana:
-->WINS Client(TCP/IP) Protocol-->Internet Protocol (TCP/IP)-->3Com EtherLink III ISA (3C509/3C509b) in Legacy mode

Creating additional network ports for NetBIOS

After you run the Domino Server Setup program, you can create network
segments for multiple NetBIOS interfaces on the same computer by
adding a Notes network port for NetBIOS for each additional NIC. The
NICs do not need to use the same transport protocol; each can use
TCP/IP, NetBEUI, or IPX.
In addition to adding each port for NetBIOS, do the following:
• Associate each Notes network port for NetBIOS with a specific
NetBIOS interface by defining a LANA identifier for each port.
• Make sure that all Domino servers that will access each other have an
interface that uses a common transport protocol. It is best if they are
also in the same Notes named network.
• Make sure that the network segments to which the server systems'
NICs are attached do not have a pathway in common. The NetBIOS
name service (NetBIOS over IP) can fail if it detects the same system
name or Domino name echoing back between the pathways. If you
are using both the NetBIOS name service and DNS or a hosts file for
name resolution, make sure that the server name in DNS or the hosts
file is different from the system name.

Server setup tasks specific to IPX/SPX

After you run the Domino Server Setup program, complete these
procedures:
1. Use the Domino Administrator to define a NetWare name service for
the server.
2. If the name service you use is NDS, record the server's NDS
distinguished name in the Server document.
3. (Optional) Control which IPX/SPX address (socket number) the
server uses.

Defining a server's NetWare name service in Lotus Domino

If you enabled the server's Notes network port for SPX through the
Server Setup program, you must use the Domino Administrator to select
which NetWare name service a Domino server uses with IPX/SPX.
For descriptions of supported name services, see the topic Server
name-to-address resolution over IPX/SPX earlier in this chapter.
To select a name service
1. From the Domino Administrator or Web Administrator, click the
server for which you want to select an IPX/SPX name service.
2. Click the Configuration tab.
3. Do one of these:
   From the Domino Administrator's Tools pane, choose Server - Setup Ports.
   From the Web Administrator's Port tool, choose Setup.
4. Select the SPX port, and select Port enabled if it is not already
selected.
5. Click SPX Options, and choose a name service.
6. Click OK.
7. Restart either the server or the SPX port in order for the change to
take effect.
Tip Record any errors that appear on the console while the server is
restarting.

Recording a server's NDS distinguished name

The Server Setup program adds the common name of the Domino server
to the Net Address field in the Server document. If you are using
Novell Directory Services (NDS) for the IPX/SPX network, you must edit
this field to contain the server's NDS distinguished name.
1. From the Domino Administrator, select the server for which you
want to record the NDS distinguished name.
2. Click the Configuration tab.
3. Expand the Server section in the view pane.
4. Click Current Server Document.
5. Click Edit Server, and then click the Ports - Notes Network Ports
tab.
6. In the Net Address field for the SPX port, enter the server's NDS
distinguished name. For example, enter
CN=App04.OU=Chicago.O=Acme

Note NDS names are case-sensitive. Make sure that the NDS tree
object for the Domino server has exactly the same distinguished
name as the one you enter here.
7. Click Save and Close.

Assigning the IPX socket number for a Domino server


The IPX/SPX protocol provides two types of sockets: dynamic sockets
and static, or well-known, sockets. Novell assigns well-known sockets to
products for their exclusive use. Applications using well-known sockets
always listen on the same socket number. Novell manages the
registration of these sockets, allocating them from a range of 0x2000
through 0x3FFF. Dynamic sockets are allocated from a range of 0x4000
through 0x7FFF. Applications using dynamic sockets use whichever
socket number the IPX/SPX stack allocates during the registration of the
service to the local NetWare server by the application. Using dynamic
sockets usually ensures that a socket number is not used twice.
Connections initiated by a Domino server or Notes workstation use a
dynamic socket. For the listener socket, the SPX port driver uses a
modified algorithm for allocating sockets and always tries to use the
same socket number. If the socket number is unavailable, the Domino
server lets the IPX/SPX stack assign one. When a Domino server using
SPX starts for the first time, it uses a dynamic socket and then saves the
socket number. Subsequent invocations of the Domino server use the
saved socket number. Therefore, the socket is called a persistent dynamic
socket. If for some reason this saved socket number is in use (for example,
if another application using dynamic sockets allocated the socket), the
Domino SPX server allocates a new socket number and saves it for future
invocations.

Assigning a socket number

Controlling the socket number used by the Domino server is useful in
large IPX/SPX networks because an assigned socket number prevents
server name-to-address resolution problems that result when name
service records lag behind a dynamic socket number assignment when a
server is restarted.
To control the socket number, use the NOTES.INI setting
NetWareSocket. NetWareSocket applies only to the listener socket.
Connections initiated by a workstation or server still use a dynamic
socket.
Note If NetWareSocket is set in the NOTES.INI file and the Domino
server cannot bind to the specified socket on the local system's IPX/SPX
protocol stack, the Domino server will not start. This condition may
occur if the socket number the server normally uses is in use by another
application on the same system.
For example, if the NOTES.INI file contains the setting
NetWareSocket=9135 (the decimal value of hexadecimal 0x23AF), and
another application is assigned that socket number through the dynamic
assignment process, the Domino server can fail to start.
To minimize the chance of the server's not starting, assign the
NOTES.INI setting NetWareSocket to the address of a well-known
socket. If the problem still occurs, either close the application that is
using the same socket as Domino or reassign a new socket to the Domino
server.
To determine the socket number the Domino server is using, do one of
the following:
• Enter SHOW PORT SPX at the console, where SPX is the name of the
Notes network port for SPX.
• Check the NetWareSpxSettings setting in the NOTES.INI file. The
number after the last comma in the value is the decimal value of the
server's IPX socket. For example, in the setting
NetWareSpxSettings=0,0,0,0,0,3,17393, the 17393 is the socket's
decimal value.
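The following script is an added example, not part of the Domino documentation or product. It reads a NOTES.INI, classifies the socket named in NetWareSocket against the well-known (0x2000-0x3FFF) and dynamic (0x4000-0x7FFF) ranges described above, and compares it with the socket the server last used (the last field of NetWareSpxSettings), so the failure mode in the Note, a pinned socket that another application can also be handed, is caught before the server is restarted. The sample NOTES.INI text is constructed, and the port definition line SPX=NWSPX,... (driver name NWSPX) is this example's assumption about how an SPX port appears in the file.

```python
"""Lint the IPX/SPX listener-socket settings in a Domino NOTES.INI.

Added example; it is not part of the Domino documentation or product.
Rules encoded here come from the text: well-known sockets are 0x2000-0x3FFF,
dynamic sockets are 0x4000-0x7FFF, NetWareSocket pins the listener socket
(the server will not start if it cannot bind it), and the last field of
NetWareSpxSettings is the decimal socket the server actually used.
"""
from typing import Dict, List, Optional

WELL_KNOWN = range(0x2000, 0x3FFF + 1)   # registered with Novell, exclusive use
DYNAMIC = range(0x4000, 0x7FFF + 1)      # handed out by the IPX/SPX stack

# Constructed sample, not a real server's file. The port definition
# "SPX=NWSPX,..." (driver NWSPX) is this example's assumption.
SAMPLE_NOTES_INI = """\
[Notes]
Directory=/local/notesdata
Ports=TCPIP,SPX
TCPIP=TCP,0,15,0
SPX=NWSPX,0,15,0
NetWareSocket=17393
NetWareSpxSettings=0,0,0,0,0,3,17393
"""

# Same file with the listener pinned to the well-known socket 0x23AF (9135).
PINNED_NOTES_INI = SAMPLE_NOTES_INI.replace("17393", "9135")


def parse_notes_ini(text: str) -> Dict[str, str]:
    """NOTES.INI is a flat key=value file; keys are matched case-insensitively."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def socket_class(sock: int) -> str:
    if sock in WELL_KNOWN:
        return "well-known"
    if sock in DYNAMIC:
        return "dynamic"
    return "out of range"


def current_spx_socket(settings: Dict[str, str]) -> Optional[int]:
    """Decimal socket after the last comma of NetWareSpxSettings, if present."""
    raw = settings.get("netwarespxsettings", "")
    last = raw.rsplit(",", 1)[-1].strip()
    return int(last) if last.isdigit() else None


def lint_ipx_sockets(text: str) -> List[str]:
    settings = parse_notes_ini(text)
    findings: List[str] = []

    # Ports= lists the enabled port names; each port's own line names its driver.
    ports = [p.strip().lower() for p in settings.get("ports", "").split(",") if p.strip()]
    spx_ports = [p for p in ports if settings.get(p, "").lower().startswith("nwspx")]
    if not spx_ports:
        findings.append("no enabled port uses the SPX driver; IPX socket settings have no effect")

    in_use = current_spx_socket(settings)
    pinned_raw = settings.get("netwaresocket")
    if pinned_raw is None:
        if in_use is not None:
            findings.append(
                f"listener is on persistent dynamic socket {in_use} (0x{in_use:04X}); "
                "set NetWareSocket to a well-known socket to pin it")
        return findings
    if not pinned_raw.isdigit():
        findings.append(f"NetWareSocket={pinned_raw!r} is not a decimal socket number")
        return findings

    pinned = int(pinned_raw)
    cls = socket_class(pinned)
    if cls == "dynamic":
        findings.append(
            f"NetWareSocket={pinned} (0x{pinned:04X}) is in the dynamic range 0x4000-0x7FFF; "
            "another application can be allocated it and the server will then fail to start")
    elif cls == "out of range":
        findings.append(f"NetWareSocket={pinned} (0x{pinned:04X}) is outside 0x2000-0x7FFF")
    if in_use is not None and in_use != pinned:
        findings.append(
            f"NetWareSpxSettings shows socket {in_use} but NetWareSocket pins {pinned}; "
            "the SPX port has not been restarted since the change")
    return findings


if __name__ == "__main__":
    for label, ini in (("sample", SAMPLE_NOTES_INI), ("pinned", PINNED_NOTES_INI)):
        print(label, lint_ipx_sockets(ini) or ["ok"])
```

Run it against the server's real NOTES.INI by reading the file into lint_ipx_sockets. The sample above reproduces the situation the text warns about: 17393 is 0x43F1, the dynamic socket the server picked on first start, and pinning that same value in NetWareSocket turns a harmless persistent dynamic socket into a start-up failure the next time the stack hands 0x43F1 to something else.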

NOTES.INI settings for networks

The following tables contain the NOTES.INI settings that pertain
specifically to networks.
For more information on these settings, see the appendix NOTES.INI
File.

Settings for all NRPC networks

Setting                Description
portname_MaxSessions   Restricts the number of sessions on a specified port.
Ports                  Specifies which Notes network ports are enabled on a
                       system.

Settings for the TCP/IP network

Setting                        Description
ICMNotesPort                   Specifies the name of the Notes network port for
                               TCP/IP with which you are linking the Internet
                               Cluster Manager (ICM) service.
IMAPNotesPort                  Specifies the name of the Notes network port for
                               TCP/IP with which you are linking the IMAP service.
LDAPNotesPort                  Specifies the name of the Notes network port for
                               TCP/IP with which you are linking the LDAP service.
POP3NotesPort                  Specifies the name of the Notes network port for
                               TCP/IP with which you are linking the POP3 service.
SMTPNotesPort                  Specifies the name of the Notes network port for
                               TCP/IP with which you are linking the SMTP service.
TCP_EnableIPV6                 Specifies whether or not to enable Domino for IPv6.
TCP/IPportname_PortMappingNN   Specifies the TCP/IP port number of each
                               partitioned server sharing the IP address of the
                               port-mapping server.
TCP/IPportname_TCPIPAddress    Defines the IP address and the port number for a
                               Domino server.

Settings for the IPX/SPX network

Setting              Description
NetWareSocket        Specifies the IPX socket number used by the Domino server.
NetWareSpxSettings   Specifies the decimal value of the Domino server's IPX
                     socket.
NWNDSPassword        Specifies the password for Domino to log in to the Novell
                     Directory Services (NDS) tree on system startup.
NWNDSUserID          Specifies the user ID for Domino to log in to the Novell
                     Directory Services (NDS) tree on system startup.

Note NWNDSPassword is stored in NOTES.INI in clear text. Restrict read
access to NOTES.INI to the account that runs the server.

Chapter 3
Installing and Setting Up Domino Servers
This chapter describes how to plan a hierarchical name tree and how to
install, set up, and register Domino servers.

Installing and setting up Domino servers


Before you install and set up the first Domino server, you must plan
server and organizational naming and security. In addition, you must
understand your existing network configuration and know how Domino
will fit into the network. If you are adding an additional server to an
existing Domino infrastructure, you must have already registered the
server and its server ID and password must be available.
For information on system requirements, see the Release Notes.

To install and set up a server


Installing a Domino server that is, copying the server program files
onto the designated machine is the first part of deploying a server. The
second part is using the Domino Server Setup program to configure the
server.
1. Choose a name for the server. Refer to the hierarchical name scheme
that you created based on your company's structure.
2. Identify the function of the server for example, will it be a mail
server or an application server? The function of the server
determines which tasks to enable during configuration.
3. Decide where to locate the server physically and decide who
administers it.
4. Decide whether the server is part of an existing Domino domain or is
the first server in a new Domino domain.
For more information on Steps 1 through 4, see the chapter
Deploying Domino.
5. If this is the first server in a Domino domain, do the following:
a. Install the server program files.
b. Use the Domino Server Setup program to set up the server.

c. Complete network-related setup.


d. Create organization certifier IDs and organizational unit certifier
IDs, as required by the hierarchical name scheme.
e. Distribute certifier IDs to administrators.
f. Implement Domino security.
6. If this server is part of an existing Domino domain, do the following:
a. Use the Domino Administrator to register the server.
b. Install the server program files on each additional server.
c. Use the Domino Server Setup program to set up each additional
server.
For more information on Steps 5 and 6, see the procedures that
follow and the chapters Setting Up the Domino Network and
Planning Security.
7. Perform additional configuration procedures, based on the type of
services, tasks, and programs that you want to run on this server.

Entering system commands correctly


Some of the procedures that follow include instructions for entering
commands at the system command prompt. The instructions tell you to
enter the command from the Domino program directory or Notes
program directory, depending on whether you are performing the
procedure on a Domino server or a Notes workstation. Before entering
commands, make sure you understand the following definitions of these
terms as they apply to your operating system.
Windows operating systems
On a Domino server, the Domino program directory is c:\lotus\domino,
unless you installed the program files to a different location. On a Notes
workstation, the Notes program directory is c:\lotus\notes, unless you
installed the program files to a different location.
UNIX operating systems
For Domino on a UNIX server, the actual location of the server program
files is different from the directory you use for entering commands.
Always use the following path for entering commands:
/opt/lotus/bin/server

The server portion of the path is a script that initializes a UNIX shell
so that Domino programs can run on UNIX. While by default the actual
location of the lotus directory is /opt/lotus, you can change it to any
location, for example, /local/lotus or /usr/lotus.

Server installation
The first step in deploying a Domino server is installation, or copying the
program files to the system's hard drive.
To install Domino, see the following procedures:
• Installing Domino on Windows systems
• Installing Domino on UNIX systems
For information on installing servers for hosted environments, see the
chapter Setting Up the Service Provider Environment.

Installing Domino on Windows systems

You can install Domino on a Windows system by following this
procedure, or you can do a silent install of a local server or remote
servers. To perform a silent install, use setup.exe -r at the command
prompt to record the install configuration to a file, and then use
setup.exe -s to install the configuration. For more information on silent
install, see the InstallShield documentation.
1. Before you install the Domino server program files on a Windows
system, do the following:
   • Make sure that the required hardware and software components
   are in place and working.
   • Read the Release Notes for operating system and network protocol
   requirements and for any last-minute changes or additions to the
   documentation.
   • Temporarily disable any screen savers and turn off any
   virus-detection software. Turn the virus-detection software back on
   as soon as the install completes.
   • Make sure that all other applications are closed. Otherwise, you
   may corrupt any shared files, and the Install program may not run
   properly.
   • If you are upgrading to Domino from a previous release, see the
   Upgrade Guide.
2. Run the install program (SETUP.EXE), which is on the installation CD.
3. Read the Welcome screen, and click Next. Then read the License
Agreement and click Yes.

4. Enter the administrator's name and the company name.


5. Choose whether you want to install partitioned servers.
6. Choose the program and data directory in which to copy the
software, and then click Next. If you are installing partitioned
servers, you choose only a program directory.
7. Select the server type you acquired:
Domino Utility Server Installs a Domino server that provides
application services only, with support for Domino clusters. The
Domino Utility Server is a new installation type for Lotus Domino
6 that removes client access license requirements. Note that it does
NOT include support for messaging services. See full licensing
text for details.
Domino Messaging Server Installs a Domino server that
provides messaging services. Note that it does NOT include
support for application services or Domino clusters.
Domino Enterprise Server Installs a Domino server that
provides both messaging and application services, with support
for Domino clusters.
Note All three types of installations support Domino partitioned
servers. Only the Domino Enterprise Server supports a service
provider (xSP) environment.
8. Click Customize to choose which components to install, or click Next
to accept all components.
9. If you are installing partitioned servers, specify a data directory for
each partition.
10. Specify the program folder or accept Lotus Applications as the
program folder that will contain the software.
11. Click Finish to complete the install program.
12. Choose Start - Programs - Lotus Applications - Lotus Domino Server
to start the Server Setup program.

Installing Domino on UNIX systems


Before you install the Domino program files on a UNIX system, do the
following:
• Make sure that the required hardware and software components are
in place and working.
• Read the Release Notes for operating system and network protocol
requirements and for any last-minute changes or additions to the
documentation.
• Temporarily disable any screen savers and turn off any
virus-detection software. Turn the virus-detection software back on
as soon as the install completes.
• Make sure that all other applications are closed. Otherwise, you may
corrupt any shared files, and the Install program may not run
properly.
• If you are upgrading to Domino from a previous release, read the
Upgrade Guide.

You can install multiple instances of the Domino server on a single
system. The instances can all be the same release of Domino or different
releases. If you install different releases, only one instance can be earlier
than Domino 6.
If you want all instances to be the same release, it is best to install a
Domino partitioned server. Then all Domino partitions share one
program directory and, by doing so, conserve system resources. If you
install a single Domino server and later want to make it a partitioned
server, you can do so without removing the initial installation. When you
have multiple instances of the Domino server, each with a separate
program directory, one or more of the instances may be a partitioned
server.
For more information on partitioned servers, see the chapter Deploying
Domino.
To install the Domino program files on a UNIX system, you can use
either interactive mode or script mode.
To use interactive mode
You use interactive mode to install the Domino program and data files
on the local machine or to use a Telnet connection to install the Domino
program and data files on specified remote systems. Telnet carries the
session, including the root login, in clear text; use it only on a network
you trust.
During the interactive mode installation, you can use these keys at the
UNIX command prompt:
• Type h for help
• Type e to exit the Install program
• Press ESC to return to the previous screen
• Press the spacebar to change the setting until you get the one you
want
• Press TAB to accept a setting and continue to the next screen

1. Make sure the Domino server kit is available from your network or
CD-ROM drive.
2. Log in to the root account for Domino Server installation.
3. Change to the directory containing the install script.
4. Enter the following at the root command prompt to run the script:
./install

5. Follow the on-screen instructions and specify these options:

Add data directories only
   Choose one:
   Yes to change a single Domino server into a partitioned server or add
   data directories to an existing partitioned server
   No to keep a single Domino server
Domino Server installation type
   Choose the server type that you acquired. For an xSP server, you must
   have the Domino Enterprise Server.
Install template files
   Choose one:
   Yes to install new templates
   No to retain templates from a previous release
Install xSP server (for Domino Enterprise Server only)
   Choose one:
   Yes if this is an xSP server
   No if this is not an xSP server
Program directory
   Specify the directory in which Domino will store program files.
Create /opt/lotus soft link
   Choose one:
   Yes if this system will have only one Domino installation (program
   directory)
   No if this system will have multiple Domino installations (multiple
   program directories)
Data directory
   Specify the directory in which Domino will store data files. If you are
   installing a partitioned server, indicate that and specify multiple data
   directories.
UNIX User name
   Specify the person who will own the server configuration data. Use a
   dedicated, unprivileged account rather than root. If you are installing
   a partitioned server, you may specify a different person for each data
   directory.
UNIX Group name
   Specify the group to which the UNIX User belongs. If you are
   installing a partitioned server, you may specify a different group for
   each data directory.


To use script mode
Script mode installation provides silent install functionality for UNIX
platforms and allows you to install saved installation settings to a local
server or remote servers.
SCRIPT.DAT, the default sample script file, contains information you
need to install the Domino server program files, including descriptions of
each parameter and instructions for using the -script option to install
partitioned servers.
1. Change the directory to the kit's install directory on either the
CD-ROM or network drive.
2. Copy SCRIPT.DAT from the kit's install directory to your local
system as filename.dat, where filename is the name you want to give to
the local script file that will contain the installation settings.
3. Open the local script file, filename.dat, and set the parameters as
needed. It is usually best to use the default settings, as follows:
   Install target host name parameter = target_hosts
   Domino server installation type: choose the server type that you
   acquired.
   Install template files: template_install_option = 1
   Add data directories only: add_data_directories_only = 0
   Install xSP server: asp_install_option = 0
   Program directory: use the directory where Domino stores
   program files.
   Create /opt/lotus soft link: opt_lotus_softlink = 0
   Data directory: use the directory where Domino stores data
   files.
   UNIX User name: person who will own the server configuration
   data
   UNIX Group name: the group to which the UNIX User belongs
4. Save the local file, filename.dat.
5. Log in to the root account from your local system.
6. Switch back to the kit's install directory (CD-ROM or network).
7. To install using the local script file, enter this command at the UNIX
console prompt:
./install -script filename.dat


The Domino Server Setup program


The Domino Server Setup program guides you through the choices you
make to configure a Domino server. Setting up the first Domino server in
a domain establishes a framework that consists of the Domino Directory,
ID files, and documents. When you set up additional servers, you build
upon this framework.
Setting up the first Domino server does the following:
• Creates a Domino domain.
• Creates the certification log file, names it CERTLOG.NSF, and saves
it in the Domino data directory.
• Uses the PUBNAMES.NTF template to create the Domino Directory
for the domain, names the directory NAMES.NSF, and places it in
the Domino data directory.
• Creates an organization certifier ID, names it CERT.ID, and saves it
in the Domino data directory.
• Optionally creates an organizational unit certifier ID, names it
OUCERT.ID, and stores it in the Domino Directory.
• Creates a Certifier document, which describes the organization
certifier ID, in the Domino Directory.
• Creates a server ID, names it SERVER.ID, and saves it in the Domino
data directory.
• Uses the organization certifier ID to certify the server ID.
• Creates a Server document in the Domino Directory and includes in
it information that you specified during the setup program.
• Creates a Person document in the Domino Directory for the Domino
Administrator that you specified during the setup program.
• Creates a user ID and password for the Domino Administrator and
attaches it as a file named USER.ID to the administrator's Person
document in the Domino Directory.
• Uses the organization certifier ID to certify the administrator's user ID.
• Gives the administrator and the server Manager access in the ACL of
the Domino Directory.
• Adds the server name to the LocalDomainServers group in the
Domino Directory.
• Creates the log file, names it LOG.NSF, and saves it in the Domino
data directory.
• Enables the appropriate network and serial ports.
• Creates a mail directory in the Domino data directory and creates a
mail file in that directory for the Domino Administrator.
• Creates the Reports file, names it REPORTS.NSF, and saves it in the
Domino data directory.
• Updates network settings in the Server document of the Domino
Directory.
• Configures SMTP, if selected during the setup program.
• If DOLS (Domino Off-Line Services) was selected during the setup
program, creates the Off-Line Services file, names it
DOLADMIN.NSF, and saves it in the Domino data directory.
• Updates the Access Control List in all databases and templates in the
Domino data directory tree to remove Anonymous access and/or
add LocalDomainAdmin access, depending on the selections made
during the setup program.
• Configures xSP Service Provider information, if selected during the
install program.

Setting up an additional Domino server does the following:
• Copies the Domino Directory, if a file location was specified during
the setup program, names it NAMES.NSF, and saves it in the
Domino data directory.
• Dials the existing Domino server if the connection is made through a
modem (possible only on Windows systems).
• Copies the server's ID from the location specified during the setup
program (from a file, a copy of the directory, or the existing
Domino server's directory), names it SERVER.ID, and saves it in the
Domino data directory.
• Retrieves the Domain name and Administrator name from the Server
document in the Domino Directory.
• Creates the log file, names it LOG.NSF, and saves it in the Domino
data directory.
• Copies or replicates the Administration Requests file, names it
ADMIN4.NSF, and saves it in the Domino data directory.
• Copies or replicates the Monitoring Configuration file, names it
EVENTS4.NSF, and saves it in the Domino data directory.
• Replicates the Domino Directory, if it doesn't already exist, names it
NAMES.NSF, and saves it in the Domino data directory.
• Creates a Connection document to the existing Domino server in the
Domino Directory.
• Creates the Reports file, names it REPORTS.NSF, and saves it in the
Domino data directory.
• Updates network settings in the Server document of the Domino
Directory.
• Configures SMTP, if selected during the setup program.
• If DOLS (Domino Off-Line Services) was selected during the setup
program, creates the Off-Line Services file, names it
DOLADMIN.NSF, and saves it in the Domino data directory.
• Updates the Access Control List in all databases and templates in the
Domino data directory tree to remove Anonymous access and/or
add LocalDomainAdmin access, depending on the selections made
during the setup program.
• Configures xSP Service Provider information, if selected during the
install program.
• Replicates changes made to the Server document with the existing
server, if any.
• Removes the SERVER.ID attachment from the Domino Directory, if
applicable.
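The following script is an added example, not part of the Domino documentation or product. It checks what the UNIX install options (UNIX User name and UNIX Group name, earlier in this chapter) and the two lists above leave to the administrator: that the files Server Setup is documented to create for a first or an additional server are present in the data directory, and that everything under that directory is owned by the user and group chosen at install time. The rule that ID files must not be readable by group or others is this example's assumption (an ID file is a credential; the text only says where Setup writes it). The directories it audits in demo() are constructed in a temporary directory with placeholder files.

```python
"""Audit a Domino data directory after Server Setup.

Added example; not part of the Domino documentation or product. The expected
file names come from the "Setting up the first/additional Domino server does
the following" lists. The *.id permission rule is this example's assumption.
"""
import os
import stat
import tempfile
from typing import Dict, List

# Created in the data directory when the first server in a domain is set up.
FIRST_SERVER_FILES = ["cert.id", "server.id", "names.nsf", "certlog.nsf", "log.nsf", "reports.nsf"]
# Created or copied when an additional server is set up.
ADDITIONAL_SERVER_FILES = ["server.id", "names.nsf", "log.nsf", "admin4.nsf", "events4.nsf", "reports.nsf"]
DOLS_FILE = "doladmin.nsf"   # only when DOLS was selected during setup


def audit_data_directory(data_dir: str, owner_uid: int, group_gid: int,
                         first_server: bool = True, dols: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the directory passed."""
    findings: List[str] = []
    expected = list(FIRST_SERVER_FILES if first_server else ADDITIONAL_SERVER_FILES)
    if dols:
        expected.append(DOLS_FILE)

    # The text names the files in upper case; UNIX installs write them in
    # lower case, so compare case-insensitively.
    present = {name.lower() for name in os.listdir(data_dir)}
    for name in expected:
        if name not in present:
            findings.append(f"missing {name}: Server Setup did not complete or wrote elsewhere")
    if not first_server and "cert.id" in present:
        findings.append("unexpected cert.id: Setup creates the organization certifier "
                        "only on the first server in the domain")

    for root, dirs, files in os.walk(data_dir):
        for entry in dirs + files:
            path = os.path.join(root, entry)
            st = os.lstat(path)
            rel = os.path.relpath(path, data_dir)
            if st.st_uid != owner_uid or st.st_gid != group_gid:
                findings.append(f"{rel}: owned by uid {st.st_uid}/gid {st.st_gid}, "
                                f"expected uid {owner_uid}/gid {group_gid}")
            # Assumption: an ID file is a credential and must be private to the owner.
            if entry.lower().endswith(".id") and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{rel}: ID file is accessible to group or others "
                                f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return findings


def _build_sample(root: str, names: List[str], id_mode: int) -> None:
    """Constructed data directory: placeholder files, not real Domino databases."""
    for name in names:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder\n")
        if name.endswith(".id"):
            os.chmod(path, id_mode)
    os.mkdir(os.path.join(root, "mail"))   # Setup also creates a mail directory


def demo() -> Dict[str, List[str]]:
    """Run the audit over three constructed directories and return the findings."""
    results: Dict[str, List[str]] = {}
    scenarios = {
        "clean": (FIRST_SERVER_FILES, 0o600, True),
        "loose_ids": (FIRST_SERVER_FILES, 0o644, True),
        "incomplete": (["server.id", "names.nsf"], 0o600, False),
    }
    for label, (names, id_mode, first) in scenarios.items():
        with tempfile.TemporaryDirectory() as root:
            _build_sample(root, names, id_mode)
            # The expected owner is whoever created the directory; on a real
            # server pass the uid/gid of the UNIX User and Group given at install.
            owner = os.stat(root)
            results[label] = audit_data_directory(root, owner.st_uid, owner.st_gid,
                                                  first_server=first)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {'ok' if not findings else ''}")
        for line in findings:
            print("  -", line)
```

On a real server, call audit_data_directory with the data directory and the numeric uid/gid of the install-time UNIX User and Group. Two of the files it looks for deserve attention beyond presence: CERT.ID is the organization certifier and USER.ID is attached to the administrator's Person document in the Domino Directory; once they have been distributed to the administrators, neither needs to stay where Setup left it.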

Using Domino Off-Line Services (DOLS) and iNotes Web Access


To provide iNotes Web Access users with the ability to work off line,
you must enable DOLS when you set up the server. DOLS enables users
to work off line, disconnected from the network, and provides many
replication features that Notes users expect when working in the Notes
client.
Users require a Notes ID so that DOLS can synchronize the offline mail
file with the server. The default DOLS configuration will prompt the user
for a Notes ID the first time they go offline with iNotes Web Access.
If you rename a user, the user must reinstall the DOLS offline
subscription in order for the offline mail file to synchronize with the
server. After a name change, the user must wait for the old Notes ID and
password to stop working, accept the name change using a Notes client,
then log on to iNotes Web Access with the new Notes ID and password.
For more information, see the chapters Setting Up Domino Off-Line
Services and Setting Up iNotes Web Access.

Setting up DOLS on a server

Domino Off-Line Services (DOLS) must be configured on the Domino
server for users to be able to take applications off-line and use only a
browser to work with them. You can enable any application for DOLS.
The following templates are enabled for DOLS by default:
• iNotes Web Access (iNOTES60.NTF and the R5 version)
• iNotes Web Access for Outlook (MAIL6EX.NTF)
• Extended Mail (MAIL6EX.NTF)
• Discussion - Notes and Web (R6) database (DISCSW6.NTF)

To configure DOLS during Domino Server Setup

1. Under Setup Internet services for, select Web Browsers (HTTP
services), and then click Customize.
2. In the Domino tasks list, select DOLS Domino Off-Line Services.
3. At the end of setup, when you have the option to create an access
control list entry, add the group LocalDomainAdmins to all
databases and templates.
4. Accept the default option Prohibit Anonymous access to all
databases and templates. If you deselect this option, you must open
the ACL for each DOLS application and assign No Access to
Anonymous.
5. Make sure the following names are identical:
   • The TCP/IP DNS host name. In Windows, choose Start - Programs -
   Windows Explorer. Then choose Network Neighborhood properties -
   TCP/IP properties. On the DNS Configuration tab, look at the Host
   field.
   • The server name. Open the Server document and look at the
   Server name field.
   • The Internet host name. Open the Server document and look at
   the Fully qualified Internet host name field.
Note DOLS runs on Domino servers configured to work through a
Microsoft IIS server.
To configure DOLS manually
If you do not configure DOLS during Domino Server Setup, you can
configure DOLS manually by editing the Server document.
1. Open the Server document.
2. Click Internet Protocols - HTTP.
3. In the DSAPI filter file names field, enter the DSAPI filter file name
that corresponds to the operating system that the server is running,
and then restart the server:
   Win32 - ndolextn
   Linux - libdolextn
   AIX - libdolextn
   Solaris/Sparc - libdolextn
   S390 - libdolextn
   iSeries - libdolextn
Note On the iSeries platform, the Server document is updated when
a new server is configured or an existing server is modified using the
CFGDOMSVR or CHGDOMSVR CL command with DOLS(*YES)
specified.
For more information on configuring an iSeries server with DOLS,
see the Lotus Domino 6 for iSeries Release Notes.
4. Create a DOLADMIN.NSF database from the template
DOLADMIN.NTF.
5. After the database is created, restart the Domino Administrator and
click the Configuration tab. The name of the DOLADMIN.NSF is an
option in the Navigation pane.
To set up DOLS on clustered servers
Before using DOLS on a clustered Domino 6 server, make sure that:
The Domino server is either a Domino Utility Server or Domino
Enterprise Server.
All servers in the cluster run the same release of Domino with
DOLS
Clustered server management is running to handle both failover
of replication and HTTP
Internet Cluster Manager is running
Subscription directories must have the same name on every
clustered server. For example, if a subscription is under
\data\Webmail user\7CD5957CB669AE2285256BDF00567AD8\,
this name cannot be different on a different server in the cluster.
3-12 Administering the Domino System, Volume 1

To configure DOLS on a server that uses Web Site documents
If you create a Web Site document (a type of Internet Site document) on
the Domino server, you must add the appropriate DOLS DSAPI filter
file name to the DSAPI filter field in the Web Site document for DOLS to
be enabled. If there are several Web Site documents, you must add the
DSAPI filter file name to each one. To add the DOLS DSAPI filter file
name to a Web Site document:
1. Open the Web Site document.
2. Click the Configuration tab.
3. In the DSAPI filter field, enter the DSAPI filter file name that
corresponds to the operating system that the server is running, and
then restart the server:
Win32 - ndolextn
Linux - libdolextn
AIX - libdolextn
Solaris/Sparc - libdolextn
S390 - libdolextn
iSeries - libdolextn
For more information on Internet Site documents, see the topic
Configuring Internet sites with Web Site and Internet Site documents.

Setting up iNotes Web Access on a server

iNotes Web Access provides Notes users with browser-based access to
Notes mail and Notes calendar and scheduling features. Using iNotes
Web Access, a user can send and receive mail, view the calendar, invite
people to meetings, create to do lists, keep a notebook, and work off line.
To set up iNotes Web Access, choose Web Browsers (HTTP Web
services) during Server Setup. If you want to give users the ability to
work off line, also choose Domino Off-Line Services (DOLS). DOLS is not
required to run iNotes Web Access.
Make sure that the following three names are identical:
The server's TCP/IP host name, which appears on the DNS tab of the
Network properties - TCP/IP properties box.
The server's common name, which appears on the Basics tab of the
Server document.
The machine name of the fully qualified Internet host name, which
appears on the Basics tab of the Server document.
For example, if acme.lotus.com is the fully qualified Internet host name,
acme is the machine name, the host name for DNS, and the Domino
server common name.
Setting up iNotes Web Access with Sametime


iNotes Web Access integrates Sametime so that users can send and
receive instant messages. Sametime is called Chat in iNotes Web
Access.
Do not install Sametime and iNotes Web Access on the same Domino
server. Sametime must be installed on a dedicated server. For complete
information on installing Sametime, see the Sametime Installation Guide.
Part 1 - Set up iNotes Web Access on a Domino server
1. Set up iNotes Web Access on a server by making the appropriate
selections during Server Setup.
2. Register users with the iNotes Web Access (R6.0) mail template.
Part 2 - Create a Connection document on the iNotes Web Access
server
1. From the Domino Administrator, click the Configuration tab.
2. Select the iNotes Web Access server's Domino Directory in the Use
Directory on field.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Select Local Area Network in the Connection type field.
6. Enter the Sametime server's name in the Destination server field.
For example: Sametime/Acme.
7. Enter the source domain of the iNotes Web Access server and the
destination domain of the Sametime server. The domain must be the
same in both fields.
8. Click Save & Close.
For more information on Connection documents, see the chapter Setting
Up Server-to-Server Connections.
Part 3 - Edit each user's Person document and specify the Sametime
server in the Sametime server field
1. From the Domino Administrator, click the People & Groups tab.
2. Select the iNotes Web Access Domino Directory, then click People.
3. Double-click a name to open the user's Person document.
4. Click Edit.
5. Enter the name of the Sametime server in canonical format in the
Sametime server field. For example, the canonical format for the
server Sametime/Sales/Acme/UK is:
CN=Sametime/OU=Sales/O=Acme/C=UK
where CN is the common name, OU is the organizational unit, O is
the organization, and C is the country code.
6. Click Save & Close.
7. Repeat Steps 3 through 6 for each person.
Part 4 - Set up the Sametime server
Follow the instructions in the Sametime Installation Guide for installing
Sametime in a Domino domain on a dedicated server. Make sure that the
installation uses the same Domino domain in which the iNotes Web
Access server resides.
Part 5 - Create a Connection Document on the Sametime server
1. From the Domino Administrator, click the Configuration tab.
2. Select the Sametime server's Domino Directory in the Use Directory
on field.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Select Local Area Network in the Connection type field.
6. Enter the iNotes Web Access server's name in the Destination
server field.
7. Enter the source domain of the Sametime server and the destination
domain of the iNotes Web Access server.
8. Click Save & Close.
Part 6 - Create a one-time replica of the Secrets database on the iNotes
Web Access server
The Sametime server implements a security policy to ensure that Sametime
clients that establish connections to the Sametime services are
authenticated. This policy relies on the Secrets database (STAUTHS.NSF)
on the Sametime server. Because the replica you create here underpins
that authentication, give it an ACL at least as restrictive as the original's.
1. Using a Notes client, choose File - Database - Open.
2. Enter the name of the Sametime server (for example,
Sametime/Acme).
3. Enter the Secrets database file name: stauths.nsf
4. Click Open.
5. Choose File - Replication - New Replica.
6. Enter the name of the iNotes Web Access server (for example,
iNotes/Acme).
7. Ensure that the database is replicated to the data directory:
...\domino\data\stauths.nsf.
8. Click OK to create the replica.
Part 7 - Push replication changes from the iNotes Web Access server to
the Sametime server
1. From the Domino Administrator, click the Server tab.
2. Click the Server Console.
3. Enter a push command to replicate the Domino Directory to the
Sametime server.
For example: push Sametime/Acme names.nsf
4. Click Send.
5. Enter a push command to replicate the Secrets database to the
Sametime server.
For example: push Sametime/Acme stauths.nsf
6. Click Send.
Part 8 - Copy the Sametime applets to the Sametime server
1. Create a folder on the Sametime server to hold the iNotes Web Access
Sametime applet files. At a command prompt on the Sametime server,
enter:
mkdir <data directory>\domino\html\SametimeApplet
Note The folder name is case-sensitive and must be SametimeApplet.
2. Copy the contents of the Sametime applets folder on the iNotes Web
Access server into the folder you created. On the iNotes Web Access
server, the applets are in:
<data directory>\domino\html\sametime
Part 9 - Verify that Sametime works with iNotes Web Access
1. Make sure that replication is complete and that the Person documents
exist on the Sametime server.
2. Follow the instructions in the Sametime Installation Guide for
logging in to the Sametime server with the Sametime Connect client.
Sametime must be functioning properly before you can test whether
it works with iNotes Web Access clients.
3. Launch iNotes Web Access in a browser and click Chat to test the
Sametime connection.
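Two naming rules in the sections above are easy to get wrong by hand: the three names that must be identical for iNotes Web Access (DNS host name, server common name, machine-name part of the fully qualified Internet host name), and the canonical form of the Sametime server name entered in Part 3. The following POSIX shell functions are an added example written for this page; they are not Lotus documentation or Domino code. abbreviate_name and canonicalize_name convert between the abbreviated and canonical Notes name forms, and inotes_names_consistent checks the three names against each other. The function names are this example's own, and the rule canonicalize_name uses to tell O from C (a trailing two-letter upper-case component is treated as a country code) is an assumption, not something the page states.

```shell
#!/bin/sh
# Added example for this page (not Lotus documentation or Domino code):
# POSIX shell helpers for the Notes name forms and the iNotes Web Access
# naming rule. Function names and the O-versus-C rule are this example's
# assumptions. Requires only sed, awk and tr.

# Canonical -> abbreviated: drop the CN=, OU=, O= and C= labels.
# CN=Sametime/OU=Sales/O=Acme/C=UK becomes Sametime/Sales/Acme/UK.
abbreviate_name() {
    printf '%s\n' "$1" | sed -e 's/^CN=//' -e 's#/OU=#/#g' -e 's#/O=#/#' -e 's#/C=#/#'
}

# Abbreviated -> canonical, as required in the Sametime server field.
# Assumed rule: first component is CN; a trailing two-letter upper-case
# component is C (and the one before it is O); otherwise the last component
# is O; everything in between is OU. A name already starting with CN= is
# returned unchanged.
canonicalize_name() {
    case "$1" in
        CN=*) printf '%s\n' "$1"; return 0 ;;
    esac
    printf '%s\n' "$1" | awk -F/ '{
        last = NF; country = ""
        if (NF > 2 && $NF ~ /^[A-Z][A-Z]$/) { country = $NF; last = NF - 1 }
        out = "CN=" $1
        for (i = 2; i < last; i++) out = out "/OU=" $i
        if (last >= 2) out = out "/O=" $last
        if (country != "") out = out "/C=" country
        print out
    }'
}

# Succeeds only if the DNS host name, the Domino server common name and
# the machine-name part (first label) of the fully qualified Internet host
# name are identical. DNS and Notes names are case-insensitive, so the
# comparison is too.
inotes_names_consistent() {
    dns=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    common=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    machine=$(printf '%s' "${3%%.*}" | tr 'A-Z' 'a-z')
    [ "$dns" = "$common" ] && [ "$common" = "$machine" ]
}

# Usage with the page's own example values:
canonicalize_name 'Sametime/Sales/Acme/UK'          # CN=Sametime/OU=Sales/O=Acme/C=UK
abbreviate_name 'CN=Sametime/OU=Sales/O=Acme/C=UK'  # Sametime/Sales/Acme/UK
if inotes_names_consistent acme acme acme.lotus.com; then
    echo 'iNotes Web Access names are consistent'
else
    echo 'iNotes Web Access names differ; fix the Server document or DNS' >&2
fi
```

Run inotes_names_consistent with the value from the DNS tab, the common name from the Server document and the Fully qualified Internet host name before enabling iNotes Web Access or DOLS; a mismatch in any of the three is the usual reason a server that otherwise works fails the name check described above.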

Note If the chat link does not appear in iNotes Web Access, check the
user's Person document in the Domino Directory. Verify that the name of
the Sametime server in the Sametime server field is correct.

Using the Domino Server Setup program

The following procedures describe the ways you can use the Server
Setup program:
Use the Server Setup program on the server you are setting up
Use the Server Setup program from a client system or from another server
Create a setup profile by recording your choices during the Server Setup program
Use a setup profile to set up multiple servers with the same requirements
Use a setup profile without viewing the setup screens (silent setup)

Indic language support in the Domino Server Setup program

You can change both the font and the alphabet that displays when you
enter text in a field on a Server Setup program screen. Normally, the
alphabet that displays is that of the default language.
The Domino Server Setup program supports the following alphabets:
Bengali
Devanagari
Gujarati
Gurmukhi
Kannada
Malayalam
Oriya
Tamil
Telugu

To change the font
Note Changing the font is required for the Devanagari alphabet, as the
default font does not work with it.
1. Start the setup program by starting the Domino server.
2. On the Welcome screen, click Font.
3. Select a font that works with the alphabet you plan to use.
4. To select an alphabet different from that of the default language, see
the following procedure.
To change the alphabet
Changing the alphabet is supported for the Windows, AIX, and Linux
operating systems only.
1. Start the setup program by starting the Domino server.
2. Right-click the title bar of the screen in which you want to
enter text that uses an alphabet different from that of the default
language.
3. Choose Select Input Method.
4. Select the alphabet that you want to use.
5. Enter text in one or more fields on the screen.
Note Clicking Next to go to the next screen restores the alphabet to that
of the default language. Repeat the preceding procedure for each screen
on which you want to use a different alphabet.

Using the Domino Server Setup program locally


After installing the Domino server program files on a server, you can run
the Domino Server Setup program locally by starting the server.
The Server Setup program asks a series of questions and guides you
through the setup process. Online Help is available during the process.

Using the Domino Server Setup program remotely

After you install the program files for a Domino server on a system, you
can use either a Windows client system or another Domino server to run
the Server Setup program remotely. Running the Server Setup program
from a Windows client is easier if the client has Domino Administrator
installed; to run the program from a client without Domino
Administrator, you need the Java runtime environment plus some files
from the program directory of an installed Domino server.
In each case the server is started with the -listen parameter and then
waits for a setup connection over the network. Restrict network access to
the server until the setup completes, and do not leave a server listening
unattended.
For more information, see the topic Entering system commands
correctly earlier in this chapter.

To run the Server Setup program from a Windows client with
Domino Administrator
1. Make sure that you:
Selected Remote Server Setup when you installed Domino
Administrator on the client system (on the Windows desktop,
choose Start - Programs - Lotus Applications and see if Remote
Server Setup appears in the list)
Know the host name or network address of the remote system
2. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
3. At the command prompt on the server system, from the Domino
program directory, do one of the following:
On a Windows server, enter nserver -listen
On a UNIX server, enter server -listen
4. On the client system, choose Start - Programs - Lotus Applications -
Remote Server Setup.
5. In the Connect to Remote Domino Server dialog box, click Ping to
ensure that you can connect to the remote server.
6. Enter the host name or network address of the remote server.
7. Click OK to start the Domino Server Setup program.
To run the Server Setup program from a Windows client without
Domino Administrator, or from a UNIX workstation
1. Make sure that you know the host name or network address of the
remote system.
2. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
3. At the command prompt on the server, from the Domino program
directory, do one of the following:
On a UNIX server, enter /lotus/bin/server -listen
On a Windows server, enter nserver -listen
4. On the client system, install the Java runtime environment.
5. Create a temporary directory on the client system. For example, enter
the following at the command prompt:
On a Windows client: mkdir c:\temp
On a UNIX workstation: mkdir /temp
6. Do one of the following:
From a Windows client, copy the remote setup files
CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP.CMD
from the server to the directory you created on the client system.
These files are in C:\Domino program directory on the server.
From a UNIX workstation, copy the remote setup files
CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP from
the server to the directory you created on the workstation. These
files are in /Domino program directory/lotus/notes/latest/ibmpow/
on an AIX server, /Domino program directory/lotus/notes/latest/
linux/ on a Linux server, and /Domino program directory/lotus/
notes/latest/sunspa/ on a Solaris server.
7. At the command prompt on the client system, from the directory you
created, do one of the following:
On a Windows client, enter remotesetup.cmd
On a UNIX workstation, enter remotesetup
8. In the Connect to Remote Domino Server dialog box, click Ping to
ensure that you can connect to the remote server.
9. Enter the host name or network address of the remote server.
10. Click OK to start the Domino Server Setup program.
To run the Server Setup program from another server system
1. Install the Domino server program files on both server systems, but
do not run the Domino Server Setup program.
2. Make sure that you know the host name or network address of the
remote system.
3. At the command prompt on the local server system, from the
Domino program directory, do one of the following:
On a Windows server, enter nserver -listen
On a UNIX server, enter server -listen
4. Do one of the following:
On a Windows server, enter nserver -remote
On a UNIX server, enter server -remote
Tip Entering nserver -help or server -help displays all
parameters available for working with remote server setups.
5. In the Connect to Remote Domino Server dialog box, click Ping to
ensure that you can connect to the remote server.
6. Enter the host name or network address of the remote server.
7. Click OK to start the Domino Server Setup program.
Creating a server setup profile

A server setup profile is a file that you use to quickly configure servers.
To create a server setup profile, you run the Server Setup program in
record mode, either at the server you are setting up or from a Windows
client. Creating a server setup profile from a Windows client is easier if
the client has Domino Administrator installed; to create a profile from
a client without Domino Administrator, you need the Java runtime
environment plus some files from the program directory of an installed
Domino server.
For more information, see the topic Entering system commands
correctly earlier in this chapter.
To create a setup profile at a server
1. Install the Domino server program files on the server system, but do
not run the Domino Server Setup program.
2. At the command prompt on the server, from the Domino program
directory, do one of the following:
On a Windows server, enter nserver -record
On a UNIX server, enter server -record
Tip Entering nserver -help or server -help displays the
parameters available for working with server setup profiles.
3. Enter a name and description for the profile.
4. Continue through the setup program.
Domino saves your selections in a file with the name you specified in
Step 3. By default this file is created in the Domino program directory.
To create a setup profile from a Windows client with Domino
Administrator
1. Make sure that you selected Remote Server Setup when you
installed Domino Administrator on the client system.
2. Install the Domino server program files on the server system, but do
not run the Domino Server Setup program.
3. At the command prompt on the client system, from the Notes
program directory, enter:
serversetup -record
4. Enter a name and description for the profile.
5. Continue through the setup program.
Domino saves your selections in a file with the name you specified in
Step 4 and stores the file in the Notes program directory on the client
system.
To create a setup profile from a Windows client without Domino
Administrator, or from a UNIX workstation
1. Install the Domino server program files on the server system, but do
not run the Domino Server Setup program.
2. On the client system, install the Java runtime environment.
3. Create a temporary directory on the client system. For example, enter
the following at the command prompt:
On a Windows client: mkdir c:\temp
On a UNIX workstation: mkdir /temp
4. Do one of the following:
From a Windows client, copy the remote setup files
CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP.CMD
from the server to the directory you created on the client system.
These files are in C:\Domino program directory on the server.
From a UNIX workstation, copy the remote setup files
CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP from
the server to the directory you created on the workstation. These
files are in /Domino program directory/lotus/notes/latest/ibmpow/
on an AIX server, /Domino program
directory/lotus/notes/latest/linux/ on a Linux server, and
/Domino program directory/lotus/notes/latest/sunspa/ on a
Solaris server.
5. At the command prompt on the client system, from the directory you
created, enter:
remotesetup -record
6. Enter a name and description for the profile.
7. Continue through the setup program.
Domino saves your selections in a file with the name you specified in
Step 6 and stores the file in the client-system directory that you
created in Step 3.

Using a server setup profile

You can use a server setup profile at the server you are setting up or
from a client system. Using a server setup profile from a Windows client
is easier if the client has Domino Administrator installed; to use a
profile from a Windows or UNIX client without Domino Administrator,
you need the Java runtime environment plus some files from the
program directory of an installed Domino server.
When you use a setup profile, you choose whether or not to view the
setup screens as you run the profile. Running a profile without viewing
the screens is sometimes referred to as a silent setup.
For more information, see the topic Entering system commands
correctly earlier in this chapter.
To use a setup profile at the server
1. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
2. At the command prompt on the server, from the Domino program
directory, do one of the following:
On a Windows server, enter nserver -playback
On a UNIX server, enter server -playback
Tip Entering nserver -help or server -help displays the
parameters available for working with server setup profiles.
3. Choose the profile to use. If you don't see the profile you want in the
list, click Browse to locate the directory that contains the profile.
4. To change the existing profile, select Modify selected profile. Click
OK to start the server setup.
To use a setup profile from a Windows client with Domino
Administrator
1. Make sure that you selected Remote Server Setup when you
installed Domino Administrator on the client system.
2. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
3. At the command prompt on the server system, from the Domino
program directory, do one of the following:
On a Windows server, enter nserver -listen
On a UNIX server, enter server -listen
4. At the command prompt on the Windows client, from the Notes
program directory, enter:
serversetup -playback
5. In the Connect to Remote Domino Server dialog box, click Ping to
ensure that you can connect to the server.
6. Enter the host name or network address of the server.
7. Click OK.
8. Choose the profile to use. If you don't see the profile you want in the
list, click Browse to locate the directory that contains the profile.
9. To change the existing profile instead of running it to set up a new
server, select Modify selected profile.
10. Click OK to start the server setup.
To use a setup profile from a Windows client without Domino
Administrator, or from a UNIX workstation
1. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
2. At the command prompt on the server system, from the Domino
program directory, do one of the following:
On a Windows server, enter nserver -listen
On a UNIX server, enter server -listen
3. On the client system, install the Java runtime environment.
4. Create a temporary directory on the client system. For example, enter
the following at the command prompt:
On a Windows client: mkdir c:\temp
On a UNIX workstation: mkdir /temp
5. Do one of the following:
From a Windows client, copy the remote setup files
CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP.CMD
from the server to the directory you created on the client system.
These files are in C:\Domino program directory on the server.
From a UNIX workstation, copy the remote setup files
CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP from
the server to the directory you created on the workstation. These
files are in /Domino program directory/lotus/notes/latest/ibmpow/
on an AIX server, /Domino program
directory/lotus/notes/latest/linux/ on a Linux server, and
/Domino program directory/lotus/notes/latest/sunspa/ on a
Solaris server.
6. At the command prompt on the client system, from the directory you
created, enter:
remotesetup -playback
7. In the Connect to Remote Domino Server dialog box, click Ping to
ensure that you can connect to the server.
8. Enter the host name or network address of the server.
9. Click OK.
10. Choose the profile to use. If you don't see the profile you want in the
list, click Browse to locate the directory that contains the profile. To
change the existing profile, select Modify selected profile.
11. Click OK to start the server setup.

Doing a silent server setup

A silent setup is one in which you do not view the setup screens as you
run the server setup profile. You can do a silent setup at the server you
are setting up or from a client system. Doing a silent setup from a
Windows client is easier if the client has Domino Administrator installed;
to do a silent setup from a Windows or UNIX client without Domino
Administrator, you need the Java runtime environment plus some files
from the program directory of an installed Domino server.
Tip When doing a silent setup, display a progress bar (Windows) or
have percent-complete written to the command line (UNIX) by adding
the -pb parameter to the end of the command.
For more information, see the topic Entering system commands
correctly earlier in this chapter.
To do a silent setup at the server
1. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
2. At the command prompt on the server, from the Domino program
directory, do one of the following:
On a Windows server, enter nserver -silent c:\myprofile.pds
On a UNIX server, enter server -silent /myprofile.pds
where myprofile is the name you gave to the profile file.
Note If the profile file is not in the root directory, use the profile's
full path in the command.
Tip Entering nserver -help or server -help displays the
parameters available for working with server setup profiles.
3. If the profile uses existing server, certifier, or administrator IDs that
require passwords, do the following:
a. Create a text file that contains the passwords for the existing IDs.
The keywords in this file are:
Server=
AddServer=
Certifier=
OUCertifier=
Administrator=
Because the file holds the passwords in clear text, create it with
permissions that allow only the administrator running the setup to
read it, and delete it as soon as the setup completes.
b. Add a parameter in the command line for the name of the
password file. For example, on Windows enter:
nserver -silent c:\myprofile.pds c:\passwd.txt
4. If this is a partitioned server setup, add the = parameter to the
command line to specify the NOTES.INI file in this partition's
Domino data directory. For example, on Windows enter:
nserver -silent c:\myprofile.pds =c:\lotus\domino\data2\notes.ini
5. Check the ERRORLOG.TXT file in the Domino data directory to
confirm that the setup is complete, or to view any error messages
that were generated during setup.
To do a silent setup from a Windows client with Domino
Administrator
1. Make sure that you selected Remote Server Setup when you
installed Domino Administrator on the client system.
2. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
3. At the command prompt on the server system, from the Domino
program directory, do one of the following:
On a Windows server, enter nserver -listen
On a UNIX server, enter server -listen
4. At the command prompt on the client system, from the Notes
program directory, enter:
serversetup -silent c:\myprofile.pds -remote serveraddress

Where myprofile is the name you gave the setup profile and
serveraddress is the host name or network address of the server you
are setting up.
Note If the profile file is not in the root directory, use the profile's
full path in the command.
5. If the profile uses existing server, certifier, or administrator IDs that
require passwords, do the following:
a. Create a text file that contains the passwords for the existing IDs.
The keywords in this file are:
Server=
AddServer=
Certifier=
OUCertifier=
Administrator=
b. Add a parameter in the command line for the name of the
password file. For example, on Windows enter:
serversetup -silent c:\myprofile.pds c:\passwd.txt -remote serveraddress
6. If this is a partitioned server setup, add the = parameter to the
command line to specify the NOTES.INI file in this partition's
Domino data directory. For example, on Windows enter:
serversetup -silent c:\myprofile.pds -remote serveraddress =c:\lotus\domino\data2\notes.ini
7. Check the ERRORLOG.TXT file in the Notes data directory to
confirm that the setup is complete, or to view any error messages
that were generated during setup.
To do a silent setup from a Windows client without Domino
Administrator, or from a UNIX workstation
1. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
2. At the command prompt on the server system, from the Domino
program directory, do one of the following:
On a Windows server, enter nserver -listen
On a UNIX server, enter server -listen
3. On the client system, install the Java runtime environment.
4. Create a temporary directory on the client system. For example, enter
the following at the command prompt:
On a Windows client: mkdir c:\temp
On a UNIX workstation: mkdir /temp
5. Do one of the following:
From a Windows client, copy the remote setup files
CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP.CMD
from the server to the directory you created on the client system.
These files are in C:\Domino program directory on the server.
From a UNIX workstation, copy the remote setup files
CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP from
the server to the directory you created on the workstation. These
files are in /Domino program directory/lotus/notes/latest/ibmpow/
on an AIX server, /Domino program directory/lotus/notes/latest/linux/
on a Linux server, and /Domino program directory/lotus/notes/latest/sunspa/
on a Solaris server.
6. At the command prompt on the client system, from the directory you
created, enter:
remotesetup -silent c:\myprofile.pds -remote serveraddress

Where myprofile is the name you gave the setup profile and
serveraddress is the host name or network address of the server you
are setting up.
Note If the profile file is not in the root directory, use the profile's
full path in the command.
7. If the profile uses existing server, certifier, or administrator IDs that
require passwords, do the following:
a. Create a text file that contains the passwords for the existing IDs.
The keywords in this file are:
Server=
AddServer=
Certifier=
OUCertifier=
Administrator=
b. Add a parameter in the command line for the name of the
password file. For example, on Windows enter:
remotesetup -silent c:\myprofile.pds c:\passwd.txt -remote serveraddress
8. If this is a partitioned server setup, add the = parameter to the
command line to specify the NOTES.INI file in this partition's
Domino data directory. For example, on Windows enter:
remotesetup -silent c:\myprofile.pds -remote serveraddress =c:\lotus\domino\data2\notes.ini
9. Check the ERRORLOG.TXT file to confirm that the setup is complete,
or to view any error messages that were generated during setup.
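The password file used by all three silent-setup procedures above holds ID passwords in clear text, and the text documents neither its permissions nor its cleanup. The following POSIX shell functions are an added example written for this page, not Lotus-supplied code, wrapping the UNIX server -silent form (on Windows the same handling applies to nserver -silent). write_password_file creates the file with owner-only permissions; run_silent_setup runs the setup, deletes the file whether or not the setup succeeded, and then checks ERRORLOG.TXT; errorlog_ok is that check. The function names, the choice of where to put the file, and the assumption that failure lines in ERRORLOG.TXT contain the word "error" are all this example's own, since the page does not document the log's format.

```shell
#!/bin/sh
# Added example for this page (not Lotus-supplied code): wraps the UNIX
# "server -silent" form of the silent setup so that the clear-text password
# file is created owner-readable only and removed afterwards. Assumptions:
# one keyword=value line per ID using the keywords from the text; failure
# lines in ERRORLOG.TXT contain the word "error" (its format is not
# documented); function names are this example's own. On Windows the same
# handling applies to nserver -silent.

# write_password_file FILE SERVER_PW CERTIFIER_PW ADMINISTRATOR_PW
# Creates FILE with mode 0600; an empty password skips that keyword.
write_password_file() {
    pwfile=$1
    old_umask=$(umask)
    umask 077                       # new file is created 0600
    rm -f "$pwfile"                 # never inherit an old, wider mode
    : > "$pwfile"
    if [ -n "$2" ]; then printf 'Server=%s\n' "$2" >> "$pwfile"; fi
    if [ -n "$3" ]; then printf 'Certifier=%s\n' "$3" >> "$pwfile"; fi
    if [ -n "$4" ]; then printf 'Administrator=%s\n' "$4" >> "$pwfile"; fi
    umask "$old_umask"
}

# errorlog_ok LOGFILE
# Succeeds when the log exists and no line mentions an error (assumption:
# the page does not document the log format).
errorlog_ok() {
    log=$1
    if [ ! -f "$log" ]; then
        echo "errorlog_ok: $log not found; setup may not have run" >&2
        return 1
    fi
    errors=$(grep -ci 'error' "$log" || true)
    [ "$errors" -eq 0 ]
}

# run_silent_setup PROFILE PASSWORD_FILE DATA_DIR [NOTES_INI]
# Run from the Domino program directory. NOTES_INI selects a partition and
# is passed as the "=path" parameter the text describes. The password file
# is deleted whether or not setup succeeds, then ERRORLOG.TXT is checked.
run_silent_setup() {
    profile=$1; pwfile=$2; datadir=$3; ini=${4:-}
    status=0
    if [ -n "$ini" ]; then
        server -silent "$profile" "$pwfile" "=$ini" -pb || status=$?
    else
        server -silent "$profile" "$pwfile" -pb || status=$?
    fi
    rm -f "$pwfile"                 # passwords must not outlive the setup
    if [ "$status" -ne 0 ]; then
        echo "server -silent exited with status $status" >&2
        return "$status"
    fi
    errorlog_ok "$datadir/ERRORLOG.TXT"
}

# Usage (paths are placeholders for this example):
#   write_password_file "$HOME/passwd.txt" 'server-pw' 'certifier-pw' 'admin-pw'
#   run_silent_setup /opt/lotus/myprofile.pds "$HOME/passwd.txt" /local/notesdata
```

Keep the password file out of a world-writable directory such as /tmp, and call run_silent_setup only from the Domino program directory, as the procedure above requires; the remove-then-check order means a failed setup never leaves the passwords on disk for a retry that reads the wrong file.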

The Certification Log


When you set up the first Domino server in a domain, the Server Setup
program creates the Certification Log. If you delete the log, you can
recreate it, but be aware that the new log will not contain the information
it previously stored.

The Certification Log records information related to recertification and
name changes. When you add servers and users to Domino, the
Certification Log maintains a record of how you registered them. For
each registered server and user, the Certification Log stores a document
containing the following information:
Name and license type
Date of certification and expiration
Name, license type, and ID number of the certifier ID used to create or recertify the ID
Create a replica of the Certification Log on every server that is a
registration server and on every server that stores a Domino Directory
that is used for user management, for example, renaming and
recertifying users. If the server whose Domino Directory replica you are
using does not have a Certification Log, user-management actions will
fail.

Server registration
Before you install and set up additional servers, you must register them.
In effect, registering a server adds the server to the system. The server
registration process creates a Server document for the server in the
Domino Directory and creates a server ID. After registering and
installing a server, you use the Server Setup program to obtain a copy of
the Domino Directory for the new server and to set up the server to run
particular services and tasks, for example, the HTTP service, the Mail
Router, and so on.
Note When setting up an additional server, obtaining the Domino
Directory from the registration server via dialup over a modem is
possible for Windows systems only. For other operating systems, the
additional server must be on the network in order to communicate with
the registration server.
Before you register servers, plan and understand your company's
hierarchical name scheme. The name scheme defines which certifier ID to
use when you register each new server. In addition, make sure that you
have access to each certifier ID, know its password, and have created ID
recovery information for it.
If you have decided to use the Domino server-based certification
authority (CA), you can register servers without access to the certifier ID
file and its password.

For more information on the hierarchical name scheme, see the chapter
Deploying Domino. For information on ID recovery, see the chapter
Protecting and Managing Notes IDs. For more information on using
the Domino server-based CA, see the chapter Setting Up a Domino
Server-based Certification Authority.
The registration server, which is the server that initially stores changes to
documents in the Domino Directory until the Domino Directory
replicates with other servers, must be up and running on the network. To
register servers from your workstation, you must have access to the
registration server and have at least Author access with the Server
Creator and Group Modifier roles in the ACL of the Domino Directory.
When you register a server, Domino does the following:

Creates a server ID for the new server and certifies it with the
certifier ID

Creates a Server document for the new server in the Domino


Directory

Encrypts and attaches the server ID to the Server document and


saves the ID on a disk or in a file on the server

Adds the server name to the LocalDomainServers group in the


Domino Directory

Creates an entry for the new server in the Certification Log


(CERTLOG.NSF)

If you have a Domino server-based CA for issuing Internet certificates,


you can choose to configure the new server to support SSL connections
by providing a server key ring password and the servers host name.
Then, Domino does the following:

The registration process creates a certificate request in the


Administration Requests database (ADMIN4.NSF) to be processed
by the servers Internet CA

The registration process creates a create SSL key ring request in


ADMIN4.NSF

Once you set up and start the new server and the create SSL
keying request has replicated to it, the create SSL key ring request
creates the server key ring file and an enable SSL ports request for
the administration server of the Domino Directory

The enable SSL ports request enables all the SSL ports on the new
server and creates a monitor SSL status request for the new server

The monitor SSL status request restarts all of the Internet tasks
currently running on the new server so that the tasks will accept SSL
connections

3-30 Administering the Domino System, Volume 1

For more information on these requests, see the appendix


Administration Process Requests.

Registering a server

Note You must use the Domino Administrator if you want to use this
server registration process to configure a new server for SSL.

Note If you have not specified a registration server in Administration
Preferences, this server is by default:

• The server specified in the NewUserServer setting in the NOTES.INI file
• The Administration server

1. If you are supplying the certifier ID, make sure that you have access
to it and that you know its password.
2. If you are using the Domino Administrator and would like the new
server to support SSL, make sure that you have an Internet CA
configured.
3. From the Domino Administrator or Web Administrator, click the
Configuration tab.
4. From the Tools pane, click Registration - Server.
5. If you are using the Domino Administrator, do the following:
a. If you are using the CA process, click Server and select a server
that includes the Domino Directory that contains the Certificate
Authority records, and the copy of the Administration Requests
database (ADMIN4.NSF) that will be updated with the request
for the new certificate. Then click "Use the CA Process," select a
CA-configured certifier from the list, and click OK.
b. If you are supplying the certifier ID, select the registration server.
Then click Certifier ID and locate the certifier ID file. Click OK,
enter the password for the certifier ID, and click OK.
c. In the Register Servers dialog box, click Continue if you want to
apply the current settings to all servers registered in this
registration session; otherwise, complete these fields:

Registration Server: Click Registration to specify the registration server.

Certifier: If the certifier ID displayed is NOT the one you want to use for
all servers registered in this session, or if you want to use the Domino
server-based CA instead of a certifier ID, click Certifier and you return to
Step 4.

Internet Certificate Authority: If you want the server to support SSL,
select an Internet CA from the list.

Security type: Choose either North American (default) or International.
In practice, there is no difference between a North American and an
International ID type.

Certificate expiration date: (Optional) To change the expiration date of
the Server Certificate, enter the date in mm-dd-yyyy format in the
Certificate Expiration Date box. The default date is 100 years from the
current date, minus allowances for leap years.

d. Click Continue.
6. If you are using the Web Administrator, do the following:
a. Select a registration server that includes the Domino Directory
that contains the Certificate Authority records, and the copy of
the Administration Requests database (ADMIN4.NSF) that will
be updated with the request for the new certificate.
b. Select a CA-configured certifier from the list, and click OK.
7. In the Register New Server(s) dialog box, complete these fields for
each server that you want to register:

Server name: Enter the name of the new server.

Server title: Enter the server title, which appears on the Configuration
tab in the All Server Documents view and in the Server Title field of the
Server document.

Domino domain name: The default domain name is usually the same as
the name of the organization certifier ID.

Server administrator name: Enter the name of the person who
administers the server.

ID file password: Required if you are going to store the server ID in the
Domino Directory. Optional if you store the server ID in a file. The
password is case-sensitive, and the characters you use will depend on
the level you set in the Password quality scale.

Password quality scale: Choose the level of complexity for the password.
By default, the level is 0, where 16 is the highest.

Location for storing server ID: Select "In Domino Directory" to store the
server ID in the Domino Directory. Select "In File" to store the server ID
in a file. Then click Set ID File, select the name and path for the file, and
click Save.
Note You don't see this field from the Web Administrator, as the server
ID is stored in the Domino Directory.

8. (Domino Administrator only) If you chose an Internet CA in the
Register Servers dialog box and you want the server to support SSL
connections, click Advanced, select "Enable SSL ports," and
complete the following fields:

Server key ring password: Enter a password for the server key ring.

Server host name: Enter the fully qualified domain name of the
server, for example, app01.acme.com

9. Do one:
• Click the green check box to add the server to the registration
queue.
• Click the red X to clear the fields.
10. The server registration queue displays the servers ready to be
registered. To display the settings for a server, select the server name
in the queue.
11. Click one:
• New Server: To clear fields in the Register New Server(s) dialog
box
• Register All: To register all servers in the registration queue
• Register: To register the highlighted server in the registration
queue
• Remove: To remove the highlighted server from the registration
queue
• Done: To close the Register Server(s) dialog box. Any servers
remaining in the registration queue will not be registered.
12. After you register a server, install it and then run the Server Setup
program to configure it.


Optional tasks to perform after server setup


After running the Server Setup program, you may want to perform one
or more of the following tasks, depending on the needs of your company:

• Create an additional organization certifier ID.
• Create an organizational unit certifier ID.
• Use Internet Site documents to configure Internet protocol server
tasks:
  • Enable the Internet Sites view
  • Create an Internet Site document
  • Set up security for Internet Site documents

Creating an additional organization certifier ID


When you set up the first server in a domain, you create an organization
certifier. If your hierarchical name scheme calls for having multiple
organizations but only one Domino Directory, you must create an
additional organization certifier ID.
For more information on organization certifier IDs, see the chapter
Deploying Domino.
1. From the Domino Administrator, click the Configuration tab.
2. From the Tools pane, choose Registration - Organization.
3. (Optional) To change the registration server, which is the server that
initially stores the Certifier document until the Domino Directory
replicates, click Registration Server, select the correct server, and
then click OK. If you have not specified a registration server in
Administration Preferences, the registration server is by default:
• The local server, if there is one and it contains a Domino Directory
• The server specified in the NewUserServer setting in the
NOTES.INI file
• The Administration server
4. (Optional) Click Set ID file to change the location where Domino
stores the certifier ID. Be sure to keep the certifier ID file in a secure
place so that it is readily accessible to register new servers and users,
but safe from misuse. By default, the certifier ID is stored in C:\.
5. Complete these fields:

Organization name: Enter the name of the organization. Enter a name
different from the one used on the organization certifier ID created when
you set up the first Domino server.

Country code: (Optional) Adding an organizational country or region
code for the country or region where the organization's corporate
headquarters are located minimizes the chance that another organization
has the same organization name as yours. Enter the country or region
code only if you have registered your organization name with a national
or international standards body. For multinational companies, you can
enter a country or region in which the company has offices, as long as
the organization name is registered there.

Certifier password: Enter a case-sensitive password for the certifier. The
characters you use for this password depend on the level set in the
Password quality scale field.

Password quality scale: Choose the level of complexity for the password.
By default, the level is 8, where 16 is the highest.

Security type: Choose either North American (default) or International.
In practice, there is no difference between a North American and an
International ID type.

Mail certification requests to (Administrator): Enter the name of the
administrator who handles recertification requests. The name specified
here appears in the Certifier document in the Domino Directory. If you
are creating a certifier ID for an off-site administrator, enter that
administrator's name in this field.

Location: (Optional) Enter text that appears in the Location field of the
Certifier document.

Comment: (Optional) Enter text that appears in the Comment field of the
Certifier document.

6. Click Register.

Creating an organizational unit certifier ID

You can create up to four levels of organizational unit (OU) certifiers. To
create first-level OU certifier IDs, you use the organization certifier ID.
To create second-level OU certifier IDs, you use the first-level OU
certifier IDs, and so on.
For background information on OU certifier IDs, see the chapter
"Deploying Domino."

For background information on OU certifier IDs, see the topic Certifier


IDs and certificates.
Note The registration server is the server that initially stores the
Certifier document until the Domino Directory replicates. If you have not
specified a registration server in Administration Preferences, the
registration server is by default:
• The local server, if there is one and it contains a Domino Directory
• The server specified in the NewUserServer setting of NOTES.INI
• The Administration server

To create an organizational unit certifier ID

1. From the Domino Administrator, click the Configuration tab.
2. From the Tools pane, select Registration - Organizational Unit.
3. (Optional) To change the registration server, click Registration
Server, select the correct server, and then click OK.
4. Do one:
• Select "Supply certifier ID and password." Click Certifier ID,
select the certifier ID, click Open, and click OK. Enter the ID
password, and click OK.
• Select "Use the CA Process" and then choose a CA certifier from
the list.
5. Click OK. If you are supplying the certifier ID, enter its password
and click OK.
6. (Optional) To change the registration server, click Registration
Server, select the correct server, and then click OK.
7. (Optional) To change which certifier ID to use to register the new
certifier ID:
a. Click Certifier ID.
b. Select the certifier ID, click Open, and click OK.
c. Enter the ID password and click OK.
8. (Optional) Click Set ID File if you want to change the location
where Domino stores the certifier ID. Be sure to keep the certifier ID
file in a secure place so that it is readily accessible to register new
servers and users, but safe from misuse. By default the ID is stored in
C:\.
9. Complete these fields:

Organizational Unit: Enter a name for the new organizational unit.

Certifier password: Enter a case-sensitive password for the certifier. The
characters you use for this password depend on the level set in the
Password quality scale field.

Password quality scale: Choose the level of complexity for the password.
By default, the level is 8, where 16 is the highest.

Security type: Choose either North American (default) or International.
In practice, there is no difference between a North American and an
International ID type.

Mail certification requests to (Administrator): Enter the name of the
administrator who handles recertification requests. The name specified
here appears in the Certifier document in the Domino Directory. If you
are creating a certifier ID for an off-site administrator, enter that
administrator's name in this field.

Location: (Optional) Enter text that appears in the Location field of the
Certifier document.

Comment: (Optional) Enter text that appears in the Comment field of the
Certifier document.

10. Click Register.

Internet Site documents

Internet Site documents are used to configure the Internet protocols
supported by Domino servers. A separate Internet Site document is
created for each protocol (Web (HTTP), IMAP, POP3, SMTP Inbound,
LDAP, and IIOP), and that document then provides protocol
configuration information for a single server, or for multiple servers in a
Domino organization. Specifically, you can create:

• Web Site documents. You create a Web Site document for each Web
site hosted on the Domino server.
• LDAP Site documents. You create an LDAP Site document for
LDAP protocol access to an organization in a directory.
• IMAP, POP3, and SMTP Site documents. You create an individual
Internet Site document for each mail protocol for which you enter an
IP address.
• IIOP Site documents. You create an IIOP Site document to enable
the Domino IIOP (DIIOP) task on the server. This task allows
Domino and the browser client to use the Domino Object Request
Broker (ORB) server program.

Internet Site documents make it easier for administrators to configure
and manage Internet protocols in their organizations. For example, prior
to Domino 6, if you wanted to set up a Web site in your organization, it
was necessary to configure each Domino server in the domain with
Mapping documents, Web realms, and File Protection documents. If you
had virtual servers and virtual hosts, you had to do the same thing for
them. In Domino 6, you can configure a Web Site document so that all
servers and hosts use it to get configuration information for a Web site,
including mapping information, file protection information, and Web
realm authentication information.

You must use Internet Site documents if you:

• Want to use Web-based Distributed Authoring and Versioning
(WebDAV) on a Domino Web server.
• Have enabled SSL on your server and want to use Certificate
Revocation Lists to check the validity of Internet certificates used to
authenticate with the server.
• Are using a service provider configuration on your server (see "For
service providers only" below).

Modifications to Internet Site documents (including the creation of new
Site documents) are dynamic. The server or protocol does not need to be
restarted after you create a new Site document, or after you modify or
delete an existing one. Changes generally take effect minutes after the
change is made. The ability to dynamically create, modify, or delete
Internet Site documents is especially valuable in service provider
environments, so that existing hosted organizations are not interrupted
when a new hosted organization is configured.

The Domino server is configured to use Internet Site documents if this
option is enabled on the Server document. If the option is not enabled,
the server defaults to Server document settings to obtain configuration
information for Internet protocols.

Internet Site documents are created in the Internet Sites view, which is
used to help manage Internet protocol configuration information by
listing the configured Internet Site documents for each organization in
the domain.

While most protocol settings are configured in Internet Site documents,
there are some settings that need to be configured in the Server
document to support Internet protocol configurations. These include
settings for:

• Enabling and configuring the TCP/IP port.
• Enabling and configuring the SSL port (including redirecting TCP to
SSL).
• Accessing the server, such as who can access the server and how.

For more information on server access settings, see the chapter
"Controlling Access to Domino Servers."

Setting up Internet Site documents on a Domino server

Do the following to set up basic Internet Site functionality on a Domino
server.
1. Create an Internet Site document for each Internet protocol you want
to use.
2. Set up security for each Internet Site document.
3. Enable Internet Site documents on the server.

For service providers only

Internet Site documents are required for hosted organizations. These
documents control each hosted organization's use of Internet protocols.
A hosted organization can only use an Internet protocol if the hosted
organization has an Internet Site document for that protocol. A shared IP
address may be used for all hosted organizations, or unique IP addresses
may be set up for each hosted organization. Internet Site documents link
IP addresses to the individual hosted organizations for each Internet
protocol.
When registering hosted organizations, you have the option to create
Internet Site documents during hosted organization registration, or you
can choose to create them later.

Caution If you use an Internet Site document to configure one Internet
protocol on a server, you must also use Internet Site documents for all
Internet protocols on that server. For example, you cannot set up an
LDAP Internet Site document and, on the same server, use the Server
document to configure HTTP.

Service providers need to consider the following when using Internet Site
documents:

• Each hosted organization has one Web Site document that can be
created during hosted organization registration. You must create this
initial Web Site document to activate the HTTP protocol. If you have
multiple Web sites, you need one individual Web Site document for
each additional Web site for each organization. If the hosted
organization supports DOLS, the Web Site document must contain
the name of the DSAPI filter file. For more information, see the
topic "To configure DOLS on a server that uses Web Site documents"
in this chapter.
• You must create one mail protocol Site document (IMAP, POP3, or
SMTP) for each protocol used by each organization.
• In a hosted environment, Domino IIOP (DIIOP) can use the
information in the IIOP Internet Site document to define the scope of
the Domino Directory used to validate users. With DIIOP, you can
use any Java code running on any server on the network.
• If your configuration has one IP address that is shared by multiple
hosted organizations, HTTP, IMAP, LDAP, POP3, and SMTP are the
available protocols. For IMAP, LDAP, POP3, and SMTP users, the
name provided during authentication must be the user's Internet
e-mail address, so that the server knows the organization of which
each user is a member. Anonymous access to LDAP is not supported
in this configuration.
• To enable SSL for a hosted organization, you must enter the server IP
address in the field "Host names or addresses mapped to this site"
on the Basics tab of the Internet Site document.

Creating an Internet Site document


You can create Internet Site documents for Web, IMAP, POP3, LDAP,
SMTP Inbound, and IIOP Internet protocols. You create one document at
a time.
To create an Internet Site document
1. From the Domino Administrator, click Configuration - Web - Internet
Sites.
2. Click Add Internet Site, and select the type of Internet Site document
to create.

3. Click the Basics tab, and complete these fields:

Descriptive name for this site: (Optional) Enter a name that differentiates
this site from all others that you create. This name appears in the Internet
Sites view in this format: the type of Internet Site, the descriptive name,
and the host name or address. For example:
Web Site: MyWebSite (www.acme.com)
If you do not enter a name, the default name is the type of Internet Site
document with the host name or address appended. For example:
POP3 Site: (www.acme.com)

Organization: (Required for all Internet Site documents) Enter the name
of the registered organization that hosts the Internet Site document. The
name must correspond to the organization's certifier.
Note For Web Sites set up in a non-service provider configuration, this
name can be any suitable word or phrase.

Use this Web site to handle requests which cannot be mapped to any
other Web sites: (Web Site documents only) Choose one:
• Yes: This Web site processes incoming HTTP requests if Domino
cannot locate the Web sites that were entered in the "Host names or
addresses mapped to this site" field.
• No (default): This Web site does not process incoming HTTP requests
for which Domino cannot locate a Web site.

Host names or addresses mapped to this site: (Required for all Internet
Site documents) Enter the target host names or IP addresses that trigger
a connection's use of this Internet Site document. If the site is set up for
SSL, you must specify IP addresses.

Domino servers that host this site: (Required for all Internet Site
documents) Enter the name of one or more Domino servers that host this
site. You can use any variation of distinguished name (for example,
Server1/Sales/Acme) as well as wildcards (for example, */Acme). The
default is (*), which means that all servers in the domain can host this
site. If you leave the field blank, the Internet Site will not be loaded on
any Domino server.

4. For all Internet Site documents, complete the settings on the Security
tab.
5. Some Internet Sites require additional configuration. The table below
indicates the Internet Site documents that require additional
configuration, and the locations for settings in those documents for
enabling additional configuration information unique to those
protocols.

Web Site: Configuration tab; Domino Web Engine tab
IMAP Site: Public Folder tab
IIOP Site: Configuration tab

6. Save and close the document.
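The Basics tab fields above decide which Web Site document answers a given request: the site whose "Host names or addresses mapped to this site" entry matches the request's host, on a server that is listed (by distinguished name, a */Acme wildcard, or the (*) default) in "Domino servers that host this site", with the site flagged to "handle requests which cannot be mapped" as the fallback and a blank server field meaning the site is loaded nowhere. The following Python is an added illustration of those rules, not Domino's own code; the WebSite class, the function names and the sample documents are constructed for the example, and it generalizes the text by accepting both abbreviated and canonical (CN=/OU=/O=) server names.

```python
"""Resolve an incoming request to a Web Site document.

Added worked example of the Basics tab mapping rules. Not Domino code: the
WebSite class, function names and sample documents are constructed here.
"""
from dataclasses import dataclass
from typing import List, Optional


def normalize_name(name: str) -> List[str]:
    """Split a Notes name into lowercase components, accepting both the
    abbreviated form (Server1/Sales/Acme) and the canonical form
    (CN=Server1/OU=Sales/O=Acme)."""
    parts = []
    for comp in name.strip().split("/"):
        if "=" in comp:                        # drop CN=, OU=, O=, C= labels
            comp = comp.split("=", 1)[1]
        parts.append(comp.strip().lower())
    return parts


def server_matches(pattern: str, server: str) -> bool:
    """True if one entry of "Domino servers that host this site" covers
    server: "*" covers every server, "*/Acme" covers every server whose
    name ends in /Acme, anything else must match exactly."""
    pat, srv = normalize_name(pattern), normalize_name(server)
    if pat == ["*"]:
        return True
    if pat[0] == "*":
        suffix = pat[1:]
        return len(srv) > len(suffix) and srv[-len(suffix):] == suffix
    return pat == srv


@dataclass
class WebSite:
    name: str                   # Descriptive name for this site
    organization: str           # Organization
    hosts: List[str]            # Host names or addresses mapped to this site
    servers: List[str]          # Domino servers that host this site
    default_site: bool = False  # handle requests which cannot be mapped elsewhere


def sites_loaded_on(server: str, sites: List[WebSite]) -> List[WebSite]:
    """Sites this server loads; a site with a blank server list is loaded nowhere."""
    return [s for s in sites if any(server_matches(p, server) for p in s.servers)]


def resolve_site(host_header: str, server: str, sites: List[WebSite]) -> Optional[WebSite]:
    """Choose the Web Site document for a request arriving at server.
    An exact host or address match wins; otherwise the site flagged as the
    fallback is used, if this server loads one; otherwise there is no site."""
    loaded = sites_loaded_on(server, sites)
    wanted = host_header.strip().lower().split(":")[0]   # ignore any :port
    for site in loaded:
        if wanted in (h.lower() for h in site.hosts):
            return site
    for site in loaded:
        if site.default_site:
            return site
    return None


# Constructed sample Web Site documents (not from a real Domino Directory).
SAMPLE_SITES = [
    WebSite("Corporate", "Acme", ["www.acme.com", "10.0.0.5"], ["*/Acme"], default_site=True),
    WebSite("Sales", "Acme", ["sales.acme.com"], ["Server1/Sales/Acme"]),
    WebSite("Orphan", "Acme", ["orphan.acme.com"], []),       # blank field: never loaded
]
# Same idea with no fallback site: an unmapped host gets no site at all.
NO_FALLBACK_SITES = [WebSite("Sales", "Acme", ["sales.acme.com"], ["*"])]


def demo() -> dict:
    """Map a few constructed requests and report which site handles each."""
    cases = {
        "sales.acme.com on Server1/Sales/Acme": ("sales.acme.com", "CN=Server1/OU=Sales/O=Acme"),
        "sales.acme.com on Server2/Acme": ("sales.acme.com", "Server2/Acme"),
        "orphan.acme.com on Server1/Sales/Acme": ("orphan.acme.com", "Server1/Sales/Acme"),
        "www.acme.com on Server9/Other": ("www.acme.com", "Server9/Other"),
    }
    results = {}
    for label, (host, srv) in cases.items():
        site = resolve_site(host, srv, SAMPLE_SITES)
        results[label] = site.name if site else None
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The "Orphan" document never answers, even for its own host name, because its server field is blank; on a server outside /Acme nothing is loaded at all, so a request there gets no site rather than the fallback.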

Setting up security for Internet Site documents


To set up security for Internet Site documents, you can enable SSL server
and client authentication, name-and-password authentication, or
anonymous access for Internet and intranet clients.
In order to enable SSL for Internet Sites, you must configure the SSL port
on the Server document and set up SSL on the server by obtaining a
server certificate and key ring from an Internet certificate authority.
To set up SSL authentication, you must create a server key ring file for
each Internet Site document. However, if the Internet site documents are
for the same organization, but are created for different protocols, a single
server key ring file can be used. Be sure to enter the server key ring file
name in the appropriate field on the Security tab of each site document.
If you want to use Certificate Revocation Lists (CRL) for Internet
certificate authentication, the server must be using a Domino
server-based certification authority for issuing Internet certificates.
To enable SSL for a hosted organization, you must use the server IP
address in the field Host names or addresses mapped to this site on the
Basics tab of the Internet Site document.
Note For Web sites, the common name on the server key ring must
match the DNS name to which the IP address in the Web Site document
is mapped. The IP address must be stored in the field Host name or
addresses to map to this site, which is located on the Web Site
document. If you enable Redirect TCP to SSL in a Web Site document,
both the host name and the IP address must be stored in this field.


For more information about SSL authentication, see the chapter Setting
Up SSL on a Domino Server.
For more information about name-and-password authentication and
anonymous access, see the chapter Setting Up Name-and-Password
Authentication and Anonymous Access on a Domino Server.
To set up security for Internet Site documents

Note In Domino 6, it is possible to effectively prohibit access to an
Internet Site by selecting No for all authentication options in an Internet
Site document. These options include TCP authentication, SSL
authentication, and TCP anonymous access.

You should be familiar with SSL authentication, name-and-password
authentication, and anonymous access before completing these steps.

1. From the Domino Administrator, click Configuration - Web - Internet
Sites.
2. Choose the Internet Site document to modify, and click Edit
Document.
3. Click Security, and complete these fields:

TCP Authentication

Anonymous: (Applies to all Internet sites, except IMAP and POP3)
Choose one:
• Yes: To allow anonymous access to this site
• No: To prohibit anonymous access

Name & password: Choose one:
• Yes: To require a user to authenticate with the user's name and
Internet password to access the site
• No: To not require name and password authentication

Redirect TCP to SSL: (Applies to Web Site only) Choose one:
• Yes: To require clients and servers to use the SSL protocol to
access the Web site
• No: To allow clients and servers to use SSL or TCP/IP to access
the Web site

SSL Authentication

Anonymous: (Applies to all Internet sites, except IMAP and POP3)
Choose one:
• Yes: To allow users access over the SSL port without
authenticating with a name and password
• No: To deny users anonymous access

Name & password: Choose one:
• Yes: To require a user to authenticate with user name and Internet
password in order to access this site using SSL
• No: To not require a name and password

Client certificate: (Applies to Web Site, IMAP, POP3, and LDAP)
Choose one:
• Yes: To require a client certificate for access to this site
• No: To not require a client certificate

SSL Options

Key file name: Enter the name of the server key ring file.

Protocol version: Choose one:
• V2.0 only: Allows only SSL 2.0 connections.
• V3.0 handshake: Attempts an SSL 3.0 connection. If this fails and
the requester detects SSL 2.0, attempts to connect using SSL 2.0.
• V3.0 only: Allows only SSL 3.0 connections.
• V3.0 with V2.0 handshake: Attempts an SSL handshake, which
displays relevant error messages. Makes an SSL 3.0 connection if
possible.
• Negotiated (default): Attempts an SSL 3.0 connection. If this fails,
attempts to use SSL 2.0. Use this setting unless you are having
connection problems caused by incompatible protocol versions.

Accept SSL site certificates: Choose one:
• Yes: To accept the certificate and use SSL, even if the server does
not have a certificate in common with the protocol server
• No (default): To prohibit the acceptance of SSL site certificates for
access

Accept expired SSL certificates: Choose one:
• Yes: To allow clients access, even if the client certificate is expired
• No: To prohibit client access using expired SSL certificates

Check for CRLs: Choose one:
• Yes: To check the certifier's Certificate Revocation List (CRL) for
the user certificate you are attempting to validate. If a valid CRL is
found and the user certificate is on the list, the user certificate is
rejected.
• No: To not use Certificate Revocation Lists

Trust expired CRLs: Choose one:
• Yes: To use expired but otherwise valid Certificate Revocation Lists
when attempting to validate user certificates
• No: To reject expired Certificate Revocation Lists

Allow CRL search to fail: Choose one:
• Yes: If the attempt to locate a valid Certificate Revocation List
fails, proceed as if Check for CRLs is set to No.
• No: If a valid Certificate Revocation List for the user certificate is
not found, reject the certificate. If Trust expired CRLs is set to Yes,
an expired CRL is valid. If Trust expired CRLs is set to No, the
authentication will fail for every user certificate for which a
matching valid CRL is not located.

SSL Security

SSL ciphers: Click Modify to change the SSL cipher settings for this site
document. These settings apply only to SSL v3. SSL v2 ciphers cannot be
changed.

Enable SSL V2: Choose Yes to enable SSL v2 for this site document.

4. Save the document.
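The three CRL fields above interact: "Check for CRLs" turns revocation checking on, "Trust expired CRLs" decides whether an out-of-date list still counts as valid, and "Allow CRL search to fail" decides what happens when no valid list can be found at all. The same table also contains settings that silently weaken a site (SSL v2, expired certificates accepted) and the all-No combination that the note says locks everyone out. The Python below is an added worked example, not Domino code: SiteSecurity mirrors the table's fields under names chosen for this example (they are not Domino item names), crl_decision() spells out the revocation decision table, audit() lists the combinations an administrator would want to notice before saving the document, and the sample configurations are constructed.

```python
"""Security tab of an Internet Site document: CRL decision table and a
weak-setting audit. Added illustration; not Domino code. Field names in
SiteSecurity are this example's own, and the sample sites are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class SiteSecurity:
    # TCP Authentication
    tcp_anonymous: bool = False
    tcp_name_password: bool = False
    redirect_tcp_to_ssl: bool = False          # Web Site only
    # SSL Authentication
    ssl_anonymous: bool = False
    ssl_name_password: bool = False
    client_certificate: bool = False
    # SSL Options
    protocol_version: str = "Negotiated"
    accept_expired_ssl_certificates: bool = False
    check_for_crls: bool = False
    trust_expired_crls: bool = False
    allow_crl_search_to_fail: bool = False
    # SSL Security
    enable_ssl_v2: bool = False


def crl_decision(cfg: SiteSecurity, crl_found: bool, crl_expired: bool,
                 cert_revoked: bool) -> bool:
    """Return True if a client certificate passes the CRL stage of validation.

    crl_found     a CRL issued by the certificate's certifier was located
    crl_expired   that CRL is past its validity period
    cert_revoked  the certificate appears on that CRL
    """
    if not cfg.check_for_crls:
        return True                    # "No": revocation lists are not consulted
    # An expired CRL only counts as valid when "Trust expired CRLs" is Yes.
    have_valid_crl = crl_found and (not crl_expired or cfg.trust_expired_crls)
    if not have_valid_crl:
        # No valid CRL: "Allow CRL search to fail" decides whether to proceed
        # as if Check for CRLs were No (True) or to reject (False).
        return cfg.allow_crl_search_to_fail
    return not cert_revoked            # valid CRL found: listed certificates are rejected


def audit(cfg: SiteSecurity) -> List[str]:
    """List settings that weaken the site or lock everyone out."""
    findings = []
    if not (cfg.tcp_anonymous or cfg.tcp_name_password or cfg.ssl_anonymous
            or cfg.ssl_name_password or cfg.client_certificate):
        findings.append("every authentication option is No: the site is unreachable")
    if cfg.enable_ssl_v2 or cfg.protocol_version == "V2.0 only":
        findings.append("SSL 2.0 is permitted")
    if cfg.accept_expired_ssl_certificates:
        findings.append("expired client certificates are accepted")
    if cfg.client_certificate and not cfg.check_for_crls:
        findings.append("client certificates are required but never checked against a CRL")
    if cfg.check_for_crls and cfg.allow_crl_search_to_fail:
        findings.append("CRL check is skipped whenever no CRL can be found")
    if cfg.tcp_name_password and not cfg.redirect_tcp_to_ssl:
        findings.append("Internet passwords are accepted over plain TCP (no redirect to SSL)")
    return findings


# Constructed sample configurations.
STRICT_SITE = SiteSecurity(redirect_tcp_to_ssl=True, ssl_name_password=True,
                           client_certificate=True, check_for_crls=True)
LENIENT_SITE = SiteSecurity(ssl_name_password=True, client_certificate=True,
                            check_for_crls=True, trust_expired_crls=True,
                            allow_crl_search_to_fail=True)
WEAK_SITE = SiteSecurity(tcp_name_password=True, enable_ssl_v2=True,
                         accept_expired_ssl_certificates=True)
LOCKED_SITE = SiteSecurity()           # every authentication option left at No


if __name__ == "__main__":
    for label, cfg in (("strict", STRICT_SITE), ("lenient", LENIENT_SITE),
                       ("weak", WEAK_SITE), ("locked", LOCKED_SITE)):
        print(label, audit(cfg) or ["no findings"])
    print("revoked cert, strict:", crl_decision(STRICT_SITE, True, False, True))
    print("no CRL found, lenient:", crl_decision(LENIENT_SITE, False, False, False))
```

With the strict settings a missing or expired CRL rejects the certificate; with "Allow CRL search to fail" set to Yes the same certificate is accepted, which is why the audit reports that combination.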

Enabling Internet Sites on a server


If you enable the use of Internet Sites on a Domino server, the server
obtains Internet protocol configuration information from site documents.
Comparable configuration settings in the Server document are not used.
If the use of Internet Sites is not enabled, comparable Server document
settings are used to obtain protocol configuration information.

You can only use the Internet Sites view for Domino 6 servers. Servers
running Domino 5.0x or earlier do not have the option for enabling the
Internet Sites view.
Note Each time you start or restart HTTP, a console message indicates
whether the HTTP task is using Internet Sites or the Server document
(Web Server Configurations view) to obtain Internet protocol
configuration information.
To enable Internet Sites on a server
1. Open the Server document you want to edit, and click Edit Server.
2. Click the Basics tab.
3. In the Basics section, enable Loads Internet configurations from
Server/Internet Sites documents.
4. Save the document.
5. Restart the server.
Note The HTTP task is backward-compatible with the Web Server
Configurations view.

Starting and shutting down the Domino server


Start the Domino server so users can access shared databases and obtain
other server services. Do not enter keystrokes or click the mouse while
the Domino server is starting or shutting down.
Note If the server program is running, do not use CTRL+S to stop
scrolling the console, because no server services take place until you
press a key to continue.

To start the server

Windows NT and 2000: Choose Start - Programs - Lotus Applications -
Lotus Domino Server.

UNIX: Enter the path for the Domino program directory. For example, if
you installed Domino in the /opt directory, enter:
/opt/lotus/bin/server

To shut down the server


Enter either exit or quit at the console. It may take ten seconds or more
for the server to shut down.


Chapter 4
Setting Up Server-to-Server Connections

Planning server-to-server connections


Servers must connect to each other to exchange data, for example to
replicate databases and exchange mail. You can create connections
between servers across a local area network (LAN) or wide area network
(WAN); using a dialup modem or remote access service; using a passthru
server, which is a server that acts as an intermediary server between a
client and its destination; or over the Internet.
For a calling server to connect to a given destination server, it requires
information about how and when to contact the destination server. The
information about how to contact the destination server includes the
network to use to reach the target server, and, depending on the type of
network, the network addresses, phone number, and other information
needed to make the connection.
When a server needs to connect to a destination server on the same Notes
Named Network, the information needed to make the connection is
readily available and the connection occurs automatically, without any
administrative intervention. However, when two servers don't share a common network, the calling server must be able to obtain this information by some other method. In a Domino network, administrators create Connection documents in the Domino Directory to store information about how to connect to a destination server.
In addition to providing the network information required to contact a
destination server, Connection documents can also specify when to
contact the destination server. Depending on the type of communications
required, a calling server may attempt to establish contact with the
remote server immediately, or only at scheduled intervals. For example,
a server looking up a name on, or performing cluster replication with a
given destination server requires immediate access to a remote server.

On the other hand, to perform tasks such as routing mail or replicating databases, a calling server may require only periodic access to the destination server. When setting up a Connection document for a task that doesn't require immediate access, you can specify when the calling server attempts to make the connection. Network information in a Connection document is used to create the connection to the specified destination server, whether or not the connection is related to a task defined in the schedule part. In other words, a calling server can use the network information in a Connection document to contact a specified destination server when contacting that server for reasons other than mail routing or replication.
After you configure servers, create Connection documents to enable mail transfer, replication, and remote access between servers on different networks.
Connections between servers, that is, your connection topology, should enable servers to exchange information reliably and efficiently, maximizing the capacity of the physical network while minimizing connection-related costs.
When creating Connection documents for scheduled operations or to
enable contact with a destination server, keep the following factors in
mind:

• The physical network to which the servers belong - Are servers in the same or different Notes named networks?
• Function of the server - What is the primary role of the server? For example, is it an application server, Web server, or Directory server? Does the server provide passthru or dialup access to connect remote or disparate networks?
• Tasks running on the server - Does the server require Connection documents for both replication and mail routing?
• Access requirements - Does the server need to be reached over a modem connection or as a passthru destination?
• Does the planned connection topology make the best use of the available network infrastructure? Is the server hardware adequate to support its role in replication or routing? For example, if a server is to be used as a replication hub, does it have a fast processor, sufficient memory, and enough disk space? Does the server require multiple NICs? Is there enough bandwidth between servers to support the anticipated traffic?
• Keep the number of Connection documents and the number of hops between the connecting and destination servers to a minimum.
• The Domino domain location of the servers - Are servers in the same domain, adjacent domains, or non-adjacent domains?

The number of Connection documents that you create for a server depends on whether the server is running the replication task and/or the mail task. When you configure a server, the Server document, by default, enables mail routing. When you create a Connection document, replication is enabled. Depending on how you use the server, that is, whether you store mail files and/or application databases on it, you must create a minimum of one or two Connection documents.

[Figure: Mail routing requires one Connection document on each server; replication requires one Connection document on either server (Hub-W, Hub-E).]

For more information on configuring replication, see the chapter Scheduling Replication.
For more information on mail routing, see the chapter Overview of the
Domino Mail System.
Servers can also use information gathered from an External Domain
Network Information (EDNI) document to make a connection. As an
administrator, you configure this document to retrieve names and
addresses of servers in another domain so that users and servers do not
require Connection documents to connect to servers in that domain.
For more information on EDNI documents, see the topic Setting up
external domain lookups later in this chapter.

Remote (modem) access and server topology


Servers that are not on the same LAN or WAN can use modem
connections to communicate with each other. For example, servers in
remote field offices can establish modem connections with servers in a
central office to route mail or replicate databases.
To create a topology for remote servers, first determine which databases
the workstations and servers access frequently. In particular, think about
how you want to route mail and replicate databases. Determine if users
and servers in remote locations need access to certain mail and other
databases. If so, consider these methods to make the databases available:

• Create replicas of the databases on a remote server.
For information about using database replicas, see the chapter Scheduling Replication.

• Place modems on local servers that remote users need to access.
For information about connecting servers by modem, see the topic Planning for modem use later in this chapter.

• Set up a passthru server for use by remote servers or users.
For information about setting up passthru servers, see the topic Setting up a server as a passthru server later in this chapter.

Because users who connect to a remote server over a Notes Direct Dialup
connection typically have only one modem on their workstations, by
default, they can connect to that one server only. Creating replicas of
frequently used databases on that server enables remote users to access
multiple databases over a single dialup connection.
Setting up a passthru server enables remote workstations or servers that
connect to one Domino server to access additional Domino servers also.
Using a passthru server consolidates modem resources on a few Domino
servers and centralizes administration and troubleshooting.

How a server connects to another server


A connecting server uses the following steps to determine how to
connect to a destination server. As soon as the connecting server
successfully connects to the destination, it stops searching for additional
connection methods.
1. The connecting server tries to connect using the same method it used the last time it made a successful connection to the destination server. Note these two exceptions:
• If the server never connected to the destination server, the server searches for a path (consisting of a network port and any passthru servers) to the destination server.
• If the server has connected previously, but the connection now fails, the server conducts a new path search if it is the first attempt of the day.
2. The connecting server checks to see if it already has a WAN port connection to the destination server.
3. The server examines normal-priority Connection documents in the Domino Directory for information on what path to use to connect to the destination server. A normal-priority Connection document is one that has Normal selected in the Usage priority field. If multiple normal-priority Connection documents exist for the same destination server, the server chooses the Connection document to use based on the type of connection in the following order:
Local Area Network
Network Dialup
Notes Direct Dialup
Passthru server
Hunt group of passthru servers
Note A server that uses a passthru connection to reach the destination server must first be able to connect to the passthru server. To provide information on how to connect to the passthru server, you may have to create an additional Connection document.
4. The connecting server checks information stored in memory about other servers in the server's Notes named network. It uses this information to define a path to the destination server. The server reads this information from Server documents in its local Domino Directory.
5. If the connecting server's local Domino Directory does not contain information about the destination server, it tries to connect directly to the destination server on the LAN by using the server common name as its address.
6. The connecting server checks the low-priority Connection documents. A low-priority Connection document is one that has Low selected in the Usage priority field.
7. If the connecting server still cannot find a path to the destination server, it issues a message that a connection is not possible.
Note For workstations connecting to servers, the search logic is the same except that the workstation tries to use the passthru server listed as default in the Location document to make the connection if Steps 1 through 5 fail. If the Location document does not define a default passthru server and the workstation is already connected to a server over a Notes Direct Dialup connection, the workstation uses that server as a passthru to reach the destination server.
To display information about how a server makes a connection, open the Miscellaneous Events view in the log file (LOG.NSF). To change the amount of information Domino records about connections in the log file, change the log level.
For more information on log files, see the chapter Using Log Files.

Replication and server topology


As the number of Domino servers on your network increases, so does the
amount of replication required to distribute information across the
network. Because replication uses memory and processing time, plan
how servers connect to perform replication. If you allow servers to
replicate at random, so that a given server replicates a single database
with multiple servers, or perhaps replicates different databases with
different servers, servers can become so overloaded with replication
requests that it interferes with their ability to respond to client requests.
To provide for efficient replication, consider setting up some servers as
dedicated replication servers. Using dedicated servers to handle
replication greatly reduces the amount of work that database servers have
to devote to replication, because the database servers have to replicate with
the replication servers only, instead of having to replicate with every
server that maintains a copy of a given database. To control replication,
you create Connection documents that specify which servers to replicate
with and when.
How you connect servers for replication depends on many factors,
including the layout of physical network and the size of your
organization, as well as the extent to which you want to re-use existing
Connection documents created for mail routing. There are several
different configurations, or topologies, you can use to control how
replication occurs between servers:

• Hub-and-spoke
• Peer-to-peer
• Ring

Choose the replication strategy that provides the most efficient replication performance. In many cases, you'll use different topologies in different parts of the network.
Using a hub-and-spoke topology to manage replication
A hub-and-spoke topology is generally the most common and efficient
replication topology in larger organizations, because it minimizes
network traffic. Hub-and-spoke replication establishes one central server
as the hub, which schedules and initiates all replication with all of the
other servers, or spokes. The spokes update the hub server by replication
(and mail routing), and the hub in turn updates each spoke. Hub servers
replicate with each other or with master hub servers in organizations that
use more than one hub. In short, the hub server acts as the traffic
manager of the system, overseeing system resources, ensuring that
replication takes place with each spoke in an orderly way, and
guaranteeing that all changes are replicated to all spoke servers.
To set up replication in a hub-and-spoke system, you create one Connection document for each hub-and-spoke connection. To ensure that the replication task on the hub, rather than the spokes, always assumes most of the work, in each Connection document specify the hub server as the source server, the spoke server as the destination server, and pull-push as the replication method.
The major drawback of a hub-and-spoke topology is that it is vulnerable to a single point of failure if the hub is not working. Deploying a backup server that replicates the hub and can quickly be reconfigured into a hub server if the primary hub goes down can alleviate this shortcoming.
Benefits of a hub-and-spoke topology
1. Install multiple protocols on hub servers to enable communication in a Domino system that uses more than one protocol. This places hub servers in multiple Notes named networks, another source of efficiency. Hub servers can connect multiple Notes named networks, where a single hub server and its spoke servers often make up one Notes named network.
2. Bridge parts of a network, for example, a LAN and a WAN.
3. Centralize administration of the Domino Directory, standardize database ACLs, and limit access to the hub. You can designate the hub with Manager access and the spokes with Reader access so that you make those changes on one replica on the hub to synchronize the spokes.
4. Designate hubs by role, for example, replication hubs and mail hubs.
5. Place server programs such as message transfer agents on hubs to make them easily accessible.
6. Connect remote sites with a hub server.
7. Minimize network traffic and maximize network efficiency.
8. Centralize data backup at the hub. By backing up databases on the hub only, you conserve resources on spoke servers.
9. Improve server load balancing. However, network traffic increases on the hub LAN segment. If you have more than 25 servers per hub, establish tiers of hubs. If a hub goes down, replication for that hub and its spokes is disabled until the hub is repaired or replaced.
A hub-and-spoke topology can be especially useful at large, multiple-server sites or in a centralized office that needs to connect via phone or leased lines to smaller, regional offices. If you have a large site, you can use a combination of topologies, for example, two hub-and-spoke arrangements and one peer-to-peer arrangement between the two hub servers.
Note Do not use hub-and-spoke replication for databases larger than 100MB that have replicas on less than four servers. Instead, schedule replication for these databases to occur separately from other replications.
Using a peer-to-peer topology to manage replication
In a peer-to-peer topology, replication is less centralized than in a
hub-and-spoke configuration, with every server being connected to every
other server. Because peer-to-peer replication quickly disseminates
changes to all servers, it is often the best choice for use in small
organizations, or for sharing databases locally among a few servers.
However, it can be inefficient when a database resides on more than a
few servers.
In a peer-to-peer topology, the potential for replication problems
decreases, because only two servers communicate for each replication
and no hub or intermediary servers are involved. However, peer-to-peer
replication requires many Connection documents, increases
administration since you must avoid overlap in replication schedules,
and prevents you from standardizing ACL requirements.
Other topology strategies
Another method of managing replication is to use Cluster replication.
This ensures constant access to data, because data on one server is
duplicated on one or more cluster mates. If the primary server becomes
unavailable, data can be obtained from other servers in the cluster.
For more information on using clusters, see the book Administering
Domino Clusters.
Other replication topologies include:
• End-to-end - Also known as a chain topology, connects two or more servers in a chain. Information travels in one direction along the chain and then travels back in the other direction. End-to-end replication is less efficient than ring replication but is useful in situations where information needs to travel in only one direction.
• Ring - Similar to an end-to-end topology, but connects servers in a circle so that replication occurs within a closed loop. Ring replication can be useful in a large organization for replicating information between hub servers.
• Binary tree - Connects servers in a pyramid fashion: the top server connects to two servers below, each of which connects to two servers below, and so on. Information travels down the pyramid and then back up.

Unlike mail routing, which works in one direction and requires a pair of Connection documents to enable two-way routing, replication between servers works in both directions, and requires only one Connection document between each pair of servers. Because the server that initiates replication takes on the larger share of the replication workload, if you decide to add replication to one of the Connection documents already used for mail routing between two servers, add the replication task to the document on the more powerful server in the pair.
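The Connection document rules from this section (one document per server pair for replication, placed on the more powerful server; a pair of documents for two-way mail routing; the hub as source with pull-push; tiers of hubs above 25 spokes) as an added Python planner, not code from the manual or from Lotus. The ConnectionDoc structure, the power ratings and the "Pull Push" string are assumptions.

```python
"""Plan the minimum set of Connection documents for a replication or mail topology.

Added example, not Lotus or IBM code.  The rules are the chapter's; the
ConnectionDoc structure, the power ratings and the server names are assumptions.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

MAX_SPOKES_PER_HUB = 25   # beyond this the manual recommends tiers of hubs


@dataclass
class ConnectionDoc:
    source: str
    destination: str
    tasks: Set[str] = field(default_factory=set)  # "Mail Routing", "Replication"
    replication_type: str = ""                    # "Pull Push" once replication is on


def plan_connections(replication_pairs: Iterable[Tuple[str, str]],
                     mail_pairs: Iterable[Tuple[str, str]],
                     power: Dict[str, int]) -> List[ConnectionDoc]:
    """Merge tasks onto as few Connection documents as the chapter allows.

    Mail routing is one-way, so two-way routing needs one document on each
    server of the pair.  Replication is two-way and needs a single document
    per pair; because the initiating server carries the larger share of the
    work, that document goes on the more powerful server (higher rating).
    """
    docs: Dict[Tuple[str, str], ConnectionDoc] = {}

    def doc_for(src: str, dst: str) -> ConnectionDoc:
        return docs.setdefault((src, dst), ConnectionDoc(src, dst))

    for a, b in mail_pairs:
        doc_for(a, b).tasks.add("Mail Routing")
        doc_for(b, a).tasks.add("Mail Routing")

    for a, b in replication_pairs:
        src, dst = (a, b) if power.get(a, 0) >= power.get(b, 0) else (b, a)
        d = doc_for(src, dst)   # re-uses a mail routing document if one exists
        d.tasks.add("Replication")
        d.replication_type = "Pull Push"
    return list(docs.values())


def hub_and_spoke(hub: str, spokes: List[str], mail: bool = True):
    """Hub-and-spoke: the hub is the source (pull-push) of every spoke link."""
    advice = []
    if len(spokes) > MAX_SPOKES_PER_HUB:
        advice.append(f"{hub}: {len(spokes)} spokes exceed {MAX_SPOKES_PER_HUB}, "
                      "establish tiers of hubs")
    pairs = [(hub, s) for s in spokes]
    power = {hub: 1}            # spokes default to 0, so the hub always initiates
    return plan_connections(pairs, pairs if mail else [], power), advice


def peer_to_peer(servers: List[str], power: Dict[str, int]) -> List[ConnectionDoc]:
    """Every server replicates with every other: one document per pair."""
    return plan_connections(list(combinations(servers, 2)), [], power)


if __name__ == "__main__":
    acme, notes = hub_and_spoke("Hub-E/East/Acme",
                                ["HR-E/East/Acme", "HR-S/South/Acme", "HR-W/West/Acme"])
    for doc in acme:
        print(doc)
```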

Examples of server topology


This topic provides examples of the following server topologies:
• Example of hub server topology
• Hub-and-spoke topology
• Hub-and-spoke with peer-to-peer topology
• Application server topology
• Mail and directory server topology
• Remote server topology

Example of hub server topology

[Figure: Hub-W/West/Acme and Firewall-W/West/Acme on the West Coast; Firewall-E/East/Acme and Hub-E/East/Acme on the East Coast.]

The hub servers at Acme Corporation handle server communication between servers located on the East and West Coasts. These servers are geographically distant and connect over the Internet using a modem or ISDN line. Controlling communication through hub servers is beneficial because it centralizes administration for connections that may be costly or time consuming.
By using hub servers, only two servers, not every server in the organization, need to make the remote connection.
The firewall server is a Domino server that protects Hub-E/East/Acme and Hub-W/West/Acme from outside users. Because the firewall server uses Domino instead of some other type of firewall software, the hub servers can use Domino features, such as mail and replication, to send and receive information.

Using existing mail routing connections for replication

As you plan for replication, consider re-using the connections you may have already set up for Notes mail routing. If you previously created a Connection document for mail routing, you can easily enable the replication task on that document.

Example of hub-and-spoke topology

[Figure: Hub-E/East/Acme as the hub, with spoke servers HR-W/West/Acme, HR-E/East/Acme, and HR-S/South/Acme.]

In this example, the Acme Corporation has one hub server, Hub-E/East/Acme, and three spoke servers. The spoke servers, HR-E/East/Acme, HR-S/South/Acme, and HR-W/West/Acme, contain an Employee Benefits application. Employees on the East Coast
access the application on HR-E/East/Acme; employees on the West
Coast access a replica of the application on HR-W/West/Acme; and
employees in the South access a replica of the application on
HR-S/South/Acme. Any changes to the application replicate through
Hub-E/East/Acme to the HR servers. The HR servers send changes to
the hub, which then sends changes back to the HR servers. With the three
Connection documents that Acme created, the hub server performs the
replication, reducing the load on the spokes. Making the application
available to East, West, and South users prevents them from making
costly WAN connections to the application.

Example of hub-and-spoke with peer-to-peer topology

[Figure: Hub_E/East/Acme, Hub-W/West/Acme, Webstage-W/West/Acme, HR_E/East/Acme, Directory-W/West/Acme, Webstage_E/East/Acme, Directory_E/East/Acme.]

In this example, the Acme Corporation has two hub servers, Hub-W/West/Acme and Hub-E/East/Acme, connected peer-to-peer.
Each hub server replicates with several spoke servers. Any changes
replicate through the hubs to the spoke servers. The spoke servers send
changes to the hub, and then the hubs replicate with each other and send
changes back to the spoke servers.
Example of application server topology

[Figure: Hub-W/West/Acme, Firewall-W/West/Acme, Firewall-E/East/Acme, Hub-E/East/Acme, Web/East/Acme, Webstage-W/West/Acme, HR-W/West/Acme (Benefits application), HR-E/East/Acme (Benefits application), Webstage-E/East/Acme, Firewall.]

Depending on where you locate applications, they can be accessible to Notes users, to browser users, or to both Notes and browser users. To be
available to browser users, an application must be on a Domino Web
server.
In this example, Web/East/Acme stores a Web application for the organization's Web site. The application is accessible to browser users who are outside the Acme Corporation. Webstage-E/East/Acme and Webstage-W/West/Acme have replicas of the Web application. Users can make changes to the Web application on Webstage-E/East/Acme and Webstage-W/West/Acme. Webstage-W/West/Acme uses a schedule that sets up replication through the hub servers to Webstage-E/East/Acme. Webstage-E/East/Acme does not have a
replication schedule, so once changes to the Web application are
complete, users manually replicate changes from
Webstage-E/East/Acme to Web/East/Acme. This replication makes the
changes available to users outside the Acme Corporation.
The Acme Corporation also has two servers that do not host Web applications: HR-E/East/Acme and HR-W/West/Acme. These servers contain an Employee Benefits application that only internal employees who use a Notes workstation can access. Employees on the East Coast access the application on HR-E/East/Acme, and employees on the West Coast access a replica of the application on HR-W/West/Acme. Any changes to the application replicate through the hub servers to the HR servers. Making the application available to East and West Coast users prevents them from making costly WAN connections to the application.
In this example, three firewalls on Domino servers are used to protect the Acme network from external intruders: one firewall exists between the hub server in Acme's West Coast office and the public network over which it communicates with the East Coast Office; a second firewall protects the hub server at the East Coast office; a third firewall protects Webstage-E/East/Acme from attacks that might come from the Internet through Web/East/Acme.
Example of mail and directory server topology

[Figure: Hub-W/West/Acme, Firewall-W/West/Acme, Firewall-E/East/Acme, Mail-W/West/Acme, Hub-E/East/Acme, Mail-E/East/Acme, Mail clients.]

The Acme Corporation uses two mail servers, one for each geographic location. All users send mail using a mail database located on either Mail-E/East/Acme or Mail-W/West/Acme. The mail databases are accessible to all mail client software: Notes workstations, IMAP, POP3, and browsers.
Routing mail messages is similar to replicating changes made in
databases. In this example, the mail servers route messages through the
hub servers to the mail server in the other location. For example, when Alan Jones/Sales/East/Acme sends a message to Susan Salani/HR/West/Acme, the message routes from Mail-E/East/Acme to
Hub-E/East/Acme, from Hub-E/East/Acme to Hub-W/West/Acme,
and then from Hub-W/West/Acme to its final destination
Mail-W/West/Acme. Susan Salani/HR/West/Acme reads the message
on her mail server, Mail-W/West/Acme.

In this example, a condensed directory catalog is on each Notes client and a Domino Directory is on each server: Mail-E/East/Acme, Hub-E/East/Acme, Hub-W/West/Acme, and Mail-W/West/Acme. To
resolve names, clients check the local directory catalog first; if the name is
not there, Domino checks the Domino Directory.
Domino uses replication, which is the process by which Domino updates
one directory database with changes from a directory database on
another server. For example, if a change is made on Mail-E/East/Acme,
the change is sent to the replicas on Hub-E/East/Acme,
Hub-W/West/Acme, and Mail-W/West/Acme. Users cannot access the
directories on the hub servers; users access directories only on the mail
servers.
At Acme Corporation, replication occurs automatically at a scheduled
time. The replication schedule determines how long it takes for changes
to appear on the directory servers.
Again, a firewall using a Domino server lets you use Domino features to send information across the WAN; in this case, you use the mail routing and replication features.

Directory servers provide users and servers with information about other users and servers, for example, information needed to address or send mail. Directories contain information about how to communicate with all Notes and Internet users and Domino servers. In many cases, you can set up a mail server as a directory server.

Example of a remote server topology

[Figure: Webstage-E/East/Acme, Mail-E/East/Acme, HR-E/East/Acme, Passthru/East/Acme and Notes clients on the Local Area Network; modems on a hunt group of telephone lines connect a remote server and remote Notes clients to Passthru/East/Acme.]

The Acme company chose this remote server topology so that remote
users and servers have access to the entire system by connecting to one
server (the passthru server). Acme uses the passthru to function only as a
bridge between the remote user or server and the rest of the system. To
keep the load on the passthru to a minimum, the server does not contain
application or mail databases.
Users who work remotely dial in through the passthru server and can access any server in the system. As most of Acme's users who dial in remotely have only one modem on their system, using the passthru server allows them to access multiple servers with one connection. To reduce traffic on the passthru server, Acme recommends that its remote users replicate databases and then work on the local replicas. Then users can work in their local replicas and dial in and replicate occasionally with the server replicas.
Acme dedicated five modems to the passthru server. The remote server also dials into one of these modems for replication. Because this server makes its connection in the early morning hours, the connection does not conflict with users trying to access the system.
Acme uses a hunt group configuration for its modems so that users have only one phone number to dial when connecting. Acme's phone infrastructure is set up so that multiple modems can have one phone number. For this type of hunt group (all modems are on one server), Acme does not need to create a Connection document to set up the hunt group.

The remote server is in Acme's satellite office in Ohio. Employees who work in this office focus on marketing and use this server to access various marketing related databases. The remote server contains replicas of relevant databases, and it replicates once a day to update the databases. By using the remote server, users in the Ohio office save time and resources because they don't have to dial into Acme's system as often.

Creating a LAN connection

You must create a Connection document to schedule mail routing to and replication between servers on a LAN. You might also need to create a Connection document to provide the information needed to ensure a server uses a certain protocol when connecting to another server on the LAN.
A LAN Connection document can also be used to provide the information needed for servers to make other types of connections, such as constant connections to Internet servers.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server's Domino Directory in the Use Directory on field.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Select Local Area Network in the Connection type field.
6. Complete these fields:

Field - Description
Connection Type - Select Local Area Network.
Source server - The name of the connecting server.
Source domain - The name of the connecting server's domain. This field is required only for mail routing.
Use the port(s) - The name of the network ports (or protocols) that the connecting or source server uses to connect to the destination server.
Usage priority - Choose one:
Normal (default) - Select this option if this document defines the primary path to a server.
Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see the topic Forcing a server connection to use a specific protocol later in this chapter.
Destination server - The name of the answering server.
Destination domain - The name of the answering server's domain. This field is required only for mail routing.
Optional network address - Provide an optional network address to facilitate attempts to locate the destination server over a TCP/IP connection. If the field contains no entry, Domino attempts to determine the address of the destination server from the following sources: the server's memory cache, an External Domain Network Address document, or system services that search the local hosts file or DNS to resolve the name. Enter a fully-qualified host name or IP address, for example, HR-E.Acme.com or 192.22.256.36. Because IP addresses are subject to change, for ease of management, it's best to use host names in Connection documents. When a host name is used, if the IP address changes, the connecting server obtains the updated IP address from the DNS.

7. Click the Replication/Routing and Schedule tabs to define the tasks you want to run, and select the times you want the server to contact its destination.
8. Click Save & Close.

Forcing a server connection to use a specific protocol


If multiple protocols are available for connecting a source server to a given destination, you can specify which protocol to use by setting the usage priority in a Connection document describing how the source server contacts the destination. The usage priority specified in a Connection document determines the order in which Domino selects the Connection document when searching for how to connect a source server to a destination. If multiple ports are enabled on the two servers, you can force Domino to use a specific port by specifying it in the Connection document and setting the Usage priority field to Normal.

For example, suppose that both SPX and TCP/IP are enabled on Server A, the source server, and Server B, the destination server. You create a Connection document from Server A to Server B specifying that Server A uses the port TCP/IP to contact Server B and set the usage priority in this document to Normal. When determining how to connect to Server B, Server A first checks the Domino Directory for a normal-priority Connection document governing the connection. After locating the document, Server A learns that the TCP/IP port is specified, and proceeds to use that port to attempt a connection to Server B. Setting the usage priority works for all types of Connection documents: LAN, Notes Direct Dialup, Network Dialup, Passthru, and so forth.

If multiple normal-priority Connection documents exist for the same destination server, the connecting server chooses one based on the type of connection in the following order of preference:
1. Local Area Network
2. Network Dialup
3. Notes Direct Dialup
4. Passthru server
5. Hunt group of passthru servers

You can also use the usage priority setting to configure a backup path to a destination server. When you set the usage priority for a Connection document to Low, the connecting server only uses the information in the document to connect to the destination server as a last resort, after it has exhausted all other possible means of locating connection information.

For more information on how a server determines the route to a destination, see the topic "How a server connects to another server" earlier in this chapter.

To set the usage priority for a connection
1. From the Domino Administrator, click the Configuration tab.
2. Click Server, and then click Connections.
3. Select the Connection document for which you want to set the usage priority, and click Edit Connection.
4. Complete this field, and then click Save & Close:

Usage priority
Choose one:
Normal - This Connection document defines a primary path to the destination server. The connecting server attempts to use this Connection document to make the connection to the destination server.
Low - This Connection document defines a backup path to the destination server. The connecting server uses this Connection document only as a last resort when trying to connect to the destination server.
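The selection order this topic describes, as an added Python model (not code from the Domino documentation or product): normal-priority Connection documents are tried first, ranked by connection type in the order given above, and low-priority documents only as a last resort; the port named in the chosen document is the port used. The Connection class, the sample documents, and the rule that a document naming a port not enabled on the source server is skipped are assumptions made for this model.

```python
"""Model of how a Domino server orders Connection documents for a destination.

Added example, not code from the Lotus Domino documentation or product. It
models only what this topic states: normal-priority documents are tried first,
in the order Local Area Network, Network Dialup, Notes Direct Dialup, Passthru
server, Hunt group; low-priority documents are the last resort; and the port
named in the chosen document is the port used. The Connection class, the skip
rule for disabled ports and the sample documents are assumptions.
"""
from dataclasses import dataclass

# Order of preference among normal-priority Connection documents (from the text).
TYPE_PREFERENCE = [
    "Local Area Network",
    "Network Dialup",
    "Notes Direct Dialup",
    "Passthru server",
    "Hunt group",
]


@dataclass(frozen=True)
class Connection:
    source: str
    destination: str
    conn_type: str
    port: str                 # value of "Use the port(s)"
    priority: str = "Normal"  # "Normal" (primary path) or "Low" (backup path)


def order_connections(docs, source, destination):
    """Candidate documents for source -> destination, in the order they would be
    tried: Normal priority first, ranked by connection type, Low priority last."""
    candidates = [d for d in docs if d.source == source and d.destination == destination]

    def rank(doc):
        type_rank = (TYPE_PREFERENCE.index(doc.conn_type)
                     if doc.conn_type in TYPE_PREFERENCE else len(TYPE_PREFERENCE))
        return (0 if doc.priority == "Normal" else 1, type_rank)

    return sorted(candidates, key=rank)


def choose_port(docs, source, destination, enabled_ports):
    """Port the source server uses to reach the destination: the port named in the
    first candidate document whose port is enabled on the source server (the skip
    rule is an assumption). Returns (port, document) or (None, None)."""
    for doc in order_connections(docs, source, destination):
        if doc.port in enabled_ports:
            return doc.port, doc
    return None, None


# Constructed sample Connection documents for Server A (TCP/IP and SPX ports,
# plus a modem on COM1).
SAMPLE_DOCS = [
    Connection("ServerA", "ServerB", "Local Area Network", "SPX", priority="Low"),
    Connection("ServerA", "ServerB", "Local Area Network", "TCPIP"),
    Connection("ServerA", "ServerB", "Network Dialup", "COM1"),
    Connection("ServerA", "ServerC", "Local Area Network", "TCPIP"),
]

if __name__ == "__main__":
    for ports in ({"TCPIP", "SPX", "COM1"}, {"SPX", "COM1"}, {"SPX"}):
        port, doc = choose_port(SAMPLE_DOCS, "ServerA", "ServerB", ports)
        print(sorted(ports), "->", port,
              doc.conn_type if doc else None, doc.priority if doc else None)
```

Running the sample shows the "last resort" rule in action: when the TCP/IP port is disabled, Server A dials Server B over the normal-priority Network Dialup document before it falls back to the low-priority LAN document over SPX, even though a LAN connection ranks above dialup among normal-priority documents.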

Setting up external domain lookups


By default, a Notes user who wants to open a database on a server outside the local Domino domain can do so only if there is a Connection document, either in their Personal Address Book or in the Domino Directory on their home server, that describes how to reach the target server. To enable Notes users to connect more easily to servers outside of their domain, you can create an External Domain Network Information (EDNI) document in the Domino Directory.

The EDNI document works in conjunction with a server task called GETADRS to import address information from another Domino domain so that Notes users can connect to servers in the external domain. In the EDNI document, you specify the external Domino domain containing the servers you want users to connect to and the protocols for which you want connection information. In many cases, TCP/IP is the only protocol for which you may need a document. You also specify a server in your local domain that requests the information (Requesting Server) and a server in the external domain that supplies the information (Information Server).

To gather information, the requesting server runs the GETADRS program, which asks the specified information server for a list of the servers in the external Domino domain. GETADRS returns the address information it obtains to an AdminP request for processing. When the Administration server processes the request, it places the information in the Domino Directory as a response document to the original EDNI document.

After AdminP adds the server address information to the local Domino Directory, users attempting to open databases on servers in the external domain can use the information from this document to make the connection without requiring a Connection document.

Using EDNI documents, you can reduce the number of Connection documents in the Domino Directory, eliminating those that are not required for replication or routing.

To share information across domains, the Domino domain requesting the information must be cross-certified with the external domain.

Because the Requesting Server gathers information from Server documents in an external domain, these documents need to be configured properly to enable successful server name lookups. For example, a document with a fully qualified host name or IP address would enable a successful lookup, but a document with only the server common name may not (unless that common name were a full host name).

The data from an external domain server lookup resolves client requests for a server address only; it does not add additional server names to a client's request for a list of servers.
Before creating an EDNI document, determine if the connection information is useful for the domain. For example, if you are using the NetBIOS protocol, which isn't a routable protocol, a direct connection to the external domain may not be possible even if you have the network address of the server in an EDNI document. Also, if an external domain server has multiple TCP/IP ports, the host name or address returned to the EDNI document may not be the address of the appropriate port to use. Because each protocol has its own constraints, you should thoroughly research and test the external domain lookup capability using the network system configuration at your organization before using it.

To set up an External Domain Network Information document
1. Verify that the local domain is cross-certified with the external domain.
2. From the Domino Administrator, click the Configuration tab.
3. Open the Server folder, and then click External Domain Network Information.
4. Click Add Ext Domain Net Info.

5. Complete these fields, and then click Save & Close:

Requesting server
The name of the local domain server that performs the request for external domain information. This server runs the GETADRS task to obtain information from the information server in the external domain.

Information server
The name of the server in the external domain from which the requesting server obtains information.

Domain to query
The name of the external domain.

Protocols to query
The name of one or more protocols in the external domain to query. Specify only protocols that are used in both domains.

6. Run the GETADRS program on the Requesting server. You run GETADRS using any of these methods:
• Run the program manually from the server console by entering:
LOAD GETADRS
• Create a Program document to run the program as a scheduled task. Running GETADRS as a scheduled task ensures that information in the local Domino Directory remains synchronized with updates from the external domain.
For information about running server tasks in a Program document, see the appendix "Server Tasks."
• Add GETADRS to the ServerTasks or ServerTasksAt lines in the NOTES.INI file of the requesting server; the task runs at server startup, or at the specified time, respectively.

After GETADRS obtains information from the external domain, for each protocol specified in the EDNI, AdminP creates an External Domain Network Address document as a response document to the original EDNI. Each response document contains the names and addresses of the servers in the queried domain that use that protocol.

By default, AdminP processes the information returned by GETADRS to create the External Domain Network Address documents at the interval scheduled in the Server document. You can run AdminP manually to force it to process the request immediately.

For more information about scheduling AdminP requests, see the chapter "Setting Up the Administration Process." For information about Tell commands used with AdminP, see the appendix "Server Commands."
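The lookup order this section and the "Optional network address" field description give (Connection document address, memory cache, External Domain Network Address document, hosts file or DNS), as an added Python model that is not code from the Domino documentation or product. It also shows why an external Server document that carries only the server's common name produces an address that cannot be looked up. The AddressResolver class, the dictionary layouts standing in for EDNA documents and DNS, the rule that the final DNS lookup uses the hierarchical name's common name, and the sample data (192.0.2.0/24 documentation addresses) are assumptions made for this model.

```python
"""Model of the destination-address lookup order for servers in an external domain.

Added example, not code from the Lotus Domino documentation or product. It
models the sources the text lists, in order: the Optional network address in
the Connection document, the server's memory cache, the External Domain
Network Address (EDNA) document that AdminP creates per protocol from GETADRS
output, and finally hosts-file/DNS resolution. The class, dictionary layouts,
the common-name DNS fallback and the sample data are assumptions.
"""
import ipaddress


def is_ip_address(value):
    """True if value parses as an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


class AddressResolver:
    def __init__(self, edna_docs, name_service, memory_cache=None):
        # edna_docs: {(external_domain, protocol): {server_name: host_or_ip}},
        #   one inner dictionary per EDNA response document (constructed layout)
        self.edna_docs = edna_docs
        # name_service: {host_name: ip}, standing in for the hosts file and DNS
        self.name_service = {k.lower(): v for k, v in name_service.items()}
        self.cache = dict(memory_cache or {})

    def _to_ip(self, value):
        """An IP literal is used as is; a host name is resolved through the name
        service; anything else (for example a bare common name that is not also
        a host name) cannot be resolved."""
        if is_ip_address(value):
            return value
        return self.name_service.get(value.lower())

    def resolve(self, server_name, external_domain, protocol="TCPIP",
                optional_address=None):
        """Return (ip_or_None, sources_consulted) for the destination server."""
        consulted = []
        if optional_address:
            consulted.append("Optional network address")
            return self._to_ip(optional_address), consulted

        if server_name in self.cache:
            consulted.append("memory cache")
            return self.cache[server_name], consulted

        consulted.append("External Domain Network Address document")
        edna = self.edna_docs.get((external_domain, protocol), {})
        ip = self._to_ip(edna[server_name]) if server_name in edna else None

        if ip is None:
            # Last resort: ask the hosts file / DNS for the server's common name
            # (assumption: the part of the hierarchical name before the first '/').
            consulted.append("hosts file / DNS")
            ip = self._to_ip(server_name.split("/", 1)[0])

        if ip is not None:
            self.cache[server_name] = ip   # later lookups hit the memory cache
        return ip, consulted


# Constructed sample: the local domain queried external domain "AcmeEast" for TCPIP.
SAMPLE_EDNA = {
    ("AcmeEast", "TCPIP"): {
        "HR-E/East/Acme": "hr-e.acme.com",     # Server document had a host name
        "Mail-E/East/Acme": "192.0.2.20",      # Server document had an IP address
        "Webstage-E/East/Acme": "Webstage-E",  # Server document had only the common name
    }
}
SAMPLE_NAME_SERVICE = {
    "hr-e.acme.com": "192.0.2.10",
    "sales-e": "192.0.2.30",   # known to local DNS but absent from the EDNA document
}


def demo():
    """Resolve a few constructed names and report which sources were consulted."""
    resolver = AddressResolver(SAMPLE_EDNA, SAMPLE_NAME_SERVICE)
    results = {}
    for name in ("HR-E/East/Acme", "Mail-E/East/Acme",
                 "Webstage-E/East/Acme", "Sales-E/East/Acme"):
        results[name] = resolver.resolve(name, "AcmeEast")
    results["HR-E/East/Acme (again)"] = resolver.resolve("HR-E/East/Acme", "AcmeEast")
    return results


if __name__ == "__main__":
    for name, (ip, via) in demo().items():
        print(f"{name}: {ip} via {' -> '.join(via)}")
```

In the sample, Webstage-E's EDNA entry is just the common name taken from its Server document, so neither the EDNA lookup nor the DNS fallback yields an address; that is the failure mode the paragraph on Server document configuration warns about.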


Internet connections

To enable a Domino server to connect to another server across the Internet, you must establish Internet access with an Internet Service Provider (ISP) and register an Internet domain name with the ISP, for example, acme.com. After you contract Internet service, create Connection documents to instruct the local Domino servers how to contact the target server.

Servers can connect to the ISP using a direct connection or by way of a Domino or non-Domino proxy server. If the local network uses a proxy server to connect to the Internet, the calling Domino server does not need to connect to the ISP directly, because the proxy server establishes this connection to the ISP.

Servers connecting to the Internet require networking software that is compatible with the Internet. If TCP/IP is not already installed on the Domino server, install the protocol using the installation instructions included with the operating system. If you do not have a Domino TCP/IP port enabled for the server, add and enable the port.

For information about adding a network port to a Domino server, see the chapter "Setting Up the Domino Network."

Direct (leased-line) connection
A leased-line connection is considered a direct connection to the Internet. If you have a leased-line connection, Domino servers on the internal LAN connect to the Internet through a firewall or router over a leased phone line.

(Figure: direct connection. Labels: Corporate LAN, Firewall/router, Leased-line, ISP, Webstage-E)

A firewall filters traffic passing between the internal network and the Internet and is usually part of a TCP/IP router. Most firewalls work by hiding the IP addresses of computers on your internal network from the Internet, thus breaking the connection between the internal and external networks, so that while there is a connection between the internal LAN and the firewall, and from the firewall to the Internet, there's no direct connection between the Internet and the local network.

To connect a Domino server to an Internet server over a direct connection, create a LAN Connection document to the target server.

For more on how to create a LAN Connection document, see the topic "Creating a LAN connection" earlier in this chapter.
Proxy connections
A proxy is a server that provides indirect access to the Internet. A proxy server usually runs in conjunction with firewall software to pass incoming and outgoing requests between servers on either side of a firewall. If your organization uses a proxy server for its Internet connection, a Domino server on the internal LAN connects to the Internet through the proxy and firewall servers, which, in turn, connect to your ISP. Because the proxy server establishes the connection with the ISP, the Domino server does not connect to the Internet directly.

(Figure: proxy connection. Labels: Corporate LAN, Proxy server, Firewall/router, Leased-line, ISP, Webstage-E)

A Domino proxy server is one type of proxy server. You set up a Domino passthru server as a proxy for the Internet the same way that you set up a passthru server for internal Domino communication. You do not need to configure the server differently for Internet connections. The proxy server does not have to be a Domino server.

Creating a server-to-server Internet connection through a proxy server
When two Domino servers both have direct, constant connections to the Internet, each can use the IP address of the other to contact it as though both servers were on the same LAN. To define the connections between the two, you create a LAN Connection document.

However, when a server is connected through a proxy server, rather than having a direct connection, after you create a LAN Connection document to define the connection, you must complete the proxy information in the Server document of the calling server as described in the following procedure:
1. From the Domino Administrator, click the Configuration tab and expand the Server view.
2. Select the Server document of the server to connect to the Internet through the proxy, and click Edit Server.
3. Click the Ports - Proxies tab, and then do one of the following:
• To connect through an HTTP proxy, in the HTTP Tunnel proxy field, enter the proxy's fully-qualified domain name or IP address and specify the port to use for the connection. For example, enter httpproxy.company.com:8080 or 192.168.77.34:8080.
• To connect through a SOCKS proxy, in the SOCKS proxy field, enter the fully-qualified domain name or IP address of the SOCKS proxy and specify the port to use for the connection. For example, enter socks.company.com:1080 or 192.168.77.34:1080.
Note If you enter values for both fields, Domino uses the HTTP Tunnel proxy.
4. Click Save & Close.

Note By default, if the server is configured to use a proxy, it uses the proxy for all connections. To prevent use of the proxy for connections to certain servers, enter the server names in the "No Proxy for these hosts or domains" field on the Ports - Proxies tab on the Server document.

Passthru servers and hunt groups

Passthru is a process that runs on a server and establishes connections between the users and servers connected to that server and other servers. Passthru connections use an intermediary server as a stepping stone to connect the two servers. Passthru is useful in two instances:
• When two servers cannot connect directly. When a client (in this case, either a Notes client or a Domino server) does not share a common protocol with a destination server, you can set up an intermediary server that runs both protocols as a passthru server to enable the client to connect to the destination. For example, suppose that Server A, which runs only NetBIOS, needs to connect to Server C, which runs only TCP/IP. If Server B runs both NetBIOS and TCP/IP, Server B can act as a passthru server to allow communication between Server A and Server C.
• When you want to provide additional security. Domino lets you apply additional access controls to passthru connections, enabling you to use passthru connections to act as a proxy server for filtering NRPC traffic. You can specify the users and servers that can access a server as a passthru destination, as well as those that can use a server to make passthru connections to another server. Internet protocols such as HTTP, IMAP, and LDAP cannot use a Domino passthru server to communicate with a destination server.

You can set up a passthru server so that it leads to additional passthru servers as well as directly to a passthru destination server. Thus, you can chain together multiple passthru connections to enable a client to pass through several servers until it connects to a given target server.

Passthru access is valuable to Notes client users as well. When you provide a Notes client with access to a passthru server, the client user can connect to a single server to access other network servers. For mobile users, this enables access to multiple destination servers on the same LAN over a single phone connection. Using a passthru server this way saves the time and expense of configuring many individual servers to support modem connections and of requiring Notes client users to use multiple phone calls to access multiple servers.

Passthru Logging
To enable monitoring of passthru traffic for security reasons, after you configure a server as a passthru server, the server log (LOG.NSF) records information about passthru sessions established through that server. For example, the log records information about users who access this server to make passthru connections to other servers.

For more information about server log files, see the chapter "Using Log Files."

Hunt groups
If your telecommunications infrastructure supports a hunt group (that is, a pool of modems that are connected to different phone lines but that use a single phone number), you can configure Domino servers and Notes client users to connect to a hunt group on a passthru server. Whenever a call is made to the hunt group number, the incoming call is routed to the first available modem in the group.

You can use a hunt group with one or more passthru servers. If more than one passthru server is used in the hunt group, to allow any passthru server in the hunt group to receive a call and route it to the destination server, the calling server or user must use a Hunt Group Connection document.

For more information about configuring Lotus Notes clients to use a passthru server, see Lotus Notes 6 Help.


Planning the use of passthru servers

Perform these steps to set up passthru servers:
1. List all the workstations and servers that need to access a passthru server. Also list the protocols that the workstations and servers run.
2. List the destination servers that the workstations and servers need to access. Also list the protocols that the destination servers run.
3. Determine where in the topology to locate the passthru server based on which workstations and servers need access and which servers are the destinations. The passthru server must run all of the protocols that the workstations and servers that access it run, as well as all of the protocols of the destination servers. In addition, the passthru server must have enough modem connections to handle the anticipated dial-in traffic.
If you anticipate high traffic through the passthru server, create a dedicated passthru server. A dedicated passthru server does not contain applications and mail databases. It functions solely to provide workstations and servers with access to destination servers.
Also, determine if you want to use more than one passthru server in a hunt group. In a hunt group, one phone number represents all passthru servers in the group, and the load is automatically spread among the passthru servers. Be sure to set up all passthru servers in a hunt group to pass through to the same destination servers.
4. Determine the users and servers whose access to the passthru servers and destination servers you need to restrict. Create policy settings documents that include setup and desktop settings to prevent access to the servers.
5. List the Notes client users that need to use a passthru server and determine a default passthru server for each. If you have many Notes client users, create user setup policies to evenly assign them among the default passthru servers to ensure optimal server performance.
If you plan to use hunt groups, list which Notes client users will connect to each hunt group. Record the name and phone number of the hunt group and the names of all the destination servers that members of the hunt group pass through to.

For more information about using policies to manage server access, see the chapter "Using Policies."

Example of a passthru server topology

(Figure: Acme passthru topology. Labels: Webstage-E, Mail-E, HR-E with protocol labels TCP, TCP, SPX; Local Area Network; Passthru server with protocol labels TCP, SPX, XPC; Remote Notes Clients and a Remote Server with protocol labels TCP and XPC.)

The Acme company has a dedicated passthru server that functions only to provide workstations and servers with access to destination servers. This server does not contain any databases. The passthru server runs all the protocols that the destination servers run so that users and servers that connect to it have access to the entire system.

Note that passthru can benefit users and servers on the same network as the passthru server as well as remote users and servers. For example, some of the Notes clients in the above diagram are on the same LAN as Webstage-E and HR-E, but because they do not share any protocols, they cannot access these servers without using passthru.

The above topology requires the following configuration:
• Notes Direct Dialup Connection document on the remote server for connection to the passthru server.
• Passthru Connection document on the remote server to specify passthru.
• Connection documents on the remote server for connection to each destination server.
• Modified Location document on local Notes clients to specify the name of the passthru server.
• Notes Direct Dialup Connection document on remote Notes clients for connection to passthru.
• Passthru Connection documents on remote Notes clients to specify the passthru connection.
• Modified Server documents (to allow appropriate access rights) on passthru and destination servers.

Setting up a server as a passthru server

Set up a server as a passthru server to enable users and other servers to route through it to connect to a passthru destination server.
1. From the Domino Administrator, click the Configuration tab.
2. Click Server - All Server Documents.
3. Open the Server document for the server that you want to set up as a passthru server, and click Edit Server.
4. Click the Security tab, and in the Passthru Use section, complete these fields and then click Save & Close:

Access this server
If this server is not a passthru destination, leave this field blank.
For information about setting up a server as a passthru destination, see the topic "Setting up a server as a passthru destination" later in this chapter.

Route through
Specifies the names of the users, groups, and servers allowed to connect to a destination server through this server. When this field is blank (the default), the server does not allow passthru connections.
Enter an asterisk (*) to provide passthru access for all users and servers, even those not listed in the Domino Directory. Enter a hierarchical name with an asterisk as the common name to provide access for all users and servers certified by a particular organization or organizational unit. For example, the entry */Acme allows access to all users in the Acme organization. Separate multiple entries with commas or semicolons.
Entries in this field are granted passthru access, even if denied general access to the server in the Server Access section of the Server document Security tab.

Cause calling
Specifies the names of users, groups, and servers allowed to use the modem on this server to connect to a remote destination server. By default, this field is blank and the server prohibits all incoming connections from generating calls to other servers. Enter an asterisk (*) to allow incoming connections from any source to initiate a call to a destination server.
If you allow incoming connections from any source to initiate calls, when recording the event in the Passthru Connections view of the Notes Log, Domino indicates only that the connecting client was not authenticated, rather than specifying the name of the source.

Destinations allowed
Specifies the names of the remote servers this server can connect to as passthru destinations.
By default, this field is blank and the server allows routing to all servers configured as passthru destinations. Adding entries to this field restricts passthru access from this server to the specified destination servers only.

5. Set up servers as passthru destinations.
For information about setting up a server as a passthru destination, see the topic "Setting up a server as a passthru destination" later in this chapter.
6. Create Connection documents as necessary to connect the passthru server to destination servers that do not share the same LAN.

Setting up a server as a passthru destination


Set up a server as a passthru destination to enable users and servers to access it through a passthru server.
1. From the Domino Administrator, click the Configuration tab.
2. Click Server - All Server Documents.
3. Open the Server document for the server that you want to set up as a passthru destination, and click Edit Server.
4. Click the Security tab, enter values in this Passthru Use field, and then save the document:

Access this server
Specifies the names of the users, groups, and servers allowed to access the server as a passthru destination. When this field is blank (the default), the server is not available as a passthru destination.
Enter an asterisk (*) to provide access for all users and servers, even those not listed in the Domino Directory. An asterisk followed by a certifier name provides access for all users and servers certified by a particular organization or organizational unit. For example, the entry */Acme allows access to all users in the Acme organization.
Separate multiple entries with commas or semicolons.

Note Access to a passthru destination is subject to restrictions set in the Server Access section of the Server document's Security tab. These fields define general access to the server.

You can grant a user or server general access to a server and prohibit access to the same server as a passthru destination. However, if you deny a user or server general access to a server, those users and servers cannot access the server as a passthru destination.
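How the Passthru Use fields of the passthru server and of the destination server combine for one request, as an added Python model (not code from the Domino documentation or product) covering the two tables above and the Note that follows them: "Route through" and "Destinations allowed" on the passthru server, "Access this server" on the destination, the rule that a name denied general access to the destination cannot reach it as a passthru destination, and the rule that "Route through" entries are honoured even where general access to the passthru server is denied. The wildcard forms (* and */Org) follow the tables; the ServerSecurity class, the Server Access field names used here, group expansion, and the sample servers and names are assumptions made for this model. "Cause calling" is not modelled.

```python
"""Evaluation of a passthru request against the Passthru Use fields.

Added example, not code from the Lotus Domino documentation or product. It
models the checks the two tables and the Note above describe: Route through
and Destinations allowed on the passthru server, Access this server on the
destination, and the interaction with general server access. The
ServerSecurity class, the Server Access field names, group expansion and the
sample directory are assumptions made for this model.
"""
import re
from dataclasses import dataclass


@dataclass
class ServerSecurity:
    """Subset of a Server document's Security tab (model, not the real schema)."""
    name: str
    access_server: str = ""         # Server Access: who may use the server (blank = everyone)
    not_access_server: str = ""     # Server Access: who may not use the server
    access_this_server: str = ""    # Passthru Use: may use this server as a passthru destination
    route_through: str = ""         # Passthru Use: may reach a destination through this server
    destinations_allowed: str = ""  # Passthru Use: destinations reachable through this server


def split_entries(field):
    """Field entries are separated by commas or semicolons."""
    return [e.strip() for e in re.split(r"[,;]", field) if e.strip()]


def entry_matches(entry, name, groups):
    """One entry against one hierarchical name (compared without regard to case):
    '*' matches anyone, '*/Acme' matches every name certified under /Acme, a
    group name matches its members, anything else is an exact name."""
    if entry == "*":
        return True
    if entry.startswith("*/"):
        return name.lower().endswith(entry[1:].lower())
    if entry in groups:
        return any(entry_matches(member, name, groups) for member in groups[entry])
    return entry.lower() == name.lower()


def listed(field, name, groups):
    return any(entry_matches(e, name, groups) for e in split_entries(field))


def has_general_access(server, name, groups):
    """Server Access section: an explicit deny wins; a blank allow list means everyone."""
    if listed(server.not_access_server, name, groups):
        return False
    return server.access_server == "" or listed(server.access_server, name, groups)


def check_passthru(client, passthru, destination, groups=None):
    """Return (allowed, reason) for client reaching destination via passthru."""
    groups = groups or {}
    if passthru.route_through == "":
        return False, "Route through is blank: passthru server allows no passthru connections"
    if not listed(passthru.route_through, client, groups):
        return False, "client is not listed in Route through on the passthru server"
    if passthru.destinations_allowed and not listed(passthru.destinations_allowed,
                                                    destination.name, groups):
        return False, "destination is not listed in Destinations allowed on the passthru server"
    if destination.access_this_server == "":
        return False, "Access this server is blank: destination is not a passthru destination"
    if not listed(destination.access_this_server, client, groups):
        return False, "client is not listed in Access this server on the destination"
    if not has_general_access(destination, client, groups):
        return False, "client is denied general access to the destination (Server Access section)"
    return True, "allowed"


# Constructed sample directory.
GROUPS = {"EastAdmins": ["Alice/East/Acme", "Dan/East/Acme"]}
PASSTHRU_E = ServerSecurity("Passthru-E/East/Acme",
                            not_access_server="Contractor/East/Acme",  # no general access here,
                            route_through="*/Acme")                    # but may still pass through
PASSTHRU_W = ServerSecurity("Passthru-W/West/Acme",
                            route_through="EastAdmins",
                            destinations_allowed="HR-E/East/Acme")
HR_E = ServerSecurity("HR-E/East/Acme",
                      not_access_server="Bob/East/Acme",
                      access_this_server="*/East/Acme")
MAIL_E = ServerSecurity("Mail-E/East/Acme")   # Access this server left blank

if __name__ == "__main__":
    for client, via, dest in (("Alice/East/Acme", PASSTHRU_E, HR_E),
                              ("Bob/East/Acme", PASSTHRU_E, HR_E),
                              ("Contractor/East/Acme", PASSTHRU_E, HR_E),
                              ("Alice/East/Acme", PASSTHRU_W, MAIL_E)):
        print(client, "->", via.name, "->", dest.name, check_passthru(client, via, dest, GROUPS))
```

The sample shows the two asymmetries worth remembering when reviewing Server documents: Contractor/East/Acme is denied general access to Passthru-E yet passes through it because */Acme in "Route through" covers that name, while Bob/East/Acme is listed in HR-E's "Access this server" through the same kind of wildcard yet is refused because the Server Access deny on HR-E takes precedence.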

Creating a passthru connection


After you set up the passthru and destination servers, you can set up servers to connect to passthru servers. Creating a passthru connection enables the server to forward requests from users and other servers to connect to a specified destination server.

Note The passthru Connection document specifies the server to use for passthru, but does not define how to connect to the passthru server. If a server does not have a direct connection to the passthru server over the LAN, you must create a separate Connection document to define the path to the passthru server.

Before creating a passthru connection, verify that the current server is not configured to use a default passthru server. When a server is configured to use a default passthru server and it receives a request to connect to a destination server for which no other connection is defined, it attempts to route through the named server to the requested destination. If the named server is not set up to allow passthru connections to the requested destination server, the passthru attempt places an unnecessary load on both servers.

To verify that a server is not configured to use a default passthru server
1. From the Domino Administrator, click the Configuration tab.
2. Click Server - Current Server Document.
3. Click the Basics tab and expand the Server Location Information section.
4. Verify that the Passthru server field is empty.

To create a passthru connection
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server's Domino Directory in the Use Directory on field.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Complete these fields:

Connection type
Select Passthru server.

Source server
The name of the server connecting to the passthru server.

Source domain
The name of the connecting server's domain.

Use passthru server or hunt group
The name of the passthru server or hunt group that this connection uses to reach the destination server.

Usage priority
Choose one:
Normal (default) - Select this option if this document defines the primary path to a server.
Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see the topic "Forcing a server connection to use a specific protocol" earlier in this chapter.

Destination server
The name of the destination server to connect to through the passthru server.

Destination domain
The name of the destination server's domain.

6. Click the Replication/Routing and Schedule tabs to define the tasks you want to run, and select the times you want the server to call its destination.
7. Click Save & Close.


Connecting a server to a hunt group


A hunt group is a collection of telephone extensions that is assigned one phone number. Each call that comes in to that number is assigned to the next free line in the group. If your telecommunications infrastructure supports hunt groups, any passthru server in the hunt group can receive a call and route it to a specified destination server.

After you set up a hunt group, create a Hunt Group Connection document to enable servers to connect to the hunt group servers.

A Hunt Group Connection document is required whenever a hunt group has multiple passthru servers. If a hunt group has a single passthru server, create a Network Dialup Connection document to define the connection, rather than a Hunt Group Connection document.

To create a Hunt Group Connection document
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server's Domino Directory in the Use Directory on field.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Complete these fields and then click Save & Close:

Connection type
Hunt group

Source server
The name of the server connecting to the hunt group.

Source domain
The name of the connecting server's domain. Required only if the source server and destination server are in different Domino domains.

Use the port
The modem port.

Always use area code
Specifies when the modem on the source server includes the area code to dial a number. Choose one:
Yes - The server always includes the area code to dial, even when dialing numbers in the local exchange.
No (default) - The server includes the area code only when dialing numbers outside the local area code.

Usage priority
Choose one:
Normal (default) - Select this option if this document defines the primary path to a server.
Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see the topic "Forcing a server connection to use a specific protocol" earlier in this chapter.

Hunt group
Enter a unique name to identify the hunt group, for example, AcmeEastHuntGroup. If you create passthru Connection documents that use this connection, the hunt group name you enter in them must match the name entered here.
The name you enter here is also used to apply commands to the hunt group servers. For example, to replicate a database that is located on a hunt group server, enter:
rep hunt_group_name database
In this case, the calling server initiates the modem connection to the designated hunt group and then replicates the specified database on each server where it resides.

Destination domain
The name of the domain to connect to through the hunt group. Required only if the source server and destination server are in different Domino domains. Enter a domain name to ensure that the hunt group connects to a server in the specified domain.

Destination country code
The country code to use when dialing the number of the hunt group modem.

Destination area code
The area code to use when dialing the number of the hunt group modem.

Destination phone number
The phone number of the hunt group modem.

Login script name
The name of the login script file to use when connecting to the hunt group.

Login script arguments
Arguments required during processing of the specified login script; for example, name and password. Enter arguments from left to right in the order of use.

Planning for modem use

For a Domino server to communicate with a remote Domino server by
modem, you must:
- Install one or more modems on the calling and receiving servers.
- Configure the communication port.
- Create a dialup modem connection from the calling server to the
  receiving server. Domino uses either a Notes Direct Dialup
  connection or a Network Dialup connection to communicate with
  another server over a modem. The type of connection required
  depends on whether each server is directly connected to a modem.
  For information about creating dialup connections, see the topics
  "Creating a Notes Direct Dialup connection" and "Creating a
  Network Dialup connection" later in this chapter.

Installing modems
The number of modems that you can use on a server depends on the
operating system and system resources, for example, the number of
available communication ports. Each modem needs its own
communication port.
If you expect heavy dialup use, install additional modems or install a
multiple-port communication board to connect multiple modems to
multiple communication ports on a single board.
Use these questions to help you determine the number of modems:
1. How many users and servers do you want to be able to use the
   server simultaneously?
   The number of modems that you install on a remote server
   determines the number of users and servers that can access it
   simultaneously. Weigh the expense of purchasing more modems
   against server accessibility.
2. Do users take advantage of workstation-to-server replication when
   accessing the server?
   To reduce server demand, encourage users to keep local replicas of
   databases on their workstations, work on them without a dialup
   modem connection, and then connect to the central server to exchange
   new and updated documents with the central server's database.
3. What types of users connect to this server?
   If the server supports a high number of users who connect
   exclusively over dialup connections (for example, when a server's
   primary users are field personnel who are always on the road),
   dialup demand for the server is higher than on a server where users
   only occasionally use modem connections.

Modems and modem command files


After you install a modem on a server, configure the communication port
by specifying the modem type and port number.
Specifying a modem type automatically associates a modem with a
modem command file. A modem command file is a text file containing
commands that Domino issues to the modem. If none of the available
modem types matches your modem, you can modify a generic modem
command file or contact IBM support to obtain the appropriate modem
file.
Modem command files, which have the file extension MDM, tell the
modem how to operate. They are specific to Domino and the type of
modem you are using. When you choose a modem type, you must select
a matching modem file. Domino comes with specific modem command
files for a wide variety of modems.
Domino installs modem files in the Domino Data\Modems subdirectory.
Commands in the modem command file are arranged as required by the
X.PC protocol provided with Domino.
Domino provides a generic all-speed modem file, GEN_ALL.MDM,
which you can modify. For information on modem command files and
instructions on modifying them, use a text editor to read the file
TEMPLATE.MDM. Use this file in conjunction with the documentation
that came with the modem to modify modem command files.
Modify a modem command file only under the following circumstances:
- If you need additional commands that a Domino modem command
  file does not provide
- If Domino does not provide a modem command file that is
  compatible with your modem
- If the default modem command file, AUTO.MDM, does not work
- If you cannot obtain a modem file that works with your modem from
  IBM support

Creating a Notes Direct Dialup connection

When both the local and remote Domino servers have their own
modems, you can use a Notes Direct Dialup (dialup modem) connection
to connect them. After the local server connects to the remote server, it
can perform tasks such as routing mail and replicating databases.
When using Notes Direct Dialup connections, Domino uses the X.PC
protocol driver. The X.PC protocol driver is installed automatically when
you install a Domino server. It links Domino to a computer's operating
system and the hardware devices that handle the communication.
Notes Direct Dialup connections use Domino security and thus offer
tighter security than Network Dialup connections to a remote access
server.

1. Make sure that you already installed a modem and that one exists on
   the destination server.
2. From the Domino Administrator, click the Configuration tab.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Select Notes Direct Dialup in the Connection type field.
6. Complete these fields:

Source server
    The name of the calling server.

Source domain
    The name of the calling server's domain.

Use the port(s)
    The name of the communications port that the calling or source
    server uses.

Always use area code
    Specifies whether the source server always uses the area code when
    dialing. Choose one:
    Yes - The server always includes the area code to dial, even when
    dialing numbers in the area code defined in the source server's
    Server document. Use this option if your phone system requires an
    area code for local calls.
    No - (default) The server includes the area code only when dialing
    numbers outside the local area code.

Usage priority
    Choose one:
    Normal (default) - Select this option if this document defines the
    primary path to a server.
    Low - Select this option to define a backup path to a server.
    For more information about the effect of specifying the usage
    priority for a connection, see the topic "Forcing a server
    connection to use a specific protocol" earlier in this chapter.

Destination server
    The name of the remote server.

Destination domain
    The name of the remote server's domain.

Destination country code
    The country code for the remote server. Enter this number only if
    it's required to complete the call.

Destination area code
    The remote server's area/city code. Enter this number only if it's
    required to complete the call.

Destination phone number
    The phone number of the remote server.

Login script file name
    The name of the connect script to use when connecting to the remote
    server. Supply this file name only if additional information is
    required to authenticate with the destination server after dialing
    completes.

Login script arguments
    Between 1 and 4 values used by the login script when authenticating
    with the destination server. For example, enter a login name and
    password if the login script must provide these elements when
    connecting to the destination server. The script uses the values in
    the order in which they are entered. Values entered in this field
    are not encrypted and are displayed in the clear.
7. Click the Replication/Routing and Schedule tabs to define the tasks
   you want to run, and select the times you want the server to call its
   destination.
8. Click Save & Close.
Note To ensure the best performance for connections that use
data-compressing modems, don't apply Domino network data
encryption to ports using these modems. Rather than reducing the size of
the transmitted data, the modem's hardware compression techniques can
increase it, negating the benefits of the modem compression.
For more information about encrypting data on an NRPC port, see the
chapter "Setting Up the Domino Network."
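The performance note above (the same caution is repeated for Network Dialup connections and under the Encrypt network data port setting later in this chapter) rests on a general property of the link: a compressor can only remove redundancy that is still present, and data that has already been encrypted has none left, so the modem's hardware compression gains nothing and its framing overhead can make the stream slightly larger. The following Python script is an added illustration, not code from the Domino documentation or product. It uses zlib as a stand-in for the modem's hardware compression, a toy SHA-256 keystream cipher that is not Domino's network data encryption, and a constructed sample payload.

```python
import hashlib
import zlib

# Constructed sample payload: repetitive, text-like traffic that a modem's
# compressor would normally shrink substantially (64 lines of 63 bytes).
SAMPLE_PLAINTEXT = (
    b"ReplicationRequest db=names.nsf server=Jupiter/ACME status=OK\r\n" * 64
)


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy counter-mode stream cipher built from SHA-256.

    It exists only to turn the payload into high-entropy bytes, as any real
    link encryption does; it is NOT Domino's port encryption and must not be
    used to protect anything. XORing twice with the same key decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def modem_compress(data: bytes) -> bytes:
    """Stand-in for the modem's hardware compression (zlib at its highest level)."""
    return zlib.compress(data, 9)


def link_sizes(plaintext: bytes, key: bytes = b"constructed-demo-key") -> dict:
    """Compare what the modem's compressor achieves on plaintext with what it
    achieves on traffic that was encrypted before it reached the port."""
    ciphertext = keystream_xor(plaintext, key)
    return {
        "plain": len(plaintext),
        "plain_compressed": len(modem_compress(plaintext)),
        "cipher": len(ciphertext),
        "cipher_compressed": len(modem_compress(ciphertext)),
    }


if __name__ == "__main__":
    for name, size in link_sizes(SAMPLE_PLAINTEXT).items():
        print(f"{name:>18}: {size} bytes")
```

On the constructed payload the plaintext compresses to a small fraction of its size, while the encrypted copy comes back from the compressor no smaller than it went in. Compression has to run before encryption to be of any use, which is why the manual keeps the two features apart on modem ports.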

Creating a Network Dialup connection

To connect a local Domino server with a remote server that does not have
its own modem, create a Network Dialup connection. Domino uses
Microsoft Dial-Up Networking (DUN) and the Microsoft Remote Access
Service (RAS) to make a dialup connection to a non-Domino server on
the remote network. After establishing the connection, the local server
uses the remote access service to communicate with the destination
server. Domino can interact with resources on the other network as if it
were connected directly to the network, routing mail and replicating
databases with servers on the remote network.
Because RAS uses its own compression, Domino compression should not
be used with RAS.
Notes clients and Domino servers that establish a Network Dialup
connection to a Remote Access Server can access the entire remote
Domino network over the remote LAN. After establishing a connection,
the calling client or server can communicate with servers on the remote
LAN using only the network protocols defined in RAS, that is, TCP/IP
and NetBIOS.

To create a Network Dialup connection

1. Configure the modem port on the source server.
2. Make sure that the remote access service is properly set up on the
   local Domino server and on the remote network server.
   - On the local server, configure DUN to dial out to the RAS server.
   - On the non-Domino remote server, configure RAS to answer calls.
   For details on how to configure RAS, refer to the documentation
   provided with the operating system.
3. From the Domino Administrator, click the Configuration tab.
4. Click Server, and then click Connections.
5. Click Add Connection.
6. Complete these fields:

Connection type
    Network Dialup

Source server
    The fully distinguished Notes name of the connecting server. For
    example, Server1/Sales/ACME.

Source domain
    The name of the connecting server's Domino domain. Required only if
    the source server and destination server are in different Domino
    domains.

Use LAN port(s)
    Specifies the port that the server uses to establish the network
    dialup connection using the remote access service.

Usage priority
    Choose one:
    Normal (default) - Select this option if this document defines the
    primary path to a server.
    Low - Select this option to define a backup path to a server.
    For more information about the effect of specifying the usage
    priority for a connection, see the topic "Forcing a server
    connection to use a specific protocol" earlier in this chapter.

Destination server
    The fully distinguished Notes name of the Domino server you want to
    access.
    For SMTP routing connections, enter the host name of the destination
    server, for example, internet.isp.com.

Destination domain
    The name of the destination server's Domino domain. Required only if
    the source server and destination server are in different Domino
    domains.
    Leave this field blank when configuring SMTP routing to an ISP
    server.

Optional network address
    Provide an optional network address to facilitate attempts to locate
    the destination server over a TCP/IP connection. If the field
    contains no entry, Domino attempts to obtain the destination
    server's IP address from the IP protocol stack.
    Enter a fully qualified host name or IP address, for example,
    HR-E.Acme.com or 192.22.256.36. Because IP addresses are subject to
    change, for ease of management it's best to use host names in
    Connection documents. When a host name is used, if the IP address
    changes, the connecting server obtains the updated IP address from
    the DNS.

7. Click the Network Dialup tab and complete the following fields:

Choose a service type
    Select Microsoft Dial-up Networking.

Configure service
    Lets you specify the Dial-up Networking entry that the server uses
    when connecting to this destination. Click Edit Configuration, and
    complete this field in the Microsoft Dial-up Networking dialog box:
    Dial-up Networking name - Name of the Microsoft Dial-up Networking
    phonebook entry on the source server containing the information on
    how to dial up the remote server.
    Optionally, you can complete the following additional fields in the
    dialog box. If you complete these fields, the settings override
    those configured in the specified Dial-up Networking entry on the
    server. These settings are used by the remote access service, not
    by Domino. Complete the fields and then click OK.
    Login name - The name that the server uses to log in to the remote
    access server.
    Password - The password the server uses to log in to the remote
    access server. For security reasons, when you enter the password,
    it appears as a series of asterisks. After you save the Connection
    document, before storing the document Domino encrypts the password
    with the public keys of the source server and the users and servers
    listed in the Owners and Administrators fields of the document.
    Phone number - The phone number of the remote access server. If the
    server uses pulse dialing, do not enter a phone number in this
    field. Also, be sure to select Pulse in the server's modem
    configuration options and, in the Microsoft Dial-up Networking
    dialog, provide a phone number and check the Use Telephony dialog
    properties box.
    Area code - Area code of the remote access server.
    Country code - Country code of the remote access server.
    Dial-back phone number - The phone number of the source server. If
    the remote access server has call-back enabled, it calls this
    number after authentication completes.
    Domain - The Windows logon domain of the remote access service.

The remaining fields on this tab are read-only and display information
only if you completed the corresponding field in the previous step.

8. Click the Replication/Routing and Schedule tabs to define the tasks
   you want to run, and select the times you want the server to call its
   destination.
9. Click Save & Close.
Note To ensure the best performance for connections that use
data-compressing modems, don't apply Domino network data
encryption to ports using these modems. Rather than reducing the size of
the transmitted data, the modem's hardware compression techniques can
increase it, negating the benefits of the modem compression.
For more information about encrypting data on an NRPC port, see the
chapter "Setting Up the Domino Network."

Coordinating dialup ISP connections between servers

When two geographically distant servers are both connected to the
Internet, they can use the Internet connection to replicate databases or
route mail. When both servers have constant connections to the Internet,
scheduling these tasks is easy. But if either server's Internet connection is
intermittent, for example, if one server uses a dialup connection to an
ISP, it can be difficult to schedule tasks to coincide with times when both
servers are available.
To automate the coordination of dialup schedules, Domino lets you
create an AutoDialer connection. An AutoDialer connection provides a
link between two Connection documents: one document that controls
when a source server initiates the given replication or mail routing task;
and one document that controls when the destination server dials up an
ISP to establish an Internet connection. An AutoDialer task on both
servers tracks the task schedule set in the source server's Connection
document and prompts the destination server to come online in time to
receive requests from the calling server.
The source server uses the destination server's IP address to establish the
connection. Because this requires a stable IP address, the destination
server's ISP must provide static IP addresses; that is, it must assign the
server the same IP address every time the server connects to the ISP.
AutoDialer connections honor the timeout settings specified for the
modem communication port. If a connection is idle for the amount of
time specified, Domino closes the connection.
Example of using an AutoDialer connection
Two remote servers, Jupiter and Pluto, share a common Domino
Directory and must replicate once a day with each other. Jupiter, a
powerful server with a direct connection to the Internet, is located at
company headquarters in New York. Pluto, a much less powerful
computer, located at a branch office in San Francisco, connects to the
Internet by dialing up a local ISP number. To enable Jupiter to assume
the greater share of the workload, the administrator chooses to have it
serve as the source server and initiate the replication. Because a direct
dialup connection between the servers would require a costly
long-distance call, the administrator decides to connect the servers over
the Internet to perform the replication.
To enable replication, the administrator creates an AutoDialer connection
for the two servers by doing the following:
1. Creates a Pluto-to-ISP Network Dialup Connection document that
   provides information on how to connect the destination server, Pluto,
   to the ISP, using a local phone number. In the Pluto-to-ISP
   Connection document, the administrator then does the following:
   - Enables AutoDialer and specifies that Pluto will begin to dial up
     the ISP three minutes before the scheduled replication with
     Jupiter.
   - Assigns the AutoDialer connection the name PlanetReplication.
2. Creates a Jupiter-to-Pluto LAN Connection document that provides
   information on how the source server, Jupiter, connects to Pluto. In
   the Jupiter-to-Pluto LAN Connection document, the administrator
   then does the following:
   - To enable Jupiter to locate Pluto on the Internet, specifies Pluto's
     IP address in the Optional network address field.
   - Enables AutoDialer and assigns the AutoDialer connection in this
     document the same name as the AutoDialer connection in the
     Pluto-to-ISP Connection document: PlanetReplication. This
     name provides the link between the two documents.
   - Sets the schedule on the Jupiter-to-Pluto Connection document to
     begin replication at 10:00 AM.
3. After saving both documents, the Domino Directory must be
   replicated so that both servers are aware of the change. The
   administrator on Pluto dials the server into the ISP and then issues
   the replicate command from the server console to replicate the
   Domino Directory between the two servers.
4. The administrator on Pluto then adds the AutoDialer task to the
   ServerTasks item in the NOTES.INI file to start the AutoDialer task
   on Pluto.
Domino then searches the available Connection documents to locate any
that have the AutoDialer connection name PlanetReplication. After it
finds the matching documents, Domino calculates when Pluto must dial
up its ISP to answer the replication request from Jupiter, and sets this
schedule in the Pluto-to-ISP Connection document. In this example,
because Pluto is in the time zone GMT -08:00, it must dial up the ISP at
6:57 AM local time to come online three minutes before Jupiter, in the
time zone GMT -05:00, initiates replication at 10:00 AM local time.
At 6:57 AM the AutoDialer on Pluto requests the dialup information
from the Pluto-to-ISP Connection document and dials the ISP. Three
minutes later, Jupiter sends a replication request over the Internet to
Pluto.
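Domino performs the schedule calculation in the example itself. The Python function below is an added illustration of that arithmetic, not code from the Domino documentation or product: it converts the source server's "Connect at times" value into the destination server's local time and subtracts the "Connect remote server to network" lead, reporting as well whether the dial-up lands on the previous or next calendar day (a case the example does not cover). Times are taken in 24-hour HH:MM form, and the function name and signature are this example's own.

```python
from datetime import datetime, timedelta, timezone


def dialup_time(task_time: str, source_utc_offset: float,
                dest_utc_offset: float, lead_minutes: int) -> tuple:
    """Work out when the dialing (destination) server must connect to its ISP.

    task_time         - the source server's scheduled time, 24-hour HH:MM in
                        the source server's local time (10:00 AM -> "10:00")
    source_utc_offset - the source server's time zone, hours relative to GMT
    dest_utc_offset   - the destination server's time zone, hours relative to GMT
    lead_minutes      - minutes before the scheduled action that the
                        destination server should be online

    Returns (HH:MM in the destination's local time, day offset), where the
    day offset is -1, 0 or +1 when the dial-up falls on the previous, same
    or next calendar day relative to the source server's schedule.
    """
    if lead_minutes < 0:
        raise ValueError("lead time must be zero or more minutes")
    src_tz = timezone(timedelta(hours=source_utc_offset))
    dst_tz = timezone(timedelta(hours=dest_utc_offset))
    hour, minute = (int(part) for part in task_time.split(":"))
    # Any reference date will do; only the wall-clock arithmetic matters.
    task_at_source = datetime(2002, 1, 1, hour, minute, tzinfo=src_tz)
    dial_at_dest = task_at_source.astimezone(dst_tz) - timedelta(minutes=lead_minutes)
    day_offset = (dial_at_dest.date() - task_at_source.date()).days
    return dial_at_dest.strftime("%H:%M"), day_offset


if __name__ == "__main__":
    # The worked example from the text: Jupiter (GMT -05:00) replicates at
    # 10:00 AM; Pluto (GMT -08:00) must be online three minutes earlier.
    print(dialup_time("10:00", -5, -8, 3))
```

For the Jupiter and Pluto case the result is 06:57 on the same day, matching the text. The day offset matters for servers far apart in longitude: a late-evening schedule on the source server can require the destination server to dial on the following day, and that is the day on which the Pluto-to-ISP schedule has to be enabled.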
Using AutoDialer with Notes Direct Dialup connections
Although AutoDialer is intended primarily for use in coordinating
connections over the Internet between two servers, you can also use
AutoDialer to enable a remote Domino server to dial directly into
another Domino server, or into a passthru server.
For more information, see the topic Coordinating Notes Direct Dialup
connections between servers later in this chapter.
To set up an AutoDialer connection
1. Create a Network Dialup connection document that defines how the
destination server for the scheduled task connects to its ISP.
For information on creating a Network Dialup connection, see the
topic Creating a Network Dialup connection earlier in this chapter.
2. On the Replication/Routing tab of the Connection document you
created in Step 1, complete the following fields in the AutoDialer
section:
AutoDialer Task
    Select Enabled.

AutoDialer connection name
    Specifies a name for this AutoDialer connection. Enter any unique
    name, for example, InternetReplication. It's best to use a name
    that's short and descriptive.
    The name you enter in this field must also appear in the AutoDialer
    connection name field in the Connection document that provides the
    schedule for this task (see Step 5).

Connect remote server to network
    Specifies how many minutes before a scheduled action this server
    will dial up to connect to the Internet. To ensure availability,
    specify a time value that enables the server to be online several
    minutes before the start of the scheduled action.

3. Click Save & Close.

4. Create a LAN Connection document that defines how the source
   server for the scheduled task connects to the destination server.
5. Enter the following information in the Connection document you
   created in Step 4 and then click Save & Close:

Basics tab
    Optional network address
        Enter the IP address of the destination server.

Replication/Routing tab
    Use AutoDialer to connect remote server to network
        Select Enabled.
    AutoDialer connection name
        The AutoDialer connection name specified in the Network Dialup
        Connection document you created in Step 2, for example,
        InternetReplication.

Schedule tab
    Schedule
        Select Enabled.
    Connect at times
        Specify the time to replicate with or route mail to the
        destination server. Enter a specific time only, for example,
        10:00 AM, not a time range.
    Repeat interval
        Leave this field blank. Domino does not support repeat intervals
        for AutoDialer connections.
    Days of week
        Specify the days when the calling server attempts to make this
        connection.

6. Connect the destination server (the dialing server) to the Internet by
   having it dial up the ISP.
7. From the server console of the destination server, enter the
   command:
   Replicate servername directoryfile
   where servername is the name of the source, or replication, server,
   and directoryfile is the file name of the Domino Directory database.
   For example, enter:
   Replicate Jupiter NAMES.NSF
8. Add the AutoDialer task to the ServerTasks item in the NOTES.INI
   file to start the AutoDialer task on the destination server (Pluto in
   the example).
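Step 8 above, like step 4 of the Jupiter and Pluto example, adds AutoDialer to the ServerTasks item in NOTES.INI. The following Python script is an added example of doing that edit safely, not code from the Domino documentation or product: it appends the task only if it is not already listed (matching case-insensitively, so the task is never started twice), leaves every other line untouched, and creates the item if the file has none. The NOTES.INI fragment it works on is constructed for the example.

```python
# Constructed sample NOTES.INI fragment; not copied from any real server.
SAMPLE_NOTES_INI = """[Notes]
Directory=C:\\Lotus\\Domino\\Data
ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched
ServerTasksAt1=Catalog,Design
"""


def server_tasks(ini_text: str) -> list:
    """Return the task list from the ServerTasks item, or [] if it is absent."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "servertasks":
            return [t.strip() for t in value.split(",") if t.strip()]
    return []


def add_server_task(ini_text: str, task: str = "AutoDialer") -> str:
    """Append a task to ServerTasks, keeping every other line untouched.

    The presence check is case-insensitive, so a task already listed in any
    capitalisation is not added twice; keys such as ServerTasksAt1 are left
    alone; if there is no ServerTasks item at all, one is created at the end.
    """
    lines = ini_text.splitlines()
    for i, line in enumerate(lines):
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "servertasks":
            tasks = [t.strip() for t in value.split(",") if t.strip()]
            if task.lower() in (t.lower() for t in tasks):
                return ini_text            # already scheduled: nothing to do
            lines[i] = key + "=" + ",".join(tasks + [task])
            return "\n".join(lines) + "\n"
    lines.append(f"ServerTasks={task}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(add_server_task(SAMPLE_NOTES_INI), end="")
```

Run it against a copy of the file and apply the result while the server is stopped, so that the server's own writes to NOTES.INI do not overwrite the edit; the AutoDialer task then starts with the server.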

Coordinating Notes Direct Dialup connections between servers


To enable two servers to perform scheduled tasks when one or both of
them uses a dialup connection to access the network, you can create an
AutoDialer connection to automatically coordinate the dialup schedule
with the task time. In most cases you use an AutoDialer connection to
schedule tasks over Internet dialup connections, but an AutoDialer
connection can also enable a remote Domino server to dial directly into
another Domino server, or into a passthru server.
The process for creating an AutoDialer connection for use with a Notes
Direct Dialup connection is similar to the one used to create an
AutoDialer connection for a Network Dialup connection. For replication
tasks, set up the more powerful server to be the source server, and the
less powerful server, generally the server with the dialup connection, to
be the destination server.
If the dialing server connects into a passthru server rather than
connecting directly to the replication server, all communications between
the dialing server and the replication server occur through the passthru
server. The replication server cannot locate the dialing server on the
network except with the help of the passthru server and so requires a
Passthru connection document to provide this information. In addition,
you must also configure the dialing server, as well as the replication
server, as passthru destinations.
To set up an AutoDialer connection for use with Notes Direct Dialup
connections
1. Create a Notes Direct Dialup connection document that defines how
the dialing, or destination, server connects to the Domino server
initiating replication (the source server).
For information on creating a Notes Direct Dialup connection, see the
topic Creating a Notes Direct Dialup connection earlier in this
chapter.
If the dialing server dials into a passthru server, rather than directly
into the source server, in addition to this Notes Direct Dialup
Connection document, you must also create a Passthru Connection
document if one doesn't already exist. You must also set up the
source server as a passthru destination.
Note The AutoDialer section on this Passthru Connection document
is not used.
For information on creating a Passthru Connection document, see the
topic "Creating a passthru connection" earlier in this chapter.

2. On the Replication/Routing tab of the Connection document you
   created in Step 1, complete the following fields in the AutoDialer
   section:

AutoDialer Task
    Select Enabled.

AutoDialer connection name
    Specifies a name for this AutoDialer connection. Enter any unique
    name, for example, AutoDialReplication. It's best to use a name
    that's short and descriptive.
    The name you enter in this field must also appear in the AutoDialer
    connection name field in the Connection document that provides the
    schedule for this task (see Step 5).

Connect remote server to network
    Specifies how many minutes before a scheduled action this server
    will dial up to connect to the Internet. To ensure availability,
    specify a time value that enables the server to be online several
    minutes before the start of the scheduled action.

3. Click Save & Close.
4. Create a Passthru Connection document describing how the
   replication server connects to the destination server.
5. Enter the following information in the Passthru Connection document
   you created in Step 4:

Replication/Routing tab
    Use AutoDialer to connect remote server to network
        Select Enabled.
    AutoDialer connection name
        The AutoDialer connection name specified in the Notes Direct
        Dialup Connection document in Step 2, for example,
        AutoDialReplication.

Schedule tab
    Schedule
        Select Enabled.
    Connect at times
        Specify the time to replicate with or route mail to the
        answering server. Enter a specific time only, for example,
        10:00 AM, not a time range.
    Repeat interval
        Leave this field blank. Domino does not support repeat intervals
        for AutoDialer connections.
    Days of week
        Specify the days when the calling server attempts to make this
        connection.

6. Click Save & Close.

Encrypting Network Dialup Connection documents

Domino can hide and encrypt the parameter part of the Network Dialup
Connection document by using the public keys of specific user or server
IDs. When completed, only users and servers with those IDs can make
connections using the document and can view the parameters in the
document.
Use these steps to encrypt a Connection document created prior to
Release 5 so that only the users and servers you specify can use the
document to make a connection and view the settings in the document.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server's Domino Directory in the Use
   Directory on field.
3. Click Server, and then click Connections.
4. Open the Network Dialup Connection document.
5. Choose File - Document Properties.
6. Click the Security tab (the key icon), and deselect All readers and
   above.
7. In the Public Encryption keys field, enter the names of users and
   servers who need access to the document, and then save the
   document.

Configuring a communication port

If you specified a communication port when you configured the server,
you do not need to specify the port again. You configure an additional
communication port only when you add an additional modem or other
device to a server or when you need to adjust the settings for a port
currently in use.
1. Install the modem on the server communication port and ensure that
   the operating system recognizes the port.
2. From the Domino Administrator, select the Server - Status tab.
3. From the Servers pane, select the server on which to set up the port.
   On platforms, such as UNIX, for which there is no Domino
   Administrator client, you can set up ports remotely.
4. From the Tools pane, click Server - Setup Ports.
5. Select the name of the port on which you installed the modem, for
   example, COM1.
   If the communication port name does not exist, select New, type the
   name of the communication port on which you installed the modem,
   select XPC for the driver, and then click OK.

6. Select Port Enabled.


7. If you want to enable Domino network data encryption, select
Encrypt network data.

8. Select Compress network data to enable Domino network data


compression. Network compression occurs only if it is enabled on
both sides of the connection. If compression is not enabled on the
server being connected to, data will not be compressed.
9. Click portname Options, where portname is the name of the port
whose settings you want to change.
10. Modify default port settings, as needed and then click OK.
Note These settings apply to digital-analog modems only, not cable
or DSL modems.
The default port settings work in most situations. However, if you
are performing troubleshooting, you may wish to adjust some of the
settings. The following settings are available:
Modem type
    Associates a modem with a modem command file. If none of the listed modems is an exact match for the installed modem, select the closest match by brand and speed. If the modem is 100% Hayes-compatible, select Auto Configure (AUTO.MDM) for Domino to determine the modem type automatically and select the appropriate Hayes command file. Because the Auto Configure modem file does not provide optimal performance, use it only as a temporary measure while obtaining an appropriate modem command file.
    If there's no match and your modem is not 100% Hayes-compatible, you may need to edit an existing modem command file or create a new one. For information about your modem, see your modem documentation.
    For information about editing modem command files, see the topic Modifying a modem command file later in this chapter.

Setting Up Server-to-Server Connections 4-47

Configuration

Maximum port speed
    Specifies the maximum speed at which the communication port on the computer sends data to the modem and receives data from the modem. Domino selects a maximum data transmission speed based on the modem type you select. The maximum speed is limited by the maximum speed specified in the modem's command file and may also be limited by the server's operating system. The default value is 19200. Specify the highest value supported by your modem hardware. Select a lower port speed if you are having trouble with a noisy phone line or cannot establish the carrier.
    When using a null modem, the maximum port speed on both computers must match.

Speaker volume
    Specifies how loudly to amplify modem tones during connection attempts. Choose the volume that best allows you to monitor call progress: Low, Medium, or High; or choose Off to mute the modem.

Dial mode
    Choose one:
    - Tone - For touch-tone phone lines.
    - Pulse - For rotary phone lines or modems that do not support touch-tone dialing.

Log modem I/O
    Select this option to help troubleshoot modem connection problems by recording modem control strings and responses in the Miscellaneous Events view of the server's Notes Log (LOG.NSF).
    To conserve disk space, after the problem is fixed, deselect this option to prevent the extra information from being recorded.

Log script I/O
    Select this option to help troubleshoot communication problems between servers that occur after the modem establishes a connection. The server records script file responses and replies in the Miscellaneous Events view of the server's Notes Log (LOG.NSF).
    To conserve disk space, after the problem is fixed, deselect this option to prevent the extra information from being recorded.

Hardware flow control
    Specifies how data is sent between the computer and the modem. Select this option (the default on operating systems other than UNIX) to enable data flow control. Deselect this option only if you're using a modem or external serial port that doesn't support flow control. When deselected, messages about errors and retransmissions can appear in the Phone Calls view of the log file (LOG.NSF).

Wait for dialtone before dialing
    Select this option (the default) to require the modem to detect a dialtone before dialing. Deselect this option on phone systems where dial tone detection is a problem.

Hangup if idle
    Specifies the time, in minutes, that the modem on the source server waits before hanging up if there is no data passing through the connection. The default value is 15. For ports that workstation users dial into, specify a longer idle time so users have time to read or compose long documents.

Dial timeout
    Specifies the time, in seconds, that the source server continues attempting to connect to the destination server before it cancels the attempt. Increase the dial time-out period when using pulse dialing or when calling overseas. The default value is 60.

Port number
    Specifies the port number for the current port type. Domino automatically sets the port number to the number specified in the port name; for example, if COM7 is the port name, the port number is 7. On UNIX systems, specify a port number N that matches the /dev/cuaN device file that you linked to the asynchronous port.

Note Enabling network encryption can slow performance, especially for connections that use data-compressing modems. Never apply Domino network data encryption to ports that use data-compressing modems. Rather than reducing the size of the transmitted data, the modem's hardware compression techniques can increase it, negating the benefits of the modem compression. For more information about setting up network data encryption for a port, see the topic Encrypting network data on a server port.

11. To specify an acquire script for this port, click Acquire Script, select the script in the Acquire Script dialog box, and then click OK.
For more information on acquire scripts, see the topic Writing and editing acquire and login scripts later in this chapter.
12. If necessary, you can edit acquire scripts and modem command files.
For information about editing modem command files and acquire scripts, see the topic Modifying modem command files and acquire scripts later in this chapter.

Modifying modem command files and acquire scripts

When you modify a modem command file or acquire script, you can only modify the file on the local server. To apply a modified modem file to a remote server, edit the file locally and copy it to the Domino Data/Modems subdirectory on the remote server. Then restart the server so that the modifications take effect.
1. Use the documentation that came with the modem to determine which additional commands you must add to the modem command file.
2. From the Domino Administrator, select the Server - Status tab.
3. From the Tools pane, click Server - Setup Ports.
4. From the Communication Ports box, select the modem communications port; for example, COM1.
5. Click portname Options, where portname is the name of the communications port you selected in step 4.
6. To edit a modem file, in the Modem type field, select the modem command file that you want to modify (typically, Generic All-Speed Modem File), and then click Modem File.
To edit an acquire script, click Acquire Script.
7. Edit the content of the file as necessary. Refer to the comments at the top of the file for instructions.
8. Click Save to save the file using the current name.
Or, to save the file under a new name, click Save As, enter a new name for the modified file in the File name field, and then click Save.
9. Click Done to close the Edit dialog box, and then click OK to close each of the remaining open dialog boxes.
Note To ensure the best performance for connections that use data-compressing modems, don't apply Domino network data encryption to ports using these modems. Rather than reducing the size of the transmitted data, the modem's hardware compression techniques can increase it, negating the benefits of the modem compression. For more information about setting up network data encryption for a port, see the chapter Setting Up the Domino Network.

Using acquire and login scripts

How you specify a script when making a call depends on the type of script.

Acquire script
    Specify the script when you set up the communication port. When the server makes a call using the specified port, Domino uses that acquire script to obtain a modem from a modem pool. Domino runs the commands in the acquire script before running the commands in the modem script.

Login script
    Specify a login script in the Notes Direct Dialup Connection document for connecting to a specified server. When making a call to that server, Domino uses the specified login script.

Writing and editing acquire and login scripts

Domino uses acquire and login scripts to make certain connections. A Domino server that doesn't have its own modem can use an acquire script to obtain a modem from a modem pool on a communications server. The server runs the commands in the acquire script prior to running the commands in the modem file used to make the connection. You specify the acquire script to use when configuring the modem port. Check the documentation that came with the communications server to see if the server includes an acquire script.
Login scripts provide information required to access a destination server and are required by some Direct dialup connections. The server runs the commands in the login script after running the modem command file.
You can edit an existing acquire or login script or create new ones from scratch using any text editor. When editing or writing scripts, use the appropriate script commands, keywords, and comments. The keywords identify and classify the script file. The script commands execute sequentially. The keywords you use depend on the device that the script sets up.
Any time you change a script, make sure you save the file with an SCR extension and copy it to the Notes Data/Modems subdirectory of every workstation and the Domino Data/Modems subdirectory of every server that uses the script.

General rules for writing script files
1. Start lines with a colon to indicate a branch label. Do not exceed the maximum branch label length of eight characters. If you specify more than eight characters, the script uses only the first eight.
2. Start lines with a semicolon to indicate a comment line.
3. Do not exceed the maximum line length of 80 characters.
4. Embed control characters 0 - 20H in strings. For example, use ^M for CTRL+M. Use double carets for a literal caret. For example, use ^^M for CARET+M.
5. Specify up to four optional arguments for login scripts: ^1, ^2, ^3, ^4. Then, when you make a call on the workstation or server, you enter values for these arguments, or you enter them permanently in the Connection document in the Domino Directory or Personal Address Book. The values you enter replace the ^1, ^2, ^3, or ^4 in the script when you make each call.
6. Raise the data terminal ready (DTR) signal at the start of script file processing. If the modem does not automatically raise this signal, you must use the DTR_HIGH command.

Editing script files

Script files are ASCII text files with the extension SCR that Domino stores in the Modems subdirectory of the Domino data directory. You can open and edit login scripts and acquire scripts using any text editor. In addition, you can also open an acquire script for editing from the Port Setup dialog box during the process of setting up a server's communications port.
For information about how to edit a script from the Port Setup dialog box, see the topic Configuring a communication port earlier in this chapter.

Script keywords
Use these keywords when you write a script file.

DESC
A one-line description of the script file's purpose. Dialog boxes for selecting the script display the text associated with this keyword. Always include a DESC line in a script file to provide users with information about the script. For example, if you open the Acquire Script dialog box while setting up a communication port, the following text appears for the default acquire script (COMSERV.SCR):
Acquire a modem via a communications server

Similarly, mobile users who use login scripts when configuring dialup communications from a Notes client see the value of the DESC keyword in the login script.

TYPE
Tells whether the script is an acquire or connect script. For example:
TYPE CONNECT

ARG1...ARG4
For connect scripts only, these optional keywords precede a description of each of the four script arguments. You may write scripts using from 0 through 4 arguments. For example, you might use the following script arguments and descriptors in a connect script file:
ARG1 1. REMOTE DTE ADDRESS:
ARG2 2. None entered:
ARG3 3. None entered:
ARG4 4. None entered:

ARG1 is a keyword, and 1. REMOTE DTE ADDRESS: is the description that appears in the Call Setup dialog box. ARG2, ARG3, and ARG4 are keywords; X. None entered: lets users enter arguments when making the call. Users can enter arguments when they choose File - Mobile - Call Server, select More Options, and then select Call Setup; or they can enter arguments in the Notes Direct Dialup Connection document in the Domino Directory or Personal Address Book.

Commands for acquire and connect scripts

The available script commands are described in this table.

BREAK
    Syntax: BREAK [time]
    Sends a communications break. Time is specified in 100ms intervals. Default is 500ms. Maximum is 2000ms. Timing of breaks is not exact.

DTR_HIGH
    Syntax: DTR_HIGH
    Raises the DTR signal on the selected port. If the modem or other communication device does not automatically raise data terminal ready (DTR) at the start of script file processing, use the DTR_HIGH script command or configure DTR on your modem or communication device.

DTR_LOW
    Syntax: DTR_LOW
    Lowers the DTR signal on the selected port.

ERROR
    Syntax: ERROR label
    Tells the script file to branch to the specified label if an error previously occurred. If no label is specified, the ERROR condition is cleared, but no branch occurs.

FAIL
    Syntax: FAIL [text string]
    Terminates execution of the current script. The optional text string is logged in the log file (LOG.NSF).

GOTO
    Syntax: GOTO label
    Branches unconditionally to the specified label. If the label does not exist, the script file terminates, and the error is logged in the log file (LOG.NSF).

LOG OFF
    Syntax: LOG OFF
    Turns off informational logging if you have Log modem I/O selected (for execution of this script only). Uses the log file (LOG.NSF).

LOG ON
    Syntax: LOG ON
    Turns on informational logging if you have Log modem I/O deselected. This command logs execution of only this script.

PROMPTUSER
    Syntax: PROMPTUSER Dialog box title [Title1[initializer] Title2[initializer] Title3[initializer] Title4[initializer]]
    Displays an interactive dialog box to prompt a user from a script. The user needs to run a script with this command from a Notes client.

REPLY
    Syntax: REPLY string [;]
    Sends a string to the serial port. Carriage return/line feed is sent at the end of the string unless you include a semicolon (;).

WAIT
    Syntax: WAIT [time] [FOR string]
    Waits a given amount of time for the case-sensitive specified string, which must be enclosed in quotes. Any data other than a matched string is passed along. If a time is not specified, waits a maximum of 60 seconds.

WATCH
    Syntax:
        WATCH [time] [FOR]
        string1 statement
        string2 statement
        ENDW
    Same as WAIT, but with multiple responses and actions. The WATCH command terminates (continues to the next instruction) when one of the strings is matched or when time-out occurs.
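The general rules for script files, the script keywords, and the command table above can be checked mechanically before a script is copied into the Modems subdirectory of every server and workstation that uses it. The following Python checker is an added example, not a Lotus tool and not a file shipped with Domino. It implements the documented rules (colon labels counted to eight characters, semicolon comments, 80-character lines, the caret conventions for control characters, literal carets and the ^1-^4 arguments, the DESC and TYPE keywords, ARG1-ARG4 in connect scripts only, quoted WAIT and WATCH strings, WATCH blocks closed by ENDW, and GOTO/ERROR targets that must name an existing label, since a branch to a missing label terminates the script). The sample script, the TYPE ACQUIRE value for acquire scripts, and the one-entry-per-line layout inside a WATCH block are assumptions of the example:

```python
"""Static checks for Domino acquire/login script (.SCR) files (added example,
not Lotus code). Applies the rules documented above: labels, comments,
80-column lines, ^ escapes and ^1..^4 arguments, DESC/TYPE/ARGn keywords,
quoted WAIT/WATCH strings, WATCH...ENDW and GOTO/ERROR label targets.
Assumed: TYPE ACQUIRE as the other TYPE value; one entry per line in WATCH."""
import re

MAX_LINE, MAX_LABEL = 80, 8
KEYWORDS = {"DESC", "TYPE", "ARG1", "ARG2", "ARG3", "ARG4"}
BRANCHING = {"GOTO", "ERROR"}        # the argument names a branch label
QUOTED = re.compile(r'"[^"]*"')      # WAIT/WATCH strings must be quoted


def expand_string(text, args=()):
    """^^ -> '^', ^1..^4 -> argument value, ^X -> control character CTRL+X."""
    out, i = [], 0
    while i < len(text):
        if text[i] != "^" or i + 1 == len(text):
            out.append(text[i])
            i += 1
            continue
        nxt = text[i + 1]
        if nxt == "^":
            out.append("^")
        elif nxt in "1234":
            out.append(args[int(nxt) - 1] if int(nxt) <= len(args) else "")
        else:
            out.append(chr(ord(nxt.upper()) & 0x1F))   # ^M -> 0x0D
        i += 2
    return "".join(out)


def lint_script(text):
    """Return 'line N: problem' strings; an empty list means all checks pass."""
    problems, labels, refs, headers, watch_line = [], set(), [], {}, None
    for no, raw in enumerate(text.splitlines(), 1):
        if len(raw) > MAX_LINE:
            problems.append(f"line {no}: longer than {MAX_LINE} characters")
        line = raw.strip()
        if not line or line.startswith(";"):           # blank or comment line
            continue
        if line.startswith(":"):                       # branch label
            name = line[1:].strip().upper()
            if len(name) > MAX_LABEL:
                problems.append(f"line {no}: label {name} truncated to 8 chars")
            labels.add(name[:MAX_LABEL])
            continue
        if watch_line:                                 # inside WATCH ... ENDW
            if line.upper() == "ENDW":
                watch_line = None
                continue
            match = QUOTED.match(line)
            if not match:
                problems.append(f"line {no}: WATCH entry needs a quoted string")
                continue
            line = line[match.end():].strip()          # the statement part
        word, _, rest = line.partition(" ")
        word, rest = word.upper(), rest.strip()
        if word in KEYWORDS:
            headers[word] = rest
        elif word in BRANCHING and rest:
            refs.append((no, rest.split()[0].upper()[:MAX_LABEL]))
        elif word == "WATCH":
            watch_line = no
        elif word == "WAIT":
            _, found, target = rest.upper().partition("FOR")
            if found and not QUOTED.match(target.strip()):
                problems.append(f"line {no}: WAIT FOR string must be quoted")
    if watch_line:
        problems.append(f"line {watch_line}: WATCH block not closed with ENDW")
    if "DESC" not in headers:
        problems.append("header: missing DESC line")
    kind = headers.get("TYPE", "").upper()
    if kind not in ("CONNECT", "ACQUIRE"):
        problems.append("header: TYPE must be CONNECT or ACQUIRE")
    if kind != "CONNECT" and any(k.startswith("ARG") for k in headers):
        problems.append("header: ARG1-ARG4 are valid only in connect scripts")
    problems += [f"line {no}: branch to undefined label {t}"
                 for no, t in refs if t not in labels]
    return problems


# Constructed sample login script (not a file shipped with Domino).
SAMPLE_OK = """\
DESC Log in to a hypothetical terminal server (constructed example)
TYPE CONNECT
ARG1 1. Login name:
; wake the server with a carriage return, then answer its prompt
REPLY ^M
WAIT 10 FOR "login:"
REPLY ^1
WATCH 30 FOR
"ok" GOTO done
"denied" GOTO failed
ENDW
:failed
FAIL Login rejected or timed out
:done
"""
```

Run `lint_script(open("MYSCRIPT.SCR").read())` over a script before deploying it; an empty list means it passed every check above. `expand_string` shows what REPLY actually sends once the caret conventions and call arguments are applied, which is the quickest way to see why a control string that looks right in the editor behaves differently on the line.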

Connecting Notes clients to servers

After you set up a server to accept inbound connections, it can accept them from both servers and clients. The methods used to establish connections from clients to servers on remote networks are similar to those used when connecting one server to another. To connect to a remote Domino server, clients may require Connection documents, and depending on the type of connection, might also require a modem, COM port information, and other data, documents, and files. You can also connect clients to non-Domino Internet servers. The following table lists the other types of information required to create client-to-server connections.

Requirements for connecting Notes clients to remote servers over various access media

Notes client connecting directly to Domino network over LAN, cable data network, or digital subscriber line (DSL)
    Required documents in the Personal Address Book:
    - Office Location document. For connections through a passthru server, the Location document must specify the name of the passthru server.
    - Connections through a passthru server require a Passthru Connection document.
    Additional files and information required:
    - Notes user ID
    - Name of a server containing a Domino Directory
    - Name and port number of proxy server, if any

Notes client connecting directly to Domino network over dialup line
    Required documents in the Personal Address Book:
    - Home (Notes Direct Dialup) Location document. For connections through a passthru server, the Location document must specify the name of the passthru server.
    - Notes Direct Dialup Connection document
    - Connections through a passthru server require a Passthru Connection document.
    Additional files and information required:
    - Notes user ID
    - Name of a server containing a Domino Directory
    - Dialup phone number
    - Modem and COM port information

Notes IMAP or POP3 mail client connecting directly to an Internet mail server over LAN, cable, or DSL connection
    Required documents in the Personal Address Book:
    - Internet Location document
    - Account documents
    Additional files and information required:
    - E-mail address
    - Incoming and outgoing mail server addresses
    - Proxy server information

Notes IMAP or POP3 mail client connecting to an Internet mail server over a dialup connection
    Required documents in the Personal Address Book:
    - Home (Network Dialup) Location document
    - Account document
    - Network Dialup Server document
    Additional files and information required:
    - Internet mail address
    - ISP account and password
    - Incoming and outgoing mail server addresses
    - Dialup telephone number

To connect to Domino through a passthru server, users must specify the name of the passthru server in the current Location document and set up Passthru Connection documents.

Chapter 5
Setting Up and Managing Notes Users

Setting up Notes users

After setting up and configuring the first Lotus Domino 6 server, you can set up Lotus Notes 6 users.
To set up Notes users, you can register them in Notes or migrate them from an external mail system or directory. Before you begin to add users, it is best to specify default settings that Notes applies during registration. To add users, you register them and use either the Lotus Domino 6 server-based certification authority, which issues the appropriate certificate, or the appropriate certifier ID and password, which generates a user ID and certificates that allow users appropriate system access. After registering Notes users, you need to prepare the installation files so users can install Notes on their workstations.
Lotus Notes 6 users are people who use the Notes client to access Domino servers and databases and have a Notes ID, a Person document, and, if they use Notes Mail, a mail file.
Before you register new Lotus Notes 6 users, you may want to specify default settings that apply to all users you register. Default settings make user registration easy and fast and ensure that user settings are consistent.
You can define many default settings, such as what mail server users have or what certifier ID to use for user registration. You can also specify a default workstation execution control list (ECL) to protect data from unauthorized workstation access.
To define default settings, use any of these tasks:
1. Create a Registration Settings document to define default user registration settings.
2. Create a User Setup Settings document to populate the user's Location document and bookmarks. Setup settings include Internet browser and proxy settings, applet security settings, and desktop and user preferences.
3. Create a Desktop Settings document to make dynamic changes on user workstations.
4. Create a default workstation execution control list (ECL) to set up workstation security.
5. Specify default user registration settings in Administration Preferences.
6. Specify default user settings in the Register Person dialog box.
For more information on policies and settings documents, see the chapter Using Policies.

User registration
You need to register users before they can install Notes on their workstations. For each user, the registration process creates:
- A Person document in the Domino Directory.
- A user ID that is stamped with appropriate certificates (does not apply to non-Notes users).
- A mail file (optional).

Notes offers different options for registering users. For example, using Basic user registration is fast and easy because it automatically assigns many default settings to users. If you use Advanced user registration, you can assign more advanced settings, such as adding a user to a Windows NT or an Active Directory group. You can also register users by importing them from a text file or migrating them from a foreign directory.
If you use the Register Person dialog box to register users, you can sort, view, and modify user settings in the view of the User Registration Queue (USERREG.NSF) that appears in the dialog box. This database contains information on users pending registration. When you exit the Register Person dialog box, you can save all users pending registration and register them later. When you access the dialog box again, the User Registration Queue automatically opens to display all users pending registration.
Before you register users, review your organization's hierarchical name scheme and decide where each user fits into that scheme. Based on the name scheme, you know which certifier ID to use to register users, which server to use as the registration server, and on which server to store the users' mail files. When you register users, you must have the appropriate access to each server that you use, and you must know the password for each certifier ID that you use. If you intend to implement policies in your organization, create policies and settings documents before you register users so that you can assign policies during registration.

- For more information on creating non-Notes users, see the topic Creating non-Notes, Internet Users in this chapter.
- For more information on the Domino server-based certification authority, see the chapter Setting Up a Domino Server-Based Certification Authority.
Example of registering two Notes users
Here is an example of how administrators at the Acme Corporation registered two users based on each user's place in the organization's hierarchy. The users work in different locations and departments.

[Figure: the Acme organization hierarchy. Acme has West and East divisions with departments including HR, Accounting, IS, Sales, Marketing, and Development. Robin Rutherford: registered with the HR/West/Acme certifier ID; hierarchical name Robin Rutherford/HR/West/Acme. Alan Jones: registered with the Sales/East/Acme certifier ID; hierarchical name Alan Jones/Sales/East/Acme.]

Alan Jones works in the Sales department in Acme's East Coast division. To give Alan appropriate access within the system and to place him appropriately in the hierarchy, the administrator uses the Sales/East/Acme certifier ID to register him. Alan Jones' full hierarchical name then becomes Alan Jones/Sales/East/Acme.
The administrator specifies Mail-E, which is located on the East Coast Acme LAN, as Alan's mail server. Alan's mail server is then on the same LAN as his workstation, so that when he receives and sends mail, he can connect directly to the server that stores his mail file.
Robin Rutherford works in the Accounting department in Acme's West Coast division. The administrator uses the Accounting/West/Acme certifier ID to register Robin. Mail-W is Robin's mail server, and her full hierarchical name is Robin Rutherford/Accounting/West/Acme.

User registration and the server-based certification authority

When registering users, you have the option of using the traditional certifier ID and password combination or using the Domino server-based certification authority (CA). Prior to registering users, you need to understand the Domino server-based CA, be familiar with the benefits of using the CA, and know how to use the Domino server-based CA. An administrator can be designated as a Registration Authority (RA) for the server-based CA. You can assign the RA role to the administrator responsible for user registration. This allows one administrator to register users with certificates issued by the server-based certification authority.

Customizing user registration

You can define specific options to customize how Domino registers users. If you choose to use a certifier ID and password instead of the Lotus Domino 6 server-based certification authority (CA), Domino uses the certifier ID specified in Administration Preferences; or if there is none, it uses the ID specified in the CertifierIDFile setting in the NOTES.INI file.
1. Make sure to have the following before you begin customizing user registration:
- Access to the certifier ID and its password, if you are not using a certifier enabled for the CA process.
- Editor access, or Author access with the Create Document role, and the UserCreator privilege in the Domino Directory. The UserCreator role is required regardless of your access level.
- Access to the Domino Directory from the machine you work on.
- Local or remote access to USERREG.NSF.
- Create new databases access on the mail server to create user mail files during registration.
- Create document access to CERTLOG.NSF on the registration server.
- GroupModifier role or at least Editor access to add users to groups.
Note Do not modify the ACL for USERREG.NSF using the File - Database - Access Control menu commands. Use the User Registration Database Access button on the Advanced Person Registration Options dialog box.
2. From the Domino Administrator, click the People & Groups tab.
3. From the Servers pane, choose the server to work from.
4. Select Domino Directories, and then click People.
5. From the Tools pane, click People - Register. Enter the password for the certifier that you are currently using.

Note While registering a user, you can specify whether you want to
register the user with the server-based CA, or with a certifier ID and
password. This selection is made on the ID Info panel in advanced
user registration.
6. Click the Options button, and then choose any of these options:

Keep successfully registered users in the queue
    Keeps successfully registered users in the queue. The default is to remove successfully registered users from the queue.

Try to register queued people with error status
    Tries to register queued users, even if their registration status contains errors. For example, if you choose this option, a user whose password is insufficiently complex will be registered. The default is not to register queued users who have error status.

Allow registration of previously registered people
    Allows registration of users who were previously registered in Notes. The default is not to register previously registered Notes users.

Search all directories for duplicate names
    Checks every directory to see if the user's name already exists.

Enforce short name uniqueness
    Forces all short names to be different from one another.

Don't prompt for a duplicate person
    If you choose this option, these additional options appear. Choose one:
    - Skip the person registration: Skips the user registration for both short name and full name single matches.
    - Update the existing address book entry: Overwrites the existing user if the single match found is on the full name. Short name uniqueness is then required.
    The default is to prompt for duplicate users.

Do not continue on registration errors
    Stops registration if you have multiple users selected and the registration encounters an error. The default is to continue on registration errors.

Don't prompt for a duplicate mail file
    If you choose this option, these additional options appear. Choose one:
    - Skips the person registration.
    - Generates a unique mail file name by appending a number beginning with 1, then 2, etc., to a non-unique mail file name until a unique name is found.
    - Replaces the existing mail file. This option does not apply when the mail file is being created in the background via the Administration Process, or if the current ID does not have delete access to the mail file that is being replaced.
    The default is to prompt for a duplicate mail file.

Don't prompt for a duplicate roaming directory
    If you choose this option, these additional options appear. Choose one:
    - Skips the person registration.
    - Generates a unique roaming directory name by appending a number beginning with 1, then 2, etc., to a non-unique roaming file name until a unique name is found.
    The default is to prompt for a duplicate roaming directory.

Generate random user passwords
    Click this check box to automatically set random passwords for the users you are registering. If you select this option, you do not need to specify passwords for the users you are registering.

User Registration Database Access
    Displays the Registration Database Access Control Settings dialog box, where you can add or remove members from the access control list as well as change access control settings.

7. Click OK.
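The duplicate-person, duplicate-mail-file, error-status and stop-on-error options in the table above amount to a small decision procedure that determines whether each queued user is registered, updated, skipped, left for a prompt, or halts the run. The following Python model is an added example, not Lotus code and not the behaviour of the actual Register Person dialog: it runs a constructed registration queue against an in-memory directory and reports the outcome per user as the table describes it. The cases the table leaves open (more than one match, or an update when only the short name matches) are treated as errors; that choice, the case-insensitive name comparison, and all names, short names and mail file paths are assumptions of the example:

```python
"""Model of the Register Person queue options (added example, not Lotus
code and not the dialog's actual implementation). Runs a constructed queue
against an in-memory directory and reports, per user, the outcome of the
duplicate-person, duplicate-mail-file, error-status and stop-on-error
options as the table describes them. Cases the table leaves open (several
matches, 'update' when only the short name matches) are assumed to be errors."""
from dataclasses import dataclass


@dataclass
class QueuedUser:
    full_name: str            # hierarchical name, e.g. Alan Jones/Sales/East/Acme
    short_name: str
    mail_file: str
    error_status: bool = False   # set when queuing found a problem (weak password...)


# Constructed directory (full name -> short name) and existing mail files.
DIRECTORY = {"Alan Jones/Sales/East/Acme": "ajones",
             "Robin Rutherford/Accounting/West/Acme": "rrutherf"}
MAIL_FILES = {"mail/ajones.nsf", "mail/rrutherf.nsf", "mail/rrutherf1.nsf"}


def find_matches(user, directory):
    """Entries matching the full name and the short name (case-insensitive: an assumption)."""
    full = [n for n in directory if n.lower() == user.full_name.lower()]
    short = [n for n, s in directory.items() if s.lower() == user.short_name.lower()]
    return full, short


def resolve_duplicate(user, directory, policy):
    """policy is 'prompt' (the default), 'skip' or 'update'."""
    full, short = find_matches(user, directory)
    if not full and not short:
        return "register"
    if policy == "prompt":
        return "prompt: duplicate person"
    if policy == "skip":                  # skip on a full-name or short-name match
        return "skipped: duplicate person"
    # 'update': overwrite only when the single match is on the full name; the
    # short name must then be unique among the other entries.
    if len(full) == 1 and all(n == full[0] for n in short):
        return "update"
    return "error: short name not unique"     # assumption for the open cases


def unique_mail_file(candidate, existing):
    """Append 1, 2, ... to a non-unique mail file name until it is unique."""
    if candidate not in existing:
        return candidate
    stem, ext = candidate.rsplit(".", 1)
    n = 1
    while f"{stem}{n}.{ext}" in existing:
        n += 1
    return f"{stem}{n}.{ext}"


def process_queue(queue, directory, mail_files, duplicate_policy="prompt",
                  mail_policy="prompt", register_with_errors=False,
                  stop_on_errors=False, keep_registered=False):
    """Return ({full_name: outcome}, users still in the queue afterwards)."""
    outcomes, left = {}, []
    for i, user in enumerate(queue):
        if user.error_status and not register_with_errors:
            outcome = "error: queued with error status"
        else:
            outcome = resolve_duplicate(user, directory, duplicate_policy)
        mail = user.mail_file
        if outcome in ("register", "update") and mail in mail_files:
            if mail_policy == "rename":
                mail = unique_mail_file(mail, mail_files)
            elif mail_policy == "skip":
                outcome = "skipped: duplicate mail file"
            elif mail_policy != "replace":
                outcome = "prompt: duplicate mail file"
        if outcome in ("register", "update"):
            directory[user.full_name] = user.short_name
            mail_files.add(mail)
            outcome = f"{outcome}: {mail}"
            if keep_registered:
                left.append(user)
        else:
            left.append(user)
        outcomes[user.full_name] = outcome
        if stop_on_errors and outcome.startswith("error"):
            left.extend(queue[i + 1:])        # stop here; the rest stay queued
            break
    return outcomes, left


def sample_queue():
    """Constructed queue: a full-name duplicate, an error status,
    a short-name clash and a mail file clash."""
    return [QueuedUser("Alan Jones/Sales/East/Acme", "ajones", "mail/ajones.nsf"),
            QueuedUser("Pat Lee/HR/West/Acme", "plee", "mail/plee.nsf", True),
            QueuedUser("Kim Park/IS/East/Acme", "rrutherf", "mail/kpark.nsf"),
            QueuedUser("Sam Roe/Sales/East/Acme", "sroe", "mail/rrutherf.nsf")]
```

With the defaults (prompt on every duplicate, do not register error status, continue on errors) nothing is written and all four users stay queued, which is the safe setting for a first run. Switching to the update, rename and register-with-errors options registers three of them and leaves only the short-name clash in the queue; the short-name case is the one worth reviewing by hand, because a short name is what users type at the Notes login prompt and what mail addressing resolves.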

Registering users
You can use any of these methods to register Notes users:
- Basic user registration
- Advanced user registration
- Text file registration
- Registration settings
- Migration tools (for people using an external mail system or directory) registration
- Basic user registration from the Web Administrator
- Advanced user registration from the Web Administrator

The method you use to register people depends on a number of issues, including whether you have defined default settings, whether you want to assign users more advanced options (such as alternate names), whether you need to import users from a foreign mail system or directory, and whether your user settings are in a text file.

Basic registration
For fast and easy registration, use the Basic user registration options.
Basic registration requires you to define user-specific settings, such as
user name and password, but also offers you the convenience of
applying some default settings to users. You can define default settings
in the Registration preferences (found in the Administration Preferences
dialog); you can define settings in the Register Person dialog; or you can
use Notes default settings. Some of the non-default settings you define in
Basic registration include the user name and password. You can also
assign users to specific groups.
All settings available in Basic registration are also available in Advanced
registration. You can choose to view and perform Advanced registration
at any time by clicking the Advanced check box in the Register Person
dialog.
Advanced registration
Advanced registration offers all the settings included in Basic registration and also allows you to change default settings and define advanced or specific settings; for example, you can assign an alternate name to a user or add the user to a Windows NT or Active Directory group.
Text file registration
To register users from a text file (that is, a file that contains information on one or more users), import them into the registration queue from the Register Person dialog box. This action creates an entry for each user in the User Registration Queue and allows you to modify user settings individually.

Note When registering users with non-ASCII characters in their user names, Notes attempts to convert non-ASCII characters to ASCII. If one or more characters cannot be converted to ASCII, the Internet address is not generated. You need to be aware of this when registering users whose names cannot be converted to ASCII characters because you will need to create those Internet addresses manually.

Web registration
User registration can now be done using the Domino Web Administrator.
You register users via the Web in a manner that is very similar to user
registration done with the Domino Administrator.
For more information on registering users with the Web Administrator,
see the topic Using the Domino Web Administrator to register users in
this chapter.
If you are a service provider, for more information on registering users
from the hosted organization site, see the chapter Managing a Hosted
Environment.
Registration Settings
To simplify the process of registering users, you can create policies and
Registration Settings documents to preset registration settings for
different types of users. For example, users who work in Human
Resources may have different registration settings than users who work
in Sales. You can create Registration settings for both groups of users,
and use them to register everyone with the proper settings. In addition,
when you add new users to either group later, the same registration
settings apply.
Note Registration settings do not apply to user registration done with
the Web Administrator.
Migration from external mail system or directory
You can migrate users who use an external mail system or directory into
Notes. You register them using migration tools accessed through the
Migrate People button in the Register Person dialog box. After migrating
them, you can modify their settings.
The following list details the types of users you can migrate into Notes:
- Lotus cc:Mail
- Microsoft Exchange
- LDIF (from an LDAP directory)
- LDAP
- Microsoft Mail
- Windows NT/Windows 2000
- Active Directory

Using default user settings when registering users

When you use default settings, the user registration process is fast and easy. The default settings can originate from a variety of sources:
- Notes includes a set of default settings.
- You can define default settings in the registration preferences in the Administration Preferences dialog box. Define these settings before registering users. The registration preferences do not offer all the default settings, only some of the more basic ones, such as designating the Registration server.
  For more information on registration preferences, see the chapter Setting Up and Using Domino Administration Tools.
- You can define default settings through the user registration interface using either of two methods: one method uses settings for a user previously added to the user registration queue, and the other method uses settings defined on the Register Person - New Entry dialog box.
  For example, if you have already added users to the user registration queue, the non-user-specific settings that were applied to the last user now serve as defaults for the next user. Similarly, you can define settings on the Register Person - New Entry dialog box. If you import or migrate users while in this mode, users inherit the settings you defined.
- Only settings you define as registration preferences remain from session to session. All other default settings return to Notes defaults each time you begin a new registration session.

Roaming users

Users who access Notes from more than one Notes client can access their customized settings and personal information automatically from any Notes client in the domain. Data for these users, known as roaming users, replicates between the user's machine and a roaming user server, where these files are stored. When a roaming user logs on from a different Notes client, it automatically retrieves the user's ID file, Personal Address Book, bookmarks, and journal from the roaming user server. Any changes the user makes in these files replicate to the roaming user server. This enables the roaming user to have a consistent experience from any Notes client.

Default Notes user registration settings

This table lists all the default user registration settings that Notes provides. The values in this table appear only under these conditions:
- Previous values have not been set in Registration preferences
- Previous values have not been set in the Register Person dialog box
User registration fields that do not appear in this table do not have default values.

Field: Default

Registration Server
    Local server if it contains a Domino Directory. Otherwise, the server specified in the NewUserServer setting of the NOTES.INI file, or the Administration server.

Password Quality Scale
    8

Set Internet password
    Off

Internet address
    FirstnameLastname@Internet domain, for example, RobinRutherford@Acme.com.

Internet Domain
    Current TCP/IP host domain

Address name format
    Firstname Lastname

Mail server
    Local server if it contains a Domino Directory; otherwise, the Administration server

Mail file template
    Mail(R6)

Create file now
    On

Mail system
    Lotus Notes

Mail file name
    mail\<firstinitial><first7charactersoflastname>.nsf

Mail file owner access
    Editor with Delete documents rights

Create full text index
    Off

Set database quota
    Off

Set warning threshold
    Off

Create a Notes ID for this person
    On

Let this person roam
    Off

Certifier ID
    If you are not using the server-based certification authority (CA), Notes uses the certifier ID specified in Administration Preferences; or if there is none, it uses the ID specified in the CertifierIDFile setting of the NOTES.INI file.
    If you are working in a hosted environment and registering users to a hosted organization, be sure that you are working with a certifier that was created for that hosted organization.

Security type
    Either North American or International

Certificate expiration date
    Two years from current date

Location for storing user ID
    In Domino Directory

Local administrator
    None

Put roaming user files on mail server
    On

Personal roaming folder
    roaming\

Sub folder format
    FirstName LastName

Create roaming files now
    Selected

Clean-up action
    Do not clean up

Using Basic Notes user registration with the Domino Administrator


Perform Basic user registration to assign users basic settings, such as a
name and password, and to add users to existing groups. To make
registration fast and easy, Basic registration uses default values for all
other user settings. If you have selected the Advanced option, you are
using Advanced user registration, not Basic user registration.
For more information on Advanced user registration, see the topic
Using Advanced user registration in this chapter.
If you want to assign advanced or specific settings to a user, such as giving users alternate names or adding users to Windows NT groups, use Advanced user registration.
Note To modify user settings after you add the user to the User
Registration Queue, select the user from the queue and then make your
changes. To modify certain settings for multiple users at once, select the
names in the queue and then make changes.
Naming conventions
When adding users, user names can consist of multiple-byte characters,
uppercase and lowercase alpha characters (A - Z), numbers (0 - 9), and
the ampersand (&), dash (-), dot (.), space ( ) , and underscore (_).
Hosted Environments
If you are working in a hosted environment, when registering users,
ensure that you are using a certifier that was created for the hosted
organization into which you are registering the users. This applies
regardless of whether you are using a certifier and password or the
server-based CA.

To use Basic registration with the Domino Administrator


1. Make sure you have the following before you begin registration using the Domino Administrator:
- Access to the certifier ID and its password, if you are not using the Lotus Domino 6 server-based certification authority (CA) and are using the Domino Administrator.
- Access to the Domino Directory from the machine you work on.
- Editor access, or Author access with the Create documents privilege and the UserCreator role, in the Domino Directory on the registration server.
- Create new databases access on the mail server if you plan to create user mail files during registration.
- Access to the certification log (CERTLOG.NSF) on the registration server.
2. From the Domino Administrator click the People & Groups tab.
3. From the Servers pane, choose the server to work from.
4. Select Domino Directories, and then click People.
5. From the Tools pane, click People - Register. Enter the password for
the certifier that you are currently using.
Note While registering a user, you can specify whether you want to
register the user with the server-based CA, or with a certifier ID and
password. This selection is made on the ID Info panel in advanced
user registration.
6. Click the Registration Server and then select the server that registers all new users, or accept the default, and then click OK. If you have not defined a registration server in Administration Preferences, the server is one of these by default:
- The local server if it contains a Domino Directory
- The server specified in the NewUserServer setting of the NOTES.INI file
- The administration server
7. Enter a first name, middle name (if necessary), and last name. The
users Short name and Internet address are automatically generated.
To change the Short name or Internet address, click the appropriate
space and enter the new text.

8. Enter the password for the user ID. The criteria for this password are based on the level set in the Password Quality Scale in the Password Options dialog box. The default level is 8. The password you specify must meet the password quality that you select in Password Options.
For more information on the password quality scale, see the chapter Protecting and Managing Notes IDs.
9. (Optional) To assign a policy to this user, select one from the Explicit
policy list.
For more information on policies, see the chapter Using Policies.
10. (Optional) Click the Policy Synopsis button to see an overview of this
users effective policies.
11. (Optional) To enable roaming capability for this user, click the Let
this person roam check box.
12. Click the green check mark. The user name appears in the
Registration status view (the user registration queue). Or click the
red X to clear all fields and start over.
13. Click Register, and then click OK.

To add the user to a group during user registration


You can add a user to a group during user registration.
1. Click Advanced, and then click Groups.
2. Choose the group to which you are adding the user, and click Add.
3. Continue the registration process as usual.

Using Advanced Notes user registration with the Domino Administrator
Advanced registration offers all the settings included in Basic registration
and also allows you to change default settings and apply advanced
settings to users.
Note You can modify user settings at any time once you add the user to the User Registration Queue by selecting the user from the queue and then making changes. You can also modify certain settings for multiple users at once by selecting the users in the queue and making changes. You can cancel user registration and clear all fields at any time by clicking the red X.
Hosted Environments
If you are working in a hosted environment, when registering users,
ensure that you are using a certifier that was created for the hosted
organization into which you are registering the users. This applies
regardless of whether you are using a certifier and password or the
server-based CA.
To use Advanced registration with the Domino Administrator
1. Make sure you have the following access before you begin registration:
- Access to the certifier ID and its password, if you are not using the Lotus Domino 6 server-based certification authority (CA).
- Access to the Domino Directory from the machine you work on.
- Editor access, or Author access with the Create documents privilege and the UserCreator role, in the Domino Directory on the registration server.
- Create new databases access on the mail server if you plan to create user mail files during registration.
- Create explicit policies and settings documents if you plan to use policy-based system administration.
- Access to the certification log (CERTLOG.NSF) on the registration server.
2. From the Domino Administrator, click the People & Groups tab.
3. From the Servers pane, choose the server to work from.
4. Select Domino Directories, and then select People.
5. From the Tools pane, click People - Register.
6. Enter the certifier password and click OK.
Note The Certifier Information Recovery Warning dialog box appears.
Review the information in the dialog box, select the check box and click OK.
7. Click Advanced.

8. From the Basic tab, complete these fields:

Field: Enter

Registration Server
    Click Registration Server to change the registration server (the server that initially stores the Person document until the Domino Directory replicates), select the server that registers all new users, and then click OK. If you have not defined a registration server in Administration Preferences, this server is by default one of these:
    - The local server if it contains a Domino Directory
    - The server specified in the NewUserServer setting of the NOTES.INI file
    - The administration server

First name, Middle name, Last name
    The user's first and last names and (if necessary) middle name. The user's Short name and Internet address are automatically generated. To change the Short name or Internet address, click the appropriate space and enter the new text.

Short name
    A short name in the format FirstInitialLastName is automatically created as you enter the user's name. For example, JSmith is the short name for John Smith. You can modify this field.

Password
    A password for the user ID.

Password options
    Click Password options to set a level for the password in the Password Quality Scale. The default level is 8. For more information, see Understanding the password quality scale.
    Click the check box Set Internet password to give Internet users name-and-password access to a Domino server and to set an Internet password in the Person document. This field is automatically selected if you select the Other Internet, POP, iNotes, or IMAP mail types.
    Click Synch Internet password with Notes ID password to make the Internet password in the Person document the same as the Notes password. This is a requirement for users who want to use iNotes Web Access to read encrypted mail or work offline.

Mail system
    Click to change the user's mail system from the default of Lotus Notes to an Internet-based system or iNotes Web Access.

Explicit policy
    Select the explicit policy to apply to this user. For more information on policies, see Policies.

Policy synopsis
    Click to see a summary of this user's effective policies.

Let this person roam
    Click to enable roaming capabilities for this user. Doing so enables the Roaming tab.

Create a Notes ID for this person
    Click to create a Notes ID for this person during the registration process.

9. Click the Mail tab and complete any of these fields. Domino uses default values (if available) for any fields you do not modify.

Field: Enter

Mail system
    Choose one of the available mail types and complete the necessary associated fields:
    - Lotus Notes (default)
    - Other Internet
    - POP
    - IMAP
    - iNotes
    - Other
    - None
    If you select Lotus Notes, POP, or IMAP, the Internet address is automatically generated.
    If you select Other Internet, POP, or IMAP, the Internet password is set by default.
    If you select iNotes (iNotes Web Access), you can change other user registration selections to iNotes Web Access defaults by clicking Yes when prompted.
    If you select Other or Other Internet, enter a forwarding address. This address is the user's current address, where the user wants mail to be sent. For example, if a user temporarily works at a different location and/or uses a different mail system, the user can have her mail forwarded to that new address. Or, a user may resign from the company but leave a forwarding address so that mail addressed to the old address is forwarded to the new location.

Mail server
    The user's mail server. If you have not defined a mail server in Administration Preferences, this server is (by default) the local server if it contains a Domino Directory; otherwise, it is the Administration server.

Mail file name
    The file name of the mail file. By default, the path and file name are mail\<firstinitial><first7charactersoflastname>.nsf.

Create file now/Create file in background
    Choose one:
    - Create file now (default).
    - Create file in background. Creating mail files in the background forces the Administration Process to create the files and saves time during the user registration process.
    When you migrate users who have mail to convert, this field is automatically set to Create file now.

Mail file template
    A mail template from the list of available mail templates. For a description of the template, select the template and click About. The default is Mail(R6) (MAIL6.NTF).

Create full text index
    Click to generate a full-text index of the mail database.

Mail file replicas
    Click to open the Mail Replica Creation Options dialog box, on which you can select the servers to which the mail file will replicate. This option only applies to clustered servers.

Mail file owner access
    Select the level of access in the access control list to assign to the user of the mail database from the Mail file owner access list. By default, mail users have Editor with Delete documents access to their own mail files; all other users have no access. This option can be used to prevent mail users and/or owners from deleting their own mail file. If the mail owner access is Designer or Editor, the administrator ID currently being used is added to the mail file ACL as Manager.

Set database quota
    Click to enable, and then specify a size limit (maximum of 10GB) for a user's mail database.

Set warning threshold
    Click to generate a warning when the user's mail database reaches a certain size, and then enter the warning size (maximum of 10GB).

10. Click the Address tab, and enter values in any of these fields. Domino uses default values (if available) for any fields you do not modify.

Field: Enter

Internet address
    The Internet e-mail address assigned to this user.

Internet Domain
    The domain to be used in the Internet address, for example, Acme.com.

Address name format
    The format of the Internet address. The default format is FirstNameLastName@Internet domain without a separator, for example, RobinRutherford@Acme.com.

Separator
    The character inserted between names and initials in the Internet address. The default is None.

11. Click the ID Info tab, and enter values in any of these fields. Domino uses default values (if available) for any fields you do not modify.

Field: Enter

Create a Notes ID for this person
    Click to create a Notes ID for this user.

Certifier Name list
    Choose a certifier ID to use when creating the user name during user registration when a Notes user ID is not being created for the user. This field appears if the check box Create a Notes ID for this person is not selected.
    If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization.

Use CA process
    Click to use the Lotus Domino 6 server-based certification authority (CA) to register this user. The certifier ID and password are not needed to complete the user registration process if you use the Lotus Domino 6 CA. This field appears if the check box Create a Notes ID for this person is selected.
    If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization.

Certifier ID
    Click if you want to use a certifier ID and password instead of the server-based CA. To change to a different certifier ID, click Certifier ID, select the new ID, enter the password, and then click OK. This field appears if the check box Create a Notes ID for this person is selected.
    If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization.

Security type
    Choose either North American or International. The security type determines the type of ID file created and affects encryption when sending and receiving mail and encrypting data. North American is the stronger of the two types. This field appears if the check box Create a Notes ID for this person is selected.

Certification expiration date
    The expiration date of the user ID in mm-dd-yy format. The default is two years from the current date. This field appears if the check box Create a Notes ID for this person is selected.

Location for storing user ID
    Choose one:
    - In Domino Directory (default). The ID file is stored as an attachment to the user's Person document.
    - In file (default location: <datadirectory>\ids\people\user.id). Click Set ID file to change the path.
    - In mail file. This option is only available with iNotes Web Access and allows Notes users to read their encrypted mail while using iNotes Web Access.
    This field appears if the check box Create a Notes ID for this person is selected.

12. (Optional) To add the user to an existing group:
- Click the Groups tab with the user highlighted (you can highlight multiple users also).
- Select the group or groups to assign and click Add.
For more information on adding users to groups, see the chapter Setting Up and Managing Groups.

13. (Optional) If you have enabled roaming capabilities for the user, click the Roaming tab, and complete any of these fields. The fields do not appear unless you selected both Let this person roam and Create a Notes ID for this person on the Basic tab. Domino uses default values (if available) for fields you do not modify.

Field: Enter

Put roaming user files on mail server
    Click to store the user's roaming information on the same server used for mail.

Roaming Server
    Click Roaming Server to open the Choose Roaming User Files Server dialog box, on which you specify the server that stores the user's roaming information. If you select Put roaming user files on mail server, the Roaming Server defaults to the user's mail server.

Personal roaming folder
    The subdirectory that contains the user's roaming information. By default, this is based on the sub-folder format you specify, but you can customize it.

Sub-folder format
    The method used to name roaming subdirectories on the roaming server. This determines the default Personal roaming folder for each user.

Create roaming files now/Create roaming files in background
    Choose one of these:
    - Create roaming files now (default).
    - Create roaming files in background. Click to create the user's roaming files the next time the Administration Process runs. Creating roaming files in the background forces the Administration Process to create the files and saves time during the user registration process.

Clean-up option
    Choose one of the following roaming user client clean-up options. Clean-up occurs only on clients that have been installed and configured for multiple users.
    - Do not clean-up (default). Roaming user data will never be deleted from the Notes client workstation to which the user roamed.
    - Clean-up periodically. Enables the Clean up every N days field, on which you specify the number of days that should pass before roaming user data is deleted from the Notes client workstation.
    - Clean-up at Notes shutdown. Roaming user data will be deleted from the Notes client workstation immediately upon Notes shutdown.
    - Prompt user. The user is prompted on exiting the client as to whether they want to clean up their personal files. If the user chooses Yes, the data directory on that client workstation is deleted. If the user chooses No, the user is prompted as to whether they want to be asked again on that client. If the user chooses No, the user is not prompted again. If the user chooses Yes, the user is prompted again the next time the user exits the client on that workstation.

Roaming Replicas
    Click this button to open the Roaming Files Replica Creation Options dialog box, on which you can designate the servers to which a user's roaming files should replicate. This option only applies to clustered servers.

14. Click the Other tab, and complete any of these fields. Domino uses default values (if available) for fields you do not modify.

Field: Enter

Setup profile
    Name of an R5 User Setup Profile to assign.
    Note If you are using policies, you cannot use a user setup profile.

Unique org unit
    A word that distinguishes two users who have the same name and are certified by the same certifier ID.

Location
    Departmental or geographical location of the user.

Local administrator
    The name of a user who has Author access to the Domino Directory but who does not have the UserModifier role. This setting allows the local administrator to edit this user's Person document.

Comment
    A comment about the user, regarding the user's registration.

Alternate name language
    Choice of alternate name language. The certifier ID used to register this user must contain the alternate name language for it to appear here.

Alternate name
    The alternate name of the user. The certifier ID used to register this user must contain the alternate name language for it to appear here.

Alternate org unit
    A word that distinguishes two users who have the same alternate name and are certified by the same certifier ID. The certifier ID used to register this user must contain the alternate name language.

Preferred language
    The language that the user prefers to use.

Windows User Options
    Click to set user options for Windows NT or Windows 2000. Opens the Add Person to Windows NT/2000 dialog box, on which you can specify whether to add the user to Windows NT and/or the Windows 2000 Active Directory. Enter the Windows account name for the user, and select the name of the Windows NT or Windows 2000 group to which you are adding the user.

15. Click the green check mark. The user name appears in the
Registration status view (the user registration queue).
16. Click Register and then click Done.
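The values that registration generates automatically (the FirstInitialLastName short name, the Internet address built from the address name format and separator, and the default mail file name), together with the naming conventions and the non-ASCII conversion rule stated earlier in this chapter, as an added Python example. This code is not part of this documentation or of Domino; the address name formats other than the default FirstNameLastName, the lowercasing of the mail file name, and the removal of spaces from the local part of the address are assumptions made for the example.

```python
import unicodedata

# Characters allowed in a Notes user name per the naming conventions above:
# A-Z, a-z, 0-9, ampersand, dash, dot, space, underscore, and any multi-byte
# (non-ASCII) character.
ASCII_PUNCTUATION = set("&-. _")


def name_is_valid(name: str) -> bool:
    """Return True if every character of `name` is permitted by the naming conventions."""
    if not name:
        return False
    for ch in name:
        if ord(ch) > 127:                 # multi-byte characters are permitted
            continue
        if ch.isascii() and ch.isalnum():
            continue
        if ch in ASCII_PUNCTUATION:
            continue
        return False
    return True


def to_ascii(text: str):
    """Best-effort conversion of a name to ASCII by dropping accents.

    Returns None when a character has no ASCII equivalent; that is the case
    in which Domino generates no Internet address and you must set one by hand.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    try:
        base.encode("ascii")
    except UnicodeEncodeError:
        return None
    return base


# Address name formats: only FirstNameLastName is the documented default; the
# other two are assumed for illustration.
NAME_FORMATS = {
    "FirstNameLastName": lambda first, last: [first, last],
    "LastNameFirstName": lambda first, last: [last, first],
    "FirstInitialLastName": lambda first, last: [first[:1], last],
}


def internet_address(first, last, domain, name_format="FirstNameLastName", separator=""):
    """Build the Internet address, or return None if the name cannot be converted to ASCII."""
    parts = [p for p in NAME_FORMATS[name_format](first, last) if p]
    local_part = to_ascii(separator.join(parts))
    if local_part is None:
        return None
    # Spaces are legal in Notes names but not in an address (assumption).
    return f"{local_part.replace(' ', '')}@{domain}"


def short_name(first, last):
    """FirstInitialLastName, e.g. JSmith for John Smith."""
    return f"{first[:1]}{last.replace(' ', '')}"


def mail_file_name(first, last):
    """mail\\<firstinitial><first7charactersoflastname>.nsf; lowercasing is an assumption."""
    return "mail\\" + (first[:1] + last.replace(" ", "")[:7]).lower() + ".nsf"


def registration_defaults(first, last, domain, **address_options):
    """Collect the auto-generated values for one user after validating the name."""
    full_name = f"{first} {last}".strip()
    if not name_is_valid(full_name):
        raise ValueError(f"name contains characters outside the naming conventions: {full_name!r}")
    return {
        "short_name": short_name(first, last),
        "internet_address": internet_address(first, last, domain, **address_options),
        "mail_file_name": mail_file_name(first, last),
    }
```

A name such as Müller converts to Muller and gets an address; a name containing a letter with no decomposition (Ł, ß) yields no address, which is the case the note at the start of this chapter tells you to handle manually.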

Registering users from a text file

When registering users from a text file, you import them through the Import Text File button on the Register Person dialog box, which places the users as entries in the User Registration Queue and lets you modify user settings individually.
If you want Notes not to prompt you to browse for the text file, add the setting BatchRegFile=filename to the NOTES.INI file.
You can also define a separator for the text file by adding BatchRegSeparator=character to the NOTES.INI file. The separator character cannot be a character used in any of the user parameter settings in the text file. If you do not specify a BatchRegSeparator, a semicolon (;) is used.
For more information on these NOTES.INI settings, see the appendix NOTES.INI File.

Settings applied to a group of users

These user settings are available for you to modify before using the menu (choose People - People - Register) to import and register users. Notes applies these settings to all users in the group:
- Registration Server
- Password Quality Scale
- Set Internet password
- Internet address
- Internet Domain
- Format
- Mail server
- Mail file template
- Mail system
- Mail file name
- Mail file owner access
- Set database quota
- Set warning threshold
- Certifier ID
- Security type
- Certificate expiration date
- Store user ID in Domino Directory or File
- Add users to selected groups
- Local administrator
- Add NT User Accounts

Setting up the text file

To set up a text file, create a line in the text file for each user. Enter the parameters for each user in exactly the order shown in the table below. Use one semicolon to separate parameters, and use one semicolon to take the place of each contiguous parameter that you decide not to specify.

For example, this line in a text file specifies only a last name and password:
Alexis;;;;password1

This line in a text file specifies a complete name, mail server, and user setup profile:
Alexis;Catherine;R.;;password1;;;Marketing/Acme;;;;;;Marketing Profile

Only the last name and password parameters are required in every case; the forwarding address and Internet address parameters are required for certain mail systems, as noted in the table.
Order / Parameter: Enter

1. Last name
    The last name of the user. This parameter is required.

2. First name
    The first name of the user.

3. Middle initial
    The middle initial of the user.

4. Organizational unit
    A name for another level to add to the hierarchical name. This name distinguishes between two users who have the same name and are certified by the same certifier.

5. Password
    A password for the user. This parameter is required.

6. ID file directory
    The directory in which you want to store the user's ID. You can store the ID in this directory in addition to or instead of as an attachment in the Domino Directory. You must create the directory before registration. For this parameter to take effect, select the In File option on the ID Info panel for storing the user ID. This parameter overrides the default ID directory shown in the Register Person - New Entry dialog box.

7. ID file name
    The name you want to assign to the ID file. This file name applies only if you store an ID in an ID file directory. If you do not specify a user ID file name, the name of the ID is based on the person's name.

8. Mail server name
    The name of the user's mail server. This parameter overrides the one you select during registration.

9. Mail file directory
    The mail file directory for the user.

10. Mail file name
    The name for the user's mail file. If you do not use this parameter, the name is based on the person's name if the person uses Notes mail.

11. Location
    Descriptive location information that is added to the user's Person document. If someone addresses mail to this user and there is another user with the same name, Notes displays the location to help the sender distinguish the two users.

12. Comment
    An identifying comment that is added to the user's Person document.

13. Forwarding address
    The full route to the user, for example, JSmith@acme.com. If you don't enter this information in the text file, you can edit the Forwarding address field in the user's Person document. This parameter is required for Other and Other Internet mail users.

14. Profile
    The name of the user setup profile.

15. Local administrator
    The name of a user who has Author access to the Domino Directory. This person can modify the user's Person document.

16. Internet address
    The Internet address of the user. This parameter is required for Lotus Notes, POP3, iNotes, and IMAP mail.

17. Short name
    This name is entered by default. A short name is used to create a return Internet address if the Internet address is not entered.

18. Alternate name
    The alternate name of the user. Note that the certifier ID used to register this user must contain the alternate name language.

19. Alternate org unit
    A word that distinguishes two users who have the same alternate name and are certified by the same certifier ID. Note that the certifier ID used to register this user must contain the alternate name language.

20. Mail template file
    The file name of the mail template you want to use.


To register users from a text file

If you are not using the server-based CA, Notes uses the certifier ID specified in Administration Preferences; or if there is none, it uses the ID specified in the CertifierIDFile setting of the NOTES.INI file.
1. Make sure that you have the following before you begin registration:
- Access to the certifier ID and its password, if you are not using the Lotus Domino 6 server-based certification authority (CA)
- Editor access, or Author access with the Create documents privilege and the UserCreator role, in the Domino Directory on the registration server
- Create new databases access on the mail server if you plan on creating mail files
2. Use a text editor to create a text file that contains ID information for
each user.
3. From the Domino Administrator, click the People & Groups tab.
4. From the Servers pane, choose the server to work from.
5. Select Domino Directories and then click People.
6. Complete Step 7 or Step 8, depending on how you want to import
and register users.
7. To register users and apply individual settings:
a. From the Tools pane, click People - Register. Enter the certifier
password and click OK. The Certifier Information Warning
dialog box may appear. Click OK.
b. Click Import Text File, select the text file, and click Open.
c. To modify user registration settings, select a user from the User
Registration Queue and make your changes on the Register
Person user interface.
d. Click Register to register the highlighted user or select multiple
users in the registration queue and click Register All. Click OK.
For more information on specifying registration settings, see the topic
Using Advanced Notes user registration earlier in this chapter.
8. To register users and apply settings to them as a group:
a. Set the registration Administration Preferences and create the
policies that you want to apply to a group of users.
b. From the Tools pane, click People - Register.

5-26 Administering the Domino System, Volume 1

c. Enter the certifier ID password and click OK.


d. Choose the Explicit Policy that you want to apply to the users
you are registering.
e. Click Import Text File, select the text file, and click Open.
f. Click Register or Register All.

For more information on the settings you can modify, see the topic
Using Advanced Notes user registration earlier in this chapter.

Registering users with the Web Administrator


Registering users with the Domino Web Administrator is almost identical
to registering users with the Domino Administrator. Before reviewing
this information and before attempting to register users via the Web
Administrator, you need to be familiar with using the Web
Administrator and with Notes user registration in general.
Note The Registration Preferences (from File - Preferences - Administration Preferences) that can be set for user registration with the Domino Administrator do not apply to user registration with the Web Administrator. During user registration on the Web, only registration settings set through policies or through the server-based CA apply. Other settings are entered manually or are defaults.
For more information on using the Web Administrator, see the chapter
Setting Up and Using Domino Administration Tools.
Web registration and the server-based certification authority
Web registration for Notes users requires the use of the Domino
server-based certification authority (CA). You need to understand what
the Domino CA is, as well as how to set it up and use it.
To register users with the Web Administrator, the Web administrator
must be listed as an RA for that certifier. The server that is running the
Web Administrator should also be listed as an RA but that role is not
required for the server. It is required for the administrator. If the server is
not listed as an RA, the administrator that is an RA will need to open the
Administration Requests database and approve the administration
request to register the user. You must assign the RA role in the Domino
Administrator client, not in the Web Administrator. To assign the RA
role, use the Modify Certifier tool on the Configuration panel.
For more information on the server-based certification authority, see the
chapter Setting Up a Domino Server-Based Certification Authority.
For more information on setting Administrator Preferences and Registration Preferences, see the chapter "Setting Up and Using Domino Administration Tools."

Web registration and policies


Web user registration, like user registration done from the Domino Administrator, can be simplified by assigning policies during the registration process. Create the policies and related policy settings documents prior to initiating Web user registration. Before registering users, familiarize yourself with policies in Lotus Domino 6 as well as with using policies with the Web Administrator.
The use of policies for user registration with the Domino Web Administrator is optional.
For more information on policies, see the chapter "Using Policies."
For more information on using policies with the Web Administrator, see the chapter "Setting Up and Using Domino Administration Tools."

To register users with the Web Administrator


Follow the instructions to register a user, with basic or advanced
registration, in these procedures:

Using Basic user registration with the Web Administrator

Using Advanced user registration with the Web Administrator

Using Basic user registration with the Web Administrator


Perform Basic user registration from the Web Administrator to assign
users basic settings, such as a name and password, and to add users to
existing groups from a Web browser instead of from the Domino
Administrator.
When using the Web Administrator client, you need to have set up a server-based certification authority (CA) to register Notes users. The Web administrator must be listed as a registration authority (RA) for that certifier; the server on which the Web Administrator database resides should also be listed as an RA, otherwise an administrator who is an RA has to approve each registration request in the Administration Requests database. You must assign the RA role in the Domino Administrator client, not in the Web Administrator. To assign the RA role, use the Modify Certifier tool on the Configuration panel.
For more information on the server-based CA and the RA, see the chapter "Setting Up a Domino Server-Based Certification Authority."
Note The Registration Preferences (from File - Preferences - Administration Preferences) that can be set in user registration with the Domino Administrator do not apply to user registration with the Web Administrator. During user registration on the Web, only registration settings set through policies or through the server-based CA apply. Other settings are entered manually or are defaults.


To use Basic user registration with the Web Administrator

1. Make sure you have the following before you begin registration:
   • The [UserCreator] role in the Domino Directory.
   • The registration authority (RA) designation for whatever CA (certificate authority) is selected for user registration. The Domino Web Administrator requires the use of the server-based CA.
2. From the Web Administrator, click the People & Groups tab.
3. From the Servers pane, select Domino Directories, and then click People.
4. From the Tools pane, click People - Register.
5. Choose a CA Certifier.
6. (Optional) Choose an Explicit policy.
7. (Optional) If you would like the selections for CA Certifier and Explicit policy to be set as the default, click the check box Save as default.
8. Click OK, and then complete these fields:

First name, Middle name, Last name
    Enter a first name, middle name (if necessary), and last name.

Short name
    The user's Short name is automatically generated. To change the Short name, enter the new text.

Password
    Enter the password for the user ID. The criteria for this password are based on the level set in the Password Quality Scale in the Password Options dialog box.

Password quality
    Choose a password quality. The default level is 8. The password you specify must correspond to the password quality that you select in Password Options.

Mail System
    Choose one of the available mail types and complete the necessary associated fields:
    • Lotus Notes (default)
    • Other Internet - choosing this option automatically selects the Set Internet password check box.
    • POP - choosing this option automatically selects the Set Internet password check box.
    • IMAP - choosing this option automatically selects the Set Internet password check box.
    • iNotes - you are prompted to make other registration selections for iNotes.
    • Other
    If you select Lotus Notes, POP, or IMAP, the Internet address is automatically generated. If you select Other Internet, POP, or IMAP, the Internet password is set by default. If you select iNotes (iNotes Web Access), you can change other user registration selections to iNotes Web Access defaults by clicking Yes when prompted.
    If you select Other or Other Internet, enter a forwarding address. This address is the user's current address, where the user wants mail to be sent. For example, if a user temporarily works at a different location and/or uses a different mail system, the user can have her mail forwarded to that new address. Or, a user may resign from the company but leave a forwarding address so that mail addressed to the old address is forwarded to the new location.

Set Internet password
    Click to set an Internet password.

Synch Internet password with Notes ID
    Click to synchronize the Internet password with the Notes ID password. Because the two passwords then have the same value, protect the Internet password as carefully as the Notes ID password, for example by requiring SSL for browser sessions.

Create a Notes ID for this person
    Click to create a Notes ID.

Explicit policy
    (Optional) To assign a policy to this user, select one from the Explicit policy list.

For more information on the password quality scale, see the chapter "Protecting and Managing Notes IDs."

9. Click the green check mark. The user name appears in the Registration status view (the user registration queue). Or, click the red X to clear all fields and start over.
10. Click Register, and then click OK.

Using Advanced user registration with the Web Administrator

Advanced user registration from the Web Administrator offers all of the registration settings that are included in Basic user registration from the Web Administrator, and also allows you to change default settings and apply advanced settings to users.
When using the Web Administrator client, you need to have set up a server-based certification authority (CA) to register Notes users. The Web administrator must be listed as a registration authority (RA) for that certifier; the server on which the Web Administrator database resides should also be listed as an RA, otherwise an administrator who is an RA has to approve each registration request in the Administration Requests database. You must assign the RA role in the Domino Administrator client, not in the Web Administrator. To assign the RA role, use the Modify Certifier tool on the Configuration panel.
Note The Registration Preferences (from File - Preferences - Administration Preferences) that can be set in user registration with the Domino Administrator do not apply to user registration with the Web Administrator. During user registration on the Web, only registration settings set through policies or through the server-based CA apply. Other settings are entered manually or are defaults.

To use Advanced user registration with the Web Administrator

1. Make sure you have the following before you begin registration:
   • The [UserCreator] role in the Domino Directory.
   • The registration authority (RA) designation for whatever CA (certificate authority) is selected for user registration. The Domino Web Administrator requires the use of the server-based CA.
2. From the Web Administrator, click the People & Groups tab.
3. From the Servers pane, select Domino Directories, and then click People.
4. From the Tools pane, click People - Register.
5. Choose a CA-configured certifier.
6. (Optional) Choose an Explicit policy.
7. (Optional) If you would like the selections for CA Certifier and Explicit policy to be set as the default, click the check box Save as default.
8. Click OK, and then complete these fields:
First name, Middle name, Last name
    Enter a first name, middle name (if necessary), and last name.

Short name
    The user's Short name is automatically generated. To change the Short name, enter the new text.

Password
    Enter the password for the user ID. The criteria for this password are based on the level set in the Password Quality Scale in the Password Options dialog box.

Password quality
    Choose a password quality. The default level is 8. The password you specify must correspond to the password quality that you select in Password Options.

Mail System
    Choose one of the available mail types and complete the necessary associated fields:
    • Lotus Notes (default)
    • Other Internet - choosing this option automatically selects the Set Internet password check box.
    • POP - choosing this option automatically selects the Set Internet password check box.
    • IMAP - choosing this option automatically selects the Set Internet password check box.
    • iNotes - you are prompted to make other registration selections for iNotes.
    • Other
    If you select Lotus Notes, POP, or IMAP, the Internet address is automatically generated. If you select Other Internet, POP, or IMAP, the Internet password is set by default. If you select iNotes (iNotes Web Access), you can change other user registration selections to iNotes Web Access defaults by clicking Yes when prompted.
    If you select Other or Other Internet, enter a forwarding address. This address is the user's current address, the address to which the user wants mail to be sent. For example, if a user temporarily works at a different location and/or uses a different mail system, the user can have her mail forwarded to that new address. Or, a user may resign from the company but leave a forwarding address so that mail addressed to the old address is forwarded to the new location.

Set Internet password
    Click to set an Internet password.

Synch Internet password with Notes ID
    Click to synchronize the Internet password with the Notes ID password.

Create a Notes ID for this person
    Click to create a Notes ID.

Explicit policy
    (Optional) To assign a policy to this user, select one from the Explicit policy list.

For more information on the password quality scale, see the chapter "Protecting and Managing Notes IDs."
9. Click the Advanced check box to enable advanced settings.
10. Click the Mail tab and complete any of these fields.

Mail System
    Choose one of the available mail types and complete the necessary associated fields:
    • Lotus Notes (default)
    • POP
    • IMAP
    • iNotes
    • Other Internet
    • Other
    • None
    If you select Lotus Notes, POP, or IMAP, the Internet address is automatically generated. If you select Other Internet, POP, or IMAP, the Internet password is set by default. If you select iNotes (iNotes Web Access), you can change other user registration selections to iNotes Web Access defaults by clicking Yes when prompted.
    If you select Other or Other Internet, enter a forwarding address. This address is the user's current address, the address to which the user wants mail to be sent. For example, if a user temporarily works at a different location and/or uses a different mail system, the user can have her mail forwarded to that new address. Or, a user may resign from the company but leave a forwarding address so that mail addressed to the old address is forwarded to the new location.

Mail Server
    Choose a server to be assigned as the user's mail server.

Mail file name
    The file name of the mail file. By default, the path and the file name are mail\<first initial><first 7 characters of last name>.nsf.

Mail template
    Choose a mail template from the list of available mail templates. For a description of the template, select the template and click About. The default is Mail (R6) (MAIL6.NTF).

Create full text index
    Click to generate a full-text index of the mail database.

Mail file owner access
    Select the level of access in the access control list to assign to the user of the mail database from the Mail file owner access list. By default, mail users have Editor with Delete documents access to their own mail files; all other users have no access. This option can be used to prevent mail users and/or owners from deleting their own mail file. If the mail owner access is Designer or Editor, the administrator ID currently being used is added to the mail file ACL as Manager.

Set database quota
    Click to enable, and then specify a size limit (maximum 10GB) for a user's mail database.

Set warning threshold
    Click to generate a warning when the user's mail database reaches a certain size, and then enter the warning size (maximum of 10GB).

11. Click the Address tab, and enter values in any of these fields.

Internet address
    The Internet e-mail address assigned to this user.

Internet Domain
    The domain to be used in the Internet address, for example, Acme.com.

Address name format
    The format of the Internet address. The default format is FirstNameLastName@Internet domain without a separator, for example, RobinRutherford@Acme.com.

Separator
    The character inserted between names and initials in the Internet address. The default is None.


12. Click the ID Info tab, and enter values in any of these fields.

Create a Notes ID for this person
    Click to create a Notes ID for this user.

Certifier name list
    Choose a certifier from the list if you are not creating a Notes ID for this user. This field is visible only if you do not select the check box Create a Notes ID for this person.

CA-configured certifier
    Choose a CA-configured certifier to use to register the user. This field is visible only if you select the check box Create a Notes ID for this person.

Certificate expiration
    Choose one:
    • Months - Enter the number of months during which the certificate is valid.
    • Date - Specify the date on which the certificate expires.
    The default is two years from the current date. This field is visible only if you select the check box Create a Notes ID for this person.

Security type
    Choose either North American or International. The security type determines the type of ID file created and affects encryption when sending and receiving mail and encrypting data. North American is the stronger of the two types. This field is visible only if you select the check box Create a Notes ID for this person.

Location for storing user ID
    Non-modifiable field that displays the location in which the user's ID will be stored. This field is visible only if you select the check box Create a Notes ID for this person.
13. (Optional) Click the Groups tab, and complete these options as
desired:
Enter a group name, or click Search to locate the group name, to
which you want to add this user as a member.
Select the group or groups to which you want to add the user and
click Add.
For more information on adding users to groups, see the chapter
Setting Up and Managing Groups.


14. Click the Replica tab and enter values in any of these fields.

Create replica(s) of mail database
    Click this check box to create replicas of the mail files on additional servers that you specify.

Select options for creation of mail database replicas
    Use these options as necessary:
    • Add - Click to open the Server for Mail File Replica Creation dialog box. Use this dialog box to choose the server(s) on which to create mail file replicas.
    • Remove - Choose one or more servers to remove from the list of servers on which to create mail file replicas, and then click Remove.
    • Remove All - Click to remove all servers from this list.
    These options are available only if the check box Create replicas of mail database is selected.

15. Click the Roaming tab and enter values in any of these fields.

Roaming user
    Click to activate the roaming user registration options and register this user as a roaming user.

Put on mail server / Choose a server
    Choose one of these:
    • Put on mail server - Click to place the user's roaming files on the user's mail server.
    • Server name - Click to store the user's roaming files on the Current Server, or select another server of your choice.

Personal roaming folder
    The subdirectory that contains the user's roaming information. By default, this is based on the sub-folder format you specify, but you can customize it.

Sub-folder format
    The method used to name roaming subdirectories on the roaming server. This determines the default Personal roaming folder for each user.

Clean-up options
    Choose one of the following roaming user client clean-up options. Clean-up occurs only on clients that have been installed and configured for multiple users.
    • Do not clean-up (default) - Roaming user data is not deleted from the Notes client workstation to which the user roamed. With this default, the user's roaming data stays on every shared workstation the user has used, so on shared workstations choose one of the clean-up options instead.
    • Clean-up every - Enables the Clean up every N days field, in which you specify the number of days that should pass before roaming user data is deleted from the Notes client workstation.
    • Clean-up at Notes shutdown - Roaming user data is deleted from the Notes client workstation immediately upon Notes shutdown.
    • Prompt user - The user is prompted on exiting the client as to whether they want to clean up their personal files. If the user chooses Yes, the data directory on that client workstation is deleted. If the user chooses No, the user is prompted as to whether they want to be asked again on that client. If the user chooses No, the user is not prompted again. If the user chooses Yes, the user is prompted again the next time the user exits the client on that workstation.

16. Click Register and Done.
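The defaults described above generate both the Internet address (FirstName, optional separator, LastName, then the Internet domain) and the mail file name (mail\<first initial><first 7 characters of last name>.nsf) from the user's name, so when many users are registered in one batch two of them can silently end up with the same address or the same mail file. The following Python script is an added example, not part of this documentation or of Domino itself: it computes both defaults for a list of users and reports collisions before the list is fed to People - Register. It assumes that the mail file name is lower-cased and that whitespace inside a name part is dropped (neither is stated on the page); the sample users and the function names are the example's own.

```python
"""
Added example, not part of the Domino documentation: compute the naming
defaults described on the Address and Mail tabs for a batch of users and
report collisions before the batch is registered.

Defaults taken from the page:
  Internet address  <FirstName><separator><LastName>@<Internet domain>,
                    separator None ("") by default, e.g. RobinRutherford@Acme.com
  Mail file name    mail\\<first initial><first 7 characters of last name>.nsf
Assumptions not stated on the page: the mail file name is lower-cased, and
whitespace inside a name part is dropped. The sample users are constructed.
"""
import re
from collections import defaultdict

# Conservative character set for a local part; anything else (apostrophes,
# accented letters, ...) is flagged for manual review rather than rejected.
SAFE_LOCAL_PART = re.compile(r"^[A-Za-z0-9._-]+$")


def _squash(name_part):
    """Drop internal whitespace ("Mary Ann" -> "MaryAnn"); an assumption, see above."""
    return "".join(name_part.split())


def internet_address(first, last, domain, separator=""):
    """Address name format: FirstName + separator + LastName, then @ domain."""
    return f"{_squash(first)}{separator}{_squash(last)}@{domain}"


def default_mail_file(first, last):
    """mail\\<first initial><first 7 characters of last name>.nsf, lower-cased."""
    stem = f"{_squash(first)[:1]}{_squash(last)[:7]}".lower()
    return f"mail\\{stem}.nsf"


def check_registrations(users, domain, separator=""):
    """
    users: iterable of (first, last) pairs.
    Returns a dict with:
      address_collisions   {address: [names]} for addresses shared by >1 user
      mailfile_collisions  {mail file: [names]} for mail files shared by >1 user
      review               [(name, address)] whose local part needs manual attention
    Keys are lower-cased: Domino name lookup and the Windows file system are
    both case-insensitive, so "PatLee" and "patlee" are the same thing.
    """
    by_address = defaultdict(list)
    by_mailfile = defaultdict(list)
    review = []
    for first, last in users:
        name = f"{first} {last}"
        address = internet_address(first, last, domain, separator)
        by_address[address.lower()].append(name)
        by_mailfile[default_mail_file(first, last)].append(name)
        if not SAFE_LOCAL_PART.match(address.split("@", 1)[0]):
            review.append((name, address))
    return {
        "address_collisions": {k: v for k, v in by_address.items() if len(v) > 1},
        "mailfile_collisions": {k: v for k, v in by_mailfile.items() if len(v) > 1},
        "review": review,
    }


# Constructed sample: two last names share their first seven characters, one
# user appears twice with different capitalisation, one name has an apostrophe.
SAMPLE_USERS = [
    ("Robin", "Rutherford"),
    ("Rhonda", "Rutherfield"),
    ("Pat", "Lee"),
    ("pat", "Lee"),
    ("Kerry", "O'Brien"),
]

if __name__ == "__main__":
    report = check_registrations(SAMPLE_USERS, "Acme.com")
    for kind, findings in report.items():
        print(f"{kind}:")
        items = findings.items() if isinstance(findings, dict) else findings
        for item in items:
            print("   ", item)
```

Run it over the real user list before registration; any entry in mailfile_collisions needs an explicit Mail file name (or a separator and a different Address name format) set in the queue for one of the users, because the seven-character truncation of the last name is what produces the duplicate.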

Registering non-Notes, Internet users


Use the Domino Administrator to create non-Notes, Internet-only users. Internet-only users do not have Notes IDs or certified public keys.
The procedure for creating a non-Notes, Internet-only user requires the use of the User Registration interface as well as several of the security features, such as the Certificate Requests database and the Domino server-based CA.
During this procedure, the user must open the Certificate Requests database to accept the certificate authority in their browser and request a client certificate. The user must be logged on to the workstation and browser that needs to establish the trust with the CA. After the request has been approved and processed, the user picks up the certificate, using the same browser on the same workstation used to make the request. The user then needs to export the certificate. The final step is importing the Internet certificate into the user's Person document.
Before completing this procedure, read the chapter "SSL and S/MIME for Clients."

To set up an Internet user

1. From the Domino Administrator, click the People & Groups tab.
2. Select Domino Directories, and then click People.
3. From the Tools pane, click People - Register.
4. Complete the fields in the User Registration user interface, following the instructions in the topic "Using Advanced Notes user registration with the Domino Administrator," with these exceptions:
   • On the Basics tab, in the Mail System field, do not select Lotus Notes as the mail system. Choose an Internet-based mail system instead.
   • On the Basics tab, do not select the check box Create a Notes ID for this person.
   • (Optional) On the Address panel, for users with a mail system of Other Internet, enter a forwarding address. The forwarding address is the Internet address to which this user would like their e-mail forwarded in the event they leave the company.
   • On the ID Info panel, ensure that you do not select the check box Create a Notes ID for this person.
   • The Roaming panel does not apply to Web-only users because roaming users are required to have Notes IDs, and Internet-only users do not have Notes IDs.
5. When registration is complete, add an Internet certificate to the user's Person document by completing the procedures in the topic "To obtain an Internet certificate for an Internet client."

Adding an alternate language and name to a user ID


The alternate naming feature allows you to assign two names to a user: a primary name and an alternate name. The primary name is internationally recognizable; the alternate name is recognizable in the user's own native language. Before you can add an alternate name to a user, add an alternate language and name to the certifier ID by recertifying the certifier ID. You cannot add alternate names to servers.
Alternate names are helpful because they let users use their native language and character set for display and name lookup purposes. For example, a user can type in a name in a native language and character set when sending mail, or choose to display all documents in a database in a native language and character set.
Each alternate name is associated with a language specifier that identifies the native language of the name. Typically, the alternate name is specified in a character set consistent with the specified language, whereas the primary name is specified in an internationally recognizable character set. Both types of names provide the same security within the Domino system. For example, you can use alternate or primary names in an ACL or a group, and when you audit an ACL, remember that an entry under either name grants the user that access.

A user ID may contain only one alternate name. The language specifier associated with the alternate name must correspond to a language specifier in the parent certifier ID. When you assign an alternate name to a user, the alternate name and language specifiers are added to the user ID, to the Notes certificates issued to the user, and to the user's Person document.

To add an alternate name to a certifier ID

In this procedure, you assign an alternate name and its associated language to the organization certifier ID and its organizational unit (child) certifiers through the certification process. You first recertify the organization certifier, and then use the certifier to recertify its organizational unit certifiers.
You can add multiple alternate names to an organization certifier (as many alternate names as there are language specifiers recognized by Notes). An organizational unit certifier may also contain multiple alternate names, but each name must correspond to one of the language specifiers assigned to its parent certifier. The organizational unit certifier does not need to contain all the language specifiers that its parent contains. For example, /Acme may contain five language specifiers, while its child certifier Sales/Acme contains a subset of those.
1. Have the certifier ID to which you want to add the alternate name accessible, if you are not using the Lotus Domino 6 server-based certification authority (CA).
2. From the Domino Administrator, click the Configuration tab.
3. Choose Certification, and then click Certify.
4. If the server name that is shown is not the registration server, click Server, choose the server you want to use, and click OK.
5. Do one of these:
   • To use the server-based CA, click Use the CA process and select a CA-configured certifier from the list.
   • To use a certifier and password, click Supply certifier ID and password, click Certifier ID, select the certifier ID, and then click OK. Enter the password and click OK.
6. Select the ID you want to recertify, enter the password, and click OK. To add an alternate language and name to the organization (root) certifier, select the same ID that you chose in the previous step.
7. Click Add.
8. Choose the alternate language in the Language field. If you are recertifying an organizational unit certifier, the available languages include all languages associated with the organization (root) certifier ID.
9. (Optional) Enter a country code for the organization. This option is available only for organization certifier IDs.
10. Enter a name for the organization/organization unit in the Organization/OrgUnit field.
11. Click OK.
12. (Optional) To add another alternate language, click Add and repeat Steps 7 through 11.
13. Click Certify.

To add an alternate name to an existing user ID


Use the Lotus Domino 6 server-based certification authority (CA) or the certifier ID to recertify the user.
1. Make sure that the certifier contains an alternate name with the language specifier you want to use.
2. From the Domino Administrator, click the People & Groups tab.
3. From the Servers pane, choose the server to work from.
4. Click the Configuration tab.
5. Choose Tools - Certification - Certify.
6. If you are not using the Lotus Domino 6 server-based certification authority (CA), select the certifier ID that certified the user ID to which you are assigning an alternate name, and enter the password. Click OK.
7. Select the user ID to which you are assigning an alternate name and enter the password. Click OK.
8. Click Add. Select a language from the list, enter a new Common Name for that language, and click OK.
9. (Optional) Specify a new certificate expiration date and a new password quality.
10. Click Certify.
11. You are prompted as to whether you want to certify another ID; click Yes or No accordingly.

To add an alternate name while registering a new user

Before you add an alternate name to a new person, make sure you have a certifier that contains the alternate name and language specifier you want to use. You assign the name and language in the Other pane of the Register Person dialog box during advanced user registration.
For more information on advanced user registration, see the topic "Using Advanced Notes user registration" earlier in this chapter.

Setting up client installation for users

Depending on the size of your enterprise, you may need to provide an installation method for only a few users or for thousands of users. In addition, you may need to customize the installation process so that users install only the features they need. After you register users, decide how to deploy client installations for users. Users can install all three clients (the Notes client, Domino Administrator client, and Domino Designer), or they may install only one or two clients.
As an administrator, you can customize the installation process for your users so that they install the features that they need. The installation information in this section ranges from installing the Domino clients using the installation CD to creating transform files to customize the installation process.

Before you install Lotus Notes clients

Before you begin installing Lotus Notes clients, make sure that you or your users do the following:
• If the computer on which you are upgrading runs anti-virus software, close the application.
• If you are upgrading Lotus Notes on an Apple computer running OS X, turn off all options in the Application Sharing tab of the Shared System Preferences panel to avoid any errors.
• To successfully install, upgrade, and use Lotus Notes 6, users must be allowed both Write and Modify permissions to the Program directory, Data directory, and all associated subdirectories. Note that Write and Modify on the Program directory also lets those users replace the Notes executables and DLLs, so grant it only to the accounts that actually run the client on that computer.
• If you are upgrading Lotus Notes on a Windows NT, 2000, or XP computer, you must have administrator rights to the system. On a Windows NT 4.0 computer, log in as an administrator or set administrator-level privileges for All Users. This can be done from the command line.
• Windows NT, 2000, and XP users should log onto their computers with administrative rights to install Lotus Notes 6. For cases in which administrative rights are not available, enable the setting Always install with elevated privileges. This is the Windows Installer AlwaysInstallElevated policy: while it is in effect (set in both the per-machine and per-user policy keys), any user can install any MSI package with SYSTEM privileges, so enable it only for the duration of the rollout and disable it afterwards. Refer to the Release Notes for the most current information on permissions required when installing as a non-administrator.
• Options for installing the Lotus Notes client on Restricted or Standard/Power User computers are described in the Microsoft Windows 2000, Windows XP, and Windows Installer documentation.
• Review options for customizing the Notes client installation and setup.
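The setting recommended above for installing without administrator rights is the Windows Installer AlwaysInstallElevated policy, which Windows Installer honours only when the value is set to 1 in both the per-machine (HKLM) and per-user (HKCU) policy keys. The following Python script is an added example, not part of this documentation or of Domino itself: it audits whether that policy is currently in effect on a workstation, so that it can be confirmed off once the Notes rollout is done. The registry path and value name are the standard Windows Installer policy locations; the evaluation is kept separate from the registry read so that the logic can run and be tested on any platform, while read_policy_values() works only on Windows. The function names are the example's own.

```python
"""
Added example, not part of the Domino documentation: audit the Windows
Installer "Always install with elevated privileges" policy that the page
suggests for installing the Notes client without administrator rights.

Windows Installer reads the DWORD value AlwaysInstallElevated from
  HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer   (per-machine)
  HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer   (per-user)
and honours the policy only when BOTH are set to 1. While it is honoured,
any user can install any MSI package with SYSTEM privileges, which is why
the policy should be on only for the duration of a rollout.
evaluate() is pure so it can be tested anywhere; read_policy_values() needs
Windows. Function names are the example's own.
"""
import sys

POLICY_PATH = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"


def evaluate(hklm, hkcu):
    """
    hklm, hkcu: the DWORD read from each hive, or None if the value is absent.
    Returns (effective, message): effective is True only when both are 1.
    """
    machine_on = hklm == 1
    user_on = hkcu == 1
    if machine_on and user_on:
        return True, ("AlwaysInstallElevated is in effect in both hives: any user "
                      "can install any MSI package as SYSTEM. Disable it once the "
                      "Notes rollout is complete.")
    if machine_on or user_on:
        where = "HKLM" if machine_on else "HKCU"
        return False, (f"AlwaysInstallElevated is set only in {where}; Windows "
                       "Installer ignores it unless both hives are set to 1.")
    return False, "AlwaysInstallElevated is not set."


def read_policy_values():
    """Read the value from both hives; only works on Windows."""
    if sys.platform != "win32":
        raise OSError("reading the Windows registry requires Windows")
    import winreg  # standard library, Windows only

    def read(hive):
        try:
            with winreg.OpenKey(hive, POLICY_PATH) as key:
                value, _type = winreg.QueryValueEx(key, VALUE_NAME)
                return value
        except FileNotFoundError:  # key or value absent
            return None

    return read(winreg.HKEY_LOCAL_MACHINE), read(winreg.HKEY_CURRENT_USER)


def audit():
    """Read the live values and evaluate them; run this on the workstation itself."""
    return evaluate(*read_policy_values())


if __name__ == "__main__":
    try:
        effective, message = audit()
    except OSError as err:
        sys.exit(f"cannot audit: {err}")
    print(message)
    sys.exit(1 if effective else 0)
```

The non-zero exit status when the policy is in effect lets the script serve as a post-rollout check in a logon script or a scheduled job; a value set in only one hive is reported as not effective, but still worth cleaning up so that nobody completes it later.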

Installation methods
Domino offers several methods, or types, of installation that you can make available to the Notes users in your enterprise.

- Single-user client installation: This installation is usually done from the CD or from files placed on the network. For more information on installing the Domino Administrator client, see the chapter Setting Up and Using Domino Administration Tools.
- Multi-user installation: This option is available only for Notes client installation; it is not available for installing the Domino Administrator client or Domino Designer. For more information, see the topic Multi-user installations in this chapter.
- Shared installation: This option installs all program files to a file server, while the users' data files reside on their local workstations. For more information, see the topic Installing the Domino clients in a shared network directory in this chapter.
- Automated client installation (silent installation): This option can be used with or without a transform file, depending on whether you want to customize the silent installation.
- Customized installation: This option uses a transform file to customize the installation process.
- Batch file installation: This option enables users to install the clients by running a batch file that you create for them.
- Installation with command line utilities: This option allows users to install the clients using a command line that you provide for them.
- Scriptable setup: This option uses a setting in the NOTES.INI file to provide information to the client setup wizard.

5-42 Administering the Domino System, Volume 1

For information on multi-user installations, see Sharing a Computer with other users if you have installed Lotus Notes 6 Help, or go to http://www.lotus.com/LDD/doc to download or view Lotus Notes 6 Help.

Single-user client installation

To perform a basic single-user installation, you use the Lotus Domino 6 CD to install the Notes client, the Domino Administrator client, or the Domino Designer client directly onto the user's workstation.

1. Before you install the client program files on a Win32 system, do the following:
   - Make sure that the required hardware and software components are in place and working.
   - Read the Release Notes for disk-space requirements and for any last-minute changes or additions to the documentation.
   - Temporarily disable any screen savers and turn off any virus-detection software; turn the virus-detection software back on as soon as the installation completes.
   - Make sure that all other applications are closed. Otherwise, you may corrupt shared files, and the Install program may not run properly.
   - If you are upgrading to Domino from a previous release, see the Upgrade Guide.
2. Run the client install program (SETUP.EXE), which is on the installation CD.

Installing the Domino clients in a shared network directory

As an administrator, you can offer a shared network installation to your users. In a shared network installation, all program files are installed on a file server, and the users' data files reside on their local workstations. Multi-user installation is neither supported in a shared file configuration nor available for use on Macintosh computers.

During the installation of the network image, all program files for Lotus Notes, Domino Administrator, and Domino Designer are installed. To run Lotus Notes, Domino Administrator, and Domino Designer client installs from one set of program files on a file server, you create multiple transform files.

Note To perform a shared installation and run the transform file, end users must have the Windows Installer service on their workstations.

After you install the program files to a directory on a server, users can run a shared version of the software, thereby saving disk space. However, if the server is unavailable, users cannot run Notes. When users install Notes from this directory, only the data files (DESKTOP.DSK, BOOKMARK.NTF, and all local databases) are copied to their workstations. The program files remain on the server, where they are shared among all users. As users run Notes, the program files are read into memory on their workstations.

Give users who install Notes client software from the file server Read access to the directory containing the files, and no more: anyone with Write access to the shared image can alter the MSI, the transform, or the program files that every workstation subsequently loads and runs.

Upgrading shared installations
Do not attempt to upgrade over existing network image files. To upgrade an existing network image, delete all files in the existing network image and install the new network image files to the same location.

To set up the shared network installation

1. Before you begin this installation process, do the following:
   - Make sure that the required hardware and software components are in place and working.
   - Read the Release Notes for disk-space requirements and for any last-minute changes or additions to the documentation.
   - Temporarily disable any screen savers and turn off any virus-detection software; turn the virus-detection software back on as soon as the installation completes.
   - Make sure that all other applications are closed. Otherwise, you may corrupt shared files, and the Install program may not run properly.
2. Log on as administrator on the drive on which you are installing the program files.
3. From the command line, use this syntax to run setup and create the administrator image on the network:
   E:\path to install kit\setup /A
   In this example, drive E represents the drive on which the client installation files are located, which is usually the drive letter of the CD-ROM drive containing the Domino CD. The /A switch creates the administrator image on the network.
4. Enter the name of the directory that will store the installed files. By default, this directory is the first network drive accessible from your workstation. To specify a network drive and directory other than the default, click Change.
5. Click Install. Every client option is installed, and a directory structure that the operating system can use is created. Users can run the install program directly from this directory structure using the Lotus Notes 6.msi file created in the root of the directory structure.
6. Create a transform file for the installation of the end users' local data files.

For more information on creating a transform file, see the topic Creating a transform file in this chapter.

After successfully installing all client files to a shared directory on the network, you can instruct users to use the transform file to install the client on their own workstations.

Automating client installation

Automated client installation supports all three Domino clients and simplifies installation for end users because it presents very few or none of the installation windows; for this reason it is called a silent installation.

Before you begin this installation process, do the following:
- Make sure that the required hardware and software components are in place and working.
- Read the Release Notes for disk-space requirements and for any last-minute changes or additions to the documentation.
- Temporarily disable any screen savers and turn off any virus-detection software; turn the virus-detection software back on as soon as the installation completes.
- Make sure that all other applications are closed. Otherwise, you may corrupt shared files, and the Install program may not run properly.

To use silent installation

Use this format to run the install in silent mode:
    Setup.exe /s /v"/qn"

The /s switch runs SETUP.EXE silently; everything inside the quotes after /v is passed on to msiexec, and /qn suppresses the Windows Installer user interface. When the installation is complete, the shortcut icons appear on the desktop.

To display a prompt when the installation is complete or when it fails, add the + parameter to /qn:
    Setup.exe /s /v"/qn+"

Running a silent install gives users the default installation options. To customize the type of installation or to specify the options to install on the user's system, use a transform file with the silent install.

Providing an installation tool (method) for the users

Multi-user installations
Multi-user installation applies to Microsoft Windows (Win32) users only. Multi-user installation is supported only for Notes client installations; it is not supported for installing the Domino Administrator client or Domino Designer. Therefore, the multi-user option is available only in the Notes installation kit.

Use the multi-user installation if your enterprise has multiple users who share a single workstation. When a user logs on to the system and runs the Lotus Notes 6 client setup, that user's own personal data files (BOOKMARK.NSF, NAMES.NSF, and other files) are created.

The multi-user installation differs from a shared installation in that the program files are located on the local system, which can be an advantage: the Notes client is available regardless of which network drives are reachable. In a shared installation, users depend on the availability of shared network drives.

In a multi-user installation, install the Domino program files to a central location on the local system. Each user has their own data directory, located in the system's application data directory for the current user. The actual location varies according to operating system, for example:

Example 1: c:\Documents and Settings\user\Local Settings\Application Data\Lotus\Notes Data
Example 2: c:\winNT\Profiles\user\Local Settings\Application Data\Lotus\Notes Data
Example 3: c:\Bin\Win95\Profiles\user\Local Settings\Application Data\Lotus\Notes Data

Each user's individual data files are created when the user logs on to the workstation, launches the Lotus Notes 6 client, and completes the client setup. The multi-user option is visible only to users with administrative privileges on the local system; it is not enabled for other users.

Note Individual Location documents are no longer needed for each user of the Notes client on the same workstation. In previous releases, individual Location documents had to be created for each user when multiple users attempted to use the same Notes client installation on a workstation.

Providing a batch file for installing the Domino Notes clients

Create a batch file that installs the Domino clients to a user workstation. Users can then install the client by running the batch file.

Sample batch file
    msiexec /i "Lotus Notes 6.msi" TRANSFORMS="custom.mst"

Providing command line utilities for installation

Provide command line utilities so that users can install one or more clients on their workstations. This table presents sample command lines that you can modify to suit your needs. Because the package name contains spaces, "Lotus Notes 6.msi" must be quoted, as must any path you pass (for example, the log file) that contains spaces.

Type of install                           Sample command line utility
Transform install                         msiexec /i "Lotus Notes 6.msi" TRANSFORMS=custom.mst
Transform silent install                  msiexec /i "Lotus Notes 6.msi" /qn TRANSFORMS=custom.mst
Silent install with fail/success prompt   msiexec /i "Lotus Notes 6.msi" /qn+
Silent install                            setup.exe /s /v"/qn"
Verbose logging                           setup.exe /v"/L*v c:\temp\install.log"
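The command lines in the table above, and the verbose log that the last of them produces, can be composed and checked from a script instead of typed by hand. The following Python is an added example written for this page, not code from the Domino documentation or from Lotus. It assumes the documented kit layout (Lotus Notes 6.msi with custom.mst beside it) and the standard Windows Installer exit codes and log-line formats; the SAMPLE_LOG_* excerpts it embeds are constructed, not real captures. It builds the msiexec line with the quoting that the space-containing file name requires, refuses to proceed if the package or transform is missing from the kit, and after the install parses the /L*v log to confirm the final status, name any failed action, and check that the intended transform was actually applied.

```python
"""Build the msiexec line for a transform-based Lotus Notes 6 install and
verify the result from the Windows Installer verbose log.  Added example
for this page (not Lotus/Domino code).  Assumes the documented kit layout
(Lotus Notes 6.msi with custom.mst beside it) and standard Windows
Installer exit codes and log-line formats; SAMPLE_LOG_* are constructed."""
import ntpath
import os
import re
from typing import List, Optional

MSI_SUCCESS = {0: "success", 1641: "success, reboot initiated", 3010: "success, reboot required"}
MSI_FAILURES = {1603: "fatal error during installation", 1619: "package could not be opened",
                1624: "error applying transforms"}
ACTION_RE = re.compile(r"Action ended \d+:\d+:\d+: (\w+)\. Return value (\d+)\.")
STATUS_RE = re.compile(r"Installation success or error status: (\d+)\.")
PROPERTY_RE = re.compile(r"Property\(S\): (TRANSFORMS|INSTALLDIR|DATADIR) = (.*)$")


def _quote(value: str) -> str:
    """msiexec needs double quotes around any path or property value with spaces."""
    if '"' in value:
        raise ValueError(f"double quote not allowed in {value!r}")
    return f'"{value}"' if " " in value else value


def build_install_command(kit_dir: str, transform: Optional[str] = "custom.mst",
                          silent: bool = True, prompt: bool = False,
                          installdir: Optional[str] = None, datadir: Optional[str] = None,
                          log_path: Optional[str] = None, require_files: bool = True) -> str:
    """Compose the command line for the install types in the table above.

    msiexec reports a missing package or transform only at run time (exit
    1619 / 1624), so with require_files the script fails early instead.
    Paths are joined with ntpath because they are Windows paths."""
    msi = ntpath.join(kit_dir, "Lotus Notes 6.msi")
    mst = ntpath.join(kit_dir, transform) if transform else None
    if require_files:
        for path in (msi, mst):
            if path and not os.path.isfile(path):
                raise FileNotFoundError(path)
    parts = ["msiexec", "/i", _quote(msi)]
    if silent:
        parts.append("/qn+" if prompt else "/qn")      # + adds the completion/failure prompt
    if log_path:
        parts += ["/L*v", _quote(log_path)]
    for prop, value in (("INSTALLDIR", installdir), ("DATADIR", datadir)):
        if value:
            parts.append(f"{prop}={_quote(value)}")     # overrides the transform's defaults
    if mst:
        parts.append(f"TRANSFORMS={_quote(mst)}")
    return " ".join(parts)


def parse_msi_log(text: str) -> dict:
    """Extract the final status, failed actions and key properties from a /L*v log."""
    info = {"status": None, "failed_actions": [], "properties": {}}
    for line in text.splitlines():
        m = ACTION_RE.search(line)
        if m and m.group(2) == "3":       # return value 1 = success, 2 = user exit, 3 = failure
            info["failed_actions"].append(m.group(1))
        m = STATUS_RE.search(line)
        if m:
            info["status"] = int(m.group(1))
        m = PROPERTY_RE.search(line)
        if m:
            info["properties"][m.group(1)] = m.group(2).strip()
    return info


def verify_install(log_text: str, expected_transform: str) -> List[str]:
    """Reasons the install must be treated as failed; an empty list means it is good."""
    info = parse_msi_log(log_text)
    problems: List[str] = []
    if info["status"] is None:
        problems.append("no final status line in log; installer may not have finished")
    elif info["status"] not in MSI_SUCCESS:
        problems.append(f"installer status {info['status']}: "
                        f"{MSI_FAILURES.get(info['status'], 'unknown error')}")
    if info["failed_actions"]:
        problems.append("failed actions: " + ", ".join(info["failed_actions"]))
    applied = ntpath.basename(info["properties"].get("TRANSFORMS", ""))
    if applied.lower() != expected_transform.lower():   # catches a kit whose .mst was swapped or dropped
        problems.append(f"transform {expected_transform} not applied (log shows {applied or 'none'})")
    return problems


# Constructed excerpts in the shape msiexec /L*v writes; not real captures.
SAMPLE_LOG_OK = """\
MSI (s) (F0:2C) [10:02:13:120]: Property(S): TRANSFORMS = C:\\kit\\custom.mst
MSI (s) (F0:2C) [10:02:13:120]: Property(S): INSTALLDIR = C:\\Program Files\\Lotus\\notes\\
Action ended 10:02:58: InstallFinalize. Return value 1.
MSI (s) (F0:2C) [10:02:59:001]: Product: Lotus Notes 6 -- Installation operation completed successfully.
MSI (s) (F0:2C) [10:02:59:002]: Product Name: Lotus Notes 6. Installation success or error status: 0.
"""
SAMPLE_LOG_FAIL = """\
MSI (s) (F0:2C) [10:05:13:120]: Property(S): TRANSFORMS = C:\\kit\\custom.mst
Action ended 10:05:40: InstallFiles. Return value 3.
MSI (s) (F0:2C) [10:05:41:001]: Product: Lotus Notes 6 -- Installation operation failed.
MSI (s) (F0:2C) [10:05:41:002]: Product Name: Lotus Notes 6. Installation success or error status: 1603.
"""
```

On a workstation, run the line from build_install_command with subprocess.run (a str command is handed to CreateProcess unchanged on Windows), then call verify_install on the contents of the log file; treat a non-empty list, or an exit code outside MSI_SUCCESS, as a failed deployment rather than trusting the shortcut icons on the desktop.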

Customizing client installations

Client installs can be customized to allow you, the administrator, to control the options that are installed and available to users. Use transform files to deselect options, for example modem files, that you do not want to install by default. You also use transform files to hide the options that you do not want users to change, regardless of whether you choose to install a particular option. Modify the Visible and Initial State settings for each installation option that you want to designate as hidden or not hidden.

For more information on what you can customize, see the topic Installation options available using the transform file in this chapter.

If you prefer, you can allow the user to see and complete most of the fields on the numerous windows that can be displayed during the installation process.

For more information on transform files, see the topics Creating a transform file and Using transform files for end-user installations in this chapter.

Creating a transform file

Creating a transform file requires a third-party tool such as InstallShield Tuner OEM Edition. Lotus Domino 6 includes a version called InstallShield Tuner for Lotus Notes that you can use with Domino to create a transform file to customize the installation process.

Note The version of InstallShield Tuner for Lotus Notes that is included with Domino works only with Lotus Domino 6, not with other products. You can use transform files to set up shared and customized installations. See the InstallShield Web site at http://www.installshield.com for further information.

How to install the InstallShield Tuner for Lotus Notes


From the Lotus Domino 6 installation CD, in the Apps/InstallShield
Tuner for Lotus Notes directory, run the setup file, SETUP.EXE.

How to create a transform file


Use this procedure to create a transform file with InstallShield Tuner for
Lotus Notes. Users can then apply the transform file when installing
clients.
For more information on shared installations, see the topic Installing the
Domino clients in a shared network directory in this chapter.
1. Invoke the InstallShield Tuner program and browse to locate the
configuration file that has a .itw file name extension. The .itw
configuration file is located in the same directory with the Notes
installation that you want to configure.
2. Click Create a new transform file.
3. In the Select an MSI file field for the Windows Installer Package
option, select the msi file (Lotus Notes 6.msi).
4. In the New project name and location field for the Windows Installer
Transform option, enter the custom transform name. Save the file to
the same path on which the install kit resides.
5. Click Create.
6. Make any other desired modifications to the default settings
provided.
7. Click Save.
For more information on transform files, see the topics Installation
options available using the transform file and Using transform files for
end-user installations in this chapter.
After creating the transform file, you apply the transform file to the
installation process. The installation process then uses the values that you
set in the transform file in place of default values.


Installation options available using the transform file


Using a transform file, you can customize installation for the users in
your enterprise.

Customizing the location of the install directories

Use this procedure to specify a location other than the default in which to store the installation directories. When specifying directory names, use names that contain eight or fewer characters.

1. From Application Configuration, select Setup Properties.
2. Click Add/Remove Program Settings.
3. Change the PROGDIR property to the location in which you are storing the program files.
4. Change the DATADIR property to the location in which you are storing the data files. This is the new default data directory.

Setting the installation to multi-user by default

In a multi-user installation, the administrator installs the Domino program files to a central location on the local system. Each user has their own data directory, located in the system's application data directory for the current user.

Note End users must have Administrator rights to choose a multi-user installation and must install only the Notes client. End users must also have Administrator rights to upgrade an existing multi-user installation.

1. From Application Configuration, select Setup Properties.
2. Change the value of the ApplicationUsers property to AllUsers. The installation is now a multi-user installation by default.

For more information on multi-user installation, see the topic Multi-user installations in this chapter.

Adding custom files to a client installation

To add custom files to a client installation, create a transform file.

Note This customization option replaces the COPYFILE.TXT feature that was available in previous releases of Lotus Domino.

1. Copy the custom files to the install directory, or place them in a directory within the install directory, for example PathToInstallKit\AllClient\CopyFiles\custom.mdm.
2. Click Target System Configuration - Files.
3. In the top pane, click Browse and locate the source directory, which is the directory from which you are copying the custom files.
4. In the bottom pane, select the destination directory, for example ProgramFiles\Lotus\notes\Data\modems.
5. Drag and drop the custom file from the source directory to the destination directory.

Using transform files for end-user installations

After creating a transform file, you can use that file for end-user client installations.

To apply a transform
This section contains two sets of instructions. The first set explains how to apply a transform file for a user interface (UI) installation, that is, an installation that presents a user interface. The second set explains how to apply a transform file for a silent install, that is, an installation that does not present a user interface and therefore requires no user interaction. There is also a section on using a batch file to launch the command.

The msiexec commands used with transform files (and for silent installations) depend on the Windows Installer service being present on the workstation. Do not make a network installation the first Notes installation you perform unless you are certain that all of the client workstations have the Windows Installer service.

Note The command line path is the default installation path or the path for the transform file.
User interface (UI) installation
In the second command below, the INSTALLDIR and DATADIR properties given on the command line override the default directories set by the transform file. If a directory path contains spaces, enclose the property value in quotes, for example INSTALLDIR="C:\Program Files\Lotus\notes".
1. Change to the install directory that contains both the Lotus Notes 6.msi and the transform (*.mst) files.
2. Do one of these:
   - To install to the default Program and Data directories, enter this command from the command line:
     msiexec /i "Lotus Notes 6.msi" TRANSFORMS="custom.mst"
   - To override the default Program and Data directories with ones you specify, enter this command from the command line:
     msiexec /i "Lotus Notes 6.msi" INSTALLDIR=C:\Test DATADIR=C:\Test\Data TRANSFORMS="custom.mst"

Silent install
1. Change to the install directory that contains both the Lotus Notes 6.msi and the transform (*.mst) files.
2. Do one of these:
   - To install to the default Program and Data directories, enter this command from the command line:
     msiexec /i "Lotus Notes 6.msi" /qn TRANSFORMS="custom.mst"
   - To override the default Program and Data directories with ones you specify, enter this command from the command line:
     msiexec /i "Lotus Notes 6.msi" /qn INSTALLDIR=C:\Test DATADIR=C:\Test\Data TRANSFORMS="custom.mst"

For more information on silent installations, see the topic Automating client installation in this chapter.

Using a batch file to enter the command
You can also create a batch file that the user launches to start the command. A sample batch file is shown below:

Sample batch file
    msiexec /i "Lotus Notes 6.msi" TRANSFORMS="custom.mst"

Using the SETUP.INI file setting to apply one transform file to all client installs
Use a setting in the SETUP.INI file in the install directory to apply one transform file to all installs. With this method the end user does not have to enter a command line parameter or use a batch file.

Modify the command line in SETUP.INI to read as follows:
    CmdLine=/l*v "%TEMP%\notes6.log" TRANSFORMS=custom.mst

The transform file is applied when SETUP.EXE is launched. The log path is quoted because %TEMP% commonly expands to a path that contains spaces (for example, one under C:\Documents and Settings).

Setting up Notes with a scriptable setup

The scriptable setup option uses a setting in the NOTES.INI file to provide information to the client setup wizard. During installation, the wizard displays only the panels that users need to set up the Notes client. The NOTES.INI setting ConfigFile= points to a text (.TXT) file that contains the parameters that the wizard needs. The wizard reads the text file and completes the setup; the user bypasses the wizard screens for which the text file already supplies parameters.

Several of the settings (Mail.Incoming.Password, NetworkDial.Password, and Proxy.Password) place passwords in this text file in clear text, and KeyfileName points at the user's ID file. Restrict access to the file to the user and administrators, and remove it once setup has completed.

The settings and parameters that you can use in the text file are listed in this table:
Setting
    Description

Username
    User's hierarchical name, for example John Smith/Acme
KeyfileName
    Directory path to the user's ID file, for example c:\program files\lotus\notes\data\jsmith.id
Domino.Name
    Domino server in the same domain as the user name. You do not need to enter a hierarchical name.
Domino.Address
    An address for the Domino server, such as the IP address of the server, if needed to connect to the server. For example, server.acme.com or 123.124.xxx.xxx
Domino.Port
    Port type, such as TCPIP
Domino.Server
    1 to connect to the Domino server, 0 for no connection
AdditionalServices
    1 forces display of the Additional Services panel even if sufficient information is provided for these services; the Additional Services panel lists Internet, proxy, and replication settings.
AdditionalServices.NetworkDial
    To configure a network dialup connection to Internet accounts created via the Additional Services dialog box
Mail.Incoming.Name
    Incoming mail account name, a friendly name used to refer to these settings (description garbled in the source; inferred from the other .Name entries)
Mail.Incoming.Server
    Incoming mail (POP or IMAP) server name
Mail.Incoming.Protocol
    1 for POP; 2 for IMAP
Mail.Incoming.Username
    Mail account user name or login name
Mail.Incoming.Password
    Mail account password
Mail.Incoming.Address
    An address, such as the IP address of the home server, if needed to connect to the server (setting name garbled in the source; inferred from the Domino.Address entry)
Mail.Incoming.SSL
    1 to use SSL; 0 not to use SSL
Mail.Outgoing.Name
    Outgoing mail account name, a friendly name used to refer to these settings
Mail.Outgoing.Server
    Outgoing mail (SMTP) server name
Mail.Outgoing.Address
    User's Internet mail address, such as user@isp.com
Mail.InternetDomain
    Internet mail domain name, such as isp.com
Directory.Name
    Directory account name, a friendly name used to refer to these settings
Directory.Server
    Directory (LDAP) server name
News.Name
    News account name, a friendly name used to refer to these settings
News.Server
    News (NNTP) server name
NetworkDial.EntryName
    Name of the remote network dialup phone book entry
NetworkDial.Phonenumber
    Dial-in number
NetworkDial.Username
    Remote network user name
NetworkDial.Password
    Remote network password
NetworkDial.Domain
    Remote network domain
DirectDial.Phonenumber
    Phone number of the Domino server
DirectDial.Prefix
    Dialup prefix, if required. For example, 9 to access an outside line.
DirectDial.Port
    COM port to which the modem is connected
DirectDial.Modem
    File specification of the modem file
Proxy.HTTP
    HTTP proxy server and port, for example proxy.isp.com:8080
Proxy.FTP
    FTP proxy server and port, for example proxy.isp.com:8080
Proxy.Gopher
    Gopher proxy server and port, for example proxy.isp.com:8080
Proxy.SSL
    SSL proxy server and port, for example proxy.isp.com:8080
Proxy.HTTPTunnel
    HTTP tunnel proxy server and port, for example proxy.isp.com:8080
Proxy.SOCKS
    SOCKS proxy server and port, for example proxy.isp.com:8080
Proxy.None
    No proxy for these hosts or domains
Proxy.UseHTTP
    Use the HTTP proxy server for the FTP, Gopher, and SSL security proxies
Proxy.Username
    User name, if logon is required
Proxy.Password
    User password
Replication.Threshold
    Transfer outgoing mail if this number of messages is held in the local mailbox
Replication.Schedule
    Enable replication schedule
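Because the setup file carries the path to the user's ID file and possibly clear-text passwords, it is worth validating before NOTES.INI is pointed at it. The following Python is an added example written for this page, not code from the Domino documentation or from Lotus. Its setting names are the ones in the table above; the one Setting=Value pair per line layout, the ';' comment syntax, the contents of the sample file, and the warning rules are assumptions of the example, not documented Notes behaviour.

```python
"""Check a Notes 6 scriptable-setup text file before NOTES.INI ConfigFile=
is pointed at it.  Added example for this page, not Domino/Lotus code.
Setting names come from the documented table; the Setting=Value line
layout, the ';' comment syntax and the warning rules are assumptions."""
import re
from typing import Dict, List

# Settings listed in the scriptable-setup table (Mail.Incoming.Address as reconstructed there).
KNOWN_SETTINGS = {
    "Username", "KeyfileName", "Domino.Name", "Domino.Address", "Domino.Port", "Domino.Server",
    "AdditionalServices", "AdditionalServices.NetworkDial",
    "Mail.Incoming.Name", "Mail.Incoming.Server", "Mail.Incoming.Protocol",
    "Mail.Incoming.Username", "Mail.Incoming.Password", "Mail.Incoming.Address",
    "Mail.Incoming.SSL", "Mail.Outgoing.Name", "Mail.Outgoing.Server",
    "Mail.Outgoing.Address", "Mail.InternetDomain",
    "Directory.Name", "Directory.Server", "News.Name", "News.Server",
    "NetworkDial.EntryName", "NetworkDial.Phonenumber", "NetworkDial.Username",
    "NetworkDial.Password", "NetworkDial.Domain",
    "DirectDial.Phonenumber", "DirectDial.Prefix", "DirectDial.Port", "DirectDial.Modem",
    "Proxy.HTTP", "Proxy.FTP", "Proxy.Gopher", "Proxy.SSL", "Proxy.HTTPTunnel", "Proxy.SOCKS",
    "Proxy.None", "Proxy.UseHTTP", "Proxy.Username", "Proxy.Password",
    "Replication.Threshold", "Replication.Schedule",
}
FLAG_SETTINGS = {"Domino.Server", "AdditionalServices", "Mail.Incoming.SSL"}   # documented as 1 or 0
CREDENTIAL_SETTINGS = {"Mail.Incoming.Password", "NetworkDial.Password", "Proxy.Password"}
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9.]*)\s*=\s*(.*?)\s*$")


def parse_config(text: str) -> Dict[str, str]:
    """Parse Setting=Value lines; blank lines and ';' comments are skipped (assumed syntax)."""
    settings: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith(";"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"line {lineno}: expected Setting=Value, got {raw!r}")
        key, value = m.group(1), m.group(2)
        if key in settings:
            raise ValueError(f"line {lineno}: duplicate setting {key}")
        settings[key] = value
    return settings


def validate_config(settings: Dict[str, str]) -> List[str]:
    """Findings as 'error: ...' or 'warning: ...' strings; an empty list means clean."""
    findings: List[str] = []
    for key in settings:
        if key not in KNOWN_SETTINGS:          # a typo here means the wizard panel is not bypassed
            findings.append(f"error: unknown setting {key} (not in the documented table)")
    for key in sorted(settings.keys() & FLAG_SETTINGS):
        if settings[key] not in ("0", "1"):
            findings.append(f"error: {key} must be 0 or 1, got {settings[key]!r}")
    if settings.get("Mail.Incoming.Protocol", "1") not in ("1", "2"):
        findings.append("error: Mail.Incoming.Protocol must be 1 (POP) or 2 (IMAP)")
    if settings.get("Domino.Server") == "1" and not settings.get("Domino.Name"):
        findings.append("error: Domino.Server=1 but no Domino.Name given")
    if "Username" in settings and "/" not in settings["Username"]:
        findings.append("warning: Username should be hierarchical, for example John Smith/Acme")
    keyfile = settings.get("KeyfileName", "")
    if keyfile and not keyfile.lower().endswith(".id"):
        findings.append(f"warning: KeyfileName {keyfile!r} does not look like a Notes ID file")
    secrets = sorted(settings.keys() & CREDENTIAL_SETTINGS)
    if secrets:                                 # the wizard reads these from a plain text file
        findings.append("warning: clear-text credentials in file (" + ", ".join(secrets)
                        + "); restrict access to it and delete it after setup")
    if "Mail.Incoming.Password" in settings and settings.get("Mail.Incoming.SSL") != "1":
        findings.append("warning: Mail.Incoming.Password set but Mail.Incoming.SSL is not 1")
    return findings


def notes_ini_line(config_path: str) -> str:
    """The NOTES.INI entry that points the setup wizard at the validated file."""
    return f"ConfigFile={config_path}"


# Constructed sample file (not from a real deployment): one typo in a setting
# name and a POP password without SSL, so the checks have something to report.
SAMPLE_CONFIG = """\
; Notes 6 scriptable setup for jsmith
Username=John Smith/Acme
KeyfileName=c:\\program files\\lotus\\notes\\data\\jsmith.id
Domino.Name=Mail01
Domino.Address=mail01.acme.com
Domino.Port=TCPIP
Domino.Sever=1
Mail.Incoming.Name=ISP mail
Mail.Incoming.Server=pop.isp.com
Mail.Incoming.Protocol=1
Mail.Incoming.Username=jsmith
Mail.Incoming.Password=hunter2
Mail.Incoming.SSL=0
"""
```

Run validate_config(parse_config(open(path).read())) as part of the same batch file or script that writes the file to the workstation, and refuse to add the ConfigFile= line to NOTES.INI while any finding starts with "error:"; the warnings are the ones an administrator should read before deciding to ship a file that contains a password.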

Managing users
The Administration Process helps you manage users by automating
many of the associated administrative tasks. For example, if you rename
a user, the Administration Process automates changing the name
throughout databases in the Notes domain by generating and carrying
out a series of requests, which are posted in the Administration Requests
database (ADMIN4.NSF). Changes are made, for example, in the Person
document, in databases, in ACLs and extended ACLs. However, the
Administration Process can be used only if the database is assigned an
administration server.

Rename a user
There are several ways in which you rename a user. Usually they involve changing a user's common or alternate name. However, in Domino and Notes the name hierarchy is part of the user's name, so if a user is moved and certified under a new hierarchy, that too is considered renaming. The rename tasks are: 
- Change a Notes user's common name
- Notify a user of a change to private design elements during a name change
- Rename a Web user
- Move a user name in the name hierarchy
- Upgrade a user name from flat to hierarchical

Change user roaming status
You can change a user's roaming status with the following tasks:
- Change a roaming user to nonroaming
- Change a nonroaming user to roaming

Move a user's files
In contrast to moving a user from one hierarchy to another, which is a simple renaming action, you may also need to move a user's actual files. To do so, you use the following task:
- Moving a user's mail file and roaming files from the Domino Administrator or the Web Administrator

Delete a user name
When you delete a user name, you have the option of keeping some of the user's files while denying the user access to them. The Administration Process helps you automate the following tasks:
- Delete a user name
- Deleting a user name with the Web Administrator

User maintenance
In addition to the tasks listed above, there may be times when you need to locate a user, recertify a user's ID, or perform another user-related task. Use the following procedures:
- Changing a user's Internet address
- Finding a user name in the domain with the Domino Administrator or Web Administrator
- Recertifying user IDs
- Monitoring user licenses

While managing users, you may also need to recertify a certifier ID:
- Recertifying a user ID
- Recertifying a certifier ID

Synchronizing Windows NT or Windows 2000 Active Directory and Notes users
You can synchronize Notes users with users in Windows NT and in Windows 2000 Active Directory. You can also manage Notes users from the Windows NT User Manager and from the Windows 2000 Microsoft Management Console.
For more information on synchronizing Notes users with Windows NT users, see the chapter Using Domino With Windows Synchronization Tools.

Changing Notes user names with the Administration Process

When you change the name of a user, the Administration Process implements the name change by initiating requests against the affected documents, databases, database ACLs, and extended ACLs. In the Domino Administrator, changing the common name, alternate name, or hierarchical name of a user is called renaming. Using rename, you can change the name of one or more users in the following ways:
- Change a user's common or alternate name
- Add an alternate name to a user if one is not yet assigned
- Move a user to a new hierarchy
- Upgrade a user name from flat to hierarchical

Administration Process requirements

In order for the Administration Process to carry out the name changes, the databases must have an assigned administration server.

In addition, the certifier ID you use and every ancestor of that certifier must have a Certifier document in the Certificates view of the Domino Directory. For example, if you use the certifier ID for /Sales/NYC/ACME, the Domino Directory must contain Certifier documents for /ACME, /NYC/ACME, and /Sales/NYC/ACME.

For more information on assigning an administration server, see the chapter Setting Up the Administration Process.
For more information on certifiers, see the chapter Deploying Domino.

Viewing user name change requests
To review the administration requests that are generated when renaming a user, open the Administration Requests database (ADMIN4.NSF) on the server.
For more information on processing renaming requests in the Administration Requests database, see the chapter Setting Up the Administration Process.


Notifying users of changes to private design elements during a name change

Note The AdminP Mail Notification agent runs only on Domino Release
5.05 or more recent servers and sends e-mail to Notes Release 5.05 or
more recent clients.
1. From the Domino Administrator, click Server - Analyses.
2. Click Administration Requests (6).
3. Locate the administration request to rename the user and then open
the request.
4. Choose Actions - Enable/Disable User Notification. The agent is
enabled and automatically sends to the user an e-mail message
containing links to databases in which the user created or modified
design elements such as a folder or view.
5. Click OK.
Troubleshooting name changes
The public key in the Person document must match the one on the user
ID. If a public key has been changed or corrupted in some way, you see
this message in the Administration Requests database: The name to act
on was not found in the Address Book.
For more information on correcting this problem, see the chapter Setting
Up the Administration Process.

Renaming a Notes user's common or alternate name

Use this procedure to make any of the following changes to one or more user names:
- Change the common name
- Change or add an alternate name
- Delete the alternate name
- Synchronize the name change between Notes and Windows NT, or Notes and Active Directory

You can enable an agent that sends the user an e-mail message notifying the user of the name change and containing links to databases in which the user created or modified design elements such as a folder or view. To update the private design elements with the user's new name, the user must then open each database through the database links in the e-mail notification. This update allows the user to keep access to their own private design elements. Enable the Mail Notification agent from within the Administration Requests database (ADMIN4.NSF).

When a user is renamed, the user's Internet address often needs to be changed accordingly. You can change a user's Internet address as part of a change to the user's common or alternate name, but you cannot use this rename procedure to change only the Internet address; attempting to do so generates an error.

For more information on changing only a user's Internet address, see the topic Changing a user's Internet address in this chapter.
For information on using an agent to notify a user of changes to private design elements during a name change, see the topic Changing Notes user names with the Administration Process in this chapter.

Note To use the Domino alternate name functionality, Domino R5.0.2 or later must be running on all servers involved with the name change, on the user's workstation, and on the administrator's workstation.
To rename a user's common name
1. To rename a user, you must have:
   - Editor with Create documents access, or the UserModifier role, in the Domino Directory
   - At least Author with Create documents access to the Certification Log
2. From the Domino Administrator, click the People & Groups tab.
3. Click People and select a user name.
4. From the tools pane, click People - Rename.
5. In the Rename Selected Notes People dialog box, verify the number of days you want to honor the old name. The default is 21 days; you can change that value if desired.
6. Click Change Common Name.
5-58 Administering the Domino System, Volume 1

7. In the Choose a Certifier dialog box, do the following:

   Field: Server
   Action: Do one of these:
   - If you are using the Lotus Domino 6 server-based CA, choose the
     server that is used to access the Domino Directory to look up the
     list of certifiers.
   - If you are supplying a certifier ID, select the server that is
     used to locate the list of certifiers so that the Certifier ID
     file can be updated with the latest set of certificates for itself
     and all of its ancestors. This is also the server on which
     CERTLOG.NSF is updated.

   Field: Use the CA process
   Action: Choose this option if you have configured the Lotus Domino 6
   server-based CA. Select a CA-configured certifier from the list and
   click OK.

   Field: Supply certifier ID and password
   Action: Choose this option if you are using a certifier ID and
   password. Choose the certifier ID that certified the user's ID and
   click Open. For example, to rename Joe Smith/Sales/NYC/ACME, use the
   certifier ID named SALES.ID. Click Certifier ID to select an ID other
   than the one displayed. Enter the password for the certifier ID and
   click OK.

8. In the Certificate Expiration Date dialog box, enter a new
   certificate expiration date if desired. The default certificate
   expiration date is two years from the current date. The "Edit or
   inspect each entry before submitting request" check box is selected
   and cannot be modified.
9. In the Rename Person dialog box, complete the following fields as
   appropriate. In this dialog box you have the option of synchronizing
   Windows NT user names or Active Directory user names, and changing
   primary and alternate name information where appropriate.

   New Primary Name Information

   Field: First, Middle, and Last Name
   Action: This is the name with which the user was registered. Make
   changes to the user's name as appropriate.

   Field: Qualifying Org. Unit
   Action: (Optional) A name to differentiate this user from another
   user with the same user name, certified by the same certifier. This
   adds a differentiating component that appears between the common
   name and the certifier name.

   Field: Short Name
   Action: (Optional) Created at registration, the default is first
   initial, last name. You can change this name. It does not change
   automatically based on changes to the primary name fields. You must
   make this change manually.

   Field: Internet Address
   Action: (Optional) Created at registration, the default is first
   initial, last name. You can change this name. It does not change
   automatically based on changes to the primary name fields. You must
   make this change manually.

   Field: Rename Windows NT User Account
   Action: Available to Windows NT User Manager only. Check this box if
   you want to synchronize the name change in both the Domino Notes and
   Windows NT or Active Directory account.

10. Complete this step only if the user has an alternate name or if you
    are assigning alternate names. If you are not working with alternate
    names, skip this step and go to Step 11.

   New Alternate Name Information: Available only if you are renaming a
   user whose certifying organization has alternate names assigned.

   Field: Common Name
   Action: Enter the common name in the alternate language. To delete an
   alternate name, simply delete the name and do not enter a new one.

   Field: Qualifying Org. Unit
   Action: (Optional) A name to differentiate this user from another
   user with the same user name, certified by the same certifier. This
   adds a differentiating component that appears between the common
   name and the certifier name.

   Field: Original Language
   Action: The alternate language currently assigned to the user
   (non-modifiable).

   Field: New Language
   Action: Select from the list to assign a new alternate language.

11. Select one of the following:
   - OK - to submit the name change.
   - Skip - if you are renaming more than one user's common name and
     you want to continue to the next name without submitting a name
     change for the current name.
   - Cancel Remaining Entries - to cancel this name change and name
     changes for any other names you selected and have not yet
     submitted.
12. When the Processing Statistics dialog box appears, review the
    information to verify that all name changes have succeeded. If any
    fail, check the Certifier Log (CERTLOG.NSF) to determine the reason
    for the failure.
13. Click OK.

Moving a user name in the name hierarchy

When you move a user to a different Organizational Unit, the certifier
changes, and thus the user's name hierarchy changes. Since the name
hierarchy in Domino Notes is part of the user's name, when you move a
user to a different certifier you have essentially changed the user's
name.
You can use the Administration Process to move a user name to a
different location (Organizational Unit) in the organization's
hierarchical name scheme or to move a name to a different Organization
altogether. For example, if Alice Brown/Marketing/Acme leaves a job in
the Marketing department for a job in Sales, you can certify her user ID
with the /Sales/Acme certifier, which, in effect, moves her to that
Organizational Unit. Her full hierarchical name then becomes Alice
Brown/Sales/Acme.
You can also move a user to another Organization; however, to do so,
your Domino Directory must contain cross-certificates between the
Organizations involved. So, for example, if Alice
Brown/Marketing/Acme leaves a job at Acme to work for the Acme
subsidiary AcmeSub, which has its own Organization Certifier, you can
certify her ID with the /AcmeSub certifier so that her name becomes
Alice Brown/AcmeSub. In this example, the Domino Directory must
have cross-certificates between /Acme and /AcmeSub.
There are two parts to moving a user name:
1. Request the move using the originating certifier.
2. Complete the move by using the target (new) certifier to approve the
   request and issue the new certificate.
For more information on the Administration Process, see the chapter
"Setting Up the Administration Process." For more information on
cross-certificates, see the chapter "Protecting and Managing Notes IDs."
For information on using an agent to notify a user of changes to private
design elements during a name change, see the topic "Changing Notes
user names with the Administration Process" in this chapter.
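The two-part move described above can be reasoned about purely in terms of the name's components. The following Python is an added example written for this page; it is not Lotus code and does not talk to a Domino server. It models a hierarchical name as a common name, its Organizational Units and its Organization, derives the originating certifier (used for the request) and the target certifier (used for the approval), and flags a move that crosses an Organization, which is the case in which the text says a cross-certificate must already exist. It also rejects flat names, which the Administration Process cannot rename until they are upgraded. The class and function names are assumptions for the example.

```python
"""Notes hierarchical names as the Administration Process sees them during
a move. Added example; not Lotus code. The cross-certificate rule follows
the text: a move into a different Organization needs one."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HierarchicalName:
    common_name: str
    org_units: tuple   # OUs from most to least specific, e.g. ("Sales", "NYC")
    org: str           # the Organization, e.g. "ACME"

    @classmethod
    def parse(cls, text):
        """Split 'Joe Smith/Sales/NYC/ACME' into its components."""
        parts = [p.strip() for p in text.split("/")]
        if len(parts) < 2 or not all(parts):
            raise ValueError(f"not a hierarchical name: {text!r}")
        return cls(parts[0], tuple(parts[1:-1]), parts[-1])

    @property
    def certifier(self):
        """The certifier that issued this name, e.g. /Sales/NYC/ACME."""
        return "/" + "/".join(self.org_units + (self.org,))

    def __str__(self):
        return "/".join((self.common_name,) + self.org_units + (self.org,))


def is_hierarchical(text):
    """Flat names (no certifier components) cannot be moved or renamed by
    the Administration Process; they must first be upgraded."""
    try:
        HierarchicalName.parse(text)
        return True
    except ValueError:
        return False


def parse_certifier(text):
    """'/Sales/NYC/ACME' -> (('Sales', 'NYC'), 'ACME')."""
    parts = [p.strip() for p in text.strip("/").split("/")]
    if not parts or not all(parts):
        raise ValueError(f"not a certifier name: {text!r}")
    return tuple(parts[:-1]), parts[-1]


def plan_move(current_name, new_certifier):
    """Work out both halves of a move request and whether a cross-certificate
    between the Organizations must exist before the approving administrator
    can complete it. Assumed helper, not a Domino API."""
    old = HierarchicalName.parse(current_name)
    org_units, org = parse_certifier(new_certifier)
    new = HierarchicalName(old.common_name, org_units, org)
    return {
        "old_name": str(old),
        "new_name": str(new),
        "request_with": old.certifier,    # part 1: originating certifier
        "approve_with": new.certifier,    # part 2: target certifier
        "cross_certificate_required": old.org != new.org,
    }


if __name__ == "__main__":
    for name, target in [("Alice Brown/Marketing/Acme", "/Sales/Acme"),
                         ("Alice Brown/Marketing/Acme", "/AcmeSub"),
                         ("Joe Smith/Sales/NYC/ACME", "/Service/NYC/ACME")]:
        print(plan_move(name, target))
```

Running the block prints one plan per example from the text: the move within /Acme needs no cross-certificate, the move to /AcmeSub does, and both report which certifier each of the two administrators has to hold.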

Changing primary and alternate name information during the move

If an alternate name has been assigned, the administrator who performs
the approval phase of the move automatically has the option to change
primary name information. If an alternate name has not been assigned,
you can designate whether the administrator who completes the move
can modify primary name fields. To use the Domino alternate name
functionality, Domino 5.0.2 or later must be running on all servers
involved with the name change, the user's workstation, and the
administrator's workstation.

Synchronizing the name change between Notes and Windows NT or Notes and
Active Directory

While completing the move, you also have the option of synchronizing
the name change between Notes and Windows NT or Notes and Active
Directory. To do so, select "Rename NT user account" in the Rename
Person dialog box.
To move a user name in the name hierarchy
1. To move a user name in the name hierarchy, you must have:
   - Access to the certifier you are using
   - At least Editor access to the Administration Requests database
2. From the Domino Administrator, click the People & Groups tab.
3. Click People and select a user name.
4. From the tools pane, click People - Rename.
5. The "Honor old names for up to <x> days" field is set to 21 days by
   default. You can change that value if desired.
6. Click Request Move to New Certifier.
7. In the Choose a Certifier dialog box, complete these fields:

   Field: Server
   Action: Do one of these:
   - If you are using the Lotus Domino 6 server-based CA, choose the
     server that is used to access the Domino Directory to look up the
     list of certifiers.
   - If you are supplying a certifier ID, select the server that is
     used to locate the list of certifiers so that the Certifier ID
     file can be updated with the latest set of certificates for itself
     and all of its ancestors. This is also the server on which
     CERTLOG.NSF is updated.

   Field: Supply certifier ID and password
   Action: Choose this option if you are using a certifier ID and
   password. Choose the certifier ID that certified the user's ID and
   click Open. For example, to rename Joe Smith/Sales/NYC/ACME, use the
   certifier ID named SALES.ID. Click Certifier ID to select an ID other
   than the one displayed. Enter the password for the certifier ID and
   click OK.

   Field: Use the CA process
   Action: Choose this option if you have configured the Lotus Domino 6
   server-based CA. Select a CA-configured certifier from the list and
   click OK.

8. In the Request Move For Selected People dialog box, do the
   following:

   Field: Old Certifier
   Action: Verify the information. If it is incorrect, cancel the
   procedure and begin again.

   Field: New Certifier
   Action: Enter or select the new certifier. This is the name hierarchy
   that issues a certificate for the user in the new hierarchy. For
   example, to certify Joe Smith from /Sales/NYC/ACME into
   /Service/NYC/ACME, enter /Service/NYC/ACME or select it from the
   list.

   Field: Edit or inspect each entry before submitting request
   Action: Selected by default. Do one:
   - Keep it selected. The Rename Person dialog box appears with
     non-modifiable fields of Primary and Alternate Name information.
     Review the information for accuracy. Go to Step 9.
   - If you do not want to verify each entry, clear the check box.
     Review the processing information that displays to verify that all
     name changes were successful. If any fail, check the Certifier Log
     to determine the reason for the failure. Go to Step 10, then
     complete the procedure "To approve the name change."

9. (Optional) Click the "Allow the primary name to be changed when the
   name is moved" check box if you want the opportunity to change the
   user's name when you approve the move.
10. For each name selected, choose one of the following:
   - OK - to submit the name change.
   - Skip - if you are renaming more than one user name and you want
     to continue to the next name without submitting a name change
     for the current name.
   - Cancel Remaining Entries - to cancel this name change and name
     changes for any other names you selected and have not yet
     submitted.
To complete the name change
1. From the Domino Administrator, click Server - Analysis -
   Administration Requests (6).
2. Choose the Name Move Requests view. This view categorizes
   submissions by certifier. Each name awaiting approval is listed
   under its new certifier. Select the name(s) to move.
3. Click Complete move for selected entries.
4. To complete the move, in the Choose a Certifier dialog box, make the
   following selections:

   Field: Server
   Action: Do one of these:
   - If you are using the Lotus Domino 6 server-based CA, choose the
     server that is used to access the Domino Directory to look up the
     list of certifiers.
   - If you are supplying a certifier ID, select the server that is
     used to locate the list of certifiers so that the Certifier ID
     file can be updated with the latest set of certificates for itself
     and all of its ancestors. This is also the server on which
     CERTLOG.NSF is updated.

   Field: Use the CA process
   Action: Choose this option if you have configured the Lotus Domino 6
   server-based CA. Select a CA-configured certifier from the list and
   click OK.

   Field: Supply certifier ID and password
   Action: Choose this option if you are using a certifier ID and
   password. Choose the certifier ID that certified the user's ID and
   click Open. For example, to rename Joe Smith/Sales/NYC/ACME, use the
   certifier ID named SALES.ID. Click Certifier ID to select an ID other
   than the one displayed. Enter the password for the certifier ID and
   click OK.

5. If you are moving a user name from one hierarchy to another
   hierarchy, a cross-certificate is required. If your local Domino
   Directory does not contain a cross-certificate for the certifier, you
   are prompted to create one. Click Yes.
6. In the Certificate Expiration Date dialog box, do the following and
   then click OK:

   Field: Certifier
   Action: The name hierarchy of the certifier that will issue the new
   certificate (non-modifiable).

   Field: New certificate expiration date
   Action: (Optional) Specify a certifier ID expiration date other than
   the default two years from the current date.

   Field: Edit or inspect each entry before submitting request
   Action: Selected by default. You can remove the check mark if you do
   not want to verify the entries.

7. In the Rename Person dialog box, make changes to the primary name
   as needed.

   New Primary Name Information

   Field: First, Middle, and Last Name
   Action: This is the name with which the user was registered. Make
   changes to the user's name as appropriate.

   Field: Qualifying Org. Unit
   Action: (Optional) A name to differentiate this user from another
   user with the same user name, certified by the same certifier. This
   adds a differentiating component that appears between the common
   name and the certifier name.

   Field: Short Name
   Action: (Optional) Created at registration, the default is first
   initial, last name. You can change this name. It does not change
   automatically based on changes to the primary name fields. You must
   make this change manually.

   Field: Internet Address
   Action: (Optional) Created at registration, the default is first
   initial, last name. You can change this name. It does not change
   automatically based on changes to the primary name fields. You must
   make this change manually.

   Field: Rename Windows NT User Account
   Action: Available to Windows NT User Manager or Active Directory
   users only. Check this box if you want to synchronize the name change
   in both the Domino Notes and Windows NT or Domino Notes and Active
   Directory accounts.

8. Complete the following fields as desired. These modifiable fields
   display only if the user ID has an alternate name assigned to it.

   New Alternate Name Information: Available only if you are renaming a
   user whose certifying organization has alternate names assigned.

   Field: Common Name
   Action: The common name in the alternate language.

   Field: Qualifying Org. Unit
   Action: (Optional) A name to differentiate this user from another
   user with the same user name, certified by the same certifier. This
   adds a differentiating component that appears between the common
   name and the certifier name.

   Field: Original Language
   Action: The alternate language currently assigned to the user
   (non-modifiable).

   Field: New Language
   Action: Select from the list to assign a new alternate language. This
   option is available only if the user is moving into an Organizational
   Unit or Organization that has an alternate language assigned.

9. Choose one of the following:
   - OK - to submit the name change approval.
   - Skip - if you are renaming more than one user and you want to
     continue to the next name without submitting a name change for
     the current name.
   - Cancel Remaining Entries - to cancel this name change and name
     changes for any other names you selected and have not yet
     submitted.
10. When the Processing Statistics dialog box appears, review the
    information to verify that all name changes have succeeded. If any
    fail, check the Certifier Log (CERTLOG.NSF) to determine the reason
    for the failure. Click OK.

Renaming a Web user

Use the Domino Administrator to rename a Web user. The Administration
Process generates an administration request to rename the user.
1. From the Domino Administrator, click the People & Groups tab.
2. Click People and then select the Web user you are renaming.
3. From the Tools pane, click People - Rename. The Rename Selected
   HTTP, POP3, and IMAP People wizard is activated.
4. In the "Honor old names for up to <21> days" field, either accept the
   default or enter a value between 14 and 60 days.
5. Click Next.
6. Select each name whose common name components you want to
   change, and then change the name as desired. Repeat for each name
   you are changing.
7. Click Next. A message displays indicating the number of Web user
   names that will be changed.
8. Click Finish.
For information on creating a non-Notes, Internet user, see the topic
"Registering non-Notes, Internet users" in this chapter.

Upgrading a user name from flat to hierarchical

In order to use the Administration Process to expedite name changes,
your organization must use hierarchical names. Use this procedure to
upgrade a user name from a flat format to a hierarchical format.
Upgrading a user name from flat to hierarchical affects both the primary
and alternate name information. To use the Domino alternate name
functionality, Domino 5.0.2 or later must be running on all servers
involved with the name change, the user's workstation, and the
administrator's workstation.
Note This procedure does not apply to roaming users.
To upgrade a user name from flat to hierarchical
1. To rename a user, you must have:
   - Editor with Create documents access, or the UserModifier role, to
     the Domino Directory
   - At least Author with Create documents access to the Certification
     Log
2. From the Domino Administrator, click the People & Groups tab.
3. Click People and select a user name.
4. From the tools pane, click People - Rename.
5. Click Upgrade to Hierarchical.

6. In the Choose a Certifier dialog box, make the following selections:

   Field: Server
   Action: Do one of these:
   - If you are using the Lotus Domino 6 server-based CA, choose the
     server that is used to access the Domino Directory to look up the
     list of certifiers.
   - If you are supplying a certifier ID, select the server that is
     used to locate the list of certifiers so that the Certifier ID
     file can be updated with the latest set of certificates for itself
     and all of its ancestors. This is also the server on which
     CERTLOG.NSF is updated.

   Field: Use the CA process
   Action: Choose this option if you have configured the Lotus Domino 6
   server-based CA. Select a CA-configured certifier from the list and
   click OK.

   Field: Supply certifier ID and password
   Action: Choose this option if you are using a certifier ID and
   password. Choose the certifier ID that certified the user's ID and
   click Open. For example, to rename Joe Smith/Sales/NYC/ACME, use the
   certifier ID named SALES.ID. Click Certifier ID to select an ID other
   than the one displayed. Enter the password for the certifier ID and
   click OK.

7. In the Certificate Expiration Date dialog box, accept or change the
   new certificate expiration date. The default certificate expiration
   date is two years from the current date.
   Tip The "Edit or inspect each entry before submitting request"
   check box is selected and cannot be modified.
8. In the Rename Person dialog box, you have the option of changing
   the primary or alternate name information. Then choose one of the
   following:
   - OK - to submit the name change approval.
   - Skip - if you are upgrading more than one user name and you
     want to continue to the next name without submitting a name
     change for the current name.
   - Cancel Remaining Entries - to cancel this name change and name
     changes for any other names you selected and have not yet
     submitted.
9. When the Processing Statistics dialog box appears, review the
   information to verify that all name changes have succeeded. If any
   fail, check the Certifier Log (CERTLOG.NSF) to determine the reason
   for the failure. Click OK.

Changing a roaming user to nonroaming

When you change a user from roaming to nonroaming, the Administration
Process changes the user's status in their Person document from roaming
to nonroaming and deletes the user's roaming files and replicas from the
servers on which those files reside.
1. From the Domino Administrator, click the People & Groups tab.
2. Choose People and select one or more roaming user name(s) you are
   changing to nonroaming.
3. From the tools pane, click People - Roaming.
   Note If you selected a mixed group of roaming and nonroaming users,
   the Mixed Roaming Profile dialog box appears and prompts you to
   select either roaming or nonroaming. Click the check box "Remove
   roaming profiles from <n> selected users". In this case, <n> is the
   number of roaming users selected.
4. Click the check box "Perform updates in background" to process each
   user in the background.
   Tip Run the process in the background so that you can use the
   Administrator client while requests are processed.
To verify the change
The procedure changes the user's status in their Person document from
roaming to nonroaming. To verify that the change has been made:
1. From the Domino Administrator, click the People & Groups tab.
2. Click People and then select the user you changed to nonroaming.
3. Click Edit Person to open the user's Person document.
4. Click the Roaming tab. The User Can Roam field should display No.
To approve the mail file deletion
If you chose to change a roaming user to nonroaming, you must approve
the deletion requests in the Administration Requests (ADMIN4.NSF)
database. Changing a roaming user to nonroaming requires that the
user's roaming files and replicas are deleted.
1. From the Domino Administrator, choose Server - Analysis -
   Administration Requests (R6).
2. Select the Pending Administrator Approval view.
3. Depending on your choices when you changed the user from roaming to
   nonroaming, do one of these:
   - If you are certain that you want to approve one or more deletion
     requests without looking at detail information for those requests,
     select the requests, click Approve Selected Requests, and then
     click OK.
   - If you would like to see detail on one or more requests before
     approving the deletion of roaming files, select and open the
     request, click Edit Request, review the detail information, then
     choose Approve Replica Deletion or Reject Replica Deletion.
4. Click Save and Close.

Changing a nonroaming user to roaming

When you change a user from nonroaming to roaming, the
Administration Process changes the user's status in their Person
document from nonroaming to roaming and creates a personal
subdirectory for each roaming user. This personal subdirectory contains
the roaming user's files and, by default, is placed in the Domino/data
path, unless you specify another location. You can optionally choose a
separator character if you want to include one in the user's directory
name.
Before changing a nonroaming user to roaming, read the roaming user
information in the topic "Using Advanced user registration" in this
chapter.
To change a nonroaming user to roaming
1. To change a nonroaming user, you must have the following:
   - Editor access, or Author with Create documents access and the
     UserModifier role, to the Domino Directory
2. From the Domino Administrator, click the People & Groups tab.
3. Select one or more nonroaming user name(s).
4. From the Tools pane, click People - Roaming.
   Note If you selected a mixed group of roaming and nonroaming users,
   the Mixed Roaming Profile dialog box appears and prompts you to
   select either roaming or nonroaming. Click the check box "Assign
   roaming profiles to <n> selected users". In this case, <n> is the
   number of nonroaming users selected.

5. Complete these fields:

   Field: Where should the user's roaming files be stored?
   Action: Choose one:
   - Store on user's mail server - Places the user's roaming files on
     the user's mail server. (The user's mail server was designated
     during user registration.)
   - Roaming Server - Click the button to specify the server on which
     you want to store the user's roaming files.

   Field: Store user ID in personal address book
   Action: (Optional) Places the user's ID in their own local personal
   address book.

   Field: User's personal roaming folder
   Action: Choose one:
   - Base folder - Name of the folder in which to store the user's
     roaming files. By default the user's base folder is located in the
     Domino\data directory. For example, if you want the base folder to
     be called Roaming for all your roaming users, enter Roaming to
     create the Domino\data\Roaming directory.
   - Sub-folder format - The format to use when naming the roaming
     user's personal subfolder. By default this is the user's short name
     format. You can change this format if desired and you can
     optionally choose a separator character. A personal folder
     (subfolder) is created in the Base folder for each user you upgrade
     to roaming user.

   Field: If folder exists
   Action: Choose one:
   - Skip person - if a folder already exists.
   - Generate folder name - to create a new folder.

   Field: Roaming user client clean up options
   Action: Choose one:
   - Do not cleanup - No cleanup is performed on roaming user files.
   - Cleanup every <number> days - Specify a number between 0 and 365.
   - Cleanup at Notes shutdown - Cleans up files when Notes is shut
     down.
   - Prompt user - The user is prompted on exiting the client as to
     whether they want to clean up their personal files. If the user
     chooses Yes, the data directory on that client workstation is
     deleted. If the user chooses No, the user is prompted as to whether
     they want to be asked again on that client. If the user chooses
     No, the user is not prompted again. If the user chooses Yes, the
     user is prompted again the next time the user exits the client on
     that workstation.

   Field: Perform updates in background
   Action: Processes requests in the background, leaving the
   administration client available for other administration activities.
   Note If you do not choose this option, the Administration client is
   busy until the Administration Process completes the upgrade.

6. Click OK.
   A message displays indicating the number of users successfully
   upgraded from nonroaming to roaming.
To verify the change
The procedure changes the user's status in their Person document from
nonroaming to roaming. To verify that the change has been made:
1. From the Domino Administrator, click the People & Groups tab.
2. Select the user you promoted to roaming.
3. Click Edit Person to open the user's Person document.
4. Click the Roaming tab. The User Can Roam field should display
   In Progress or Yes. The In Progress status displays until
   replication has occurred and all replicas of the user's files are
   updated.

Changing a user's Internet address

To modify only a user's Internet address, modify the user's Person
document.
1. From the Domino Administrator, click the Files tab and open the
   Domino Directory (NAMES.NSF).
2. Select the user name and click Edit Person.
3. On the Mail tab, modify the name in the Internet Address field as
   necessary.
4. Click Save and Close.

You can also modify a user's Internet name when performing a user
rename, such as changing a user's common name. To modify the user's
Internet address using the Tools -> People -> Rename feature, you must
also modify another component of the user's name, such as the short
name, at the same time that you are modifying the Internet address.
For more information on renaming a user with the options on the Tools
pane, see the topic "Renaming a Notes user's common or alternate
name" in this chapter.

Deleting a user name with the Domino Administrator

You can delete a user name with the Administration Process by initiating
a delete person command from the Domino Administrator, by using the
Web Administrator, or by using the Windows NT User Manager or
Windows 2000 Active Directory. When you delete a user name, you may
want to add that user to a termination group to prevent the user from
accessing servers. When you create a termination group, assign the
group type Deny Access to the group.
You can also use this procedure to delete a roaming user name.
For more information on the administration requests that are generated
when you delete a roaming user, see the appendix "Administration
Process Requests."
If the server is running Windows NT or Active Directory, you can delete
the user's Windows NT or Active Directory account as well.
There may be times when you want to maintain a user's mail file even
though you have deleted the user from the Domino Directory. That
option is available to you when you delete a user name. However, if you
choose to delete the user's mail file, you must approve the mail file
deletion in the Administration Requests database (ADMIN4.NSF). If you
delete a roaming user name, you must approve replica deletions.
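The termination group matters because of timing: the Person document can be removed immediately, but the Administration Process still has to work through every ACL and Names field that carries the user's name, and until it does the user's ID remains valid for authenticating to servers. The following Python is an added example, not Lotus code. It is a deliberately simplified model in which the server consults its deny list before anything else, Administration Process requests sit in a queue that drains later, and the group-type check mirrors the delete dialog, which only offers groups of type Deny Access. Every class, field and request name here is constructed for the example.

```python
"""Model of the window between deleting a Notes user and the Administration
Process finishing its clean-up, and why a Deny Access termination group
closes it. Added example; not Lotus code. Field and request names are
assumptions, not Domino's own."""
from dataclasses import dataclass, field

DENY_ACCESS = "Deny Access"  # group type the page requires for a termination group


@dataclass
class Group:
    name: str
    group_type: str
    members: set = field(default_factory=set)


@dataclass
class Directory:
    persons: set = field(default_factory=set)         # Person documents
    groups: dict = field(default_factory=dict)        # name -> Group
    adminp_queue: list = field(default_factory=list)  # pending requests (constructed shape)


@dataclass
class Server:
    name: str
    access_server: set = field(default_factory=set)      # allow list: names or groups
    not_access_server: set = field(default_factory=set)  # deny list: names or groups


@dataclass
class Database:
    title: str
    acl: dict = field(default_factory=dict)  # user name -> access level


def members_of(directory, entries):
    """Expand a server access field: a group name stands for its members."""
    users = set()
    for entry in entries:
        group = directory.groups.get(entry)
        users |= group.members if group is not None else {entry}
    return users


def can_access(directory, server, user):
    """A deny-list hit wins; otherwise an empty allow list admits everyone
    who can still authenticate, which a deleted user with a valid ID can."""
    if user in members_of(directory, server.not_access_server):
        return False
    allowed = members_of(directory, server.access_server)
    return not allowed or user in allowed


def delete_user(directory, databases, user, deny_group=None):
    """'Delete user from this Domino Directory immediately': drop the Person
    document now, queue one request per ACL that still names the user, and
    optionally add the user to a Deny Access group first."""
    if deny_group is not None:
        group = directory.groups[deny_group]
        if group.group_type != DENY_ACCESS:  # the dialog only offers this type
            raise ValueError(f"{deny_group} is not a Deny Access group")
        group.members.add(user)
    directory.persons.discard(user)
    queued = [("remove from ACL", db.title, user) for db in databases if user in db.acl]
    directory.adminp_queue.extend(queued)
    return queued


def run_adminp(directory, databases):
    """Drain the queue the way the Administration Process eventually would."""
    by_title = {db.title: db for db in databases}
    while directory.adminp_queue:
        _, title, user = directory.adminp_queue.pop(0)
        by_title[title].acl.pop(user, None)


def termination_demo(use_deny_group):
    """Constructed scenario: Alice is deleted while two databases still list her."""
    user = "Alice Brown/Marketing/Acme"
    directory = Directory(persons={user},
                          groups={"Terminations": Group("Terminations", DENY_ACCESS)})
    server = Server("Hub/Acme", not_access_server={"Terminations"})
    dbs = [Database("Sales Pipeline", {user: "Editor"}),
           Database("Marketing Plans", {user: "Author"})]
    queued = delete_user(directory, dbs, user, "Terminations" if use_deny_group else None)
    before = can_access(directory, server, user)        # AdminP has not run yet
    acls_still_listing = sum(user in db.acl for db in dbs)
    run_adminp(directory, dbs)
    after = can_access(directory, server, user)
    return {"requests_queued": len(queued), "acls_before_adminp": acls_still_listing,
            "access_before_adminp": before, "access_after_adminp": after}


if __name__ == "__main__":
    print("without deny group:", termination_demo(False))
    print("with deny group:   ", termination_demo(True))
```

Without the deny group the deleted user is still admitted both before and after the queued requests are processed, because ACL clean-up alone never touches server access; with the deny group the refusal is immediate and does not depend on the Administration Process catching up.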

For more information on Domino and Windows NT or Active Directory
directory synchronization, see the chapter "Using Domino with
Windows Synchronization Tools."
For more information on the Web Administrator, see the chapter "Setting
Up and Using Domino Administration Tools."
To delete a user
1. To delete a user, you must have:
   - Author with Delete documents access and the UserModifier role,
     or Editor access, to the Domino Directory
   - Author with Create documents access to the Certification Log
2. From the Domino Administrator, click the People & Groups tab.
3. Click People and select the user names you are deleting.
4. From the tools pane, click People - Delete.
5. Complete these fields:

   Field: What should happen with the user's mail database(s)?
   Enter: Choose the appropriate option(s):
   - Do not delete the mail database - to delete the Person document
     but leave the user's mail files intact.
   - Delete the mail database on the user's home server - to delete
     mail files on the user's home server only.
   - Delete mail replicas on all other servers - this option is active
     only if "Delete the mail database on the user's home server" was
     chosen. This option deletes all mail database replicas on other
     servers.

   Field: Add deleted user to Deny Access Group (This option is active
   only if one or more groups of type Deny Access exists.)
   Enter: To deny a user access to servers immediately:
   1. Click Groups.
   2. Select a Deny Access Group from the list.
   3. Click OK.

   Field: Delete user's Windows NT/2000 account, if existing
   Enter: Select this option to delete the corresponding user account
   in Windows NT or Windows 2000 Active Directory.

   Field: Delete user from this Domino Directory immediately
   Enter: Select this option to remove the account from the Domino
   Directory immediately, while initiating Administration Process
   requests to remove the user's name from ACLs, Names fields, etc.

Note If you choose to delete a user's mail file, you must have at least
Editor with Delete documents access to the Administration Requests
database and Delete documents access to the Domino Directory.
6. Click OK.
For more information on shared mail databases, see the chapter "Setting
Up Shared Mail."
To approve the mail file deletion
If you chose to delete any mail databases, including replicas, you must
approve the requests in the Administration Requests (ADMIN4.NSF)
database.
1. From the Domino Administrator, choose Server - Analysis -
   Administration Requests (R6).
2. Select the Pending Administrator Approval view.
3. Depending on your choices when you deleted the user name, do one
   of the following:
   - If you are certain that you want to approve one or more requests
     without looking at detail information for those requests, select
     the request, click Approve Selected Requests, and then click OK.
   - If you would like to see detail on one or more requests before
     approving the deletion, select and open the request, click Edit
     Request, review the detail information, then choose Approve
     Replica Deletion or Reject Replica Deletion.
4. Click Save and Close.

Deleting a user name with the Web Administrator

You can delete user names via the Web Administrator, as well as from
the Domino Administrator. Review the introductory information in the
procedure "Deleting a user name with the Domino Administrator"
before initiating this procedure.
1. Make sure you have the following before you begin deleting user
   names:
   - At least Author access and Delete documents privileges in the
     Domino Directory.
2. From the Domino Web Administrator, click the People & Groups tab.
3. Click People and select the user names you are deleting.
4. From the tools pane, click People - Delete.

5. Complete these fields:
Field / Enter
What should happen with the user's mail database(s)?
    Choose the appropriate option(s):
    • Do not delete the mail database - to delete the Person document but leave the user's mail files intact.
    • Delete the mail database on the user's home server - to delete mail files on the user's home server only.
    • Delete mail replicas on all other servers - this option is active only if Delete the mail database on the user's home server was chosen. This option deletes all mail database replicas on other servers.
Add user to Deny Access Group (This option is active only if one or more groups of type Deny Access exist.)
    To deny a user access to servers immediately:
    1. Click Groups.
    2. Select a Deny Access Group from the list.
    3. Click OK.
Delete user's Windows domain account
    Select this option to delete the user's corresponding Windows domain account.
Delete user from this Domino Directory immediately
    Select this option to remove the account from the Domino Directory immediately, while initiating Administration Process requests to remove the user's name from ACLs, Names fields, etc.
6. Click OK and then click Close.


To approve the mail file deletion
If you chose to delete any mail databases, including replicas, you must approve the requests in the Administration Requests (ADMIN4.NSF) database.
1. From the Web Administrator, choose Server - Analysis - Administration Requests (R6).
2. Select the Pending Administrator Approval view.
3. Depending on your choices when you deleted the user name, do one of the following:
• If you are certain you want to approve one or more requests without looking at details for those requests, select those requests, and click Approve Selected Requests.
• If you want to view detail on one or more requests before approving the deletion, select and open the request, click Edit Document, review the detail information, and then click Save and Close, or click Cancel.

Moving a user's mail file and roaming files from the Domino Administrator or the Web Administrator
You may need to move mail files when you need more space on a server or when users change jobs. When a mail file is moved, the Administration Process first moves it to a new server, then issues a request to delete the old mail file from its original mail server. You must approve this mail file deletion. The Administration Process also changes the information in the Mail file name and Mail server fields in the user's Location document.
Moving a user's mail file to a Lotus Domino Release 6 clustered server allows you to choose additional servers on which to create replicas. The user interface provides a list of all the servers (cluster mates) you can choose from. You can also click the server name to specify paths for each server.
Moving a mail database archive
You can move a mail database archive when you move a mail database to another server if the archive is located on the same server as the mail file. Mail archiving is usually done to save space on mail servers; therefore, if a mail database archive is on a different server there is typically no reason to move the archive. Mail databases are often moved for resource balancing purposes.
To move only a mail file
1. To move a user's mail files, you must have:
• Editor access with Create documents role, or Author access with the UserModifier role in the Domino Directory
2. From the Domino Administrator or Web Administrator, click the People & Groups tab.
3. Click People and select the person whose mail file you are moving.
4. Click Move to Another server.
5. Choose a destination server to which you are moving the mail file. If the destination server you choose is a clustered server, it appears checked in the Additional mail server field on this dialog box.
6. (Optional) Enter a new directory to which the mail file should be moved. You can accept the default of mail\.
7. (Optional) Click Link to Object Store if you are using shared mail and want to link the mail file to the object store.

8. (Optional) Choose one of these:
• From the Domino Administrator, click Remove all mail replicas if the server is in a cluster and you want all mail replicas to be deleted.
• From the Web Administrator, click Delete old replicas if the server is in a cluster and you want to delete mail file replicas from a cluster.
9. If you are working with clustered servers, you can select additional servers in the cluster to which the mail database can be moved. To select additional servers, click the check box next to the server name in the Additional mail server field.
10. Click OK.
11. Click Close.
To approve the mail file deletion
When the mail file is on the new mail server, you must approve the mail
file deletion in the Administration Requests database (ADMIN4.NSF).
1. From the Domino Administrator or the Web Administrator, click
Server - Analysis - Administration Requests (6).
2. Choose the Pending Administrator Approval view.
3. Locate the Approve mail file deletion request and open that request.
4. Click Edit Document. Review the request.
5. Click Approve Mail File Deletion.
6. Click Save and Close.
To move a user's mail file and/or roaming files
You can move a user's roaming files and mail files at the same time to the same destination server. However, if you want to move a user's roaming files to one server and the mail files to another server, you must complete the procedure twice: once for the roaming files and then once for the mail files. The roaming files that are moved are JOURNAL.NSF, BOOKMARK.NSF, and NAMES.NSF.
You can use this procedure to move any user's mail files, whether they are roaming users or not.


The files are moved by the Administration Process in the background so that you can continue to perform administration activities while the files are being moved.
1. To move a user's mail and/or roaming files, you must have:
• Editor with Create documents access, or Author access with the UserModifier role to the Domino Directory
• CreateReplica access to the destination server
• At least Author with Create documents access to the Certification Log (for roaming files move)
2. From the Domino Administrator or the Web Administrator, click the People & Groups tab.
3. Click People and select a user name.
4. From the tools pane, click People - Move to Another Server.
5. Complete these fields:
Field / Action
Destination
    Enter the name of the server to which you are moving the user's mail and/or roaming files. If the destination server you choose is a clustered server, it appears checked in the Additional mail server field on this dialog box.
Move roaming files into this folder
    Select this check box if you are moving a user's roaming files. This check box is not active if you are moving a nonroaming user. Accept the directory that is displayed or click the folder icon to choose another directory.
Move mail files into this folder on <server>
    Select this check box if you are moving a user's mail files. Accept the directory that is displayed or click the folder icon to choose another directory.
Link to Object Store
    If shared mail is enabled on the destination server, select this check box to link the mail file to the object store. This is active only if you are moving mail files.
Remove all mail replicas when moving off cluster
    Select this check box to remove all replicas of mail as well. There may be instances, during a move for example, when a user might need access to a replica for a short time. This is active only if you are moving mail files.
6. If you are working with clustered servers, you can select additional servers in the cluster to which the mail database can be moved. To select additional servers, click the check box next to the server name in the Additional mail server field.
7. Click OK.

To approve the requests
When the mail file is on the new mail server, be sure to open the Administration Requests database (ADMIN4.NSF). Locate the Approve file deletion request and approve the request. When the roaming files are on the new roaming server, locate the Approve file deletion requests for the roaming files in ADMIN4.NSF and approve them.
1. From the Domino Administrator or the Web Administrator, click
Server - Analysis - Administration Requests (6).
2. Choose the Pending Administrator Approval view.
3. Locate the Approve mail file deletion request and open that request.
4. Click Edit Document. Review the request.
5. Click Approve Mail File Deletion.
6. Locate the roaming file approval requests, and repeat steps 4 and 5
to approve the deletion of the roaming files.
7. Click Save and Close.

Recertifying a user ID
Before a user ID reaches its expiration date, recertify the user ID using the
original certifier ID. The user ID is recertified without renaming the user.
Use the Certificate expiration view to determine which certifiers need to
be recertified. Access this view from Files - Certlog.nsf - By Expiration
date. All certifiers are listed by expiration date.
For more information on certifiers and certification, see the chapter
Deploying Domino.
Note To recertify a user ID using a certifier other than the certifier used
to create the user ID, see Moving a user name in the name hierarchy in
this chapter.
To recertify a user ID
Follow these steps to use the Administration Process to recertify a
hierarchical ID that is about to expire.
1. To recertify a user ID, you must have:
• Author with Create documents access and the UserModifier role, or Editor access to the Domino Directory
• At least Author with Create documents access to the Certification Log (CERTLOG.NSF)
2. From the Domino Administrator, click the People & Groups tab.
3. Select the user to be recertified with the same certifier.


4. From the tools pane, select People - Recertify.
5. Complete these fields:
Field / Action
Server
    Do one of these:
    • If you are using the Lotus Domino 6 server-based CA, choose the server that is used to access the Domino Directory to look up the list of certifiers.
    • If you are supplying a certifier ID, select the server that is used to locate the list of certifiers so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors. This is also the server on which CERTLOG.NSF is updated.
Use the CA process
    Choose this option if you have configured the Lotus Domino 6 server-based CA. Select a CA configured certifier from the list and click OK.
Supply certifier ID and password
    Choose this option if you are using a certifier ID and password. Choose the certifier ID that certified the user's ID and click Open. For example, to rename Joe Smith/Sales/NYC/ACME, use the certifier ID named SALES.ID. Click Certifier ID to select an ID other than the one displayed. Enter the password for the certifier ID and click OK.
6. Verify the certifying ID information and complete the following fields:
Field / Action
New certificate expiration date
    (Optional) Specify a certifier ID expiration date other than the default two years from the current date.
Only renew certificates that will expire before
    (Optional) Enter a date to recertify only a subset of selected user IDs, according to their current expiration dates.
Edit or inspect each entry before submitting request
    (Optional) Select the option to edit or inspect each entry before submitting the request if you want to view each certificate before it is renewed.

7. If you selected the option to view each entry prior to its being submitted, the Recertify Person dialog box appears with non-modifiable information in the primary and common name fields. Review the information that displays, then select one of the following:
• OK - to submit the name change.
• Skip - if you are recertifying more than one user ID and you want to continue to the next without submitting a recertification for the current name.
• Cancel Remaining Entries - to cancel this recertification, as well as those for any other names you selected and have not yet submitted.
8. When the Processing Statistics dialog box appears, review the
information to verify that all name changes have succeeded. Click
OK. If any fail, check the Certifier Log (CERTLOG.NSF) to determine
the reason for the failure.

Recertifying a certifier ID or a user ID

Use this procedure to recertify a certifier ID or a user ID with the same certifier ID that was used previously to certify the certifier ID or user ID. Certifier IDs are used to certify other certifiers, servers, and users. A certifier ID issues a certificate to another user, server or certifier that is on the hierarchical level immediately below the certifier. For example, in the Organizational Unit Sales/NYC/ACME, NYC is the certifier for Sales; ACME is the certifier for NYC. The Organization certifier, in this case ACME, can certify itself.
You can also recertify a user ID with a different certifier ID, that is, a certifier ID other than the one used to previously certify the user ID. Although recertifying a user ID with a different certifier is allowed, it is not recommended that you do so using this procedure. In this case, you are renaming the user, which is a very complex process involving changes to ACLs for various databases, changes to lists of group members, and other related entries. Recertifying a user ID with a different certifier does not invoke the Administration Process, so all changes need to be made manually. To recertify a user with a different certifier ID, we recommend using the Rename tool and requesting a move to a new certifier; see the topic Moving a user name in the name hierarchy earlier in this chapter.
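The certifier hierarchy described above (NYC certifies Sales, ACME certifies NYC and itself) and the "Only renew certificates that will expire before" filter from the recertification dialog, worked through as an added Python example that is not code from the Domino documentation or product; the sample names and dates, and the <leaf>.ID file-name convention, are assumptions.

```python
"""Added example, not code from the Domino documentation or product: resolve
which certifier ID recertifies a hierarchical Notes name, and select the IDs
whose certificates expire before a cutoff date.  Names, dates and the
'<leaf>.ID' file-name convention below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class NotesId:
    name: str       # abbreviated ("Joe Smith/Sales/NYC/ACME") or canonical form
    expires: date   # expiration date of the certificate held in the ID file


def components(name: str) -> list[str]:
    """Split a name into its components, leaf first.  Canonical names carry
    CN=/OU=/O= prefixes (CN=Joe Smith/OU=Sales/OU=NYC/O=ACME); abbreviated
    names do not, and a leading slash (/Sales/NYC/ACME) is ignored."""
    parts = [p.strip() for p in name.strip("/").split("/") if p.strip()]
    if not parts:
        raise ValueError("empty name")
    return [p.split("=", 1)[1] if "=" in p else p for p in parts]


def issuing_certifier(name: str) -> str:
    """Hierarchical name of the certifier that issued, and so recertifies, this
    name: the level immediately above it.  The Organization certifier is the
    root of the hierarchy and certifies itself."""
    parts = components(name)
    if len(parts) == 1:            # Organization certifier, e.g. ACME
        return parts[0]
    return "/".join(parts[1:])     # drop the leaf: Sales/NYC/ACME -> NYC/ACME


def ancestors(name: str) -> list[str]:
    """All certifiers above the name, nearest first, ending at the Organization.
    These are the certificates an ID file is refreshed with on recertification."""
    parts = components(name)
    return ["/".join(parts[i:]) for i in range(1, len(parts))]


def certifier_id_file(certifier: str) -> str:
    """File name of a certifier ID under the assumed convention <leaf>.ID,
    matching the chapter's examples SALES.ID and NYC.ID."""
    return components(certifier)[0].upper() + ".ID"


def recertification_plan(ids: list[NotesId], expire_before: date) -> dict[str, list[str]]:
    """Apply the 'Only renew certificates that will expire before' filter and
    group the selected names by the certifier ID file needed to recertify them,
    earliest expiration first."""
    plan: dict[str, list[str]] = {}
    for nid in sorted(ids, key=lambda i: i.expires):
        if nid.expires < expire_before:
            id_file = certifier_id_file(issuing_certifier(nid.name))
            plan.setdefault(id_file, []).append(nid.name)
    return plan


# Constructed sample IDs: two users, one OU certifier and one server.
SAMPLE_IDS = [
    NotesId("Joe Smith/Sales/NYC/ACME", date(2002, 11, 30)),
    NotesId("CN=Ann Lee/OU=Sales/OU=NYC/O=ACME", date(2004, 6, 1)),
    NotesId("/Sales/NYC/ACME", date(2002, 12, 15)),
    NotesId("Mail01/NYC/ACME", date(2002, 10, 1)),
]

if __name__ == "__main__":
    for id_file, names in recertification_plan(SAMPLE_IDS, date(2003, 1, 1)).items():
        print(f"{id_file}: {names}")
```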


When you recertify an ID you can:
• Provide a new expiration date for certificates about to expire
• Add a new alternate name to the certifier ID
• Change the minimum password quality
Types of IDs you can recertify
You can recertify any of the following types of IDs:
• Organizational unit
• Server
• User
• Organization certifier (when it is used to certify itself)
For more information on certifier IDs, see the chapter Deploying Domino.
To recertify a certifier ID or a user ID
1. From the Domino Administrator, click Configuration.
2. From the tools pane, click Certification - Certify.
3. In the Choose a Certifier dialog box, make the following selections:
Field / Action
Server
    Do one of these:
    • If you are using the Lotus Domino 6 server-based CA, choose the server that is used to access the Domino Directory to look up the list of certifiers.
    • If you are supplying a certifier ID, select the server that is used to locate the list of certifiers so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors. This is also the server on which CERTLOG.NSF is updated.
Supply certifier ID and password
    Choose the certifier ID that issued the original certificate. For example, to recertify the certifier ID for /Sales/NYC/ACME, choose the /NYC/ACME certifier ID, which is NYC.ID. Click Certifier ID to select an ID other than the one displayed. Enter the password for the certifier ID and click OK.
    Note Although not recommended, you can choose a different certifier ID to recertify a user ID, instead of using the original certifying ID.
Use the CA process
    Choose this option to use the server-based certification authority (CA). Select a CA-configured certifier from the list and click OK.

4. In the Choose ID to Certify box, select the certifier ID or user ID that you want to recertify. For example, to recertify Sales/NYC/ACME, choose SALES.ID.
5. Enter the password and click OK.
6. In the Certify ID dialog box, complete the following fields as necessary:
Field / Enter
Current Server
    The registration server for the current certifier ID. (nonmodifiable)
Current certifier
    The name hierarchy of the certifier that issued the certificate. (nonmodifiable)
Expiration date
    (Optional) Specify a certifier ID expiration date other than the default two years from the current date.
Primary key
    Public half of the primary RSA key pair stored in the Notes ID file. This RSA key pair is used for electronic signatures on documents and certificates, and on mail encryption when both the sender and the recipient have a North American Notes license. This key pair is also used for network authentication. (nonmodifiable)
International key
    The public half of the international RSA key pair. This key pair is used for mail encryption when either the sender or the recipient is running with an International Notes license. (nonmodifiable)
Subject name list
    Certifier ID(s) you are working with.
Add
    Click to add and certify an alternate name. Select the alternate language, country code (optional), and the organization identifier for the language.
Rename
    Rename the alternate name selected in the Subject name list. This button is not available when recertifying user IDs. This button is enabled only when alternate languages have been assigned.
Remove
    Removes the alternate name selected in the Subject name list.
Password quality
    Move the slider to change the level of complexity and variety of characters entered for the password.
7. Click Certify.
For more information on alternate names, see the chapter Setting Up
and Managing Notes Users.


Finding a user name in the domain with the Domino Administrator or the Web Administrator
You can search for a user name in the domain and obtain logs that include document links and directory links to each occurrence of the user name. This procedure can be performed from the Domino Administrator or from the Web Administrator.
To find references to a user's name with the Domino Administrator
1. From the Domino Administrator, click the People & Groups tab.
2. Select one or more user name(s) that you want to locate in the domain.
3. From the tools pane, click People - Find Users.
4. Click Yes to initiate the Administration Request to locate all the occurrences of the selected name(s) in the enterprise.
To find references to a user's name with the Web Administrator
1. From the Web Administrator, click the People & Groups tab.
2. Enter the name of the user whose name you are trying to find.
3. Click Send.
4. (Optional) Continue adding user names that you want to search for.
5. Click Done.
To view the results of the name search
To view the log of locations where the user name(s) are located:
1. From the Domino Administrator or the Web Administrator, click Server - Analysis - Administration Request (6).
2. Select the All Requests by Action view and locate the Find Name in Domain request.
3. Double-click the report to access the Administration Process - Log document.

License Tracking
License Tracking allows you to monitor the number of active Notes users within a Notes domain. You can use License Tracking to determine how many client licenses you have, whether you need to purchase additional licenses, and when you need to purchase them.
Note License Tracking cannot be used in a hosted environment.

How license tracking works

Client usage is tracked on each server. When a user authenticates with a server using the Notes client, HTTP, IMAP, POP3, SMTP, or the LDAP protocol, the user's full canonical name, protocol, and time and date of access are collected. Once each day, an administration request sends the administration process information about new users and about users who have not accessed the server within the last 30 days. The administration process running on the administration server processes the request.
The administration process creates a new User License document in the
UserLicenses database (USERLICENSES.NSF) for each new user
reported in the administration request. Documents are updated with the
new time and date for those users who already have a document in the
User Licenses database. If a user does not access any servers in the
Domino domain for one full year, the corresponding User License
document is deleted from the User Licenses database.
Note If a user is deleted from the Domino Directory, the corresponding
User Licenses document is deleted. If a user is renamed, the
corresponding document is also renamed accordingly. Existing
administration requests are used to maintain this user information.
After the administration process updates USERLICENSES.NSF, the
License Tracking document in the Domino Directory is updated with the
total number of users whose information was tracked that night. The
License Tracking document is updated once each day. These daily updates
enable you to review this information at any time to obtain an up-to-date
report on the number of client licenses that you have available for use.
By default, administrators have Manager access to the User Licenses
database and users have no access.
Note The Server/Licenses view that displayed in Domino R5 is not part
of the License Tracking feature.

Enabling or disabling license tracking


Use this procedure to either enable or disable License Tracking.
1. From the Domino administrator, click the Configuration tab.
2. Choose Server - Configurations.
3. Select the server and click Edit Configuration.
4. On the Basics tab, in the License Tracking field, click Disabled or
Enabled according to what you want to do.
5. Click Save and Close.

Calculating the number of licenses in use

Use this procedure to recalculate the number of Notes and/or iNotes Web Access users in your domain. A document is created for each server in your domain, listing the number of Notes and iNotes Web Access users on each server.
1. From the Domino administrator, click the Files tab.
2. Open the License Tracking database.
3. Choose Licenses or Licenses - By Server and click Recalculate Licenses.

Custom welcome page deployment

For a consistent, custom appearance across a company or organization, you can create custom welcome pages, and then deploy them to users through policies and desktop settings documents. They can be as simple as a background with a company logo, or sophisticated pages with multiple frames and many different types of content.
You can create as many welcome pages as you want. However, there is a limit to the number of welcome pages that will display in the Default Welcome Page menu in the desktop settings. This limit is approximately ten pages, depending on the character length of the welcome page titles. The limit only affects how many welcome pages appear in the desktop settings menu. All welcome pages will be deployed to the users' bookmarks, no matter how many there are.
Create and work on your corporate welcome page database locally, and then copy it to the server when you are finished. This keeps users from seeing your changes in progress, ensuring that they only see finished pages.
Designate a default welcome page for individual users by deploying it in an explicit policy, or for entire organizations by using organizational policies.
Tip To ensure that a custom welcome page is available to set as the default for users, create that page first to make sure it will be available for selection on the desktop settings menu.

Creating the welcome page database

1. From the Domino Administrator, choose File - Database - New.
2. In the Server field, select Local.
3. In the Title field, enter the name of the new database. The file name is entered by default, but you can modify it. The file name can be anything except BOOKMARK.NSF.
4. In the Template Server field select Local.
5. Click Show advanced templates.
6. Click the Bookmarks (R6) template.
7. Click OK.

Creating welcome pages


You create corporate welcome pages the same way you create them in
the Notes client. For even more options and control over your welcome
pages, open your welcome page database in the Domino Designer and
run the Toggle advanced configuration editor agent.
When you finish working on welcome pages locally, copy the welcome
page database to a server to make it available to users.

Deploying welcome pages using desktop settings


1. Open the welcome page database on the server.
2. From the Domino Administrator click the People & Groups tab.
3. From the menu, choose Create - Policy Settings - Desktop Settings.
4. From the Domino Administrator task bar, click the welcome page
database and drag it to the Corporate Welcome Pages database field.
This creates a database link.
5. (optional) From the Default Welcome Page menu, select a welcome
page to appear automatically when users log in.
6. (optional) Click Do not allow users to change their home page to
prevent users from creating or selecting a home page other than the
default.
7. Click Save and Close.
Implement these desktop settings in one or more policies, and then
assign them to users to finish deploying your custom welcome pages.
The changes will deploy to users the next time they log in.
For more information on policies, see the chapter Using Policies.

Modifying and redeploying welcome pages


Keep your local copy of the welcome page database, and use it to work on
any changes you might want to make later. Once the changes to the local
database are complete, save the database and copy it to the server again.
You will then need to go back into each of the desktop settings
documents that point to the welcome page database and create new
database links to the new version. Once this is complete, the changes will
deploy to users the next time they log in.


Chapter 6
Setting Up and Managing Groups
This chapter describes how to create and manage groups.

Using groups
Groups are lists of users, groups, and servers that have common traits. They are useful for mailing lists and access control lists. Using groups can simplify administration tasks. For example, if you create a group called Terminations that lists all former employees, you can enter the Terminations group name in the Not access field in the Server Access section of the Security tab on each Server document. When an employee leaves the company, you add the employee's name to the Terminations group and then force replication of the Domino Directory to prevent the employee from having access to all servers in the domain. Using a Terminations group saves you the time and effort of manually adding individual employee names to each Server document when employees leave the company.
To create a group, you create a Group document in the Domino Directory. You can add registered users to the group as you create the Group document and you can add new users to a group as you register them. There is no limit to the number of names that you can add to a group. However, the total number of characters used for names in the group cannot exceed 15KB. To keep groups manageable, split a large list of users into two or more groups.
By default, the Domino Directory contains two groups: LocalDomainServers and OtherDomainServers. LocalDomainServers includes all servers in the current domain. Domino automatically adds servers that you register in the current domain to the LocalDomainServers group. OtherDomainServers includes all servers that are not in the current domain. For example, OtherDomainServers might include the names of servers in other companies with which your company communicates. If you set up a connection to a server in another company or domain, add the server name to the OtherDomainServers group.

A third group, LocalDomainAdmins, may reside in the Domino Directory if the Add LocalDomainAdmins group to all databases and templates check box was selected during first server setup for a domain. The LocalDomainAdmins group contains names of the domain administrators.
Each group must have an owner, usually an administrator or database manager.

Creating and modifying groups


Create and modify groups from the Domino Administrator. You can nest
one or more groups within an existing group, that is, create a group and
then add one or more existing groups as members of the new group. For
mail-routing, you can nest up to five levels of groups. For all other
purposes, you can nest up to six levels of groups. You can also use the
Web Administrator to create and modify groups.

Creating a group with the Domino Administrator


1. Make sure that you have Editor access or Author access with the
GroupCreator role in the Domino Directory.
2. From the Domino Administrator, click the People & Groups tab.
3. From the Servers pane, select the server to work from.
4. Select Domino Directories, and then select Groups - Add Group.
5. Complete these fields on the Basics tab:
Field / Action
Group name
    Enter a name for the group, using any of these characters: A - Z, 0 - 9, & - . _ ' (ampersand, dash, period, space, underscore, and apostrophe) for the name. A group name can be a maximum of 62 characters in length. For easier administration, use a name without spaces. Do not use a name that is in use as the name of an organizational unit in the hierarchical name scheme.
    Note Do not create group names containing a / (slash) unless you are working in a hosted environment. Using the / in group names in a non-hosted environment causes confusion with hierarchical naming schemes. Hierarchical names are required in a hosted environment.
Group type
    Select a group type. The group type specifies the purpose of the group and determines the views in the Domino Directory where the group name appears. For example, mailing list groups appear in the Mail Users view, and access control groups appear in the Access Control view. Using specific group types improves performance by reducing the size of view indexes in the Domino Directory.
    • Multi-purpose - Use for a group that has multiple purposes, for example, mail, ACLs, and so on. This is the default.
    • Access Control List only - Use for server and database access authentication only.
    • Mail only - Use for mailing list groups.
    • Servers only - Use in Connection documents and in the Domino Administration client's domain bookmarks for grouping.
    • Deny List only - Use to control access to servers. Typically used to prevent terminated employees from accessing servers, but this type of group can be used to prevent any user from accessing particular servers. The Administration Process cannot delete any member of the group.
Category
    (Optional) Choose a Category if you have created any. Use the category field to categorize groups in any way that you need to.
Description
    (Optional) Enter a description of the group in the Description field.
Mail Domain
    Enter the Domino domain in which this group's mail address will reside in the Mail Domain field.
Internet address
    Enter the Internet e-mail address for this group in the Internet Address field.
Members
    Click Members, select users, servers, or groups to add, click Add, and then click OK.

6. Click the Administration tab and make changes to these fields as necessary:
Field / Action
Owners
    Add an owner name or modify the list of group owners.
Administrators
    Add an administrator name or modify the list of group administrators.
Allow foreign directory synchronization
    Choose one:
    • Yes - To allow synchronization between a post office directory, such as the cc:Mail post office directory or a Microsoft Exchange Address Book, and the Domino Directory
    • No - To prevent synchronization between a post office directory, such as the cc:Mail post office directory or a Microsoft Exchange Address Book, and the Domino Directory
Last modified
    Non-modifiable field. Provides the hierarchical name of the last administrator that made changes to the Group document.

7. Click Save and Close.

Creating a group with the Web Administrator
Create groups from the Web Administrator, just as you would from the Domino Administrator.
1. Make sure that you have Editor access or Author access with the GroupCreator role in the Domino Directory.
2. From the Web Administrator, click the People & Groups tab.
3. Select Domino Directories, and then select Groups.
4. Click Add Group.

5. Complete these fields on the Basics tab:

Group name
Enter a name for the group, using any of these characters: A - Z, 0 - 9, & - . _ ' (ampersand, dash, period, space, underscore, and apostrophe) for the name. A group name can be a maximum of 62 characters in length. For easier administration, use a name without spaces. Do not use a name that is in use as the name of an organizational unit in the hierarchical name scheme.
Note Do not create group names containing a / (slash) unless you are working in a hosted environment. Using the / in group names in a non-hosted environment causes confusion with hierarchical naming schemes. Hierarchical names are required in a hosted environment.

Group type
Select a group type. The group type specifies the purpose of the group and determines the views in the Domino Directory where the group name appears. For example, mailing list groups appear in the Mail Users view, and access control groups appear in the Access Control view. Using specific group types improves performance by reducing the size of view indexes in the Domino Directory.
Multi-purpose - Use for a group that has multiple purposes, for example, mail, ACLs, and so on. This is the default.
Access Control List only - Use for server and database access authentication only.
Mail only - Use for mailing list groups.
Servers only - Use in Connection documents and in the Domino Administration client's domain bookmarks for grouping.
Deny List only - Use to control access to servers. Typically used to prevent terminated employees from accessing servers, but this type of group can be used to prevent any user from accessing particular servers. The Administration Process cannot delete any member of the group.

Category
(Optional) Choose a Category if you have created any. Use the Category field to categorize groups in any way that you need to.

Description
(Optional) Enter a description of the group in the Description field.

Mail Domain
Enter the Domino domain in which this group's mail address will reside in the Mail Domain field.

Internet address
Enter the Internet e-mail address for this group in the Internet Address field.

Members
Click the arrow to the right of the Members field, select users, servers, or groups to add, click Add, and then click OK.

6. (Optional) Click the Comments tab and enter comments as desired.
7. Click the Administrator tab and complete these fields as necessary.

Owners
Add an owner name or modify the list of group owners.

Administrators
Add an administrator name or modify the list of group administrators.

Allow foreign directory synchronization
Choose one:
Yes - To allow synchronization between a post office directory, such as the cc:Mail post office directory or a Microsoft Exchange Address Book, and the Domino Directory
No - To prevent synchronization between a post office directory, such as the cc:Mail post office directory or a Microsoft Exchange Address Book, and the Domino Directory

Last modified
Non-modifiable field. Provides the hierarchical name of the last administrator that made changes to the Group document.

8. Click Save and Close.

Modifying groups with the Domino Administrator or Web Administrator
Use the Domino Administrator or the Web Administrator to modify groups.

Adding members to a group with the Domino Administrator or Web Administrator
1. Make sure that you have Editor access or Author access with Create Documents role and GroupModifier privilege in the Domino Directory.
2. From the Domino Administrator or Web Administrator, click the People & Groups tab.
3. From the Domino Administrator, from the Servers pane, choose the server to work from. Omit this step if you are using the Web Administrator.
4. Select Domino Directories, and then select Groups.
5. Select the group to which you are adding members, and click Edit Group.
6. Do one of these:
From the Domino Administrator, click Members and then select users, servers, or groups to add.
From the Web Administrator, select the users, servers, or groups to add.
7. Click Add, and then click OK.
8. Click Save and Close.

Deleting members from a group with the Domino Administrator or Web Administrator
1. Make sure that you have Editor access or Author access with GroupModifier privilege in the Domino Directory.
2. From the Domino Administrator or Web Administrator, click the People & Groups tab.
3. From the Domino Administrator, from the Servers pane, choose the server to work from. Omit this step if you are working with the Web Administrator.
4. Select Domino Directories, and then select Groups.
5. Select the group from which you are deleting one or more members, and click Edit Group.
6. Do one of these:
From the Domino Administrator, click Members and then select users, servers, or groups to delete.
From the Web Administrator, select the users, servers, or groups to delete.
7. Click Remove and click OK.
Note From the Domino Administrator, to remove all members from the group, do not select any members; just click Remove All, and then click OK.
8. Click Save and Close.

Creating a Terminations group with the Domino Administrator or Web Administrator
You may want to create a group for employees who no longer have access to specific servers in your organization. When you are deleting a person from the Domino Directory, you can then add that person's name to a Terminations group that is assigned a group type of Deny List Only. This is particularly useful for preventing terminated employees from accessing servers.
1. Create a group named Terminations and assign it a group type of Deny List Only. For more information on creating groups, see Creating a group with the Domino Administrator or Creating a group with the Web Administrator.
Note Groups of the type Deny List Only do not have to be named Terminations; assign any name that you choose. We only suggest the name Terminations for clarity.
2. From the Domino Administrator or Web Administrator, follow instructions for deleting a user name, but on the Delete Person dialog box, locate the Add deleted user to Deny Access Group field and then click Groups.
For more information on deleting a user name, see the chapter Setting Up and Managing Notes Users.
3. Continue the delete process as usual, and then click OK.

Managing groups
To manage groups, you can do the following tasks:
Assign a policy to a group
Edit a group
Deleting a group with the Domino Administrator or the Web Administrator
Finding a group member
Finding a group name in the domain with the Domino Administrator or Web Administrator
Use the Manage Groups tool to add and remove group members
While managing groups, you may also need to recertify a certifier ID. To do so, see Recertifying a certifier ID or a user ID.

Assigning a policy to a group
To apply policy settings to an entire group, you can assign a policy to the group. Assign an Explicit policy or assign both an Explicit policy and an Organizational policy. An Explicit policy combined with an Organizational policy creates an effective policy for the group. You can use the Policy Synopsis tool to view how an effective policy affects the members of a group.
Prior to assigning policies to groups, familiarize yourself with all aspects of policies and how they are applied.
For more information on policies, see the topic Policies.
For more information on applying policy settings, see the topic Planning and assigning policies.
For more information on policies and policy settings, see the chapter Using Policies.
To assign a policy to a group
1. From the Domino Administrator, click the People & Groups tab.
2. Choose Groups and select the group to which you are assigning a policy.
3. Choose Tools - Groups - Assign Policy.
4. Complete these fields:

Selected
Non-modifiable field. Displays the name of the selected directory and the server on which the directory resides.

For:
Non-modifiable field. Displays the number of groups you have selected. This field is blank prior to finalizing the assignment of a policy.

Users with an existing policy
Non-modifiable field. Displays the number of users in the selected groups who already have policies applied to them. Prior to finalizing the assignment of the policy, this field displays Unknown. After the policy is applied, this field displays a value.

Policy
Choose an explicit policy from the list. If this field displays None Available, you have not created any explicit policies that can be applied to a group.

Allow replacement of policies
Click this check box to allow policies that have already been applied to users in the selected groups to be replaced by the policy you are now assigning.

View Policy Synopsis
Click this check box only if you are also assigning an organizational policy to the selected groups. A policy synopsis is composed of an explicit policy and an organizational policy. The synopsis shows the net effect of the two policies.
When you click this check box, the Choose Organizational Policy dialog box opens. Choose the Organizational policy that applies and click OK. The Policy Synopsis document appears.

Perform updates in background
Click this check box to update the group settings in the background according to what is specified in the policies. Performing all updates in the background allows you to continue using the Domino Administrator client while updates are being performed. Updates are done directly to the Domino Directory without using the Administration Process.

5. Click OK.

Editing a group
Use this procedure to edit any of the group attributes that are listed on the Group document in the Domino Directory. You can modify the group name, group type, description, group membership, group owner, administrator, and specify whether foreign directory synchronization is allowed. Foreign directory synchronization allows synchronization between a post office directory, such as the cc:Mail post office directory or a Microsoft Exchange Address Book, and the Domino Directory.
With group renaming, there isn't any tolerance for simultaneous occurrences of the new and old names while the name change makes its way across databases in the domain. For example, if a group name changes in the Domino Directory before it has a chance to change in a database ACL, the old group name in the database ACL is invalid. (This limitation doesn't occur with user and server renaming.) As a workaround, you can initiate the group rename action during non-peak work hours, for example, during the weekend, or you can immediately process the requests, rather than waiting for the changes to occur according to Administration Process schedules.
To edit a group
1. To edit a group, you must have:
At least Author with Create documents access to the Certification Log
Editor with Create documents access, or the UserModifier role to the Domino Directory
2. From the Domino Administrator, click the People & Groups tab.
3. Select Domino Directories, and then select Groups.
4. Select the group that you want to edit, and click Edit Group.
5. Make changes to any of the following fields on the Basics tab:

Group name
Enter a name for the group, using any of these characters: A - Z, 0 - 9, & - . _ ' (ampersand, dash, period, space, underscore, and apostrophe) for the name. A group name can be a maximum of 62 characters in length. For easier administration, use a name without spaces. Do not use a name that is in use as the name of an organizational unit in the hierarchical name scheme.
Note Do not create group names containing a / (slash). Using the / in group names causes confusion with hierarchical naming.

Group type
Select one of these:
Multi-purpose - Use for a group that has multiple purposes, for example, mail, ACLs, and so on. This is the default.
Access Control List only - Use for server and database access authentication only.
Mail only - Use for mailing list groups.
Servers Only - Use in Connection documents and in the Domino Administration client's domain bookmarks for grouping.
Deny List only - Use to control access to servers. Typically used to prevent terminated employees from accessing servers, but can be used to prevent any user from accessing particular servers. The Administration Process cannot delete any member of the group.

Category
(Optional) Select a category to which you are adding the group and click OK. The Category field can be used to categorize your groups in any manner that you want. If the category that you want to use is not listed in the dialog box, add the category name in the New Keyword field and click OK.

Description
Enter a description of the group.

Mail Domain
Enter the name of the mail domain for the group. This is especially useful for enterprises that have more than one mail domain.

Internet Address
Enter the Internet address that applies to the group.

Members
Add or remove group members. Type a member name in the field or double-click this field to open the Select Names dialog box, and then do any of the following:
Open another address book by selecting
Find names that begin with a specified string if you are unsure of the spelling or the complete name
Add a person or group to the group by selecting the person or group and clicking Add
Remove a group member by selecting the member in the right pane and clicking Remove
Remove all members of a group by clicking Remove All
Add a member to a group by clicking New, typing the member name, and clicking OK
View detailed information by selecting a person or group and clicking Details
Copy an entry from the open address book to the Local address book by selecting the name and clicking the Address Book icon
Open another Group document by selecting the group name and clicking Open

6. Click the Administration tab and make changes to any of these fields:

Owners
Add an owner name or modify the list of group owners.

Administrators
Add an administrator name or modify the list of group administrators.

Foreign directory synchronization allowed
Choose one:
Yes - To allow synchronization between a post office directory, such as the cc:Mail post office directory or a Microsoft Exchange Address Book, and the Domino Directory
No - To prevent synchronization between a post office directory, such as the cc:Mail post office directory or a Microsoft Exchange Address Book, and the Domino Directory

Last modified
Non-modifiable field. Provides the hierarchical name of the last administrator that made changes to the Group document.

7. (Optional) To sort the list of group members before saving the Group document, click Sort Member List.
8. Click Save and Close.
To immediately change the name of a group throughout the domain
1. To process the Rename Group in Address Book request immediately, choose the group rename action from the administration server for the Domino Directory and then enter this server command:
tell adminp process new
2. To immediately process the Rename in Person Documents request, from the administration server for the Domino Directory, enter the command:
tell adminp process daily
3. Replicate the modified Domino Directory and Administration Requests database from the administration server for the Domino Directory to all other servers in the domain.
4. To force processing of the Rename Group in Access Control List and Rename Group in Reader/Author fields requests on each server, on each server in the domain, enter the command:
tell adminp process all
For more information on server commands, see the appendix Server Commands.
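The rename window described above (the Directory already carries the new group name while a server's database ACLs still carry the old one until its Rename Group in Access Control List request is processed), as an added Python model that is not Domino code or the Notes API. The server, database and group names are constructed, and the model has no -Default- ACL entry.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Domino database access levels, lowest to highest
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class AclEntry:
    level: str
    kind: str  # "person", "server" or "group", as the ACL dialog marks entries


@dataclass
class Directory:
    """Stand-in for the Domino Directory: group name -> member names."""
    groups: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class Server:
    name: str
    acls: Dict[str, Dict[str, AclEntry]]                          # database file -> ACL
    pending: List[Tuple[str, str]] = field(default_factory=list)  # queued (old, new) renames


def rename_group(directory: Directory, servers: List[Server], old: str, new: str) -> None:
    """Rename Group in Address Book: the Directory changes at once, while the ACL
    rewrites are only queued, one request per server. Until a server processes
    its request, its ACLs still name the old group."""
    directory.groups[new] = directory.groups.pop(old)
    for server in servers:
        server.pending.append((old, new))


def process_acl_renames(server: Server) -> None:
    """What 'tell adminp process all' achieves on one server in this model:
    every queued Rename Group in Access Control List request is applied."""
    for old, new in server.pending:
        for acl in server.acls.values():
            if old in acl:
                acl[new] = acl.pop(old)
    server.pending.clear()


def effective_access(directory: Directory, server: Server, db: str, user: str) -> str:
    """Highest level the user gets from ACL entries naming the user or a group
    the Directory currently lists the user in."""
    acl = server.acls[db]
    names = {user} | {g for g, members in directory.groups.items() if user in members}
    ranks = [RANK[entry.level] for name, entry in acl.items() if name in names]
    return LEVELS[max(ranks, default=RANK["No Access"])]


def stale_group_entries(directory: Directory, server: Server) -> Dict[str, List[str]]:
    """Audit: group-type ACL entries that match no group in the Directory.
    Members of the renamed group get nothing from such an entry."""
    stale = {}
    for db, acl in server.acls.items():
        names = sorted(n for n, e in acl.items() if e.kind == "group" and n not in directory.groups)
        if names:
            stale[db] = names
    return stale


def demo():
    """Walk through the rename window on a constructed two-server domain."""
    directory = Directory({"Sales": ["Jane Doe/Acme"]})
    hub = Server("Hub/Acme", {"sales.nsf": {"Sales": AclEntry("Editor", "group")}})
    spoke = Server("Spoke/Acme", {"sales.nsf": {"Sales": AclEntry("Editor", "group")}})
    access = [effective_access(directory, spoke, "sales.nsf", "Jane Doe/Acme")]  # Editor

    rename_group(directory, [hub, spoke], "Sales", "SalesTeam")
    access.append(effective_access(directory, spoke, "sales.nsf", "Jane Doe/Acme"))  # No Access
    stale_before = {s.name: stale_group_entries(directory, s) for s in (hub, spoke)}

    process_acl_renames(hub)    # requests processed on the hub only
    stale_after = {s.name: stale_group_entries(directory, s) for s in (hub, spoke)}

    process_acl_renames(spoke)  # now processed on every server
    access.append(effective_access(directory, spoke, "sales.nsf", "Jane Doe/Acme"))  # Editor
    return access, stale_before, stale_after


if __name__ == "__main__":
    print(demo())
```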

Deleting a group with the Domino Administrator or the Web Administrator
Follow these steps to use the Administration Process to delete a group from the Domino Directory and from database ACLs and Extended ACLs. If the server is running Windows NT or Active Directory and contains a group account for this group, you can delete that group account, too.
For more information about synchronizing Domino and Windows NT or Domino and Active Directory, see the chapter Using Domino with Windows Synchronization Tools.

To delete a group with the Domino Administrator
1. To delete a group, you must have at least Author with delete documents access and the GroupModifier role, or Editor access to the Domino Directory.
2. From the Domino Administrator, click the People & Groups tab.
3. Select the name of the group you are deleting.
4. Click Delete Group and click Yes to continue.
5. If the server is running Windows NT or Active Directory, Domino prompts you to delete the corresponding group account from the Windows domain. Click Yes to delete the group account.
6. Select one of the following:
Yes - to immediately delete all references to the group in this replica of the Domino Directory.
No - to post a Delete in Address Book request in the Administration Requests database and have the Administration Process delete references to the group in the Domino Directory, and database ACLs and Extended ACLs.
Cancel - to cancel the request entirely.
7. Click OK.
Tip You can also delete a group from the Tools panel using Groups - Delete.

To delete a group with the Web Administrator
1. To delete a group, you must have at least Author with delete documents access and the GroupModifier role, or Editor access to the Domino Directory.
2. From the Web Administrator, click the People & Groups tab.
3. Select the name of the group you are deleting.
4. Click Tools - Groups - Delete.
5. Choose any of these options on the Delete Groups dialog box.

Delete group from this Directory immediately.
Click this check box to immediately delete all references to this group in this replica of the Domino Directory. If you do not choose this option, a Delete in Address Book request is posted in the Administration Requests database and the Administration Process deletes references to the group in the Domino Directory, database ACLs, and Extended ACLs.

Delete the group's Windows domain account.
Click this check box to delete the group's corresponding Windows domain account if one exists.

6. Click OK.
7. Click Close.

Finding a group name in the domain with the Domino Administrator or Web Administrator
Use this procedure to locate every occurrence of one or more specific group names within a domain. This is especially useful when moving groups to other servers or domains or when verifying that you have completely deleted a group name from your domain.
To find a group name with the Domino Administrator
1. From the Domino Administrator, click the People & Groups tab.
2. Select one or more group name(s) that you want to locate in the domain.
3. From the Tools pane, click Groups - Find Group(s).
4. Click Yes to initiate the Administration Request to locate all the occurrences of the selected group(s) in the enterprise.

To find a group name with the Web Administrator
1. From the Web Administrator, click the People & Groups tab.
2. From the Tools pane, click Groups - Find Group(s).
3. Enter a group name in the Find Groups dialog box and click Send.
4. (Optional) Continue adding group names that you want to search for.
5. Click Done.
To view the log of locations
To view the log of locations where the group name(s) are located:
1. From the Domino Administrator, click Server - Analysis - Administration Requests (6).
2. Select the view All Requests by Action and access the Find Name in Domain request.
3. Double-click the request to access the Administration Process - Log document. Locate the Links to items found within Domino Directory documents: field. This field contains the links to the Group documents located using the Find Groups action.

Using the Manage Groups tool to manage groups
The Manage Groups option on the tools pane provides a quick and easy method for managing existing Domino groups. You can open any Domino Directory to which you have access, and you can then add or remove people and groups from groups as necessary. You can also view details on groups.
To use the Manage Groups tool
1. From the Domino Administrator, click the People & Groups tab.
2. From the tools pane, click Groups - Manage.
3. Complete these fields as necessary:

People and Groups

Look In
The directory that you want to open. A list of all users and groups in the directory is displayed.

Group Hierarchies

Look in
The directory containing the group you are managing.

Show me
Choose one:
All group hierarchies - To display all of the group hierarchies in the selected directory.
Only member hierarchies - To display all of the groups in which the selected user is a member.

List alphabetically
Lists alphabetically, all people and groups in the selected directory.

List by organization
Lists by organization, all people and groups in the selected directory.

Show group type
Multi-purpose - Use for a group that has multiple purposes, for example, mail, ACLs, and so on. This is the default.
Access Control List only - Use for server and database access authentication only.
Mail only - Use for mailing list groups.
Servers Only - Use in Connection documents and in the Domino Administration client's domain bookmarks for grouping.
Deny List only - Use to control access to servers. Typically used to prevent terminated employees from accessing servers, but can be used to prevent any user from accessing particular servers. The Administration Process cannot delete any member of the group.

4. Do any of the following:
To add a member to a group, select the group in the Group hierarchies pane, then select the user or group from the People & Groups list, and click Add.
To remove a member from a group, select the member from the Group hierarchies pane, and click Remove. To remove all members from a group, click the Member field, do not select any members, and click Remove All, and then click OK.
To view a group document, select the group from the Group hierarchies pane and click Details.
5. When you finish managing groups, click Done.

Finding a group member
You can quickly locate a group member by completing the following procedure.
1. From the Domino Administrator, click the People & Groups tab, and then click Groups.
2. On the Action bar, click Find Group Member.
Note You may have to scroll to the right to reveal the button.
3. Enter the common name (for example, Jane Doe) and click OK. If the group member is found, a check mark appears next to the group or groups in which the member name is located.
Tip You can also find a group member from the Domino Directory, Groups view.

Chapter 7
Creating Replicas and Scheduling Replication
This chapter explains how to set up replicas and schedule replication.

Replicas
To make a database available to users in different locations, on different networks, or in different time zones, you create replicas. All replicas share a replica ID which is assigned when the database is first created. The file names of two replicas can be different, and each replica can contain different documents or have a different database design; however, if their replica IDs are identical, replication can occur between them.
As users add, edit, and delete documents in different replicas of a database, the content in the replicas is no longer identical. To ensure that the content in all replicas remains synchronized, you use Connection documents to schedule replication between the servers that store the replicas. Then multiple sites, teams, and users can make changes to a database and share those changes with everyone else who has access to that database. In addition, using replicas and scheduling replication reduces network traffic. Users never need to connect to a single central server that stores the only replica of a particular database. Instead, they can access a replica of that database on one or more local servers.
These distributed replicas can also be Web sites that are hosted on different Lotus Domino 6 servers. Then users aren't dependent on one server when they attempt to access critical applications over the Internet. If one server is unavailable, users can access another replica of the database on another server. You can also use replicas to help manage ongoing Web site design. On one server, you can set up a Web staging area where you design and test new pages. When the design changes are tested and ready to be released, you can replicate this server with the server storing the replica of the Web site that is available to users. By using replicas and replication this way, you prevent Web users from seeing your work-in-progress.
A replica of a database isn't the same as a copy of a database that you make by choosing File - Database - Copy. Although a copy of a database may look the same as the original database, a copy doesn't share a replica ID with the original database and so it can't replicate with it.

Deciding when to create a replica
Plan your replica strategy carefully, and create replicas on servers only when necessary. The more replicas, the greater the demand on server and network resources and the greater the need for additional maintenance. To prevent unnecessary proliferation of replicas, assign Create Replica server access to only a few administrators. Then tell users and application developers to send their requests for new replicas to these administrators.
Create a replica of a database to:
Improve performance of a heavily used database.
Distribute network traffic.
Keep a database that you're redesigning separate from a production version of the database.
Keep a database available even if one server goes down.
Make a database available to users in remote locations.
Provide a replica containing only a subset of information that is relevant to a particular workgroup.
Set up Domino system administration, for example, you must create replicas of the Domino Directory, the Administration Requests database, and other critical system databases.
Place a replica of a master template on each server that stores a database that inherits from the master template.
Create a backup database from which you can restore information if data becomes corrupted; since corrupted data often replicates, use this only as a secondary backup method.
Keep in mind that two replicas will contain slightly different content between replications. If users need access to the most up-to-date information in a database, you can create replicas on clustered servers and then set up replication in clusters. In a cluster, all replicas are always identical because each change immediately replicates to other servers in the cluster.
For more information on setting up individual databases for replication, see the topic Creating replicas using the Administration Process in this chapter.

How server-to-server replication works


For server-to-server replication, the Replicator on one server calls
another Domino server at scheduled times. By default, the Replicator is
loaded at server startup.

During scheduled replication, by default, the initiating server first pulls


changes from the destination server and then pushes changes to the
destination server. As an alternative, you can schedule replication so that
the initiating server and destination server each pull changes or so that
the initiating server pulls changes only or pushes changes only.
You can also use the server commands Pull, Push, and Replicate to
initiate replication between servers.
For more information on server connections and Connection documents,
see the chapter Setting up Server-to-Server Connections.

Replication, step-by-step
To fully-understand replication, you need to be familiar with the
information in the topics Guidelines for setting server access to
databases and with Setting up a database ACL for server-to-server
replication in this chapter. You also need to fully familiarize yourself
with the information on replication in the appendix Server Commands.
1. Replication is initiated by a server or a workstation in one of the
following ways:
Replication schedule settings in a Connection document take
effect.
A replication command to replicate immediately is issued at the
server console. The server console commands include replicate,
pull, push, and load replica.
Settings in a Program document. The Program document starts a
new task on the server rather than sending work to an existing
task.

Creating Replicas and Scheduling Replication 7-3

Configuration

To schedule replication between servers, the servers must be able to


connect to each other in order to update replicas. You may need to create
Connection documents to enable server connections, depending on your
server topology. As users add, edit, and delete documents in a database,
the replicas contain slightly different information until the next time the
servers replicate. Because replication transfers only changes to a
database, the network traffic, server time, and connection costs are kept
to a minimum.

A replication command to replicate immediately is issued by an


end-user working in the Notes client user interface. This is done
from a workstation only, not from a server.
Scheduled replication from a Notes client. This is done from a
workstation only.
The servers authenticate each other by finding a certificate in
common and testing to be sure that certificates are authentic.
For more information on server console replication commands, see the
appendix Server Commands.
For more information on the Program document, see the appendix
Server Tasks.
2. The Replicator constructs a list of local files to replicate and asks the
remote server to find those that have a match with the list of local
files.
Note If the server initiating the replication cannot connect to the
remote server, or if it cannot search the remote server (Server B),
replication fails.
3. When the Replicator finds a match, it looks at the replication history to find the last time the replicas replicated. The Replicator uses the history in the local database, which is the destination database when pulling and the source database when pushing. Typically there are two such entries, one for each direction (push/pull).
If there is no entry in the replication history, if access rights have changed, or if the selective replication settings have changed, the Replicator has to search all documents in the source database, not just those that have changed since the last replication.
4. The Replicator searches the source replica for changes that have occurred since the last replication.
The Replicator constructs a list of documents in the source database that have changed since the last successful replication. (For a pull, the source is the database on the remote server; for a push, the source is the database on the local server.) The list is restricted by the Selective Replication Settings. The time that the search begins is recorded in the replication history so that succeeding replications do not process changes that have already been replicated.
If the data in the source database has not changed since the last successful replication to the destination database, no replication takes place and the replication history is not updated.

7-4 Administering the Domino System, Volume 1

5. Replication between the source database and the destination database occurs. The replication history is updated for replication from the source database to the destination database. If access is sufficient, the replication history for both the source and destination databases is updated.
If replication is not successful, the replication history is not updated and the next replication will search the same databases again.

Guidelines for setting server access to databases

For replication to occur properly, you must assign servers the appropriate access in the database ACL. Follow these guidelines when you set server access to databases.

Assign an access level that is at least as high as the highest user access level
For example, design changes made to the replica on Server A replicate to Server B only if the replica on Server B gives Server A at least Designer access.

Include servers in read access lists for database design elements
If a database design element has a read access list associated with it that allows access only to certain users with Reader access, include the names of replicating servers in the read access list in addition to giving those servers Reader access in the database ACL. For example, if a replica on Server A includes a form access list that limits who can read documents created with the form, include Server B in the read access list and give Server B at least Reader access in the ACL to allow Server B to pull new documents and changes to documents created with the form.

Assign appropriate access to intermediate servers
If replication occurs through an intermediate server, the intermediate server acts first as a destination server, then as a source server, and must have the access level necessary to pass along the changes. For example, if you want ACL changes on Server A's replica to replicate to Server C by way of Server B, Server B's replica must give Manager access to Server A, and Server C's replica must give Manager access to Server B.

Assign Reader access for one-way replication


Give a server Reader access to a replica when you want to allow the
server to receive information from the replica but not to send changes
back. For example, to allow Server B to receive changes from a replica on
Server A but not to send changes to Server A, give Server B Reader
access to the replica on Server A.

Assign Editor access to allow author changes to replicate

If a replica includes an Authors field that allows authors to modify their own documents, a server must have at least Editor access, not Author access, to replicate these modifications. For example, changes made to Server A's replica by someone with Author access replicate to Server B only if Server B's replica gives Server A at least Editor access.

Setting up a database ACL for server-to-server replication


You add the names of servers to a database ACL in the same way that
you add the names of people. The access level given to a server in an
ACL determines what, if any, changes that server can replicate to the
replica.
For more information on setting up a database ACL, see the chapter
Controlling User Access to Domino Databases.

Default server groups in an ACL


By default, every database ACL includes the server groups
LocalDomainServers and OtherDomainServers.
LocalDomainServers
This group represents servers that are in the same Domino domain as the
server that stores the replica. Typically you assign this group a higher
access level in the database ACL than the OtherDomainServers group.
OtherDomainServers
This group represents servers that are not included in the Domino
domain of the server that stores the replica. Typically you assign this
group a lower access level in the database ACL than
LocalDomainServers. For example, assigning this group Reader access in
the ACL ensures that the local Domino domain retains control over the
database.

Note: Do not add the names of servers from outside companies to LocalDomainServers or to OtherDomainServers. Both these groups are included in all databases by default and may have a high access level in some cases. Instead, create a group specifically for the external servers with which your company communicates; for example, create a group called External Servers. Then add this group to database ACLs as needed.

Access level privileges


For each access level, you can select or deselect these privileges:

Create documents

Delete documents

Create personal agents

Create personal folders/views

Create shared folders/views

Create LotusScript/Java agents

Read public documents

Write public documents

In general, for servers, enable all the privileges that the selected access level allows. This ensures that the server has access that is as high as users might have and can replicate all user changes. However, to prevent certain changes from replicating without deselecting privileges for each user, you can deselect a particular privilege for a server entry in the ACL. For example, to prevent all document deletions made in a database on a particular server from replicating, deselect "Delete documents" in the ACL entry for the server. Then when users who have "Delete documents" access in the ACL delete documents, the deletions don't replicate.
For more information on setting up database ACLs, see the chapter "Controlling User Access to Domino Databases."

For more information on setting up groups, see the chapter "Setting Up and Managing Groups."

Server access levels

This table describes access levels in terms of server access, from the highest access to the lowest. For each level it lists the changes a server with that access can push and the servers you would typically assign it to.

Manager
  Allows a server to push: ACL settings; database encryption settings; replication settings; all elements allowed by lower access levels.
  Assign to: Servers you want to use as a source for ACL changes. For tight database security, give this access to as few servers as possible. In a hub-and-spoke server configuration, you typically give the hub server Manager access.

Designer
  Allows a server to push: Design elements; all elements allowed by lower access levels.
  Assign to: Servers you want to use as the source for design changes. Use Manager access instead if you want one server to control ACL and design changes.

Editor
  Allows a server to push: All new documents; all changes to documents.
  Assign to: Servers that users use only to add and modify documents. In a hub-and-spoke configuration, you typically give the spoke servers Editor access.

Author
  Allows a server to push: New documents.
  Assign to: No servers. You don't typically use this access for servers.

Reader
  Allows a server to push: No changes; the server can only pull changes.
  Assign to: Servers that should never make changes. Servers in the OtherDomainServers group are often given Reader access.

Depositor
  Allows a server to push: New documents. Also prevents the server from pulling changes.
  Assign to: No servers. You don't typically use this access for servers.

No Access
  Allows a server to push: No changes. Also prevents the server from pulling changes.
  Assign to: Servers to which you want to deny access. Servers in the OtherDomainServers group are sometimes given No Access.

Note: A database that doesn't replicate should have at least one server in its ACL to serve as the administration server for the database. This allows the Administration Process on a server to update names in the ACL when names in the organization change.
For more information on administration servers, see the chapter "Setting Up the Administration Process."
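The guidelines above and this table can be checked mechanically before a replication topology goes live. The following Python script is an added illustration, not part of this book or of Domino: it models a replica ACL as the level and privileges each server grants another server, walks a replication path hop by hop (an intermediate server is a destination first, then a source) and reports the first hop that blocks a class of change. The server names and ACL entries are constructed; the level thresholds come from the table above, and the pull-side check follows the table's statement that Depositor and No Access prevent a server from pulling.

```python
"""Audit which classes of change can replicate along a path of Domino servers,
given what each replica's ACL grants the other servers.  Added illustration,
not Domino code: thresholds follow the 'Server access levels' table of this
chapter; the server names and ACLs below are constructed examples."""

LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Minimum level a destination replica's ACL must grant the sending server for
# each class of change (Author/Depositor are not used for servers, so document
# changes, including author-made edits, need Editor).
MIN_LEVEL = {
    "new documents": "Editor",
    "document changes": "Editor",
    "document deletions": "Editor",
    "design elements": "Designer",
    "acl settings": "Manager",
}
# A privilege that can be deselected on a server's ACL entry to stop one class
# of change without lowering the level (the 'Delete documents' example above).
PRIVILEGE = {"document deletions": "Delete documents"}

ALL_PRIVS = frozenset({
    "Create documents", "Delete documents", "Create personal agents",
    "Create personal folders/views", "Create shared folders/views",
    "Create LotusScript/Java agents", "Read public documents",
    "Write public documents",
})

# Constructed hub-and-spoke ACLs:
# ACLS[server_holding_replica][other_server] = (level, privileges) that the
# replica on server_holding_replica grants other_server.
ACLS = {
    "Hub/Acme": {
        "Sales-Bos/Acme": ("Editor", ALL_PRIVS),
        "Sales-Hart/Acme": ("Editor", ALL_PRIVS - {"Delete documents"}),
        "Partner/Other": ("Reader", frozenset()),      # one-way: pull only
    },
    "Sales-Bos/Acme": {"Hub/Acme": ("Manager", ALL_PRIVS)},
    "Sales-Hart/Acme": {"Hub/Acme": ("Manager", ALL_PRIVS)},
    "Partner/Other": {"Hub/Acme": ("Editor", ALL_PRIVS)},
}


def hop_allows(change, src, dst, acls, pulled_by_dst=True):
    """Return None if `change` can move from the replica on src to the replica
    on dst, otherwise a string saying which ACL entry blocks it."""
    level, privs = acls[dst].get(src, ("No Access", frozenset()))
    needed = MIN_LEVEL[change]
    if RANK[level] < RANK[needed]:
        return f"{dst} grants {src} {level}; {needed} needed for {change}"
    priv = PRIVILEGE.get(change)
    if priv and priv not in privs:
        return f"{dst} grants {src} {level} without '{priv}'"
    if pulled_by_dst:
        # dst initiates the pull, so it must be able to read src's replica:
        # Depositor and No Access prevent a server from pulling changes.
        read_level, _ = acls[src].get(dst, ("No Access", frozenset()))
        if RANK[read_level] < RANK["Reader"]:
            return f"{src} grants {dst} {read_level}; {dst} cannot pull"
    return None


def audit_path(change, path, acls=ACLS, pulled_by_dst=True):
    """Walk a path such as spoke -> hub -> spoke.  Each intermediate server acts
    first as a destination, then as a source, so every hop must allow the
    change.  Returns (True, None) or (False, reason) at the first blocked hop."""
    for src, dst in zip(path, path[1:]):
        reason = hop_allows(change, src, dst, acls, pulled_by_dst)
        if reason:
            return False, reason
    return True, None


if __name__ == "__main__":
    checks = [
        ("acl settings", ["Sales-Bos/Acme", "Hub/Acme", "Sales-Hart/Acme"]),
        ("new documents", ["Sales-Bos/Acme", "Hub/Acme", "Sales-Hart/Acme"]),
        ("document deletions", ["Sales-Hart/Acme", "Hub/Acme", "Sales-Bos/Acme"]),
        ("new documents", ["Hub/Acme", "Partner/Other"]),
        ("new documents", ["Partner/Other", "Hub/Acme"]),
    ]
    for change, path in checks:
        ok, why = audit_path(change, path)
        print(f"{change:20} {' -> '.join(path):48} "
              f"{'OK' if ok else 'BLOCKED: ' + why}")
```

The first check shows the intermediate-server rule from the guidelines: an ACL change from a spoke stops at the hub because the hub's replica grants the spoke only Editor.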

Creating replicas using the Administration Process

Through the Domino Administrator you can use the Administration Process to initiate the creation of one or more replicas. You can create replicas on servers in the same domain or in another domain. You should make sure that Connection documents are in place to schedule replication between the source and destination servers, unless the servers are members of the same cluster, in which case this is not strictly necessary.
For more information on the administration requests that are processed while creating a replica, see the appendix "Administration Process Requests."
1. If you are creating a replica on a destination server in another domain, make sure that:
  There is an outbound Cross Domain Configuration document in the Administration Requests database (ADMIN4.NSF) on the source server that allows the Administration Process to export Create Replica requests to the destination server.
  There is an inbound Cross Domain Configuration document in the Administration Requests database on the destination server that allows the Administration Process to import Create Replica requests from the source server's domain.
  Connection documents enabled for mail are in place that allow the source server to send mail to at least one server in the destination server's domain.
  You've set up cross-certification if servers in the two domains do not share a common certifier.
2. Make sure that you:
  Have Create Database access in the Server document of the destination server(s).
  Have at least Reader access in the ACL of the databases on the source server.
3. Make sure that the source server:
  Is running the Administration Process.
  Has Create Replica access in the Server document of the destination server(s).
  Note: Do not use the wild card character (*) in the Create Replica field of the destination server's Server document because this character causes the request to fail.
4. Make sure each destination server:
  Is running the Administration Process.
  Has at least Reader access in the ACL of the source replica.
5. From the Domino Administrator, select the source server in the
server pane on the left. To expand the server pane, click the servers
icon in the server pane.
6. Click the Files tab.
7. In the files window, select one or more databases for which you want
to create replicas.
8. From the Tools pane, choose Database - Create Replica. Or, drag the
selected database(s) to the Create Replica tool.
9. (Optional) If the current domain includes a cluster, click Show only
cluster members to display only destination servers that are
members of the cluster.
10. Select one or more destination servers. To select a server if it doesn't appear in the list, select Other, specify the hierarchical server name, then click OK.
11. (Optional) Select a destination server, click File Names to choose a custom file path on the destination server for any database you're replicating, and then click OK. You can repeat this procedure for each destination server. If you don't choose this option, the database is stored on the destination server in the same location as on the source server.
To put the replica in a directory below the data directory, type the directory name, a backslash, and then the file name; for example, JOBS\POSTINGS. If the specified directory does not exist, Domino creates it for you.
12. Click OK. A dialog box shows the number of databases processed
and indicates if any errors occurred.
Creating replicas by dragging databases to a destination server
You can drag and drop databases to a destination server icon to create
replicas on that server. When you use this method, store all replicas in
one, preexisting directory on the destination server. This method uses the
Administration Process to automate creation of the replica.
1. From the Domino Administrator, click the Files tab.
2. Select one or more databases you want to replicate in the files pane.
3. Drag the selected databases to a destination server in the server pane
on the left.

4. In the dialog box that appears, select Create replica, select a directory on the destination server in which to store the replica(s), then click OK.

Table of replication settings

By default, two replicas exchange all edits, additions, and deletions if the servers the replicas are on have the necessary access. However, you can customize replication. For example, to save disk space, you can prevent the transfer of documents that are not pertinent to your site.
You can specify replication settings on a new replica as you create it or on an existing replica. You can specify some replication settings for multiple replicas at once from a central source replica. You must have Manager access to a replica to set replication settings for it.
Caution: Replication settings are not intended to be used as a security measure.
This table summarizes the available replication settings, what each one controls, and the panel of the Replication Settings dialog box on which it appears.

Remove documents not modified in the last x days
  Controls: When Domino purges document deletion stubs and, optionally, unmodified documents.
  Panel option: Space Savers

Only replicate incoming documents saved or modified after: date
  Controls: The cutoff date, so that a replica only receives documents created or modified since the date. Also which documents are scanned during the first replication after clearing the replication history.
  Panel option: Other

Receive summary and 40KB of rich text only
  Controls: The size of documents that a replica receives.
  Panel option: Space Savers

Replicate a subset of documents
  Controls: Which documents a replica receives.
  Panel option: Space Savers, Advanced

Replicate
  Controls: Which non-document elements this replica receives.
  Panel option: Advanced

Do not send deletions made in this replica to other replicas
  Controls: Whether a replica can send document deletions to other replicas.
  Panel option: Send

Do not send changes in database title & catalog info to other replicas
  Controls: Whether a replica can send changes to the database title and Database Catalog categories to other replicas.
  Panel option: Send

Do not send changes in local security property to other replicas
  Controls: Whether a replica can send changes to the Encryption database property (in the Basics tab of the Database Properties box) to other replicas.
  Panel option: Send

Temporarily disable replication
  Controls: Whether a replica can replicate.
  Panel option: Other

Scheduled replication priority
  Controls: The replication priority of a database used in Connection documents for scheduling replication.
  Panel option: Other

CD-ROM publishing date
  Controls: The publishing date for a database on a CD-ROM.
  Panel option: Other

You can manage these settings for multiple replicas from a central source replica.
For more information, see the topic "Specifying replication settings for multiple replicas from one source replica" in this chapter.

Limiting the contents of a replica

Use the following replication settings to limit the size of a replica or to display a subset of information relevant to a particular group of users.

Remove documents not modified in the last x days
The number of days specified here, known as the purge interval, controls when Domino purges deletion stubs from a database. Deletion stubs are markers that remain from deleted documents so that Domino knows to delete the documents in other replicas of the database. Because deletion stubs take up disk space, Domino regularly removes deletion stubs that are at least as old as the value specified. It checks for deletion stubs that require removal at 1/3 of the purge interval. For example, assuming the default value, 90 days, when a user opens a database, Domino checks if it has been at least 30 days since it removed deletion stubs, and if so it removes any deletion stubs that are at least 90 days old. The Updall task, which runs by default at 2:00 AM, also removes deletion stubs.
You can shorten the purge interval, if you want, but be sure to replicate more frequently than the purge interval; otherwise, deleted documents can be replicated back to the replica.
Optionally, you can select the check box to remove documents in the replica that haven't changed within the purge interval. If you select the check box, when Domino removes deletion stubs it also removes documents that haven't changed within the specified number of days. These documents are purged, meaning no deletion stubs remain for the documents, so the documents aren't deleted in other replicas. The "Only Replicate Incoming Documents Saved or Modified After: date" setting prevents the purged documents from reappearing through replication. If the other replicas have this check box selected, similar document purging occurs in them.
Caution: If you select the check box on a non-replicated database, documents are lost and you can only recover them from a system backup.
Note: Domino regularly removes deletion stubs according to the purge interval even if you don't select the check box.

Only Replicate Incoming Documents Saved or Modified After: date
A replica can only receive documents created or modified since the date specified. If you clear the database replication history, during the next replication Domino scans only documents created or modified since the date specified here. If you clear the date before clearing the replication history, Domino scans all documents in the database.
Use this option in conjunction with clearing the replication history to solve replication problems. If you clear or change this date, when Domino next purges deletion stubs, it resets the date to correspond to the number of days specified in the "Remove documents not modified in the last x days" setting. For example, if Domino purges deletion stubs on 1/1/99 and the "Remove documents not modified in the last x days" setting is 90, on 1/1/99 Domino resets the date to 10/1/98. If the check box is selected in the "Remove documents not modified in the last x days" setting, meaning documents that meet the purge interval criteria are purged as well as deletion stubs, this automatic date reset ensures that the purged documents aren't replicated back into the replica.
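To make the purge-interval rule concrete, here is an added Python simulation (not Domino code and not from this book) of two replicas: it deletes a document on one replica, purges deletion stubs on the 1/3-interval check described above, and shows that when replication happens less often than the purge interval the deleted document comes back from the other replica. The daily database open, the fixed replication schedule and the document ID are constructed assumptions.

```python
"""Day-by-day model of deletion stubs, the purge interval and why replication
must happen more often than the purge interval.  Added illustration, not Domino
code: the daily 'database open' and the fixed replication schedule are
simplifying assumptions; the 1/3-interval check and the 'at least purge
interval days old' rule follow the text of this chapter."""
from dataclasses import dataclass, field


@dataclass
class Replica:
    docs: set = field(default_factory=set)      # IDs of live documents
    stubs: dict = field(default_factory=dict)   # doc ID -> day it was deleted
    last_purge_check: int = 0

    def delete(self, doc, day):
        """A user deletes a document: it is replaced by a deletion stub."""
        self.docs.discard(doc)
        self.stubs[doc] = day

    def purge_stubs(self, day, purge_interval):
        """On open, Domino checks every purge_interval/3 days and removes the
        stubs that are at least purge_interval days old.  Returns purged IDs."""
        if day - self.last_purge_check < purge_interval // 3:
            return []
        self.last_purge_check = day
        old = [d for d, deleted_on in self.stubs.items()
               if day - deleted_on >= purge_interval]
        for d in old:
            del self.stubs[d]
        return old


def pull(src, dst):
    """dst pulls from src.  A stub on src deletes the document on dst; a live
    document on src that dst holds neither as a document nor as a stub is new
    to dst (this is the path by which a purged deletion comes back)."""
    for doc, deleted_on in src.stubs.items():
        if doc in dst.docs:
            dst.docs.discard(doc)
            dst.stubs[doc] = deleted_on
    for doc in src.docs:
        if doc not in dst.docs and doc not in dst.stubs:
            dst.docs.add(doc)


def simulate(purge_interval, rep_interval, days=200, doc="doc-1"):
    """Delete `doc` on replica A on day 1 and replicate both ways every
    rep_interval days.  Returns True if the deleted document reappears on A."""
    a, b = Replica({doc}), Replica({doc})
    a.delete(doc, 1)
    for day in range(1, days + 1):
        a.purge_stubs(day, purge_interval)   # both databases are opened daily
        b.purge_stubs(day, purge_interval)
        if day % rep_interval == 0:
            pull(a, b)
            pull(b, a)
    return doc in a.docs


if __name__ == "__main__":
    for rep in (30, 60, 120):
        back = simulate(purge_interval=90, rep_interval=rep)
        print(f"purge 90 days, replicate every {rep:3} days: "
              f"{'deleted document came back' if back else 'deletion held'}")
```

With the default 90-day purge interval, replicating every 120 days lets replica A purge its stub before replica B ever learns of the deletion, so B's copy replicates back as a new document.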

Receive summary and 40KB of rich text only

If you select this setting, Domino prevents large attachments from replicating and shortens the documents that this replica receives. The shortened documents contain only a document summary that includes basic information, such as the author and subject, and the first 40K of rich text.
When users open a shortened document, they see "(TRUNCATED)" in the document title. To view the entire document, users open it and choose Actions - Retrieve Entire Document.
Keep the following points in mind when using this setting:

Users can't categorize or edit shortened documents.

Agents don't work on shortened documents.

Shortened documents do not replicate unless the destination replica also has this option selected.

Replicate a subset of documents


Use this setting to specify that a replica receives only the documents in a
specific directory or view or only documents that meet selection criteria
specified in a formula. Replication formulas are similar to view selection
formulas.
Keep in mind the following points when you use replication formulas:

You cannot use @DbLookup, @UserName, @Environment, or @Now in a replication formula.

Using @IsResponseDoc in a replication formula causes all response documents in a database to replicate, not just those that meet the selection criteria. To avoid this, use @AllChildren or @AllDescendants instead. If you use @AllChildren or @AllDescendants, make sure the database performance property "Don't support specialized response hierarchy" is not selected.

Replicate
Use this setting to control which non-document elements a replica receives. This table describes the options, their default state, and what each one does:

Forms, views, and so on
  Default: Selected
  Description: If selected, allows a replica to receive design changes, such as changes to forms, views, and folders, from a source replica. If deselected, prevents a replica from receiving design changes. Alternatively, you can assign source servers Editor access or lower in the ACL; however, doing so prevents agents from replicating. Do not deselect this option when you first create the replica, because the new replica won't contain any design elements for displaying information.

Agents
  Default: Selected
  Description: If selected, allows a replica to receive agents. If deselected, prevents the replica from receiving agents, although the replica still receives changes made by the agents.

Replication formula
  Default: Not selected
  Description: If selected, ensures that replication settings specified for multiple destination replicas from one source replica can replicate. This option is required if you're using a central source replica to manage replication settings for multiple replicas.

Access control list
  Default: Selected
  Description: If selected, allows the replica to receive ACL changes from any server that has Manager access in the replica's ACL.

Deletions
  Default: Selected
  Description: If selected, allows the replica to receive document deletions. If deselected, the replica won't receive deletions through replication, but users assigned "Delete documents" access in the replica ACL can still delete documents from the replica.
  Note: If "Do not send deletions made in this replica to other replicas" (on the Send panel of the Replication Settings dialog box) is selected for the source replica, this replica won't receive deletions from the source replica, regardless of this setting.

Fields
  Default: Not selected
  Description: If deselected, the replica receives all fields in each document received. If selected, you select a subset of fields to receive, but you should only do this if you have a thorough knowledge of application design.


Limiting what a replica sends

Use these settings to limit what one replica sends to other replicas.

Do not send deletions made in this replica to other replicas
This setting prevents deletions made in this replica from replicating. As an alternative, you can deselect the ACL option "Delete documents" for the server storing this replica.

Do not send changes in database title & catalog info to other replicas
This setting prevents changes made to this replica's database title or Database Catalog categories from replicating.

Do not send changes in local security property to other replicas
This setting prevents changes to the database Encryption property (set by choosing Encryption on the Basics tab of the Database Properties box) from replicating. Use this primarily to prevent changes made to this property on a local replica from replicating to a server. For example, if this setting is selected and you disable the Encryption property on a local replica, the property remains selected on a server replica.

Assigning miscellaneous replication settings

The Other panel of the Replication Settings dialog box includes these miscellaneous settings.

Temporarily disable replication
Select this to temporarily suspend replication while you troubleshoot a problem. You can select this for one database, or, if you use the Domino Administrator, you can disable replication of multiple databases. If a database is on a cluster server, disabling replication suspends both cluster replication and scheduled replication.
For more information on clusters, see the book Administering Domino Clusters.

Scheduled replication priority
You can assign a priority of High, Medium, or Low to a database. Then, in a Connection document, you can schedule replication so that databases of a particular priority replicate at specific times. For example, you can schedule low-priority databases to replicate less frequently and high-priority databases to replicate more frequently. If you assign a different priority to two replicas, the priority of the replica on the server that initiates the scheduled replication takes precedence.
Replication priority doesn't apply to replicas on a cluster of servers. Cluster replication occurs whenever a change occurs, not according to schedules in Connection documents.

CD-ROM publishing date
Some organizations, for example publishing companies, distribute databases on CD-ROM rather than replicate them. To receive updates, users replicate with a replica on the organization's server. The users specify the date the information was published on the CD-ROM so that the first replication with the organization's replica scans only documents created or modified since the publishing date. If users do not specify the date, the initial replication unnecessarily scans the entire database, which can be a slow process, especially if it occurs over a dial-up connection.

Specifying replication settings for one replica

1. Make sure you understand replication settings.
2. Do one of the following:
  To specify replication settings for a replica as you create it, click Replication Settings in the New Replica dialog box.
  To modify replication settings on an existing replica, open the replica and choose File - Replication - Settings. This requires Manager access.
3. Click the Space Savers panel and then select/deselect options.
4. Click the Send panel and then select/deselect options to limit what the replica can send to other replicas.
5. Click the Other panel and then select/deselect options.
6. Click the Advanced panel and then select/deselect any of the options under Replicate. Ignore the options above Replicate. These are used for managing replication settings for multiple replicas of a database from one central source replica.
7. Click OK.

Specifying replication settings for multiple replicas from one source replica

You can customize replication settings for multiple replicas of a database
from one central source replica and then replicate these custom settings
to the appropriate replicas. This approach to customizing replication
allows you to centralize replication management and requires that you
know the replication requirements for each replica.
The only replication settings you can specify using centralized
management are Replicate a subset of documents, to control which
documents a replica receives, and Replicate, to control which
non-document elements a replica receives.
Note that changing centrally administered replication settings requires two replications for the changes to take effect: the first replication to replicate the new settings from the source server to the destination servers and a second replication to replicate based on the new settings. The second replication doesn't occur until the source database is updated in some other way; to force the new settings to take effect if the source database isn't updated, clear the replication history.
1. Make sure you understand replication settings.
2. Make sure you have Manager access in the ACL of the central source
replica. Make sure that the central source replica has Manager access
in the ACL of all destination replicas.
3. Do one of the following:
Click Replication Settings in the New Replica dialog box to specify
replication settings for a new replica.
Open the central source replica, and then choose File - Replication
- Settings to modify existing replication settings.
4. Click the Advanced panel.
5. To specify a destination server, click the computer icon next to
When computer, specify the name of the destination server, select
Add Server, then click OK. Or accept the default entry. To specify a
Notes client as a destination server, enter the Notes user's hierarchical name.
6. To specify a source server, click the computer icon next to Receives from, specify the name of a source server, select Add Server, then click OK. Or accept the default entry. To specify the name of a Notes client as a source server, enter the Notes user's hierarchical name.
7. To delete a server, click either computer icon, select a server, select
Delete Server, then click OK.

8. To have the specified destination replica receive a subset of documents, click "Replicate a subset of documents" and then specify the views/folders to replicate or specify a replication formula.
9. To specify which non-document elements the replica should receive, select appropriate options under Replicate. You must select "Replication formula."
10. Repeat Steps 5 through 9 for each additional destination/source server combination.
11. Click OK.

Examples of specifying replication settings for multiple replicas

Using the same replication settings for all destination servers
The Acme Corporation has a database called Technical Support on the server Support-E/East/Acme, which it uses to post information about customer problems and problem resolutions. The database displays customer suggestions made during the support calls in a view called Customer Suggestions. Acme has three servers at satellite sales offices: Sales-Bos-E/East/Acme, Sales-Phil-E/East/Acme, and Sales-Hart-E/East/Acme. The satellite sales offices are only interested in customer suggestions and not in other details of technical support calls. Therefore, Acme replicates only the contents of the Customer Suggestions view to these servers. To accomplish this, it completes the replication settings dialog box on the Technical Support database on Support-E/East/Acme as follows. Note that although the "When computer" box shows only Sales-Bos-E/East/Acme, there are similar settings for Sales-Phil-E/East/Acme and Sales-Hart-E/East/Acme.

Using separate replication settings for each destination server
The Acme Corporation has a database called Sales Leads on the server Sales-E/East/Acme. Acme has three servers at satellite sales offices: Sales-Bos-E/East/Acme, Sales-Phil-E/East/Acme, and Sales-Hart-E/East/Acme. Each satellite sales office is only interested in leads pertaining to its area. Each document in the Sales Leads database includes the field Office with one of these keywords selected: Boston, Philadelphia, Hartford. To replicate only sales leads pertaining to Boston to Sales-Bos-E/East/Acme, Acme completes the replication settings dialog box on the Sales Leads database on Sales-E/East/Acme. Acme sets up replication from Sales-E/East/Acme to Sales-Phil-E/East/Acme and to Sales-Hart-E/East/Acme in a similar fashion.

Although these examples describe server-to-server replication, you could use similar settings to configure replication between a central source replica and replicas on Notes clients. For example, salespeople could replicate directly with the source replica and receive only leads pertinent to their areas. To accomplish this, specify Notes users' hierarchical names as destination servers.

Scheduling server-to-server replication

For replication to occur between two servers, you create a Connection
document that specifies how and when the information exchange occurs.
Connection documents are stored in the Domino Directory. Use only one
Connection document at a time to handle all replication between each
pair of servers. Creating unnecessary Connection documents increases
network traffic and congestion.
Both mail routing and replication are enabled by default, but you can
change this setting and use separate Connection documents to schedule
each task. This way, you can control the specific time(s), time range(s), or
the repeat interval for replication and mail routing separately, and
increase or decrease these settings as needed.
How you connect servers for replication depends on the location of the
servers. You can connect servers for replication over a Local Area
Network (LAN) or over an intermittently connected serial line, such as a
dial-up modem or Remote Access Service connection. In addition, you can
use passthru servers for replication.
Replicating over the Internet works the same way as replicating over a
LAN using TCP/IP. The Domino server must be in the same Notes domain
as the Domino server with which you want it to replicate. If it's not, your
server needs a certificate in common with the other server.
To set up Connection documents for replication

Schedule only one server to connect at a time.
1. Make sure that:
   • Each pair of servers can connect to each other.
   • The Domino Directory is replicating properly.
2. From the Domino Administrator, click the Configuration tab.
3. Select the connecting server's Domino Directory in the Use
Directory on field.
4. Click Server, and then click Connections.
5. Click the connection you want to work with, and then click Edit
Connection.
6. On the Basics tab, complete these fields:

   Usage priority
      Choose Normal to force the server to use the network
      information in the current Connection document to make
      the connection.

   Source server
      The name of the calling server.

   Source domain
      The name of the calling server's domain.

   Use the Port(s)
      The name of the network port (or protocol) that the
      calling server uses.
      If you don't want to specify the actual port for making a
      local area network connection, but would prefer to have
      Domino determine the port used, don't list any ports in
      the Use the Port(s) field in the LAN Connection
      document. Domino uses all the information it has,
      including all enabled LAN ports and all enabled or
      disabled Connection documents, to determine the best
      path to use to connect with the other server.

   Destination server
      The name of the answering server. You can also specify a
      Group name that contains server names so that the Source
      server replicates with each server listed in the group you
      specify. To do this, you create a group that contains servers
      only, and specify Servers only as the group type. The
      group cannot contain the names of other groups of servers.

   Destination domain
      The name of the answering server's domain.

7. Click the Replication/Routing tab, and then complete these fields:

   Replication task
      Choose Enabled.

   Replicate databases of Priority
      Choose one:
      • High
      • Medium & High
      • Low & Medium & High (default)

   Replication type
      Choose one:
      • Pull Pull
      • Pull Push (default)
      • Pull Only
      • Push Only

   Files/Directories to Replicate
      The names of specific databases or directories of
      databases that you want to replicate.
      Separate entries with semicolons (;) and specify the
      names as they exist on the calling server. If the database
      is in a subdirectory of the data directory, include the path
      relative to the data directory, for example,
      EAST\SALES.NSF.
      To specify all files within a directory and any of its
      subdirectories, enter the directory name relative to the
      data directory with the directory slash, for example,
      EAST\. You can't use wild cards (*).

   Replication Time Limit
      The amount of time, in minutes, that replication has to
      complete.

8. Click the Schedule tab, and then complete these fields:

   Schedule
      Choose Enabled.

   Call at times
      The times between which you want replication to occur
      each day; the default is 8 AM - 10 PM.

   Repeat interval of
      The number of minutes between replication attempts; the
      default is 360 minutes.

   Days of week
      The days of the week to use this replication schedule; the
      default is Sun, Mon, Tue, Wed, Thu, Fri, Sat.

9. Click Save and Close.

Customizing server-to-server replication

To customize replication, you can:
• Specify replication direction
• Schedule times for replication
• Replicate only specific databases
• Replicate databases by priority
• Limit replication time
• Use multiple replicators
• Refuse replication requests
• Force immediate replication


Specifying replication direction

When you choose replication direction, you identify which server(s) send
and receive changes. The direction you choose does not affect or restrict
the functionality of the replication process itself.
By default, Domino uses Pull-Push as the replication direction. However,
you can specify a different replication direction.
• Pull-Push, the default replication direction, is a two-way process
in which the calling server pulls updates from the answering
server and then pushes its own updates to the answering server.
Using Pull-Push, the replicator task on the calling server performs
all the work.
• Pull-Pull is a two-way process in which two servers exchange
updates. Using Pull-Pull, two replicators, one on the calling
server and one on the answering server, share the work of
replication.
• Push-only is a one-way process in which the calling server pushes
updates to the answering server. One-way replication always
takes less time than two-way replication.
• Pull-only is a one-way process in which the calling server pulls
updates from the answering server. One-way replication always
takes less time than two-way replication.

To change the replication direction:
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server's Domino Directory in the Use
Directory on field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Replication/Routing tab.
6. Select the new replication direction from the Replication Type menu.

You can also specify replication direction when you force replication. For
example, you could use the Push-only or Pull-only method from the
server console when there is an update in a Domino Directory on one
server and you want to manually propagate that change to the other
servers.
For information on forcing immediate replication, see the topic Forcing
immediate replication later in this chapter.

Scheduling times for replication

Whenever possible, schedule replication for times when there is less
activity on the network: before or after work, or at lunch time.
You can schedule server-to-server replication to happen at specific times,
or you can specify a time range with a repeat interval. By scheduling
replication for a time range, you ensure that the servers exchange
information several times a day. After the server makes a successful
connection, it waits the amount of time specified in the Repeat interval
of field on the Connection document before calling the other server again.
For example, suppose a Connection document schedules
Hub-E/East/Acme to call HR-E/East/Acme from 8 AM until 5 PM with
a repeat interval of 120 minutes. If Hub-E/East/Acme calls and
replicates successfully with HR-E/East/Acme at 8:30 AM,
Hub-E/East/Acme does not place the next call until 10:30 AM.
Be sure to consider time zones when you schedule replication between
servers in different countries. You want to replicate the documents created
during each time zone's peak business hours and schedule replication for
an off-peak time. For example, to schedule replication between a server in
New York and a server in Germany, schedule replication between 3 AM
and 1 PM Eastern Standard Time (EST) to correspond to Germany's
business hours, which are six hours later than EST.
The default replication time setting is 8 AM to 10 PM, with a repeat
interval of 360 minutes.

Scheduling replication for one specific time

Use a specific time when you schedule replication of low-priority
databases, when daily updates of databases are sufficient, or when
you're certain that attempts by the server to connect are successful after
just a few retries, for example, on different networks at the same site.
You might want to replicate low-priority databases at night when the
rates are less expensive or there is less load on the system.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server's Domino Directory in the Use
Directory on field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Schedule tab.
6. In the Connect at times field, enter a specific time, for example,
8 AM.
7. In the Repeat interval of field, enter 0.
8. Click Save and Close.
The server calls and attempts to connect at the exact time you specified. If
unsuccessful, the server tries to connect for an hour. Whether or not the
connection succeeds, the next call does not occur until 8 AM the next
morning.

Scheduling replication for a list of times

Use a list of times to schedule replication for medium- and low-priority
databases and for when a few daily updates of databases are sufficient or
when you're certain that connection attempts will be successful after just
a few retries, for example, for a connection on different networks at the
same site.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server's Domino Directory in the Use
Directory on field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Schedule tab.
6. In the Connect at times field, enter a list of specific times, for
example, 8 AM, 1 PM, 4 PM.
7. In the Repeat interval of field, enter 0.
8. Click Save and Close.
The server calls at the first time specified, 8 AM. If unsuccessful, the
server retries for up to an hour, until 9 AM. Whether or not the call
succeeds, the next call occurs at the next scheduled time, 1 PM. If
unsuccessful, the server retries for up to an hour, until 2 PM. This process
continues for each specific time you specify.

Scheduling replication for a time range with a repeat interval

Specify a time range when you schedule replication for high-priority
databases.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server's Domino Directory in the Use
Directory on field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Schedule tab.
6. In the Connect at times field, enter a time range, for example,
8 AM - 5 PM.
7. In the Repeat interval of field, enter how frequently replication
should take place, for example, 120 minutes.
8. Click Save and Close.
If the first call is unsuccessful, the server retries periodically until it
successfully establishes a connection and replicates. If the server cannot
connect, it keeps trying until the end of the time range. If the server
successfully replicates, it calls again at the specified repeat interval after
the previous call ended.

Scheduling replication for a time range without a repeat interval

Use a time range without a repeat interval for medium- and low-priority
databases. Also use a time range without a repeat interval when daily
updates of a database are sufficient or when you know that a long retry
period is necessary, for example, if you have busy phone lines and you
know it will take several attempts to make the connection.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server's Domino Directory in the Use
Directory on field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Schedule tab.
6. In the Connect at times field, enter a time range, for example,
8 AM - 5 PM.
7. In the Repeat interval of field, enter 0.
8. Click Save and Close.
The server attempts the first call at the start of the time range. If
unsuccessful, the server tries again and again. The time between call
attempts increases with each unsuccessful attempt. The server retries the
call for the entire range or until a connection is made. After a failed call,
the server retries periodically for the entire call range. However, it does
not call again after a successful exchange of information.
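The four schedule styles described above (one specific time, a list of times, a time range with a repeat interval, and a time range without one) differ in how long the server keeps retrying a failed call and in when it calls again after a successful one. The following Python model is an added illustration, not part of the Domino documentation or product. It encodes the rules stated in this chapter: one hour of retries after a missed specific time, retries until the end of a range, a repeat interval measured from the end of the previous call, and no further call after success in a range without a repeat interval. The parser for the Call at times text, the constructed sample date and the function names are this example's own assumptions; it also accepts several ranges in one field, which the manual's examples do not show.

```python
"""Model of the Schedule tab of a Domino Connection document (added example)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional, Tuple

SAMPLE_DAY = datetime(2002, 1, 7)     # constructed sample date for clock()
RETRY_WINDOW = timedelta(hours=1)     # retries after a missed specific time (per the manual)


@dataclass(frozen=True)
class CallWindow:
    """One entry of the Call at times field: a specific time or a time range."""
    start: time
    end: Optional[time] = None        # None means a single specific time

    @property
    def is_range(self) -> bool:
        return self.end is not None


@dataclass(frozen=True)
class ConnectionSchedule:
    windows: Tuple[CallWindow, ...]   # sorted by start time
    repeat_interval_min: int = 0      # Repeat interval of; 0 means no repeat


def parse_clock(text: str) -> time:
    """Parse '8 AM', '8:30 AM' or '10 PM' as written in a Connection document."""
    text = text.strip().upper()
    return datetime.strptime(text, "%I:%M %p" if ":" in text else "%I %p").time()


def clock(text: str) -> datetime:
    """Place a clock reading on the constructed sample day."""
    return datetime.combine(SAMPLE_DAY.date(), parse_clock(text))


def _on_day(day: datetime, t: time) -> datetime:
    return datetime.combine(day.date(), t)


def parse_schedule(call_at_times: str, repeat_interval_min: int = 0) -> ConnectionSchedule:
    """Parse a Call at times value such as '8 AM - 5 PM' or '8 AM, 1 PM, 4 PM'."""
    windows = []
    for item in (p.strip() for p in call_at_times.split(",")):
        if "-" in item:                                   # a time range
            lo, hi = (parse_clock(p) for p in item.split("-", 1))
            if hi <= lo:
                raise ValueError(f"range end must follow its start: {item!r}")
            windows.append(CallWindow(lo, hi))
        elif item:                                        # a specific time
            windows.append(CallWindow(parse_clock(item)))
    if not windows:
        raise ValueError("Call at times is empty")
    return ConnectionSchedule(tuple(sorted(windows, key=lambda w: w.start)), repeat_interval_min)


def schedule_style(sched: ConnectionSchedule) -> str:
    """Name the schedule style the manual describes for these settings."""
    if any(w.is_range for w in sched.windows):
        return ("time range with repeat interval" if sched.repeat_interval_min
                else "time range without repeat interval")
    return "list of times" if len(sched.windows) > 1 else "one specific time"


def retry_deadline(sched: ConnectionSchedule, call_started: datetime) -> Optional[datetime]:
    """Until when the server retries a failed call begun at call_started (None: outside every window)."""
    for w in sched.windows:
        start = _on_day(call_started, w.start)
        if w.is_range:
            if start <= call_started < _on_day(call_started, w.end):
                return _on_day(call_started, w.end)       # keeps trying until the range ends
        elif start <= call_started < start + RETRY_WINDOW:
            return start + RETRY_WINDOW                   # one hour of retries for a specific time
    return None


def next_call_after_success(sched: ConnectionSchedule, call_ended: datetime) -> Optional[datetime]:
    """Next call after a successful exchange that finished at call_ended (None: none until the next day)."""
    for w in sched.windows:
        start = _on_day(call_ended, w.start)
        if w.is_range:
            if start <= call_ended < _on_day(call_ended, w.end):
                if sched.repeat_interval_min == 0:
                    return None                           # range without interval: done for the day
                nxt = call_ended + timedelta(minutes=sched.repeat_interval_min)
                return nxt if nxt < _on_day(call_ended, w.end) else None
        elif start > call_ended:
            return start                                  # list of times: the next listed time
    return None
```

With the manual's Hub-E/East/Acme example, `next_call_after_success(parse_schedule("8 AM - 5 PM", 120), clock("8:30 AM"))` yields 10:30 AM, and `retry_deadline(parse_schedule("8 AM, 1 PM, 4 PM"), clock("8 AM"))` yields 9 AM.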


Scheduling replication for different days of the week

You can create a different replication schedule for different days of the
week.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server's Domino Directory in the Use
Directory on field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Schedule tab.
6. In the Days of week field, enter the days on which you want
replication to occur.
7. Click Save and Close.
For example, you could create two Connection documents: one that
schedules replication for Monday to Friday, and another that schedules
replication for Saturday and Sunday.

Staggering schedules
You can use staggered schedules on a hub-and-spoke topology. For
example, you could schedule the first server to replicate from 8 AM to 10
AM, the second server from 8:05 AM to 10:05 AM, and so on. You can
create a simple round-robin schedule for a hub server and its spokes,
repeating as often as is practical. This process spreads all data within a
hub's sphere of influence quickly.

Replicating only specific databases

By default, Domino replicates all databases that two servers have in
common. To replicate only specific databases:
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server's Domino Directory in the Use
Directory on field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Replication/Routing tab.
6. In the Files/Directories to Replicate field, enter the database names
or directory names of specific databases you want to replicate.
Separate entries with semicolons (;).
7. Click Save and Close.
To specify an individual database, enter the file name of the database,
including the NSF extension. If the database is in a subdirectory of the
data directory, include the path relative to the data directory, for
example, EAST\SALES.NSF.
To specify all files within a directory and any of its subdirectories, enter
the directory name relative to the data directory with the directory slash,
for example, EAST\. You can't use wild cards (*).
If the replication type is Pull-Pull, only the connecting server receives the
specified databases during replication. The other server still receives all
databases in common with the calling server.
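The rules above (semicolon-separated entries, paths relative to the data directory, a trailing backslash selecting a directory and its subdirectories, no wild cards) decide which databases a Connection document covers. The following Python functions are an added example, not Domino's own code: they apply those rules to a constructed list of database paths and flag field values that the rules reject, so a mistyped entry is caught before the schedule runs. Case-insensitive file name matching and the sample paths are assumptions. As the text notes, with Pull-Pull this list restricts only what the calling server receives.

```python
"""Selection logic of the Files/Directories to Replicate field (added example)."""

# Constructed database paths, relative to the data directory, as Domino lists them.
SAMPLE_DATABASES = (
    "NAMES.NSF",
    "EAST\\SALES.NSF",
    "EAST\\LEADS.NSF",
    "EAST\\BOSTON\\LEADS.NSF",
    "WEST\\SALES.NSF",
)


def lint_replicate_list(value: str) -> list:
    """Problems in a Files/Directories to Replicate value (an empty list means it is acceptable)."""
    problems = []
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        if "*" in entry or "?" in entry:
            problems.append(f"wildcards are not allowed: {entry}")
        elif entry.startswith(("\\", "/")) or ":" in entry:
            problems.append(f"path must be relative to the data directory: {entry}")
    return problems


def parse_replicate_list(value: str) -> list:
    """Split the field on semicolons; raise ValueError if lint finds a problem."""
    problems = lint_replicate_list(value)
    if problems:
        raise ValueError("; ".join(problems))
    return [e.strip() for e in value.split(";") if e.strip()]


def _norm(path: str) -> str:
    # File names are compared without regard to case or slash style (assumption).
    return path.replace("/", "\\").strip("\\").upper()


def is_selected(entries: list, db_path: str) -> bool:
    """Does the entry list select db_path?  An empty list means all databases in common."""
    if not entries:
        return True
    db = _norm(db_path)
    for entry in entries:
        if entry.endswith(("\\", "/")):
            # A directory entry covers the directory and any of its subdirectories.
            if db.startswith(_norm(entry) + "\\"):
                return True
        elif _norm(entry) == db:
            return True
    return False


def selected_databases(value: str, databases=SAMPLE_DATABASES) -> list:
    """Databases from `databases` that the field value selects, in their original order."""
    entries = parse_replicate_list(value)
    return [d for d in databases if is_selected(entries, d)]
```

For example, `selected_databases("EAST\\")` returns every database under EAST, including the BOSTON subdirectory, while `selected_databases("EAST\\SALES.NSF")` returns only that one file.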

Replicating databases by priority

Database managers assign a replication priority to databases so that
Domino administrators can schedule replication for databases based on
priority. For example, you can schedule high-priority databases that are
critical to business operations, for example, the Domino Directory, to
replicate frequently. You can schedule low-priority databases to replicate
during off-hours.
To replicate databases by priority:
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server's Domino Directory in the Use
Directory on field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Replication/Routing tab.
6. In the Replicate databases of field, select the priority of databases
to replicate.
7. Click Save and Close.
The default setting is Low & Medium & High. Domino automatically
replicates all databases that two servers have in common.


If two replicas are assigned different priorities, Domino uses the priority
assigned to the replica on the server that initiates the replication. If you
schedule databases to replicate by priority and a particular database isn't
replicating often enough, ask the database manager to increase the
priority level of that database.

Limiting replication time

Limiting the time a server has to replicate with another server prevents
extensive replication sessions and allows you to control the cost of
replication with servers in remote sites. For example, if replication
depends on a long-distance phone call and the database takes time to
replicate, you can limit how long the replication period lasts.
To limit the time a server has to replicate:
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server's Domino Directory in the Use
Directory on field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Replication/Routing tab.
6. In the Replication Time Limit field, enter the maximum connection
time in minutes.
7. Click Save and Close.
If the Replication Time Limit field has a value in it and the replication
isn't complete at the end of the specified time, or if the server crashes,
then replication begins where it left off once it restarts. When the field
is blank, Domino uses as much time as it needs to complete the
replication session.
Caution: If you specify an inappropriately low value and the databases
do not have time to replicate completely, replication terminates upon
reaching the time limit, regardless of how little progress, if any, occurred.
The log file (LOG.NSF) records a message indicating that termination has
occurred but that the replication was successful. The replication history
isn't updated, so the next replication picks up from the last complete
replication event.
To limit replication time for all servers, edit the NOTES.INI file to
include the ReplicationTimeLimit setting.
Using multiple replicators

If you create Connection documents that schedule a server for multiple
simultaneous or overlapping replications with different destination
servers, set up multiple replicators to handle the replication sessions
simultaneously. Multiple replicators efficiently use server resources,
shorten replication cycles (especially on hub servers), and save replication
time.
When you use multiple replicators, each replicator handles only one
replication session at a time. For example, if Hub-E/East/Acme is
scheduled to replicate with HR-E/East/Acme and with
Hub-W/West/Acme simultaneously, one replicator handles replication
between Hub-E/East/Acme and HR-E/East/Acme, while a second
replicator handles replication between Hub-E/East/Acme and
Hub-W/West/Acme.
Multiple replicators handle multiple replications between one source
server and multiple destination servers simultaneously. Multiple
replicators do not handle replications of multiple individual databases on
a source server with a single destination server. For example, if both
Database 1 and Database 2 on Hub-E/East/Acme need to replicate with
Hub-W/West/Acme, only one replicator handles each replication
session, one at a time.
Examine the Connection documents that schedule replication on each
server. By adjusting the schedules and enabling multiple replicators, you
can shorten the time it takes to complete a replication cycle. With this
shortened cycle, you can schedule one or more additional cycles per day,
which means fewer database updates and speedier replications per cycle.
After you start multiple replicators, you can use the Tell command to
stop all replicators; however, you can't use the Tell command to stop a
specific replicator.
If you do not enable multiple replicators, do not schedule a server to call
another server on different ports at the same time. For example, if you
use one replicator, do not schedule Hub-E/East/Acme to call
HR-E/East/Acme on COM1 and Hub-E/East/Acme to call
Hub-W/West/Acme on COM2 simultaneously.

To enable multiple replicators

   From the NOTES.INI file
      Edit the Replicators or ServerTasks setting in the
      NOTES.INI file.

   From the console
      Enter the Load Replica command at the console. Use
      this method if you need more replicators and you don't
      want to shut down the server to change the NOTES.INI
      file. Each time you enter this command, the server
      loads another replicator.

For more information on settings in the NOTES.INI file, see the appendix
NOTES.INI File. For more information on entering server commands,
see the appendix Server Commands.

Refusing replication requests


To prevent a server from accepting a request for replication, edit the
NOTES.INI file to include the setting ServerNoReplRequests. If this
setting is set to 1, the called server refuses all replication requests.
You can use this feature to reduce the replication workload on a
particular server or to isolate a server for troubleshooting. Or you may
want to force the calling server to cover the time and cost of the entire
replication process.
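Three NOTES.INI settings named in this chapter control how a server takes part in replication: the Replicators or ServerTasks setting (multiple replicators), ReplicationTimeLimit (limiting replication time) and ServerNoReplRequests (refusing replication requests). The Python below is an added example, not code from the Domino documentation or product: it reads a constructed NOTES.INI excerpt, summarises these settings and lists the consequences an administrator reviewing the server should note. The key=value layout of NOTES.INI is the real file format; the sample values, the assumption of one replicator when Replicators is absent, and the five-minute "very low" threshold are this example's own.

```python
"""Review of the replication-related NOTES.INI settings named in this chapter (added example)."""

# Constructed NOTES.INI excerpt: the key=value layout is the real file format,
# the values are invented for this example.
SAMPLE_NOTES_INI = """\
[Notes]
Directory=D:\\Lotus\\Domino\\Data
ServerTasks=Update,Replica,Router,AMgr,Adminp,Sched,CalConn
Replicators=3
ReplicationTimeLimit=60
ServerNoReplRequests=1
"""


def parse_notes_ini(text: str) -> dict:
    """Parse KEY=VALUE lines; keys are case-insensitive and a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")):      # skip blanks, comments, section header
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def _int_or_none(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def replication_settings(ini: dict) -> dict:
    """Summarise the settings this chapter discusses."""
    tasks = [t.strip().lower() for t in ini.get("servertasks", "").split(",") if t.strip()]
    replicators = _int_or_none(ini.get("replicators"))
    return {
        # The Replica task starts with the server only if ServerTasks lists it.
        "replica_task_at_startup": "replica" in tasks,
        # One replicator when the setting is absent (assumed default).
        "replicators": replicators if replicators is not None else 1,
        # None: the setting is blank, so Domino takes as much time as it needs.
        "time_limit_min": _int_or_none(ini.get("replicationtimelimit")),
        # 1 means the called server refuses every replication request.
        "refuses_replication_requests": ini.get("servernoreplrequests") == "1",
    }


def review_notes(summary: dict) -> list:
    """Consequences an administrator reviewing the server should note."""
    notes = []
    if not summary["replica_task_at_startup"]:
        notes.append("Replica is not in ServerTasks: scheduled replication needs Load Replica")
    if summary["refuses_replication_requests"]:
        notes.append("ServerNoReplRequests=1: this server refuses all replication requests")
    if summary["time_limit_min"] is None:
        notes.append("ReplicationTimeLimit is not set: sessions run until they complete")
    elif summary["time_limit_min"] < 5:   # threshold chosen for this example
        notes.append(f"ReplicationTimeLimit={summary['time_limit_min']} is very low: "
                     "sessions are cut off with little or no progress")
    return notes
```

Running `review_notes(replication_settings(parse_notes_ini(SAMPLE_NOTES_INI)))` on the sample yields a single note, about ServerNoReplRequests=1: the Replica task is loaded at startup with three replicators, and the 60-minute limit is neither blank nor very low.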

Forcing immediate replication

You can replicate changes to critical databases, such as the Domino
Directory, without waiting for a scheduled connection. After you create
Connection documents to schedule server-to-server replication, you can
use a server command to force immediate replication.
There are many situations when forcing replication is necessary. For
example, you may want to update a database immediately, without
waiting for scheduled replication to occur, or you might need to replicate
with a different server because the usual server is unavailable. You can
force immediate replication to trace replication and mail routing
problems or to force changes to critical system databases, such as the
Domino Directory, to spread quickly through the domain. When you
force immediate server-to-server replication, you can initiate replication
in one or in both directions.

   Replicate
      Replicates changes to databases in both directions; Domino
      performs Pull-Push replication.

   Pull
      Replicates changes to databases in one direction, where the
      initiating server pulls changes from the other server.

   Push
      Replicates changes to databases in one direction, where the
      initiating server pushes database changes to the other server.

Disabling database replication

You can disable replication of a database, for example, to stop
replication while you troubleshoot problems. Then, after you correct the
problem, enable replication again. You can disable and enable replication
of one database, or if you use the Domino Administrator, you can disable
and enable replication of multiple databases at once.

To disable replication of one database

1. Open the database and choose File - Replication - Settings.
2. Select Other.
3. Select Temporarily disable replication and then click OK.
To enable replication again, repeat Steps 1 and 2, and in Step 3 deselect
Temporarily disable replication.

To disable replication of multiple databases

1. From the Domino Administrator, select the server in the server pane
on the left that stores the databases. To expand the server pane, click
the server's icon in the server pane.
2. Click the Files tab.
3. Select the databases for which you want to disable replication.
4. From Tools, click Database - Replication. Or, drag the selected
databases to the Replication tool.
5. Select Disable, and then click OK.
To enable replication again, repeat Steps 1 - 4, and in Step 5 select
Enable replication.

Forcing a server database to replicate

Replication between database replicas on servers typically occurs
according to schedules in Connection documents. However, there are
times when you want to force replication between two replicas, rather
than wait for replication to occur on schedule. For example, you might
force replication when you want to test replication settings or
troubleshoot replication problems.

Replicating from the database

1. Open the database.
2. Choose File - Replication - Replicate.
3. Select Replicate with options and click OK.
4. Select the server that stores the replica with which you want to
replicate.
5. Select Send documents to server to send updates from the replica
you selected on your workspace to the server you selected in Step 4.
6. Select Receive documents from server to send updates from the
server you selected in Step 4 to the replica selected on your
workspace.
7. Click OK.

Replicating from the server console

You can use a database option with the Replicate, Pull, or Push server
commands to force replication of a specific database that two servers
have in common.
• Use the Replicate command to send changes to and receive changes
from a specified server
• Use the Pull command to receive changes from a specified server
• Use the Push command to send changes to a specified server
For example, to send changes to the database PRODUCTS.NSF from the
server Webstage-E/East/Acme to the server Web/East/Acme, enter the
following command from Webstage-E/East/Acme:
Push Web/East/Acme Products.nsf

Viewing replication schedules and topology maps

You can see a graphical representation of each server's replication
schedule at a glance with the Domino Administrator. Each server's
replication schedule appears separately, even if the server is a member of
a group listed in the Destination server field in a Connection
document.
You can also see a graphical representation of your replication topology.
Replication topology maps are most useful for quickly displaying the
replication topology and for letting you easily follow connections
between servers.
Each server, network, cluster, and cc:Mail Post Office has its own icon. A
line represents each replication connection. A replication connection
between two servers appears as a broken red line. Multiple connections
between servers appear as lines superimposed on each other.

To view replication schedules

1. From the Domino Administrator, click the Replication tab.
2. Click Replication schedule.
3. Patterns represent the replication status of each server: Schedule is
being performed; Schedule is complete; Schedule isn't complete.

To start the topology Maps task


The Maps task enables you to view replication topology from the
Domino Administrator. You only need to run this task on one server in
your domain. The information it gathers will replicate to the other
servers, as long as it has permission to do so. This task refreshes topology
information nightly.
This task is not enabled by default. To see replication topology
information, enable the Maps task manually.
1. From the Domino Administrator, click the Servers - Status tab.
2. Click Tools - Start.
3. Select Maps Extractor from the menu and then click Start Task.
4. Click Done.


To display the replication topology map

1. From the Bookmarks pane, select the server for which you want to
create a topology map.
2. Click the Replication tab.
3. Do one of the following:
   • Click Replication topology by connections to view connections
   between the server you selected and all of the servers connected to
   it.
   • Click Replication topology by clusters to view all server clusters
   and their replication patterns.
4. (Optional) Double-click any server in the topology map to make that
server the center of the map.
5. (Optional) Double-click a line connecting any two servers to open the
corresponding Connection document in the Domino Directory.
To focus on a specific area of the topology map, use the plus (+) and
minus (-) keys to zoom in and out.

Chapter 8
Setting Up Calendars and Scheduling

Calendars and scheduling

The calendar and scheduling features allow users to check the free time of
other users, schedule meetings with them, and reserve resources, such as
conference rooms and equipment. As an administrator, you can define
holidays that are particular to your organization or country. Lotus Domino
6 includes a set of default Holiday documents, which you can modify.
Users import this information directly into their personal calendars.
The calendar and scheduling features use the Schedule Manager (Sched
task), the Calendar Connector (Calconn task), and the Free Time system
(a combination of Sched, Calconn, and nnotes tasks) to operate. When
you install Lotus Domino 6 on a server (any server except a directory
server), the Sched and Calconn tasks are automatically added to the
server's NOTES.INI file. When you start the server for the first time, the
Schedule Manager creates a Free Time database (BUSYTIME.NSF for
non-clustered mail servers and CLUBUSY.NSF for clustered mail
servers) and creates an entry in the database for each user who has filled
out a Calendar Profile and whose mail file is on that server or on one of
the clustered servers.
Each user can keep a personal calendar and create a Calendar Profile that
identifies who may access the user's free time information and specifies
when the user is available for meetings. When users invite other users to
meetings, the Free Time system performs the free-time lookups. The Free
Time system also searches for and returns information on the availability
of resources. If the lookup involves searching in Free Time systems on
different servers or scheduling applications, the Calendar Connector
sends out the queries. When users schedule appointments in their
calendars and reserve resources, the Schedule Manager task collects and
updates that information in the Free Time database.
By default, the Schedule Manager has access to the Free Time database,
so you do not have to define the ACL for this database.

You can set up the calendar and scheduling features to allow users to
schedule meetings and reserve resources.

Using clustered Free Time databases

For clustered mail servers, the Schedule Manager creates the clustered
Free Time database (CLUBUSY.NSF) the first time a server starts. The
clustered version of the Free Time database works the same as the Free
Time database (BUSYTIME.NSF). Each clustered server has a replica of
the clustered Free Time database, which stores information about users
whose mail files exist on servers in the cluster.
If you add a previously non-clustered server to a cluster, the Schedule
Manager deletes the BUSYTIME.NSF database on that server and creates
CLUBUSY.NSF, which then replicates to all cluster members. If you
remove a server from a cluster, the opposite occurs: Schedule Manager
deletes CLUBUSY.NSF and creates BUSYTIME.NSF. Until the Schedule
Manager validates the database by checking to see if the location of
users' mail files has changed, the clustered Free Time database contains
information about users whose mail server you removed from the
cluster. This validation also occurs once each day (at 2 AM) to update
free-time information for users whose mail files have been added to or
removed from a mail server. You can update the information at any time
by entering the Tell Sched Validate command at the console.
A benefit of clustered scheduling is that schedule information is always
available, even when users' home servers are down. With non-clustered
scheduling, if users' home servers are not available, the Free Time
database is not available for searching.
Other advantages of using clustered scheduling include improved
performance and reduced server traffic. Because the Free Time database
is available from other members in a cluster, the server that receives a
user's query does not have to search another server's Free Time database
for schedule information about a user whose mail server is in the cluster.

Example of scheduling a meeting


This section describes the process of scheduling a meeting when users
share the same mail server and domain, have different domains, and use
different scheduling applications.
In the following examples, Kathy wants to check the free time of and schedule a meeting with three users: Bob, who is in the same domain as Kathy; Robin, who is in a different domain; and Susan, who uses a different scheduling application (Lotus Organizer).

8-2 Administering the Domino System, Volume 1

Users in the same domain


1. Kathy creates a meeting invitation and chooses to search for Bob's free time.
2. A free time query is sent to Kathy's mail server.
3. The Free Time system looks for Bob's name in the Free Time database (BUSYTIME.NSF or CLUBUSY.NSF) on Kathy's mail server.
If Bob and Kathy have the same mail server or if Bob's and Kathy's mail servers are part of a cluster, the Free Time system finds the information and returns Bob's free time to Kathy.
If the Free Time system does not find any information on Bob, it converts Bob's name into a fully qualified name.
If Bob's mail server is unavailable and his Free Time database is not clustered, a message appears indicating that the server is unavailable, and the Find Time dialog box indicates that Bob's information is unavailable.
4. Kathy's Domino Directory is checked for Bob's Person document. When the Person document is found, the Calendar Connector sends the request to Bob's mail server, the name of which is listed in Bob's Person document.
5. The Free Time system on Bob's mail server looks in its Free Time database and returns the information to Kathy via the Calendar Connector. If the Free Time system doesn't find any information, the query fails, and the Find Time dialog box indicates that Bob's information is unavailable.

Users in different domains

1. Kathy creates a meeting invitation and chooses to search for Robin's free time. In addressing the invitation, Kathy specifies Robin's domain.
2. A query is sent to Kathy's mail server.
3. The Free Time system looks for Robin's name in the Free Time database on Kathy's mail server. It determines that Robin's mail server is in a different domain.
4. Kathy's Domino Directory is searched for a document that matches Robin's domain.
If the Free Time system finds an Adjacent Domain document, it looks at the Calendar server name field of the document for the name of a server that accepts calendar queries for Robin's domain. The Free Time system then forwards the query to this server for processing.
Setting Up Calendars and Scheduling 8-3

Configuration

If the Free Time system finds an Adjacent Domain document with an empty Calendar server name field, it fails, and the Find Time dialog box indicates that Robin's information is unavailable.
If the Free Time system finds a Non-adjacent Domain document, it looks at the Route requests through Calendar server field of the document for the name of the server (which is in a domain adjacent to Kathy's and Robin's) that accepts calendar queries for Robin's domain. The Free Time system then forwards the query to this server for processing.
If the Free Time system finds a Non-adjacent Domain document with an empty Route requests through Calendar server field, it fails, and the Find Time dialog box indicates that Robin's information is unavailable.
If the Free Time system doesn't find any domain documents, the query fails, and the Find Time dialog box indicates that Robin's information is unavailable.
Users in other calendar domains
1. Kathy creates a meeting invitation and chooses to search for Susan's free time.
2. A query is sent to Kathy's mail server.
3. The Free Time system looks for Susan's name in its Free Time database. It does not find the information, so it converts Susan's name into a fully qualified one.
4. Kathy's Domino Directory is searched for Susan's Person document.
5. The Free Time system looks in Susan's Person document and locates the name of her mail server in the Mail server field and the name of her calendar domain in the Calendar Domain field.
6. Because Susan is using Lotus Organizer as her scheduling application, the Free Time system finds that her calendar domain does not match her mail server domain. The Free Time system then looks for a Domain document for the calendar domain.
7. The Free Time system finds a Foreign Domain document for Susan's calendar domain. The Calendar server field in the Foreign Domain document identifies the name of the server that accepts queries for Susan's domain; the Calendar system field identifies the name of the add-in program (for example, Organizer or IBM OfficeVision) that actually does the free-time lookup on Susan's server. The Free Time system forwards the query to the appropriate server (the server listed in the Calendar server field) for processing.
If the Free Time system doesn't find a Foreign Domain document, the query fails, and the Find Time dialog box indicates that Susan's information is unavailable.
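The routing decisions from the three walkthroughs above, collected into one function as an added example (not code from this manual or from Domino itself); the Directory class, the server and domain-document dictionaries, the server names and the cluster and availability flags are all constructed assumptions.

```python
"""Added model of the free-time query routing walked through above (same
domain, different domains, other calendar domains). The dictionaries are
constructed stand-ins for Domino Directory documents, not the product's API."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Directory:
    """One Domino domain's directory, reduced to the fields the lookup uses."""
    domain: str
    persons: dict = field(default_factory=dict)      # user -> Person document
    servers: dict = field(default_factory=dict)      # server -> Server document
    domain_docs: dict = field(default_factory=dict)  # domain -> Domain document


def resolve_free_time_query(directory: Directory, querying_server: str,
                            target: str,
                            target_domain: Optional[str] = None) -> Tuple[str, str]:
    """Decide where a free-time query for `target` is answered.

    Returns ("local", server) when the querying server's own Free Time
    database (BUSYTIME.NSF or the CLUBUSY.NSF replica) has the entry,
    ("forward", server) when the query is passed on, or ("unavailable", why),
    which is what the Find Time dialog box would report."""
    local = directory.servers.get(querying_server, {})

    # Users in different domains: Kathy named Robin's domain, so the query is
    # routed by the matching Domain document, not by a Person document.
    if target_domain and target_domain != directory.domain:
        doc = directory.domain_docs.get(target_domain)
        if doc is None:
            return ("unavailable", "no Domain document for " + target_domain)
        if doc["type"] == "Adjacent":
            server = doc.get("calendar_server_name", "")
        elif doc["type"] == "Non-adjacent":
            server = doc.get("route_requests_through_calendar_server", "")
        else:
            return ("unavailable", "unexpected Domain document type")
        if not server:  # field left empty: the lookup fails
            return ("unavailable", "empty calendar server field")
        return ("forward", server)

    # Same Domino domain: the Person document names the mail server.
    person = directory.persons.get(target)
    if person is None:  # assumption: without a Person document nothing is forwarded
        return ("unavailable", "no Person document for " + target)

    # Users in other calendar domains (Organizer, OfficeVision): the Calendar
    # Domain field differs from the mail domain, so a Foreign Domain document
    # names the server that runs the add-in program.
    cal_domain = person.get("calendar_domain")
    if cal_domain and cal_domain != directory.domain:
        doc = directory.domain_docs.get(cal_domain)
        if doc is None or doc["type"] != "Foreign":
            return ("unavailable", "no Foreign Domain document for " + cal_domain)
        if not doc.get("calendar_server"):  # assumed to fail like the Adjacent case
            return ("unavailable", "empty Calendar server field")
        return ("forward", doc["calendar_server"])

    mail_server = person["mail_server"]
    remote = directory.servers.get(mail_server, {})
    same_cluster = (local.get("cluster") is not None
                    and local.get("cluster") == remote.get("cluster"))
    if mail_server == querying_server or same_cluster:
        # Same server, or a cluster member: the entry is already local.
        return ("local", querying_server)
    if not remote.get("available", True):
        # Non-clustered mail server that is down: nothing can answer.
        return ("unavailable", mail_server + " is unavailable")
    # The Calendar Connector forwards the query to the mail server.
    return ("forward", mail_server)


# Constructed sample directory for Kathy's domain, "Acme".
ACME = Directory(
    domain="Acme",
    persons={
        "Kathy": {"mail_server": "Mail1/Acme"},
        "Bob": {"mail_server": "Mail2/Acme"},
        "Susan": {"mail_server": "Mail1/Acme", "calendar_domain": "OrgCal"},
        "Dave": {"mail_server": "Mail3/Acme"},
    },
    servers={
        "Mail1/Acme": {"cluster": "MailCluster", "available": True},
        "Mail2/Acme": {"cluster": "MailCluster", "available": True},
        "Mail3/Acme": {"cluster": None, "available": False},
    },
    domain_docs={
        "Beta": {"type": "Adjacent", "calendar_server_name": "Hub/Beta"},
        "Gamma": {"type": "Non-adjacent",
                  "route_requests_through_calendar_server": "Hub/Beta"},
        "Delta": {"type": "Adjacent", "calendar_server_name": ""},
        "OrgCal": {"type": "Foreign", "calendar_server": "Org1/Acme",
                   "calendar_system": "Organizer"},
    },
)

if __name__ == "__main__":
    for who, dom in [("Bob", None), ("Dave", None), ("Susan", None),
                     ("Robin", "Beta"), ("Robin", "Gamma"), ("Robin", "Delta")]:
        print(who, dom, resolve_free_time_query(ACME, "Mail1/Acme", who, dom))
```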

Setting up scheduling

How you set up scheduling depends on where users are located, that is, in the same Domino domain or in different Domino domains, and on whether users use alternate scheduling applications, such as Lotus Organizer and IBM OfficeVision.

For users in the same Domino domain

Scheduling is automatically set up for non-clustered and clustered Free Time databases. You need to create the Resource Reservations database so that users can search for and reserve resources.

For users in adjacent Domino domains

1. Make sure that you have set up Adjacent Domain documents in the Domino Directory to establish communication between the domains.
For more information on Adjacent Domain documents, see the chapter "Setting Up Mail Routing."
2. From the Domino Administrator, click the Configuration tab.
3. Choose the Domino Directory in the Use Directory on box.
4. Click Messaging - Domains, and then open each appropriate Adjacent Domain document.
5. Click the Calendar Information tab, complete this field, and save the document:
Calendar server name: The name of the server in the adjacent domain that accepts and processes all scheduling queries for that domain.
6. Set up the Resource Reservations database if you want to allow users to search for and reserve resources.

For users in non-adjacent Domino domains


In order for two non-adjacent domains to do free-time lookups between each other, you need to define a Calendar server in an intermediate domain that is adjacent to both the querying and the target domains.
Note: Free-time lookups require reasonable network response time and direct LAN connections from the intermediate domain to the two separate non-adjacent domains.
1. Make sure that you have set up Non-adjacent Domain documents in the Domino Directory to establish communication between the domains.
For more information on Non-adjacent Domain documents, see the chapter "Setting Up Mail Routing."
2. From the Domino Administrator, click the Configuration tab.
3. Choose the Domino Directory in the Use Directory on box.
4. Click Messaging - Domains, and then open each appropriate Non-adjacent Domain document.
5. Click the Calendar Information tab, complete this field, and save the document:
Route requests through calendar server: The name of a calendar server that is in a domain adjacent to both the querying and the target domains. This server accepts and forwards free time queries from the source to the target non-adjacent domain.
6. Set up the Resource Reservations database if you want to allow users to search for and reserve resources.

For users of Lotus Organizer or IBM OfficeVision


Lotus Domino 6 scheduling works with both Lotus Organizer and IBM OfficeVision. If users want to keep their schedules in either program, set up scheduling to include them. You need to create a Foreign Domain document for each alternate scheduling application.
1. Make sure you already set up a Foreign Domain document in the Domino Directory for each alternate scheduling application.
For more information on Foreign Domain documents, see the chapter "Setting Up Mail Routing."
2. From the Domino Administrator, click the Configuration tab.
3. Choose the Domino Directory in the Use Directory on box.
4. Click Messaging - Domains, and then open each appropriate Foreign Domain document.
5. Click the Calendar Information tab, complete these fields, and save the document:
Calendar server name: The name of the server that is running the alternative scheduling program.
Calendar system: Choose either Organizer or OfficeVision from the list.
6. For Notes mail users who use a different scheduling application, enter the name of the foreign domain in the Calendar Domain field of each user's Person document.
7. Set up the Resource Reservations database if you want to allow users to search for and reserve resources.

Setting up the Resource Reservations database


The Resource Reservations database is where users schedule and manage meeting resources. Resources may include conference rooms and equipment, such as overhead projectors and video machines. Users can select a particular resource and reserve a time for it, or they can choose a time and let the Resource Reservations database display resources available during that time.
The Resource Reservations database contains three types of documents: Site Profile, Resource, and Reservation. A Site Profile document identifies the site where particular resources are located. A Resource document defines the resource name, for example, the name or number of the conference room. After you create Site Profile and Resource documents, the Schedule Manager tracks the free time of a resource the same way it tracks free time for users. To reserve a resource, a user can either create a Reservation document or add the resource to a meeting invitation.


To set up the Resource Reservations database


1. From the Domino Administrator, choose File - Database - New.
2. Complete these fields on the New Database dialog box:
Server: Enter the name of the server on which you are creating the database.
Title: Enter the name of the database.
File Name: Enter a file name for the database. Use the file name extension nsf.
Template server: Choose the template server from which you will be copying the template.
Show advanced templates: Click this check box to display additional templates, including the Resource Reservations (RESRC60.NTF) template.
Inherit future design changes: Click the check box if you want the database to inherit design changes that will be made to the template in the future.
3. Select the Resource Reservations 6 (RESRC60.NTF) template.
4. Click OK.

Setting up the database ACL for the Resource Reservations database

After creating the Resource Reservations database, set up the ACL for the database. Assign the [CreateResource] role to anyone who needs to create a site or a resource. The [CreateResource] role is required.
1. From the Domino Administrator, choose File - Database - Access Control.
2. List the names of all users who are authorized to create Resource and Site Profile documents and assign to them the [CreateResource] role.
For more information on setting database ACLs, see the chapter "Controlling User Access to Domino Databases."
3. Click OK.

Creating Site Profile and Resource documents


A Site Profile document defines a particular site where a resource exists and associates that site with a Resource Reservations database and the Domino Directory. You must create at least one Site Profile document before you can create Resource documents.
When you create a Resource document, you define the resource name, type, and availability; and you specify who can reserve the resource. There are three types of resources:
Room: Typically a conference room that you want to allow users to reserve for meetings. When you set up this resource, you must enter the seating capacity of the room.
Online Meeting Place: A meeting held online via Sametime 3.0 running with Domino Release 6. For more information on setting up Sametime, see the IBM Lotus Sametime 3.0 Administrator's Guide. Go to http://www.notes.net/doc to download documentation.
Other: Resources that are not rooms or online meetings, but that you want to make available for users to reserve.
After you set up resources, users can search for the free time of a resource and schedule the resource for a meeting while searching for free time and inviting users to the meeting. For each Resource document you create, the Administration Process creates a corresponding Resource document in the Domino Directory. During a free-time query, the Free Time system searches the Free Time database to find the location of these resources and returns information on the availability of both the resource and the invitees.
When setting up rooms as resources, enter the room information in a consistent format, either by name or by number. Doing so will limit the number of errors caused when a room cannot be located in the database. When a user reserves a conference room with type-ahead enabled, Lotus Domino 6 searches for the conference room by room number or by room name, but not by both. Lotus Domino 6 looks up rooms according to how they have been added to the Resource Reservations database, either by name or by number. If a user enters a room name and the room resource is set up by room number, an error is generated and the room is not located. Setting up all room resources by room name or by room number helps eliminate this type of error.
When you create a Site Profile or Resource document, the new resource is not available for users to schedule until the Administration Process adds the resource to the Domino Directory and the addition replicates to all replicas of the Domino Directory that are on servers used for scheduling resources.

To create a Site Profile document


1. Make sure that you have Manager access and the [CreateResource]
role in the ACL of the Resource Reservations database.
2. From the Domino Administrator, click the Files tab.
3. From the Servers pane, select the server from which you want to
work.
4. Open the Resource Reservations database, and select any view
except Calendar, My Reservations, and Reservations Waiting for
Approval.
5. Click New Site.
6. Complete these fields:
Site name: The name of the site where the resource exists, for example, 50 West Lincoln Building.
Domain name: The name of the domain where the Resource Reservations database resides. By default, your current Domino domain is entered in this field.
7. Click Save and Close.

To create a Resource document


1. Make sure that you have the [CreateResource] role in the ACL of the
Resource Reservations database and that at least one Site Profile
document has already been created.
2. From the Domino Administrator, click the Files tab.
3. From the Servers pane, select the server from which you want to
work.
4. Open the Resource Reservations database.
5. Click New Resource.

6. Choose one of these Resource Types:
Room: if the resource is a room
Other: if the resource is not a room
Online Meeting Place: if you will be meeting via a Sametime server
7. Click the Resource Information tab, and complete these fields:
Name: A unique name that identifies the resource, for example, a room number.
Site: Click to display a list of available sites, and then choose one.
Category (appears when you select Other as Resource Type): Name for the category of the Resource, for example, Electronic or AV. This field also displays the names of all previously entered Category values, from which you can choose.
Capacity (appears when you select Room as Resource Type): The capacity of the resource, for example, the seating capacity of a room.
Description: A description of the resource, for example, large conference room with a video monitor.
Internet address: An Internet address that iCalendar users can use to reserve the resource. The Internet Address field is not visible for Online Meeting Place.

8. Enter the following Owner Options for resources of type Room or Other. If you chose a resource type of Online Meeting Place, go to Step 9.
Owner restrictions: Choose one:
None: Click if no owner is assigned to the resource and anyone can reserve the resource.
Owner only: Click to assign a Resource owner. Only the Resource owner can process Resource requests without special approval. Enter the name of the resource owner in the Owner's name field. The owner is the person or group to whom requests from other users (those not listed in the List of names field) are forwarded for approval and processing.
Specific people: Click to allow only specified users access to the resource. Enter the names of users allowed to reserve this resource in the List of names field.
Autoprocessing: Click to allow only specified users and groups access to the resource and to assign a resource owner. Enter the name of the resource owner in the Owner's name field. The owner is the person or group to whom requests from other users (those not listed in the List of names field) are forwarded for approval and processing. Enter the names of users allowed to reserve this resource in the List of names field.
Disable reservations: Click to prevent users from reserving a resource from a meeting notice and directly from the Resource Reservations database.
Availability settings: Choose one of these:
24 hours everyday: The resource is available 24 hours each day. When you select this availability setting, other availability settings are disabled.
Time zone: Specify the time zone for the resource. The default is Local Time, but you can specify others as applicable, such as Eastern Time.
Days of week and hours of days: Select the days of the week that the resource is available. Specify availability start time and end time for each available day selected.
Other comments: (Optional) Enter additional comments as necessary.

9. Enter the following Online Resource data for resources of type Online Meeting Place. If you chose a resource type of Room or Other, complete Step 8 and then Step 10. Do not complete Step 9.
Online meeting database: The default database, stconf.nsf, is entered by default. This field cannot be modified.
External address: Name of the mail-in database on the Sametime server. The name you enter here must be identical to the name of the Sametime Mail-in database in the Domino Directory.
Sametime server: Name of the Sametime server hosting the meeting.
Audio Video Support: Choose one:
Audio: Voice only
Audio and Video support: Voice and video display
10. Click Save and Close.

Editing and deleting Resource documents

After you create a Resource document, the information that you can change includes the Availability Settings, Description, Capacity, Online resource data, Other Comments, and Ownership Options fields. To change any other information about the resource, you must delete the Resource document and then create a new one containing the new information.
New resource information is not available until the Administration Process updates the Resource document in the Domino Directory and the change replicates to all relevant replicas of the Domino Directory that are on servers used for scheduling resources.
If you delete a resource from the Resource Reservations database, an Administration Process Request document for the resource deletion is created in the Administration Requests database (ADMIN4.NSF). To delete the resource and remove it from the Domino Directory, you must open the Administration Requests database and approve the request for deletion. Note that to approve requests you need the appropriate access in the ACL of the Administration Requests database.

To edit a Resource document


1. Make sure that you have the [CreateResource] role in the ACL of the
Resource Reservations database.
2. From the Domino Administrator, click the Files tab.
3. From the Servers pane, select the server from which you want to
work.
4. Open the Resource Reservations database, and then click Resources.
5. Open the Resource document you want to edit and click Edit
Resource.
6. Edit any of the following fields for resources of type Room or Other. If you are editing a resource of type Online Meeting Place, do not complete Step 6; go to Step 7.
Description: Description of the resource.
Capacity (for Rooms only): The capacity of the resource, if it has one, for example, the seating capacity of a room.
Category (for Other only): Name for the category of the Resource, for example, Electronic or AV. This field also displays the names of all previously entered Category values, from which you can choose. Non-modifiable field.
Owner restrictions: Choose one:
None: Click if no owner is assigned to the resource and anyone can reserve the resource.
Owner only: Click to assign a Resource owner. Only the Resource owner can process Resource requests. Enter the name of the resource owner in the Owner's name field.
Specific people: Click to allow only specified users access to the resource. Enter the names of users allowed to reserve this resource in the List of names field.
Autoprocessing: Click to allow only specified users access to the resource and to assign a resource owner. Enter the name of the resource owner in the Owner's name field. The owner is the person to whom requests from other users (those not listed in the List of names field) are forwarded for approval and processing. Enter the names of users allowed to reserve this resource in the List of names field.
Disable reservations: Prevent users from reserving a resource from their mail file.
Availability settings: Choose one:
24 hours everyday: The resource is available 24 hours each day. When you select this availability setting, other availability settings are disabled.
Time zone: Specify the time zone for the resource. The default is Local Time, but you can specify others as applicable, such as Eastern Time.
Days of week and hours of days: Select the days of the week that the resource is available. Specify availability start time and end time for each available day selected.
Other comments: Enter additional comments about the resource as necessary.
Internet address: An Internet address that iCalendar users can use to reserve the resource.
7. Edit any of the following fields for resources of type Online Meeting Place. If you are editing a resource of type Other or Room, go to Step 8. Do not complete Step 7.
Description: Description of the resource.
Online Meeting Database: The default database, STCONF.NSF, is entered by default. This field cannot be modified.
External address: Name of the mail-in database on the Sametime server. The name you enter here must be identical to the name of the Sametime Mail-in database.
Sametime server: Name of the Sametime server hosting the meeting.
Audio Video Support: Choose one:
Audio: Voice only
Audio and Video: Voice and video display
Other comments: Modify or enter comments regarding the resource as desired.
8. Click Save and Close.

To delete a resource
When you delete a resource, an administration request that requires the administrator's approval is also generated. After deleting the resource in the user interface, open the Administration Requests database and approve the deletion there. Instructions for both procedures are included here.
1. Make sure that you have the [CreateResource] role in the ACL of the
Resource Reservations database.
2. From the Domino Administrator, click the Files tab.
3. From the Servers pane, select the server from which you want to
work.
4. Open the Resource Reservations database, and then click Resources.
5. Open the Resource document that you are deleting, and click Delete
Resource.
6. Click Yes and click OK.

To approve the resource deletion


To process the deletion, the request needs approval in the Administration
Requests database. Complete these steps to approve the Approve
Resource Deletion administration request.
1. From the Domino Administrator, click Server - Analysis - Administration Requests (6).
2. Click Pending Administrator Approval.
3. Open the Approve Resource Deletion request document and click
Edit Document.
4. Click Approve Resource Deletion.
5. Choose Yes and then click OK to approve the deletion.

Setting user access rights to edit and delete reservations

To allow a user to delete a reservation in the Resource Reservations database on a Notes Client, assign Editor access to that user in the database ACL of the Resource Reservations database. The Delete Reservation button is then enabled.
To allow a Web user to delete a reservation in the Resource Reservations database, via a Web browser, assign Editor access to that user in the database ACL of the Resource Reservations database. In a Web view, the Move to Trash and the Empty Trash buttons are then enabled.
Reservations that are created manually or with Calendaring and Scheduling can be deleted by a requester with Editor access to the Resource Reservations database, a resource owner with Editor access to the Resource Reservations database, or by a database manager with Editor access to the Resource Reservations database and the [CreateResource] role.
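The Owner restrictions from step 8 of "To create a Resource document" and the deletion rights described here, modelled as an added example that is not the Resource Reservations template's own code; the ACL level ordering, the literal (unexpanded) name matching and all sample names are assumptions.

```python
"""Added model of the Resource document's Owner restrictions and of the ACL
rights needed to delete a reservation. Constructed stand-ins, not the
Resource Reservations template's own logic."""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

# The five Owner restrictions exactly as the Resource document offers them.
NONE = "None"
OWNER_ONLY = "Owner only"
SPECIFIC_PEOPLE = "Specific people"
AUTOPROCESSING = "Autoprocessing"
DISABLED = "Disable reservations"

# Domino ACL levels in ascending order (assumption: "Editor access" means
# Editor or any higher level).
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor",
              "Designer", "Manager"]


@dataclass
class Resource:
    name: str
    owner_restrictions: str = NONE
    owner: Optional[str] = None                 # the Owner's name field
    allowed: FrozenSet[str] = frozenset()       # the List of names field


@dataclass
class Acl:
    """Simplified Resource Reservations database ACL."""
    levels: dict = field(default_factory=dict)  # user -> ACL level
    roles: dict = field(default_factory=dict)   # user -> set of roles


def reservation_outcome(resource: Resource, requester: str) -> str:
    """What happens when `requester` asks to reserve `resource`.

    Group membership is not expanded (assumption): names are compared
    literally, so a group named as owner matches only itself."""
    r = resource.owner_restrictions
    if r == DISABLED:          # neither meeting notices nor the database
        return "refused"
    if r == NONE:              # no owner, anyone may reserve
        return "accepted"
    if r == OWNER_ONLY:        # everyone else is forwarded to the owner
        return "accepted" if requester == resource.owner else "needs owner approval"
    if r == SPECIFIC_PEOPLE:   # only the List of names may reserve at all
        return "accepted" if requester in resource.allowed else "refused"
    if r == AUTOPROCESSING:    # listed names are processed, the rest forwarded
        if requester == resource.owner or requester in resource.allowed:
            return "accepted"
        return "needs owner approval"
    raise ValueError("unknown owner restriction: " + r)


def has_at_least(acl: Acl, user: str, level: str) -> bool:
    """True if `user` holds `level` or a higher ACL level."""
    return ACL_LEVELS.index(acl.levels.get(user, "No Access")) >= ACL_LEVELS.index(level)


def can_delete_reservation(acl: Acl, resource: Resource,
                           reservation_requester: str, user: str) -> bool:
    """Editor access is required in every case (it is what enables Delete
    Reservation, or Move to Trash and Empty Trash on the Web); the user must
    then be the requester, the resource owner, or the database manager, who
    is recognised here by the [CreateResource] role."""
    if not has_at_least(acl, user, "Editor"):
        return False
    if user == reservation_requester or user == resource.owner:
        return True
    return "CreateResource" in acl.roles.get(user, set())


# Constructed sample: one room under Autoprocessing and a small ACL.
ROOM = Resource("Room 101", AUTOPROCESSING, owner="Alice/Acme",
                allowed=frozenset({"Bob/Acme"}))
ACL = Acl(levels={"Alice/Acme": "Editor", "Bob/Acme": "Editor",
                  "Carol/Acme": "Reader", "Admin/Acme": "Manager"},
          roles={"Admin/Acme": {"CreateResource"}})

if __name__ == "__main__":
    for who in ("Alice/Acme", "Bob/Acme", "Carol/Acme", "Admin/Acme"):
        print(who, reservation_outcome(ROOM, who),
              can_delete_reservation(ACL, ROOM, "Bob/Acme", who))
```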

Single-room, non-repeating reservations that are created manually in the Resource Reservations database can be edited by the requester of the reservation, with Editor access to the Resource Reservations database, if the reservation has a status of waiting for approval or if the reservation has been accepted. Repeating room or resource reservations that are created manually cannot be edited.

Creating Holiday documents

Holiday documents provide a way for your organization to have a centrally managed collection of documents that contain information on scheduled holidays and events. Users select the type of Holiday documents to import and add the information to their personal calendars. Lotus Domino 6 includes default Holiday documents that you can modify or delete; you can also add Holiday documents specific to your organization's needs. Holiday documents are stored in the Domino Directory.
You categorize Holiday documents according to a group name. For example, you may have a group named Full-time that contains all the company holidays for full-time employees. The default Holiday documents included with Lotus Domino 6 have group names associated with countries or religions (for example, United States or Italy), and the groups contain documents specific to holidays in each country. As an administrator, you may want to modify or delete these documents to reflect your organization's needs. Then you can advise all users to import a specific group of Holiday documents.
To add a document to an existing group, select the group when you create a new Holiday document. To create new groups, enter a new group name in the Holiday document. Remember that your users import Holiday documents according to group name, not document name, so be sure to plan the organization of documents in groups.

To create a Holiday document


1. From the Domino Administrator, click the Configuration tab.
2. Select the Domino Directory server in the Use Directory on field.
3. Click Miscellaneous - Holidays.
4. Click Add Holiday.
5. Complete these fields on the Basics tab:
Group: Do one of these:
Select a group from the list
Add a new group in the New keyword field and then click OK
Title: Enter the name of the holiday, for example, Christmas.
Repeat: Specify how often the holiday repeats:
Monthly by Date
Monthly by Day
Yearly
Custom: If you choose Custom, enter one or more dates on which the holiday repeats.
6. If you chose Custom in the Repeat field in Step 5, do not complete Step 6. Instead, go to Step 7. Otherwise, complete these fields:
Start date: Enter the date when the holiday first occurs. This date may be the actual date of the holiday (such as New Year's Day) or it may be the date from which to start the holiday. For example, if your organization gives employees every other Friday off from June through August, enter June 1 as the Start Date and select For from the Continuing field to specify an end date of August 31.
Continuing: Choose one:
Until: Click Until and then enter a specific date in the Repeat Until field.
For: Click For and then specify the number of months or years during which the holiday repeats in the Repeat For field.
Repeat until (displays if you select Until in the Continuing field): Enter the last date on which the Holiday should repeat.
Repeat For (displays if you select For in the Continuing field): Enter the number of months or years during which the holiday should repeat.
Repeat Interval (applies to Monthly by Date and by Day): Choose how often the holiday repeats by month and day.
If the date falls on a weekend (applies to Monthly by Date only): Choose one:
Don't Move
Move to Friday
Move to Monday
Move to Nearest Weekday
7. Complete this step only if you chose Custom in the Repeat field in Step 5.
Repeat Dates (applies only to Custom): Enter the date or dates when the holiday occurs, for example, 01/01/02, 01/02/2003.
8. Complete these fields:
Mark time as: Choose how each user's calendar will record this holiday:
Busy: This holiday will appear as Busy time in the user's schedule so that meetings cannot be scheduled on the holiday.
Free: This holiday will appear as Free time in the user's schedule, so that meetings can be scheduled on that holiday.
Detailed description: (Optional) Enter a detailed description of the holiday.
9. Click Save and Close.

To view the default Holiday documents


Lotus Domino 6 includes default Holiday documents that contain
information on holidays observed around the world. The Holiday
documents are organized into groups by country or religion. For
example, the Italy group contains documents specific to Italian holidays.
1. From the Domino Administrator, click the Configuration tab.
2. Select the Domino Directory server in the Use Directory on field.
3. Click Miscellaneous - Holidays to see all the default Holiday
documents.

To modify an existing Holiday document


After you modify or delete an existing Holiday document, users receive
the modifications only when they choose to run import from their mail
files.
1. From the Domino Administrator, click the Configuration tab.
2. Select the Domino Directory server in the Use Directory on field.
3. Click Miscellaneous - Holidays.
4. Choose the geographical/religious category for the Holiday.
5. Select the desired Holiday document and click Edit Holiday.
6. Modify fields as you wish.
For more information on the individual fields, see the topic "To create a Holiday document" in this chapter.

Collecting detailed information from user calendars


If a user requests it, additional detailed data is available to other users. This information is stored in the Free Time database, BUSYTIME.NSF or CLUBUSY.NSF: for clustered servers, the database is CLUBUSY.NSF; for non-clustered servers, the database is BUSYTIME.NSF. To limit growth of this database, do not enable the server to collect this data. You can enable or disable this feature across the entire Domino domain from the server's Configuration Settings document, or you can set it for specific servers.

To collect detailed calendar information from user calendars


1. From the Domino Administrator, click the Configuration tab.
2. Choose Server - Configurations.
3. Select the Server Configuration document you want to modify, and
click Edit Configuration.

5. Choose any of these calendar details to extract:


Chair Allows other users to see who will chair the meeting
Location Allows other users to see the site location of the
meeting
Room Allows other users to see the name or other identifier for
the room
6. Click Save and Close.

Setting Up Calendars and Scheduling 8-21

Configuration

4. On the Basics tab, click the check box Extract calendar details. The
feature is enabled.

Chapter 9
Using Policies

Using policies, you can distribute and control a standard set of administrative settings for user registration and setup, desktop configuration, mail archiving, and security.

Policies
Using a policy, you control how users work with Notes. A policy is a document that identifies a collection of individual policy settings documents. Each policy settings document defines a set of defaults that apply to the users and groups to which the policy is assigned. Once a policy is in place, you can easily change a setting, and the change automatically applies to the users to whom the policy is assigned.
Policy settings documents cover these administrative areas:
• Registration  If a policy that includes registration policy settings is in place before you register Notes users, these settings supply the default user registration values, including user password, Internet address format, roaming user designation, and mail.
• Setup  If a policy that includes setup policy settings is in place before you set up a new Notes client, these settings are used during the initial Notes client setup to populate the user's Location document. Setup settings include Internet browser and proxy settings, applet security settings, and desktop and user preferences.
• Desktop  Use desktop policy settings to control and update the user's desktop environment or to reinforce setup policy settings. For example, if a change is made to any of the policy settings, the next time users authenticate with their home server, the desktop policy settings restore the default settings or distribute the new settings specified in the desktop policy settings document.
• Mail archiving  Use archive policy settings to control mail archiving. Archive settings control where archiving is performed and specify archive criteria.
• Security  Use security settings to set up administration ECLs and to define password-management options, including the synchronization of Internet and Notes passwords.

Organizational and explicit policies

There are two types of policies: organizational and explicit. Understanding the differences between the types helps you plan the implementation.

Organizational policies
An organizational policy automatically applies to all users registered in a particular organizational unit. For example, to distribute default settings to all users registered in Sales/Acme, create an organizational policy named */Sales/Acme. Then, when you use the Sales/Acme certifier ID to register a user, that user automatically receives the settings in the corresponding organizational policy.
If you move a user within the hierarchical structure, for example because the user transfers from the Sales department to the Marketing department, the organizational policy for the corresponding certifier ID is automatically assigned to the user. For example, if you move the user from Sales/Acme to Marketing/Acme, all settings defined in the desktop, archiving, and security policy settings documents associated with the */Marketing/Acme organizational policy are assigned to the user. The new policy settings become effective the first time the user authenticates with the home server.

Explicit policies
An explicit policy assigns default settings to individual users or groups. For example, to set a six-month certification period for contract workers in all departments, create an explicit policy and then assign it to each contract employee or to the group that includes all contract employees. There are three ways to assign an explicit policy: during user registration, by editing the user's Person document, or by using the Assign Policy tool.
For information on assigning an explicit policy, see the topic "Assigning an explicit policy," later in this chapter.

Using exceptions
You can assign an exception attribute to either an organizational or an explicit policy. You use an exception to allow the user to override a policy setting that is otherwise enforced throughout an organization. When you create an exception policy, you specify only the settings that will not be enforced. Then, when you assign the exception policy, it exempts users from enforcement of those settings only.

Policy hierarchy and the effective policy

The effective policy for a user is a set of derived policy settings that are dynamically calculated at the time of execution. The field values in an effective policy may originate from many different policy settings documents. Each hierarchical level can have an associated policy, so users may have a combination of policy settings that include the values set at their OU level and those inherited from a parent policy. The resolution of those settings, stepping up through the organizational hierarchy, determines the effective policy for each user.
In addition to organizational policies, users may also have explicit policies assigned to them. In that case, the order of resolution is that all organizational policy settings are resolved first, then any explicit policy settings are resolved.
For example, if you want all users to use the same Internet mail name format, set that value in the Registration policy settings document for the top-level policy. Once you have set this value, you do not have to change it or reenter it in subsequent child policies; you simply inherit the value from the parent by selecting the inherit option. However, if you have a select group of international users for whom this setting is a problem, you can create an explicit policy that applies to that group only. The combination of explicit and organizational policies together provides the control and the flexibility you need.
Exception policies are a way to give someone in an organization special treatment, possibly because of their position or job requirements. For example, the */Acme policy includes a Registration policy setting that enforces a mail database quota of 60 MB. However, a small group of employees in Acme needs to exceed this quota. The solution is to create an exception policy that includes only a Registration policy settings document that does not set a quota limitation on the mail database. When this exception policy is assigned to users, they can override the database quota setting. Because exception policies defeat the enforcement of policy settings, use them sparingly.
There are two tools that help you determine the effective policy governing each user. The Policy Viewer shows the policy hierarchy and associated settings documents, and a Policy Synopsis report shows the policy from which each of the effective settings was derived.

Inheritance and the child policy relationship

Inheritance plays an important role in determining a user's policy settings in both organizational and explicit policies. Through the parent-child relationship, you create a hierarchy of policies to set your administrative practices across the enterprise. In a policy hierarchy, policy documents build the relationship, and policy settings documents determine the value of the fields based on their position in the hierarchy. Using field inheritance and enforcement, you control the default settings.
In organizational policies, the hierarchy of policies is determined automatically by the organization's hierarchy: the policy */Sales/Acme is the child policy of */Acme. Because explicit policies do not follow the organizational structure, when you create explicit policies you build the hierarchy into the naming structure. For example, suppose you create an explicit policy named /Contractors that includes several settings that apply only to contract employees who may be employed for six months to a year, but you want short-term temporary employees, employed for only one or two weeks, to inherit only some of those settings. You create a child explicit policy called Short term/Contractors.
The following figure shows a policy hierarchy in which the policy at each organizational level has set its own password quality (PQ) value in its Registration settings document.

[Figure: */Acme (RegSetting PQ=8) > */Sales/Acme (RegSetting PQ=7) > */NE/Sales/Acme (RegSetting PQ=6). Joe User/NE/Sales/Acme receives PQ=6, the value set at his own OU level.]

In the following figure, Joe User inherits a password quality setting from a parent policy. Inheriting a setting occurs in the child policy at the field level in a policy settings document.

[Figure: */Acme (RegSetting PQ=8) > */Sales/Acme (RegSetting PQ=9) > */NE/Sales/Acme (RegSetting PQ set to Inherit). Joe User/NE/Sales/Acme receives PQ=9, inherited from */Sales/Acme.]

Another way that a user inherits field-level settings is through enforcement. In the figure below, the password quality setting is enforced in the parent policy at the field level in the Registration policy settings document. If settings are enforced in a parent policy, the settings at the child policy level do not apply.

[Figure: */Acme (RegSetting PQ=8, Enforce) > */Sales/Acme (RegSetting PQ=8, enforced from the parent) > */NE/Sales/Acme (RegSetting PQ=9). Joe User/NE/Sales/Acme receives PQ=8: the enforced parent value overrides the child policy's PQ=9.]

Example of using policies

The administrator at the Acme company wants to use policies to:
• Set the same Internet address format for all users
• Set users in Sales/Acme to be roaming users
• Set a custom mail template for employees in Sales/Acme
• Set a 24-month certification expiration for permanent employees
• Set a 6-month certification expiration for temporary employees
To accomplish these goals, the administrator creates these policies:
• An organizational policy for all Acme employees (*/Acme) that includes a registration policy settings document that specifies the Internet mail format and other default settings that will populate the registration dialog. These default policy settings include a 24-month certification expiration period.
• An organizational policy for Sales/Acme (*/Sales/Acme) that sets roaming options and specifies a custom mail template.
• An explicit policy for temporary employees that specifies a 6-month certification expiration. When temporary employees are registered, this explicit policy is applied along with the organizational policy that corresponds to the organizational unit in which the employees are registered.
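
The resolution rules described under "Policy hierarchy and the effective policy" and "Inheritance and the child policy relationship", applied to the three password quality figures and to the Acme scenario above, as an added worked example in Python. This is illustration code written for this page, not Domino's own code or API. It assumes that policy and settings documents can be modelled as plain objects with settings keyed "area.field"; that the explicit policy chain is resolved after the organizational chain as if it were a child of it, so a field enforced in an organizational policy still wins over an explicit policy; that an exception policy is passed separately and only marks the fields it lists as overridable; and that field and template names such as registration.mail_quota_mb, /Temps and acmemail.ntf are made up for the example.

```python
"""Effective-policy resolution for organizational and explicit policies (added
illustration of the rules in this chapter, not Domino code).  Resolution runs the
organizational chain root-first, then the explicit chain, honouring Inherit and
Enforce at field level, and then applies exception policies."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

INHERIT = object()  # sentinel: the field takes its value from the parent policy

@dataclass
class Setting:
    value: object          # INHERIT, or the field value in the settings document
    enforce: bool = False  # enforced here: child policies cannot change this field

@dataclass
class Policy:
    name: str                                                   # "*/Sales/Acme", "/Contractors", ...
    settings: Dict[str, Setting] = field(default_factory=dict)  # "area.field" -> Setting
    exception: bool = False  # exception policy: its listed fields become user-overridable

@dataclass
class EffectivePolicy:
    values: Dict[str, object] = field(default_factory=dict)
    source: Dict[str, str] = field(default_factory=dict)  # field -> supplying policy (Policy Synopsis)
    enforced: Set[str] = field(default_factory=set)
    overridable: Set[str] = field(default_factory=set)

def _key(name: str) -> str:
    return name.lstrip("/")  # "/Contractors" and "Contractors" name the same explicit policy

def store(policies: Iterable[Policy]) -> Dict[str, Policy]:
    return {_key(p.name): p for p in policies}

def org_chain(user_name: str, policies: Dict[str, Policy]) -> List[Policy]:
    """Organizational policies for a hierarchical name, root first:
    Joe User/NE/Sales/Acme -> */Acme, */Sales/Acme, */NE/Sales/Acme."""
    ous = user_name.split("/")[1:]  # drop the common name, keep the OU path
    names = ["*/" + "/".join(ous[i:]) for i in range(len(ous) - 1, -1, -1)]
    return [policies[n] for n in names if n in policies]

def explicit_chain(policy_name: Optional[str], policies: Dict[str, Policy]) -> List[Policy]:
    """Explicit policies take their hierarchy from the name, root first:
    Short term/Contractors -> /Contractors, Short term/Contractors."""
    if not policy_name:
        return []
    parts = _key(policy_name).split("/")
    names = ["/".join(parts[i:]) for i in range(len(parts) - 1, -1, -1)]
    return [policies[n] for n in names if n in policies]

def effective_policy(user_name: str, policies: Dict[str, Policy], explicit: Optional[str] = None,
                     exceptions: Iterable[str] = ()) -> EffectivePolicy:
    eff = EffectivePolicy()
    # All organizational policy settings are resolved first, then the explicit ones.
    for policy in org_chain(user_name, policies) + explicit_chain(explicit, policies):
        for fld, s in policy.settings.items():
            if fld in eff.enforced:  # a parent enforces this field: the child value does not apply
                continue
            if s.value is INHERIT:   # Inherit selected: keep the parent's value
                continue
            eff.values[fld] = s.value
            eff.source[fld] = policy.name
            if s.enforce:
                eff.enforced.add(fld)
    # An exception policy lists only the fields that are not to be enforced for its users.
    for name in exceptions:
        exc = policies[_key(name)]
        assert exc.exception, f"{name} is not an exception policy"
        for fld in exc.settings:
            eff.enforced.discard(fld)
            eff.overridable.add(fld)
    return eff

PQ = "registration.password_quality"

def password_quality_examples() -> List[EffectivePolicy]:
    """The three password-quality figures: own value at each level, Inherit, Enforce."""
    joe = "Joe User/NE/Sales/Acme"
    own_values = store([Policy("*/Acme", {PQ: Setting(8)}), Policy("*/Sales/Acme", {PQ: Setting(7)}),
                        Policy("*/NE/Sales/Acme", {PQ: Setting(6)})])
    inherited = store([Policy("*/Acme", {PQ: Setting(8)}), Policy("*/Sales/Acme", {PQ: Setting(9)}),
                       Policy("*/NE/Sales/Acme", {PQ: Setting(INHERIT)})])
    enforced = store([Policy("*/Acme", {PQ: Setting(8, enforce=True)}),
                      Policy("*/Sales/Acme", {PQ: Setting(INHERIT)}),
                      Policy("*/NE/Sales/Acme", {PQ: Setting(9)})])
    return [effective_policy(joe, p) for p in (own_values, inherited, enforced)]

def acme_example():
    """The Acme scenario plus the 60 MB quota exception (field and template names are assumed)."""
    policies = store([
        Policy("*/Acme", {"registration.internet_address_format": Setting("FirstName LastName"),
                          "registration.cert_expiration_months": Setting(24),
                          "registration.mail_quota_mb": Setting(60, enforce=True)}),
        Policy("*/Sales/Acme", {"registration.roaming_user": Setting(True),
                                "registration.mail_template": Setting("acmemail.ntf")}),
        Policy("/Temps", {"registration.cert_expiration_months": Setting(6)}),
        Policy("/QuotaException", {"registration.mail_quota_mb": Setting(None)}, exception=True),
    ])
    temp = effective_policy("Jane Temp/Sales/Acme", policies, explicit="/Temps")
    exempt = effective_policy("Joe User/NE/Sales/Acme", policies, exceptions=["/QuotaException"])
    return temp, exempt
```

The source map returned for each field plays the role of the Policy Synopsis report: it tells you which policy document supplied the value, which is the first thing to check when a user ends up with a weaker password quality or a larger quota than you expected. Note that an exception policy leaves the effective value in place and only removes the enforcement, which is why the chapter advises using them sparingly.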

Planning and assigning policies

Before you register and set up users, plan and create policies. Then, during user registration, assign the policies. If users are already registered, you can still plan and create policies, but you cannot apply any registration and setup policy settings to them, since those apply only once, during user registration and setup.

To plan and assign policies

1. Determine which settings to assign to all users in specific organizational units. For these settings, create organizational policies.
2. Determine which settings to assign to individual users or groups. For these settings, create explicit policies.
3. Register users and assign explicit policies during registration.
4. For users who are already registered, assign explicit policies by editing the Person document or by using the Assign Policy tool.
5. (Optional) Create and assign exception policies.

To plan and assign policies for a hosted organization

When you use policies for hosted organizations, your policy must include registration policy settings. You can use either an organizational or an explicit policy. Depending on the type of policy you use, you create the policy either before you register the hosted organization or during registration.
For a hosted organization, do one of the following:
• Explicit policy  Create an explicit policy that includes a registration settings document before you register the hosted organization.
• Organizational policy  When you are registering a hosted organization, create an organizational policy and a registration settings document when you are prompted to do so.

Creating policies
Creating a policy is a two-step process. If you create an organizational policy, it applies automatically when you register users. If you create an explicit policy, you assign it manually during user registration, in the Person document, or by using the Assign Policy tool.
For more information on assigning explicit policies, see the topic "Assigning an explicit policy," later in this chapter.
1. Create one or more of the following policy settings documents to define the default settings that you want to assign to users:
    Registration policy settings
    Setup policy settings
    Desktop policy settings
    Security policy settings
    Archive policy settings
2. Create a Policy document, which identifies the specific policy settings documents.

Creating a registration policy settings document

If you include a registration policy settings document in a policy, many registration settings are filled in for you when you register users. If you use an organizational policy, that policy is applied automatically when you register users with the corresponding certifier ID. If you use an explicit policy, you select the policy during registration.
For more information on user registration settings, see the chapter "Setting Up and Managing Notes Users." For more information about the password quality scale, see the chapter "Protecting and Managing Notes IDs."
To create registration settings
1. Make sure that you have Editor access to the Domino Directory and one of these roles:
    PolicyCreator role to create a settings document
    PolicyModifier role to modify a settings document
2. From the Domino Administrator, select the People & Groups tab, and then open the Settings view.
3. Click Add Settings, and then choose Registration.
4. On the Basics tab, complete these fields:
    Name
        Enter a name that identifies the users that use these settings. If you are a service provider, enter the name of the hosted organization.
    Description
        Enter a description of the settings.
    Choose a registration server
        Select the registration server from the list.
    Choose a password quality
        Select a password quality level. If you are a service provider, you must select a minimum password quality of Any Password or, if specifying a number, level 2. This value governs only the initial password; after users authenticate with their home servers, password quality is governed by the security settings.
    Set Internet password
        Check the Set Internet password check box to set the password that is stored in each user's Person document. This password gives users access to Internet services. If you are a service provider, you must complete this field.

5. If you are setting up roaming users, choose Roaming User, and then complete these fields. If you are a service provider, note that Roaming User is not supported for hosted organizations.
    Use mail server for roaming server
        Do one:
        Select to store the user's roaming information on the same server used for mail.
        Deselect, and then enter the name of the server that will store the user's roaming information.
    Create roaming files options
        Choose one:
        Create roaming files now to create the user's roaming files during user registration.
        Create roaming files in background to use the Administration Process to create the user's roaming files after user registration.
    Cleanup options
        Choose one:
        Do not clean up to leave roaming user files in place.
        Clean up every N days, and then enter a number between 0 and 365.
        Clean up at Notes shutdown to clean up files when Notes shuts down.
6. Click the Mail tab, and complete these fields:
    Mail system
        Choose a mail system. If you are a service provider, choose Lotus Notes only if you run Domino Off-Line Services (DOLS) in the hosted organization. If you choose Other, Other Internet, or None, continue with Step 8.
    Mail server
        Choose the server that stores the user's mail file. If your organization supports DOLS, choose a DOLS-enabled server.
    Mail template
        Choose one:
        MAIL6.NTF if the organization uses Lotus Notes, POP3, or IMAP.
        INOTES5.NTF if the organization uses iNotes.
        Your organization's custom mail template.
    Create mail file
        Choose one:
        Create mail file now to create the mail file immediately.
        Create mail file in the background to use the Administration Process to create the mail file. Choose this option if you are creating many mail files at once.
7. Under Internet Address options, complete these fields:
    Internet Domain
        Enter the Internet domain (or, if you are a service provider, the Internet domain for the hosted organization). This domain becomes part of the Internet address that is added to the Person document for each user who receives Internet mail.
    Choose an Internet address format
        Choose the address format for Internet mail.
    Choose an Internet address separator
        Choose the separator character to use in the user's name portion of the Internet address.
8. Under Advanced Mail Options, complete these fields:
    Mail file owner access
        Choose the access level. The default is Editor with delete rights.
        Note  This is a change from previous versions of Domino, in which the default mail file owner access was Manager. The change was made to prevent users from accidentally deleting their mail files; because only Manager access can change a database ACL, it also keeps users from altering the access control of their own mail files.
    Create full text index
        (Optional) Check this option to allow users to perform a full-text search on their mail files. The default is unchecked. Full-text indexing is supported for Lotus Notes, POP3, IMAP, and iNotes Web Access. If you are a service provider, full-text indexing is supported only for IMAP and iNotes Web Access.
    Set database quota
        (Optional) Check this option (the default is unchecked) to enforce a database size quota on mail databases, and then enter a size in MB.
    Set warning threshold
        (Optional) Check this option (the default is unchecked) to notify users automatically when their mail files are nearing the maximum size quota, and then enter a size in MB.

9. Click the ID/Certifier tab. In the Create a Notes ID field, do one:
    Uncheck the field if you do not want to create Notes IDs for users, and then continue with Step 10.
    Check the field to create Notes IDs, and then complete these fields:
        Security Type
            Choose North American or International.
        Certificate Expiration Date
            Choose one:
            Static date, and then enter an expiration date. The default static date is 24 months from the creation date.
            Months from user creation, and then enter the number of months. The default is 24 months.
        Location for storing user ID
            Choose one or more:
            In Domino Directory to store the ID in the user's Person document.
            In File, and then click Set ID File to select the path and specify the location to store the ID.
            In Mail File to store the ID in the user's mail file.
            Wherever it is stored, the ID file is protected only by the user's password, so pair these options with an adequate password quality setting.
    For more information on security types, see the chapter "Encryption and Electronic Signatures." For more information on the password quality scale, see the chapter "Protecting and Managing Notes IDs."
10. Click the Miscellaneous tab, and complete any of these fields:
    Group assignments
        Choose the group to which you will add all users you register using these registration settings. Leave this field blank if you are not registering all users into one group.
    Local administrator
        Enter the name of the administrator. If you are a service provider, enter the name of the administrator at the hosted organization in this format: administrator name/certifying hosted organization
11. Save the document.


Creating a setup policy settings document

Use a setup policy settings document to define the default look and content of the user workspace and to create Location and Connection documents that simplify server connections. Setup policy settings are applied only once, during user setup. To maintain these settings, specify the same settings in a desktop policy settings document. If a change is made to any policy setting, the desktop policy settings reinforce the setup settings the next time users authenticate with their home server.
Among the settings you can specify are the user preferences, which Notes users can usually set for their own desktop environment. If you set these preferences in a policy and then reinforce them using desktop policy settings, Notes users will still be able to change their preferences, but the change will be only temporary.
Before you create a setup policy settings document, set up the Domino system for any or all of the following:
• Domain search server
• Web Navigator and InterNotes server
• Databases you want to add to the user's bookmarks in the Favorites folder
• Mobile directory (or client directory) catalogs
• Passthru servers, LAN servers, Internet servers, and remote servers
• TCP/IP and NDS Notes name servers
• Host domains where Java applets are assumed to be safe
• Proxy servers

To create setup policy settings

1. Make sure that you have Editor access to the Domino Directory and one of these roles:
    PolicyCreator role to create a settings document
    PolicyModifier role to modify a settings document
2. From the Domino Administrator, select the People & Groups tab, and then open the Settings view.
3. Click Add Settings, and then choose Setup.
4. On the Basics tab, complete these fields:
    Name
        Enter a name that identifies the users (and, if you are a service provider, the hosted organization) that use these settings.
    Description
        Enter a description of the settings.
    Catalog/Domain Search server
        Choose the name of the server used for domain searches.
    Directory server
        Enter the name of the server whose Domino Directory you want users to use.
    Sametime server
        Enter the name of the server used to connect to Sametime.
    Local mailfile
        Choose this option to create a local copy of the user's mail file.
    Internet browser
        Choose the Internet browser used from this location.
    Retrieve/open pages
        If you chose Notes or Notes with Internet Explorer as the Internet browser, choose the location from which to run the Web Retriever process.
5. On the Databases tab, complete one or more of these fields to add databases to the user's workspace:
    Note  You cannot use the Web Administrator to create links. For information on creating a link, see the chapter "Organizing Databases on a Server."
    Default databases added to bookmarks
        Create a link for each database to add to the user workspace. If the server that stores a database is down during setup, a bookmark will not be created.
    Create As new replicas on user's machine
        Create a link for each database to add as a new replica to the user workspace.
    Mobile directory catalogs
        Create a link for each mobile directory catalog to add automatically to the user workspace.
6. On the Dial-up Connections tab, enter information about the default passthru and other remote servers.
7. On the Accounts tab, enter the default account information for Internet servers.
8. On the Name Servers tab, enter the names and addresses of secondary TCP/IP and NDS Notes name servers.
9. On the Applet Security tab, complete these fields. Hosts listed as trusted are the ones whose Java applets are assumed to be safe; applets from every other host receive the untrusted-host setting, so choose the most restrictive network access that your applications need.
    Trusted hosts
        Enter the names of the trusted hosts.
    Network access for trusted hosts
        Choose one:
        Disable Java
        No access allowed
        Allow access only to originating host
        Allow access to any trusted host
        Allow access to any host
    Network access for untrusted hosts
        Choose one:
        Disable Java
        No access allowed
        Allow access only to originating host
    Trust HTTP proxy
        Choose one: Yes or No.
10. On the Proxies tab, enter the default proxies to assign to users.
11. On the Mail tab, choose the format to use for messages to Internet addresses.
12. On the Preferences tab, choose user preferences.
13. Save the document.
For information on user preferences, see Lotus Notes 6 Help.

Creating a desktop policy settings document

You use a desktop policy settings document to control the user's workspace. Desktop settings are enforced the first time a user logs in to Notes and runs setup. After the initial setup, you can use them to update the user's desktop settings or to reinforce setup settings. Users receive updates when any of the policy settings change: the desktop policy settings are enforced the next time users authenticate with their home server.
To use a desktop policy settings document to enforce the settings specified in the setup policy settings document, specify the same settings in the desktop policy settings document. For example, to ensure that the Sametime server specified in the setup policy settings document remains the same each time the user logs in, enter the Sametime server name in both the setup and desktop policy settings documents.
To use a desktop policy settings document to add to or update the user's desktop workspace, change the setting in the desktop policy settings document. For example, to change the Sametime server specified in the setup policy settings document, specify a different server in the desktop policy settings. Other changes you can make to the user's desktop workspace that do not reflect setup policy settings include setting up a default home page, customizing the welcome page, upgrading the mail template, and specifying how and when Smart Upgrade runs to upgrade the Notes client. If you are updating from a previous version of Domino, you can use a desktop policy settings document to define the settings used when converting previous mail file templates to the Domino 6 mail template, mail6.ntf.
You also use a desktop policy settings document to manage and update bookmarks. You can, for example, set up a bookmark hierarchy for Notes users by creating an outline of bookmarks that includes folders and links such as database links, document links, and URL links. You can create folders that have links within them. All of the folders and bookmarks in the outline are then placed on the Bookmark Bar of the Notes client. To add bookmarks to an existing folder on the user's desktop, such as More Bookmarks, include the folder in the bookmark outline. Any links included in that folder are merged with the corresponding folder in the Notes client. You can also create a folder called Startup that includes links that open automatically every time the user logs in to Notes.
You can also set user preferences, which are usually set by Notes users. If you set user preferences, Notes users will still be able to change their preferences, but the changes will be only temporary. The next time the desktop policy is enforced, their preferences will be reset to the policy settings.
For more information on seamless mail upgrades, see the Upgrade Guide.
To create desktop settings
1. Make sure that you have Editor access to the Domino Directory and one of these roles:
    PolicyCreator role to create a settings document
    PolicyModifier role to modify a settings document
2. From the Domino Administrator, select the People & Groups tab, and open the Settings view.
3. Click Add Settings, and then choose Desktop.
4. Under Basics, complete these fields:
    Name
        Enter a name that identifies the users (and, if you are a service provider, the hosted organization) that use these settings.
    Description
        Enter a description of the settings.
5. Under Server Options, complete these fields:
    Catalog/Domain Search server
        Choose the name of the server used for domain searches.
    Domino Directory server
        Enter the name of the server whose Domino Directory you want users to use.
    Sametime server
        Enter the name of the server used to connect to Sametime.
    Local mailfile
        Check the field Create local mailfile replica to create a local copy of the user's mail file.
    Deploy version
        If you use Smart Upgrade, enter the Notes version to which you want users to upgrade.
    Upgrade deadline
        If you use Smart Upgrade, enter, in mm/dd/yyyy format, the date by which users must upgrade. If users do not upgrade by this date, the upgrade happens automatically.
6. Under Mail Template Information, complete these fields if you are converting from a previous Domino mail template:
    Prompt user before upgrading mail file
        Do one:
        Check Yes to inform users before upgrading their mail files. This allows users to defer the upgrade.
        Uncheck (default) to upgrade without notification.
    Old design template name for your mail files
        (Optional) Enter the name of the template you are currently using. The default asterisk (*) matches any mail template.
    If running this version of Notes
        Enter the build version of the Notes client in the format Build Vnn_mmddyyyy (for example, Build V60_06282002). To upgrade all versions, use an asterisk (*). To find the build version, use Help - About Domino Administrator.
    Use this Mail template
        Enter the new mail template file name.
    Ignore 200 category limit
        By default, the number of folders created during conversion is limited to 200. Do one:
        Check Yes to override that limit and create as many folders as necessary (default).
        Uncheck to enforce the limit.
    Mail file to be used by IMAP mail clients
        Do one:
        Check if the mail file will be used by an IMAP mail client.
        Uncheck if IMAP will not be used (default).
    Upgrade the design of custom folders
        The conversion does not upgrade private folders automatically. Do one:
        Check Yes to include custom folders in the design upgrade (default).
        Uncheck to exclude custom folders from the design upgrade.
    Prompt before upgrading folder design
        Do one:
        Check Yes to inform users before upgrading their mail folder design. This allows users to defer the upgrade.
        Uncheck (default) to upgrade the folder design without notifying users.
    Notify these administrators of mail upgrade status
        If you chose to notify users before updating the mail template or folders, enter the names of the administrators who should receive status information.

7. Specify the Homepage/Welcome Page options:

Corporate Welcome Pages database
    Add the database link to the database containing custom welcome pages.
    Note You cannot use the Web Administrator to create links.

Default Welcome page
    Do one:
    Select the welcome page users see when they start Notes.
    Select No default Welcome Page if there is no default welcome page (default).

Homepage selection
    For the field Do not allow users to change their home page, do one:
    Check to prohibit users from choosing their own home page.
    Uncheck (default) to allow users to change their home page.
For more information on welcome pages, see the chapter Setting Up and Managing Notes Users.
8. Under Internet Browser, choose the Internet browser used from this
location. If you chose Notes or Notes with Internet Explorer as the
Internet browser, choose the location from which to run the Web
Retriever process.
9. On the Databases tab, complete one or more of these fields to add
databases to the users workspace:
Note You cannot use the Web Administrator to create links.
For information on creating a link, see the chapter Organizing
Databases on a Server.
Create As new replicas on user's machine
    Create a link for each database to add as a new replica to the user's workspace.

Mobile directory catalogs
    Create a link for each mobile directory catalog to add automatically to the user's workspace.

Bookmarks to merge with user's bookmarks
    Drag and drop or copy links to add to the user's bookmarks. Arrange the links in the order you want them to display. Do not add any links above the Favorites folder, because they will be added to the bottom of the user's bookmarks list.

10. On the Dial-up Connections tab, enter information about the default
passthru and other remote servers.
11. On the Accounts tab, enter the default account information for
Internet servers.
12. On the Name Servers tab, enter the names and addresses of
secondary TCP/IP and NDS Notes name servers.
13. On the Applet Security tab, complete these fields:

Trusted hosts
    Enter the names of the trusted hosts.

Network access for trusted hosts
    Choose one:
    Disable Java
    No access allowed
    Allow access only to originating host
    Allow access to any trusted host
    Allow access to any host

Network access for untrusted hosts
    Choose one:
    Disable Java
    No access allowed
    Allow access only to originating host

Trust HTTP proxy
    Choose one:
    Yes
    No

14. On the Proxies tab, enter the default proxies to assign to users.
15. On the Mail tab, choose the format to use for messages to Internet
addresses.
16. On the Preferences tab, choose user preferences.
17. Save the document.
For information on user preferences, see Lotus Notes 6 Help.

Creating a security policy settings document


A Security policy settings document controls the Administration ECL as
well as Notes and Internet passwords.
To create Security settings
1. Make sure that you have Editor access to the Domino Directory and
one of these roles:
PolicyCreator role to create a settings document
PolicyModifier role to modify a settings document
2. From the Domino Administrator, select the People & Groups tab,
and then open the Settings view.
3. Click Add Settings, and then choose Security.


4. On the Basics tab, complete these fields:

Name
    Enter a name that identifies the users (and, if you are a service provider, the hosted organization) that use these settings.

Description
    Enter a description of the settings.

5. On the Password Management tab, complete these fields:

Allow users to change Internet password over HTTP
    Choose one:
    Yes (default) to allow users to use a Web browser to change their Internet passwords.
    No

Synchronize Internet password with Notes password
    Choose one:
    No (default)
    Yes to allow users to use the same password to log in to both Notes and the Internet.

Check Notes password
    Choose one:
    No (default)
    Yes to require a password for Notes authentication.

6. In the Enforce password expiration field, choose one:
    Disabled (default) to disable password expiration.
    Notes only to enable password expiration for only Notes passwords.
    Internet only to enable password expiration for only Internet passwords.
    Notes and Internet to enable password expiration for both Notes and Internet passwords.
Note Internet password expiration settings are recognized only by
the HTTP protocol. This means that Internet passwords can be used
with other Internet protocols (such as LDAP or POP3) indefinitely.
Caution Do not enable password expiration if users use Smartcards
to log in to Domino servers.

7. If you enabled password expiration, complete these fields. Otherwise, go on to Step 9:

Required change interval
    Enter the number of days a password can be in effect before it must be changed.

Allowed grace period
    Enter the number of days users have to change an expired password before being locked out.

Password history (Notes only)
    Enter the number of expired passwords to store. Storing passwords prevents users from reusing old passwords.

8. Choose one of the following to specify Password Quality Settings for IDs:
Required password quality and then choose the quality level
required when users create passwords.
Use length instead and then enter a number from 0 to 16 to
require that users create passwords of a specific length.
For more information on password quality, see the chapter
Protecting and Managing Notes IDs.
9. On the Execution Control List tab, complete these fields:
Admin ECL
    The default administration ECL is the default value for this field. Choose one:
    Edit to edit the default administration ECL.
    New to create a new administration ECL. Enter the name of the new ECL and choose options in the Workstation Security: Execution Control List dialog box. The name of the new ECL appears in this field.

Update Mode
    Choose one:
    Refresh to update workstation ECLs with changes made to the Administration ECL. If a setting appears in both the administration ECL and the workstation ECL, the administration ECL setting overrides the workstation ECL setting.
    Replace to overwrite the workstation ECL with the Administration ECL. This option overwrites all workstation ECL settings.


Update Frequency
    Choose one:
    Once Daily to update the workstation ECL when the client authenticates with the home server and either it has been a day since the last ECL update or the administration ECL has changed.
    When Admin ECL Changes to update the workstation ECL when the client authenticates with the home server and the administration ECL has changed since the last update.
    Never to prevent the update of the workstation ECL during authentication.

10. Save the document.


For more information on Notes and Internet passwords, see the chapters
Protecting and Managing IDs and Setting Up Name-and-Password
and Anonymous Access to Domino Servers.
For more information on administration and workstation ECLs, see the
chapter Protecting User Workstations With Execution Control Lists.
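The following Python model is an added example for this page; it is not part of the manual and not Domino's code. It spells out two rules the Security settings document above expresses: the password expiration states that fall out of the Required change interval and Allowed grace period (steps 6 and 7), including the caveat that Internet password expiration is honored only over HTTP, and the difference between the Refresh and Replace Update Modes for the Administration ECL (step 9). The ECL entries and the SHA-256 digest used for the password history are constructed for the model; Domino stores its own formats.

```python
"""Model of two rules a Security policy settings document expresses: password
expiration (steps 6 and 7) and the ECL Update Mode (step 9). Illustrative code
written for this page; it is not Domino's implementation and reads no Domino
data. The ECL entries below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

# The chapter notes that Internet password expiration is recognized only by
# HTTP; LDAP, POP3 and the other Internet protocols keep accepting the password.
PROTOCOLS_ENFORCING_EXPIRATION = {"Notes", "HTTP"}


@dataclass
class PasswordPolicy:
    enforce: str = "Disabled"       # Disabled | Notes only | Internet only | Notes and Internet
    change_interval_days: int = 90  # Required change interval
    grace_period_days: int = 7      # Allowed grace period
    history_size: int = 5           # Password history (Notes only)

    def applies_to(self, protocol: str) -> bool:
        """Is expiration enforced for a login over this protocol?"""
        if self.enforce == "Disabled" or protocol not in PROTOCOLS_ENFORCING_EXPIRATION:
            return False
        if protocol == "Notes":
            return self.enforce in ("Notes only", "Notes and Internet")
        return self.enforce in ("Internet only", "Notes and Internet")

    def state(self, last_changed: date, today: date, protocol: str) -> str:
        """'valid', 'expired' (still inside the grace period) or 'locked'."""
        if not self.applies_to(protocol):
            return "valid"
        age = (today - last_changed).days
        if age <= self.change_interval_days:
            return "valid"
        if age <= self.change_interval_days + self.grace_period_days:
            return "expired"
        return "locked"

    def state_after(self, days_since_change: int, protocol: str) -> str:
        """Same as state(), for a password changed `days_since_change` days ago."""
        start = date(2002, 1, 1)
        return self.state(start, start + timedelta(days=days_since_change), protocol)


def digest(password: str) -> str:
    # Assumption for the model only: Domino keeps Notes password history in
    # its own format, not as a plain SHA-256 of the password.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reuse_allowed(policy: PasswordPolicy, history: list, candidate: str) -> bool:
    """Reject a new Notes password that matches one of the stored expired ones.
    Only the most recent `history_size` digests are consulted."""
    return digest(candidate) not in history[-policy.history_size:]


def apply_ecl_update(workstation_ecl: dict, admin_ecl: dict, mode: str) -> dict:
    """Update Mode: Refresh merges the administration ECL into the workstation
    ECL (administration wins on a shared entry, workstation-only entries
    survive); Replace discards the workstation ECL entirely."""
    if mode == "Replace":
        return {k: set(v) for k, v in admin_ecl.items()}
    if mode == "Refresh":
        merged = {k: set(v) for k, v in workstation_ecl.items()}
        merged.update({k: set(v) for k, v in admin_ecl.items()})
        return merged
    raise ValueError(f"unknown update mode {mode!r}")


# Constructed sample ECLs: signer name -> set of granted workstation rights.
SAMPLE_WORKSTATION_ECL = {
    "-Default-": {"network"},                # the user loosened the default entry
    "-No Signature-": {"files", "network"},  # user-added entry for unsigned code
    "Jane Doe/Acme": {"files"},              # entry the administration ECL lacks
}
SAMPLE_ADMIN_ECL = {
    "-Default-": set(),
    "-No Signature-": set(),
    "Lotus Notes Template Development/Lotus Notes": {"files", "network"},
}
```

Note what the two modes do to the sample: Refresh tightens the entries the administration ECL also carries but leaves the workstation-only entry for Jane Doe/Acme in place, whereas Replace removes it; Refresh is therefore the gentler option for users and the weaker one for locking down what signers a workstation trusts.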

Mail archiving and policies


For the first time in Lotus Domino 6, administrators can centrally control
mail file archiving using policies. Archiving is particularly useful for mail
databases because when a user sends a mail message, Notes
automatically saves a copy of it in the Sent view, causing the mail file to
increase in size. Archiving the mail file frees up space and improves the
performance of the mail database by storing documents in an archive
database when they are old or not in use anymore.
The mail archive database is a Notes database and can be accessed like any other Notes database. The views in a user's mail archive mirror the views in the mail file and include all the folders that exist when mail is archived, so users can find and retrieve archived messages easily from within their archive database. When a document has one or more responses, the entire document hierarchy is archived.
You can also use archiving policy settings to define a document retention
policy for your mail files. With document retention, you define the
criteria for old documents, and then simply delete them from the mail
database without archiving them.

If you choose not to include archiving policy settings in your policies, Notes users can still archive mail files using the database archive settings in the Notes client.

How mail file archiving works


Mail file archiving is a three-step process that includes document selection, copying documents to an archive database, and mail file cleanup.

Document selection - choosing which documents to archive, based on activity and on folder selection. For example, you can define an old document as one that has not been modified for 365 days. You can then archive all documents that match that criterion, or only the documents in specific folders that match it.

Copying - copying the selected documents from the source mail file to an archive database destination.

Mail file cleanup - reducing the size of the source mail file by deleting archived documents or reducing them in size. You can reduce the size of a document by first removing attachments, and then leaving only the header information, or leaving the header information and a portion of the mail document.

Client-based and server-based archiving


When you use policies to manage archiving, you use either server-based archiving or client-based archiving. In either case you can archive to a server. The terms server-based and client-based refer to where the archiving process runs, either on a server or on the client's workstation. If you choose to archive on a server, you must create a program document to run the Compact server task. If you choose client-based archiving, the workstation must be running in order to archive documents; if archiving is scheduled at a time during which the workstation is not running, archiving will not occur. You can archive mail files as follows:

Server-based archiving - Using this option, the mail server archives to the mail server itself, or to another server that you designate as the archive server.

Client-based archiving - Using this option, the individual workstations process mail file archiving. Depending on where the mail file resides, either on a mail server or on the individual workstation, mail is archived to the mail server, to a designated server, or to the local workstation.

For more information on using a program document to run the Compact server task, see the chapter Improving Database Performance.

An example of using policies to manage mail file archiving


Acme's administrator is happy to learn of policy-based archiving because of these issues with archiving mail files:
    Space is tight on the mail server.
    Acme needs a centralized archive server.
    Archiving cannot occur during peak work hours.
    End users must not be allowed to control their archive settings.
    Lotus Notes 6 clients will not be rolled out immediately.

To resolve Acme's archiving issues, the administrator uses these Archive policy settings and applies them to all users via organizational policies:
    Archive settings are centrally managed and enforced by the administrator; users are prohibited from changing or creating archive settings.
    Server-based archiving is enabled from a mail server to a designated archive server.
    The designated archive server is a Domino 6 server, so that policies can be enforced in a mixed environment.
    Archiving is scheduled to occur during off hours.
    Optionally, pruning (removing attachments and the body of the mail, but leaving the header information intact) might be helpful, depending on how tight space is on the mail server.

Using the mail archive log


To monitor mail document archiving, you can log archiving activity to an archive log database. The information stored in a user's Archive Log includes the log date, the number of documents stored in the archive database and deleted from the mail file, archive failures, and the locations of the original mail file source and the archive destinations.
You can use the mail archive log, for example, to track a document you thought was deleted. You can easily scan the Archive Log to see if the document was archived. And since the archive log provides links to archived documents, you can open an archived document from within the archive log.
Specifying the name and location for the Archive Log database
By default, the archive log database is stored in c:\notes\data\archive, where archive is the default name for the archive directory. The default name format for a user's archive log database file is l_xxxx.nsf, where l_ is the prefix and xxxx is the name of the user's mail database. The name of the log database is based on a specified number of characters (the default is 6) from the user's ID. For example, for the end user John Smith, whose ID is jsmith, the archive log database name is l_jsmith.nsf.
For more information about the type of information stored in an
Archiving Log, see the chapter Improving Database Performance.

Creating an archive policy settings document

If you allow archiving, use the archive policy settings document to define whether archiving is server-based or client-based, to specify source and destination archive servers, and to set the archive schedule. You can also change the name and location of the default archive log file if you choose.
To set up mail file archiving, you use both archive and archive criteria policy settings documents. The archive policy settings document specifies whether or not to allow archiving, either centrally by administrators or privately by Notes users. If you prevent all archiving, then that is your archive policy setting, and you must include it in your policy. If you prevent private archiving, then the Archive Settings policy document determines how documents in the user's mail file are archived, and users cannot change these settings or create private archive settings.
Each archive policy settings document requires at least one archive criteria policy settings document, which specifies the criteria for document selection and defines how to clean up the mail file.
To create archive policy settings
1. Make sure that you have Editor access to the Domino Directory and one of these roles:
    PolicyCreator role to create a settings document
    PolicyModifier role to modify a settings document
2. From the Domino Administrator, select the People & Groups tab, and then open the Settings view.
3. Click Add Settings, and then select Archive.
4. On the Basics tab, complete these fields:
    Name - Enter a name that identifies the users (and, if you are a service provider, the hosted organization) that use these settings.
    Description - Enter a description of the settings.
5. (Optional) Under Archiving options, choose one of the following if you want to prohibit archiving. The default is to allow both.
    Prohibit archiving to prohibit all archiving. Then save the document.
    Prohibit private archiving settings to prohibit Notes users from creating private archive settings or modifying the archive settings defined in this settings document.
6. Under Archive locations, choose one:
Archiving will be performed on users local workstation to use
the Notes client workstation to perform the archive process (the
default).
Archiving will be performed on a server to use a server to
perform the archive process.
Note If you choose Archiving will be performed on a server, you
must create a program document to run the compact task.
For more information on using a program document to run the
Compact server task, see the chapter Improving Server
Performance.
7. Under Archive source database is on, specify the server or
workstation on which the mail file that will be archived is located.
Choose one:
Local if the mail file is on the users workstation (available for
client-based archiving only).
Specific server if the mail file is on a server other than the mail
server. Then specify the name of the server.
Mail server if the mail file is on a mail server (default).
8. Under Destination database is on, specify the server or workstation on which the archive database will reside. If you allow private archiving, you must give the user Create access on the destination server to create an archive database. Choose one:
    Local to create the mail archive database on the user's workstation (available for client-based archiving only).
    Specific server to create the mail archive database on a server other than the mail server. Then specify the name of the server.
    Mail server to create the mail archive database on the mail server.
9. On the Selection Criteria tab, do one or more of the following:
Click New Criteria to create a new Archive Criteria Settings
document. Then, click Add Criteria and select your newly defined
criteria document.
Click Add Criteria, and then choose an archive criteria settings
document to add criteria.

    Click Remove Criteria, and then choose an archive criteria settings document to remove criteria.
For information on creating an archive criteria settings document, see the topic Creating criteria for mail archiving, later in this chapter.
10. Click the Logging tab. Under Archive Logging, check the field Log all archiving into a log database to log archiving activity to a log database (the default).
11. (Optional) Change any of these fields if you want to change the location of the log directory and the log file name.

Log Directory
    The default is archive. Enter a new name if you want to change it.

Log Prefix
    The default is the letter l, followed by an underscore (_). Enter a new prefix if you want to change it.

Log Suffix
    The default is no suffix. Enter a suffix for the archive log database name if you want to add one.

Number of characters from original filename
    The default is 6. To change this, enter the number of characters you want to use from the user's ID to create the archive log name.

12. In the field Include document links to archived documents, do one:
    Check the field to include links to archived documents in the log (default). If you include links, users can open archived documents from within the log database.
    Uncheck the field to exclude links to archived documents from the log. If you exclude links, users must open the archive database to view archived documents.
13. If you chose client-based archiving, click the Schedule tab. In the field Enable client-based scheduled archiving, do one:
    Check (default) to set up a schedule for client-based archiving, and then specify the schedule.
    Uncheck to allow users to set their own schedule for archiving.

14. (Optional) If you checked Enable client-based scheduled archiving, complete one or more of these fields.

Allow end user to modify schedule settings
    Do one:
    Check to allow users to modify the archive schedule. You can enable this setting even though private archive settings are prohibited.
    Uncheck (default) to prohibit users from modifying the archive schedule.

Frequency
    Choose one:
    Daily, and then select the days of the week on which to archive.
    Weekly (default), and then choose the day of the week on which to archive.

Run at
    Specify the time. The default is 12:00 pm.
    Note The Notes client must be running for scheduled archiving to occur.

15. Under Location, specify the locations from which to archive. For
example, if you are using client-based archiving, you may want to
archive only from a users office workstation, not from an island or if
the user has dialed in. Choose one:
Any location to archive from any location.
Specific location and then specify one or more locations.
16. On the Advanced tab, for the field Don't delete documents that have responses, do one:
    Check (default) to archive but not delete documents that have responses.
    Uncheck to archive and then delete documents that have responses.
17. Save the document.

Creating criteria for mail archiving


You use an Archive Criteria policy settings document to define sets of
criteria to use when archiving a Notes users mail documents. You create
an Archive Criteria policy settings document from within an Archive
policy settings document. After you create archive criteria, you can use it
in one or more archive policy settings documents.
When you specify archive criteria, you determine what to do with old documents in a user's mail file. Do you archive them (copy them to an archive database) or just delete them? If you archive them, you determine how to clean up the copies of the archived mail documents that remain in the user's mail file. And finally, you define what an old document is.
Mail file criteria answer these questions:
    How should documents be archived? Archiving can be a combination of copying old documents to an archive database and then performing clean-up tasks on the user's mail file, or just deleting them.
    How should documents be cleaned up? Once documents have been copied to an archive database, you can either delete the copies that remain in the user's mail file or reduce the size of the documents.
    Which documents should be cleaned up? You provide a definition of an old document by specifying age criteria, and then apply those age criteria either to all documents or to all documents in specified folders.

Specifying the name and location for the Archive database


By default, the archive mail database is stored in the directory archive,
located in the data directory. Archive is the default name for the archive
directory. The default name format for a users archive database file is
a_xxxx.nsf, where a_ is the prefix and xxxx is the name of the mail
database. The name of the archive database is based on a specified
number of characters (the default is 6) from the users mail file. For
example, for the end user John Smith, whose mail file is jsmith, the
archive database name is a_jsmith.nsf.
To create archive criteria policy settings
1. From the Domino Administrator, select the People & Groups tab,
and then open the Settings view.
2. Do one:
Select the Archive policy settings document for which you want to
create archive criteria settings, and then click Edit Settings.
Click Add Settings and then select Archive to create a new
Archive policy settings document.
3. Select the Archive Criteria tab, and then click New Criteria.

4. Provide the following information on the Basics tab.

Name
    Enter a name that identifies the archive criteria. When you add criteria to an archive policy settings document, this is the name that appears in the selection box. This name also appears in the user's mail folder outline under Tools - Archive.

Description
    Enter a description of the criteria.

Archiving is enabled
    Do one:
    Check to enable these archive criteria.
    Uncheck if you are creating archive criteria to use later.

5. For How should documents be archived?, choose one:
    Copy old documents into archive database; then clean up database to archive (copy) documents to the archive database and then clean up (delete those documents from) the user's mail database.
    Clean up database without archiving to delete documents from the user's mail database without copying them into an archive database. Use this setting to enforce document-retention policies that delete all documents after a specified time.
6. (Optional) If you chose to archive documents and then clean up the copies that remain in the user's mail file, for How should documents be cleaned up?, choose one:
    Delete older documents from the database to delete the copies of archived documents that remain in the user's mail database.
    Reduce the size of the documents in the database to truncate the copies of archived documents that remain in the user's mail database. Then choose one:
        Leave summary to leave only the header information on the mail document.
        Leave summary + 40KB to leave the header information and 40KB of the body of the mail document. This truncates large documents only.
7. Under Which documents should be cleaned up?, specify the criteria that define an old document. These criteria determine which documents are candidates for archiving and cleanup, or for deletion. For the field All documents, do one:
    Check this option to include all documents that meet the age criteria (default). Then specify the age criteria:
        Not modified to specify documents that have not been modified in the specified time frame (default). Then specify a time period. This is the recommended setting.
        Not accessed to specify documents not opened in the specified time frame. Do not use this option unless the database property Maintain LastAccessed is set. If this property is not set, Notes does not consider a document accessed even if it is opened. Then specify a time period.
        Marked expired to specify documents that the Notes user has marked expired.
    Uncheck this option to include documents based only on their location in selected views and folders, instead of age criteria.
8. (Optional) If you use a custom mail template, complete these fields:
    Change template server - select the name of the server on which your mail template is stored.
    Choose template - select the name of your custom mail template.
9. For In views or folders, do one:
    If you checked All documents in step 7, check this option to apply the All documents age criteria to the documents in the selected views and folders.
    If you did not specify age criteria for All documents, check this option to clean up all documents in the selected views and folders, with no age criteria applied.
10. (Optional) Click the Destination tab and change any of these fields if you want to change the location of the archive database.

Archive Directory
    The default is archive. Enter a new name if you want to change it.

Archive Prefix
    The default is the letter a, followed by an underscore (_). Enter a new prefix if you want to change it.

Archive suffix
    The default is no suffix. Enter a suffix for the archive database name if you want to add one.

Number of characters from original filename
    The default is 6. To change this, enter the number of characters to use from the user's mail file name to create the archive database name.

11. Save the document.
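The following Python model is an added example for this page; it is not part of the manual and not Domino's code. It ties together the pieces of this section: the naming of the archive and archive log databases (prefix, a fixed number of characters from the mail file name, optional suffix, in the archive directory), the three steps of selection, copying and cleanup described under How mail file archiving works, and the criteria choices from the procedure above (Not modified age, All documents versus selected folders, Clean up database without archiving, Leave summary versus Leave summary + 40KB, and the Don't delete documents that have responses option). The mail documents are constructed sample data. One assumption is marked in the code: the model applies the response-hierarchy guard to both deletion paths, whereas the chapter states it for the archive-then-delete case. The naming function also makes visible a consequence of the scheme worth checking in your own directory: two mail files that share their first six characters map to the same archive file name unless you add a suffix or raise the character count.

```python
"""Model of the policy-based mail archiving this chapter describes: the naming
of archive and archive log databases, and the three steps of selecting,
copying and cleaning up documents. Illustrative code written for this page,
not Domino's implementation; the mail documents below are constructed."""
from dataclasses import dataclass, field, replace as dc_replace
from datetime import date, timedelta
from typing import Optional

TODAY = date(2002, 7, 1)  # reference date for the sample run


def archive_db_path(mail_file: str, prefix: str = "a_", suffix: str = "",
                    chars: int = 6, directory: str = "archive") -> str:
    """archive/<prefix><first chars of mail file name><suffix>.nsf, so
    mail/jsmith.nsf -> archive/a_jsmith.nsf (prefix l_ gives the log file).
    Only `chars` characters are used: jsmithson.nsf maps to the same file,
    so choose a suffix or a larger count where mail file names share a stem."""
    base = mail_file.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return f"{directory}/{prefix}{base[:chars]}{suffix}.nsf"


@dataclass
class MailDoc:
    unid: str
    folder: str
    last_modified: date
    body_size: int                     # bytes of body text
    attachments: list = field(default_factory=list)
    has_responses: bool = False
    truncated: bool = False


@dataclass
class Criteria:
    not_modified_days: int = 365        # Not modified (the recommended setting)
    folders: Optional[set] = None       # None = All documents
    archive_first: bool = True          # False = Clean up database without archiving
    cleanup: str = "delete"             # delete | leave_summary | leave_summary_40kb
    keep_with_responses: bool = True    # Don't delete documents that have responses


def select_old(docs, crit, today):
    """Step 1: documents not modified for `not_modified_days`, optionally
    restricted to the selected folders."""
    cutoff = today - timedelta(days=crit.not_modified_days)
    return [d for d in docs if d.last_modified <= cutoff
            and (crit.folders is None or d.folder in crit.folders)]


def clean_up(doc, crit):
    """Step 3 for one selected document: what remains in the mail file, or None."""
    if crit.cleanup == "delete" or not crit.archive_first:
        # Assumption: the response-hierarchy guard applies to both deletion paths.
        return doc if (doc.has_responses and crit.keep_with_responses) else None
    keep = 0 if crit.cleanup == "leave_summary" else 40 * 1024
    # Attachments go first; then the body is cut to the header, or header + 40KB.
    return dc_replace(doc, attachments=[], body_size=min(doc.body_size, keep),
                      truncated=doc.body_size > keep)


def run_archive(mail_file, docs, crit, today):
    """Select, copy, clean up. Returns (archived docs, remaining docs, log record)."""
    selected = {d.unid: d for d in select_old(docs, crit, today)}
    archived = list(selected.values()) if crit.archive_first else []   # step 2
    remaining = [d if d.unid not in selected else clean_up(d, crit) for d in docs]
    remaining = [d for d in remaining if d is not None]
    log = {"date": today, "source": mail_file,
           "destination": archive_db_path(mail_file),
           "log": archive_db_path(mail_file, prefix="l_"),
           "archived": len(archived), "deleted": len(docs) - len(remaining)}
    return archived, remaining, log


def sample_mail_file():
    """Constructed sample: four old documents (one with responses, one with an
    attachment and a large body) and one recent one."""
    return [
        MailDoc("D1", "Inbox", date(2001, 3, 1), 2_000),
        MailDoc("D2", "Inbox", date(2001, 5, 1), 60_000, attachments=["photos.zip"]),
        MailDoc("D3", "Inbox", date(2001, 1, 15), 3_000, has_responses=True),
        MailDoc("D4", "Inbox", date(2002, 6, 20), 1_000),
        MailDoc("D5", "Sent", date(2000, 12, 1), 500),
    ]
```

Running the sample with the default criteria archives four documents and deletes three of them from the mail file; the document with responses stays because the Advanced-tab option is on by default. Switching the cleanup to Leave summary + 40KB deletes nothing and instead strips the attachment and truncates only the 60KB body, which is the pruning the Acme example above refers to.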

Creating a policy document


When you create a policy, you use a Policy document to specify which
policy settings documents to include. You can create policy settings
documents before you create the policy document, or you can create
them while you create the Policy document.
If you are creating an exception policy, include only the policy settings
documents that have settings whose values you do not want to enforce.
For each setting you do not want to enforce, change the value as
required. Exceptions are made at the policy setting level. When the
effective policy settings are resolved, any settings you specify in the
exception policy apply.
Policy document names
The names of Policy documents must be in one of the formats below. However, when you create a Policy document, you do not have to include the asterisk (*) or slash (/) when you enter a policy name; Domino adds them for you, depending on the type of policy you specify.
    */organization - an organizational policy that is automatically applied at the organization level
    */organizational unit/organization - an organizational policy that is automatically applied to an organizational unit
    */hosted organization - an organizational policy that is automatically applied to a hosted organization
    * - an organizational policy that is automatically applied to everyone in the Domino Directory
    /policyname - an explicit policy that must be assigned manually, but can be assigned at any organizational level
To create a policy document
1. Make sure that you have Editor access to the Domino Directory and
one of these roles:
PolicyCreator role to create a policy document
PolicyModifier role to modify a policy document
2. From the Domino Administrator, click the People & Groups tab, and
then open the Policies view.
3. Click Add Policy.

4. Under Basics, complete these fields:

Policy name
    Enter one:
    A unique name, for an explicit policy.
    The name of the organization or organizational unit, such as Acme or Sales/Acme.
    The name of the hosted organization. To create a policy for all hosted organizations in the Domino Directory, do not enter a policy name. By default, Domino enters the asterisk for you.

Policy type
    Choose one:
    Explicit to create a policy to assign to specific users and groups.
    Organizational to create a policy that is automatically assigned to all users in the part of the organization specified in the Policy name field.

Description
    Enter a description of the policy.

5. (Optional) Click Create Child to create a child policy document that includes the name of the parent policy. You can save the child policy document and return to it at a later time. When you close this document, you return to the parent policy document.
6. To specify the policy settings documents to include in this policy, for each type of settings do one:
    Select a policy settings document from the list.
    Click New to create a new policy settings document. Then, after you create the policy settings document, select it from the list.
    Note If the name of the new policy settings document does not appear as a selection, you may need to refresh the list. Press F9.
7. (Optional) To create an exception policy, click the Administration tab and enable Exception Policy.
    Caution Be cautious when creating an exception policy. An exception policy allows a user to override enforced policy settings.
8. Save the document.
For more information on exception policies, see the topic Organizational and explicit policies, earlier in this chapter.


Creating a child policy document


When you create a child policy, you use a Policy document to specify
which policy settings documents to include.
In explicit policies, you create a child policy by setting up the
child/parent name structure. For example, the policy /Contractors may
have a child policy called /Short term/Contractors.
In organization policies, child policies follow the hierarchy of the
organization. So the child of */Acme is */Sales/Acme.
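The following Python model is an added example for this page; it is not part of the manual and not Domino's code. It implements the naming rules from Policy document names (the asterisk and slash Domino supplies) and the parent/child relationship described just above for both organizational and explicit policies, and it lists which organizational policy names apply to a hierarchical Notes user name, in abbreviated or canonical form. The settings merge at the end rests on an assumption stated in the code: that a more specific organizational policy overrides its parent and an explicitly assigned policy is applied last. The precedence rules themselves are covered in the topic Organizational and explicit policies, earlier in this chapter, and should be checked there. The policies dictionary is constructed sample data.

```python
"""Policy document names and the organizational hierarchy they follow, as
described in this chapter. Illustrative code written for this page; it is not
Domino's implementation and does not read the Domino Directory."""


def policy_document_name(entered: str, policy_type: str) -> str:
    """Add the prefix Domino supplies when a Policy document is saved:
    Organizational -> '*/Sales/Acme' ('*' alone when nothing is entered, that
    is, everyone in the directory / all hosted organizations);
    Explicit -> '/Contractors'."""
    entered = entered.strip().strip("*/")
    if policy_type == "Organizational":
        return "*" if not entered else f"*/{entered}"
    if policy_type == "Explicit":
        if not entered:
            raise ValueError("an explicit policy needs a unique name")
        return f"/{entered}"
    raise ValueError(f"unknown policy type {policy_type!r}")


def parent_policy_name(name: str):
    """'*/Sales/Acme' -> '*/Acme', '*/Acme' -> '*', '*' -> None;
    '/Short term/Contractors' -> '/Contractors', '/Contractors' -> None."""
    head, sep, rest = name.partition("/")   # head is '*' (organizational) or '' (explicit)
    if not sep:
        return None
    parts = rest.split("/")
    if len(parts) == 1:
        return "*" if head == "*" else None
    return f"{head}/{'/'.join(parts[1:])}"


def organizational_policies_for(user_name: str) -> list:
    """Organizational policy names that apply to a hierarchical Notes name,
    most general first: 'John Smith/Sales/Acme' ->
    ['*', '*/Acme', '*/Sales/Acme']. Accepts abbreviated or canonical
    (CN=.../OU=.../O=...) names."""
    components = [c.split("=", 1)[-1] for c in user_name.split("/")]
    org_path = components[1:]           # drop the common name
    names = ["*"]
    for i in range(len(org_path) - 1, -1, -1):
        names.append("*/" + "/".join(org_path[i:]))
    return names


def effective_settings(policies: dict, user_name: str, explicit: str = None) -> dict:
    """Merge settings along the hierarchy. Assumption made for this model: a
    more specific organizational policy overrides its parent, and an explicitly
    assigned policy is applied last. Check the precedence rules in the topic
    Organizational and explicit policies before relying on this ordering."""
    merged = {}
    for name in organizational_policies_for(user_name):
        merged.update(policies.get(name, {}))
    if explicit:
        merged.update(policies.get(explicit, {}))
    return merged


# Constructed sample: policy name -> a few Security settings it carries.
SAMPLE_POLICIES = {
    "*/Acme": {"Allow users to change Internet password over HTTP": "Yes",
               "Enforce password expiration": "Disabled"},
    "*/Sales/Acme": {"Enforce password expiration": "Notes and Internet"},
    "/Contractors": {"Allow users to change Internet password over HTTP": "No"},
}
```

For a user named John Smith/Sales/Acme who is also assigned the explicit /Contractors policy, the model yields password expiration from */Sales/Acme and the HTTP password-change prohibition from /Contractors; the value from */Acme survives only where no more specific policy sets the same field.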
To create a child policy
1. Make sure that you have Editor access to the Domino Directory and
one of these roles:
PolicyCreator role to create a policy document
PolicyModifier role to modify a policy document
2. From the Domino Administrator, click the People & Groups tab, and
then open the Policies view.
3. Select the name of the policy for which you want to create a child policy, and click Edit Policy.
4. Under Basics, click Create Child.
5. In the Policy Name field do one:
Organizational policy enter the name of the organizational unit,
followed by the Organization or the Organizational unit that
displays in the Parent Policy field. For example, if */Acme is in the
Parent policy field and you want to create a child policy for the
Sales/Acme organization unit, enter Sales/Acme. When the policy
is saved, the name will be */Sales/Acme.
Explicit policy enter a name for the child policy followed by the
text that displays in the Parent policy field. For example, if the
Parent policy field is /Contractors and you want to create a child
named Short term, enter Short term/Contractors. When the policy
is saved the name will be /Short term/Contractors.
6. Complete the remaining fields using the same procedure you used to
create a policy document.

Managing policies
To manage policies, you can do any of the following:
    Edit policies
    Delete policies
    Create a report of the effective policy
    View policy relationships
    Assign an explicit policy or change a policy assignment

Editing policies
Use this procedure to edit existing policy and policy settings documents.
Although you can delete a policy document directly from the Domino
Directory, use the Policy - Delete tool on the Configuration tab instead,
so that every reference to the policy and its settings is removed.
1. Make sure that you have at least Editor access to the Domino
Directory and the PolicyModifier role.
2. From the Domino Administrator, click the People & Groups tab.
3. Open the Domino Directory, and choose one of these views:
Policies to edit a policy document.
Settings to edit a policy settings document.
4. Open, edit, and then save the document.

Deleting policies
Use this procedure to delete policy and policy settings documents. The
result depends on what you delete:
Explicit policy: an Administration Process request searches the Person
documents of all users in the domain and deletes all references to the
deleted policy.
Organizational policy: deletes the policy document from the Domino
Directory. All settings documents named in the deleted policy remain
intact.
Settings document: deletes the settings document from the Domino
Directory and removes references to it from all policy documents.

To delete a policy
1. From the Domino Administrator, click the Configuration tab, and
then open the Policies - Hierarchy view.
2. Select the policy or settings document you want to delete.
3. Click Tools - Policies - Delete.
The policy tools are not available in the Web Administrator client. For
more information on deleting policies in the Web Administrator, see the
chapter Setting up and Using Domino Administration Tools.

Using the Policy Synopsis tool to determine the effective policy


To determine the effective policy governing a selected user, use the
Policy Synopsis tool to generate a report that is written to the Policy
Synopsis Results database (POLCYSYN.NSF).
Note The policy tools are not available in the Web Administrator client.
To use the Policy Synopsis tool
1. From the Domino Administrator, click the People & Groups tab.
2. Select the People view, and then select one or more users.
3. From the Tools pane, select Policy Synopsis.
4. Under Select Report Type choose one:
Summary Only (default) to produce a report that lists the
hierarchy of policy documents used to derive the effective policy
for the specified user.
Detailed to produce a report that lists the hierarchy of policy
documents of the effective policy for the specified user, and
includes the actual values, and the policy and policy settings
documents from which the value was derived. Then select the
policy settings documents for which you want details.
5. Under Results Database choose one:
Append to this database (default) to add to the list of previous
reports.
Overwrite this database to remove reports in the database and
write the new reports.
6. (Optional) Click Results Database to change the name or location of
the results database. The default is Policy Synopsis Database on local.
7. Click OK. When the Policy Synopsis Results database
(POLCYSYN.NSF) opens, double-click the report to open it.
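The hierarchy that the Policy Synopsis report lists, and the child naming rules described under Creating a child policy document, can be modelled in a few lines. The following Python is an added example written for this page; it is not Domino code and not a Domino API. It derives a user's organizational policy chain from the user's hierarchical name, follows the /child/parent chain of the explicit policy named in the Person document, and merges the settings in that order. The sample policies, the setting names, and the merge rule used here (a policy lower in the hierarchy overrides the values above it, with the explicit chain applied after the organizational chain) are assumptions for illustration; Domino's actual precedence rules are documented elsewhere in this chapter.

```python
"""Added example: model of the policy hierarchy behind a Policy Synopsis report.

Not Domino code. The merge rule (lower policies override higher ones, explicit
after organizational) and the sample settings are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Policy:
    name: str                                         # "*/Sales/Acme" or "/Short term/Contractors"
    settings: Dict[str, Dict[str, object]] = field(default_factory=dict)  # area -> setting -> value


def parent_name(policy_name: str) -> Optional[str]:
    """Parent implied by the name structure described in this chapter, or None at the top.

    Organizational: */Sales/Acme -> */Acme -> None
    Explicit:       /Short term/Contractors -> /Contractors -> None
    """
    if policy_name.startswith("*/"):
        prefix, parts = "*/", policy_name[2:].split("/")
    elif policy_name.startswith("/"):
        prefix, parts = "/", policy_name[1:].split("/")
    else:
        raise ValueError("not an organizational or explicit policy name: %r" % policy_name)
    return prefix + "/".join(parts[1:]) if len(parts) > 1 else None


def organizational_chain(user_name: str, directory: Dict[str, Policy]) -> List[Policy]:
    """Organizational policies that apply to a user, top of the tree first.

    user_name is a canonical hierarchical name such as 'CN=Jane Doe/OU=Sales/O=Acme'.
    The chain comes from the certified name, so a user cannot opt out of it.
    """
    units = [component.split("=", 1)[1] for component in user_name.split("/")[1:]]  # drop CN=
    chain: List[Policy] = []
    for depth in range(1, len(units) + 1):            # */Acme, then */Sales/Acme, ...
        name = "*/" + "/".join(units[-depth:])
        if name in directory:
            chain.append(directory[name])
    return chain


def explicit_chain(assigned: Optional[str], directory: Dict[str, Policy]) -> List[Policy]:
    """The explicit policy named in the Person document plus its ancestors, top first."""
    chain: List[Policy] = []
    name = assigned
    while name is not None:
        if name not in directory:
            # A Person document can name a policy that no longer exists; surface it.
            raise KeyError("assigned policy %r is not in the Domino Directory" % name)
        chain.insert(0, directory[name])
        name = parent_name(name)
    return chain


def policy_synopsis(user_name: str, assigned: Optional[str],
                    directory: Dict[str, Policy]) -> Tuple[List[str], Dict[str, Dict[str, Tuple[object, str]]]]:
    """Summary (policy names in order) and detail (each effective value and its source)."""
    hierarchy = organizational_chain(user_name, directory) + explicit_chain(assigned, directory)
    effective: Dict[str, Dict[str, Tuple[object, str]]] = {}
    for policy in hierarchy:                           # later entries override earlier ones
        for area, values in policy.settings.items():
            for key, value in values.items():
                effective.setdefault(area, {})[key] = (value, policy.name)
    return [p.name for p in hierarchy], effective


# Constructed sample directory; names follow the examples in this chapter.
DIRECTORY = {p.name: p for p in [
    Policy("*/Acme", {"Security": {"password_quality": 8, "change_interval_days": 90}}),
    Policy("*/Sales/Acme", {"Security": {"password_quality": 10},
                            "Desktop": {"home_server": "Sales1/Acme"}}),
    Policy("/Contractors", {"Security": {"change_interval_days": 30}}),
    Policy("/Short term/Contractors", {"Archive": {"archiving_allowed": False}}),
]}

if __name__ == "__main__":
    names, detail = policy_synopsis("CN=Jane Doe/OU=Sales/O=Acme", "/Short term/Contractors", DIRECTORY)
    print("Summary:", " -> ".join(names))
    for area, values in sorted(detail.items()):
        for key, (value, source) in sorted(values.items()):
            print("Detailed: %s / %s = %r (from %s)" % (area, key, value, source))
```

The summary list corresponds to the Summary Only report and the detail dictionary to the Detailed report, which also records the document each value came from. The explicit chain raises an error when the Person document names a policy that is not in the directory, which is the situation the Policy - Delete tool exists to prevent.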

9-36 Administering the Domino System, Volume 1

Viewing policy relationships

The policy viewer is a convenient tool you can use to view each policy,
the settings associated with each policy, and how they relate to each
other. The policy viewer is also versatile because of the number of ways
in which you can view policy documents. For example, you can view the
settings for each policy, the settings by functional area, or the settings
assigned to a specific user. You can also view effective policies at
different levels in the policy hierarchy, which helps you to understand
the impact of changing a policy setting. You can view policy documents
using one of two views, By Hierarchy and By Settings.

How to use the policy viewer

The policy viewer has three panes. Depending on your selection in the
top left pane, the results in the top right pane differ. The bottom pane
always shows either an actual policy settings document or an effective
policy settings document, based on your selections in the top two panes.
You can edit a policy settings document in the policy viewer. You cannot
edit an effective policy because its settings are derived from other
documents.

Example of using the By Settings view
The administrator at the Acme company wants to use the policy viewer to:
View all policy settings documents in a domain
View all policies that use a selected policy settings document
View and edit a policy settings document
View the effective policy settings
To view this information, the administrator performs these tasks:
Selects the By Settings view in the policy viewer and looks in the
upper left pane to view all policy settings documents, grouped by
administrative area.
Selects one of the policy settings documents in the upper left pane. All
policies that use that policy settings document are displayed in the
upper right pane. The actual policy settings document is displayed in
the bottom pane, where it can be edited.
In the top right pane, selects one of the policies. The effective
policy settings are displayed in the bottom pane. These cannot be edited.

Example of using the By Hierarchy view


The administrator at the Acme company wants to use the policy viewer to:
View the policy hierarchy for the Acme domain
View the policy hierarchy for a Notes user in the Acme domain
View the settings documents used by each policy
View the differences between the effective policy and the policy
settings for a policy settings document
To view this information, the administrator performs these tasks:
Selects the By Hierarchy view in the policy viewer and, in the field
Show policy hierarchy for, selects Acme domain. Looks in the
upper left pane to view the policy hierarchy.
In the field Show policy hierarchy for, selects Specific User,
and then selects the name of a user to view the user's policy
hierarchy in the upper left pane.
Selects a policy in the left pane to view the policy settings
documents used by the selected policy in the upper right pane.
In the top right pane, selects one of the policy settings documents.
The administrator can switch between the effective policy settings and
the actual policy settings document in the bottom pane.
To see how changing a policy setting affects the effective policy,
the administrator can edit the policy settings document and then
switch views in the bottom pane.

Using the policy viewer


You use the policy viewer to view the relationships of policies and policy
settings documents in a policy hierarchy.
By Settings view
1. From the Domino Administrator, click the Configuration tab.
2. Open the Policies view, and then select the By Settings view.

3. Choose any of the following tasks:
View a list of all policy settings documents in your domain: expand
the functional areas in the left pane.
View a list of all policies that use a policy settings document
(displayed in the right pane): in the left pane, select a policy
settings document. The policies that use that policy settings document
are displayed in the right pane.
View and edit a policy settings document: select a policy settings
document in the left pane. The selected policy settings document is
displayed in the bottom pane. Double-click the document to edit it.
View the effective policy settings for a functional area (displayed in
the bottom pane): select a policy settings document in the left pane,
and then select a policy document that uses those settings in the right
pane. The effective policy is displayed in the bottom pane.

By Hierarchy view
1. From the Domino Administrator, click the Configuration tab.
2. Open the Policies view, and then select the By Hierarchy view.
3. Choose any of the following tasks:
View the policy hierarchy for a domain: in the field Show policy
hierarchy for, select a domain. The domain's policy hierarchy is
displayed in the upper left pane.
View the policy hierarchy for a Notes user: in the field Show policy
hierarchy for, select Specific User, and then select the name of a
Notes user. The policy hierarchy for the user is displayed in the upper
left pane.
View the settings documents used by each policy: select a policy in
the left pane. The policy settings documents used by the selected
policy are displayed in the upper right pane.
View the differences between the effective policy and the policy
settings for a policy settings document: in the top right pane, select
a policy settings document and make any changes to the settings. In the
bottom pane, choose one of the Show options to view either the
effective policy settings or the actual policy settings document.

Assigning an explicit policy


You assign explicit policies manually in one of three ways: during user
registration, using the Assign Policy tool, or in the Person document. If
your policies include setup and registration settings, assign them during
user registration so that you can take advantage of those settings.
Use the Assign Policy tool to apply explicit policies to existing Notes
users or to groups, or to change the assignment from one explicit policy
to another.
Note The Assign Policy tool is not available in the Web Administrator.
You can also add, change, or remove an explicit policy assignment to an
individual Notes user in the Person document. All changes to policy
assignments are recorded in the log file (LOG.NSF).

Assigning explicit policies in the Person document


You can assign or change a user's explicit policies in the Person
document. Changes to the Desktop, Security, or Archive policy settings
that are associated with an explicit policy can be distributed this way.
Changes to a user's settings that were previously defined using
Registration and Setup policy settings are not applied retroactively, so
you must make any changes to those settings manually in the Person
document. For example, roaming user settings can be defined in a
Registration policy settings document, but you cannot change a user's
roaming status by changing the Registration policy settings document
after the user has been registered.

Assigning explicit policies using the Assign Policy tool

You can assign an explicit policy to a user or group, or change an
existing explicit policy assignment, using the Assign Policy tool. Use
this tool when you want to make changes to multiple users or groups. You
can distribute changes to the Desktop, Security, or Archive policy
settings that are defined in explicit policies using this tool. When you
change the explicit policy for a user or group using this tool, you have
the option of viewing how the assignment change affects the effective
policy for that user or group.
From the Person document
1. Make sure that you have at least Editor access to the Domino
Directory, or Author access with the UserModifier role.
2. From the Domino Administrator, click the People & Groups tab, and
then open the People view.
3. Select the name of the person whose policy assignment you want to
change, and click Edit Person.
4. In the Person document, click the Administration tab.
5. Under Policy Management, in the Assigned policy field, do one of the
following:
To assign or change an explicit policy assignment, select a policy
from the list.
To remove an explicit policy assignment, select the name of the
explicit policy and delete it.
6. Save the document.
From the Assign Policy tool
1. Make sure that you have at least Editor access to the Domino
Directory and the ObjectModifier role.
2. From the Domino Administrator, click the People & Groups tab.
3. Do one of the following:
Open the People view, select one or more users, and then from the
Tools pane, click People.
Open the Groups view, select one or more groups, and then from
the Tools pane, click Groups.
4. Choose Assign Policy.
5. Check the option Allow replacement of an existing policy to replace
an existing explicit policy with a new one.
This option is not available if the selected user, or no user in the
selected group, currently has an explicit policy assigned.
6. In the Policy field, select the explicit policy you want to assign from
the list.
7. Check the Perform updates in background option when you are
assigning policies to a large number of users.
8. (Optional) Click View policy synopsis to see the new effective
policy.
9. In the Choose Organizational Policy dialog box, choose the
organizational policy you want to combine with the explicit policy to
create the new effective policy.
The policy tools are not available in the Web Administrator client. For
more information on managing policies in the Web Administrator, see the
chapter Setting up and Using Domino Administration Tools.


Chapter 10
Setting Up Domain Search

This chapter describes how to set up Domain Search, which Lotus Notes
or Web users can use to search an entire Domino domain for documents,
files, and attachments from a centralized server.

Domain Search
Notes and Web users can use Domain Search to search an entire Domino
domain for database documents, files, and attachments that match a
search query.
To support Domain Search, you designate a Domino server as the
indexing server, which builds a domain-wide index that all Domain
Search queries run against. Before the indexing server can build the
index, you must create a Domain Catalog on the server, a database
that controls which databases and file systems get indexed. The indexing
server then spiders, or crawls, the servers that contain the content to be
indexed.
When a user submits a query, the results that the indexing server returns
contain only database documents to which that user has appropriate
access. This filtering applies to Domino databases only; see the caution
under Selecting which file systems to include in the Domain Index later
in this chapter.
If the indexing server is set up as a Domino Web server, it can support
searches from both Lotus Notes and Web browsers.

Support for multiple languages

With Domain Search, you can index and search documents regardless
of their language; even multiple-language documents can be indexed.
If users choose to display document summaries in their search results,
Domain Search cannot create these summaries in all languages. Use
the NOTES.INI setting FT_Summ_Default_Language to specify
which language the summary should default to in these cases.
For more information, see the appendix NOTES.INI File.

Domain Search and single-database full-text search


Single-database full-text indexing and domain indexing are distinct
processes in Lotus Notes/Domino, and most likely you will want to use
both.
Use Domain Search for less active databases such as archives and
product specifications. Use full-text indexes for single databases for
active databases such as mail files, discussion databases,
problem-tracking databases, or any database used for generating reports.
You might also want to have single-database full-text indexes on servers
with restricted user access, or in cases where users already know what
database they want to search in.
For information on setting up full-text indexes for single databases, see
the chapter Setting Up and Managing Full-text Indexes.

Implementing Domain Search


Implementing Domain Search in a Domino domain involves these major
tasks:

Planning the Domain Index

Creating the Domain Index

Customizing Domain Search forms

Setting up Notes users for Domain Search

Setting up Web users for Domain Search

Server configurations for Domain Search


This topic describes required and optional configurations for the servers
you use for Domain Search.
Configuration for the Domain Catalog
It is best to set up the Domain Catalog on the same server that indexes
the Domino domain. If you have a very large number of databases to
catalog, you can decrease network traffic by running the Catalog task
nightly on all servers. That way, when the Catalog task runs on the
server that contains the Domain Catalog, the Domain Catalog is built by
pull replication from the local catalogs rather than by spidering every
database.
You can shorten the time it takes to run the Catalog task by splitting it
among several servers: Server A catalogs servers 1 to 25, Server B
catalogs servers 26 to 50, Server C catalogs servers 51 to 75, and so on.
You can also limit the scope of the Domain Catalog by using the Limit
domain cataloging to the following servers field.


Configurations for the Domain Index

The indexing server must be capable of handling the load of creating
indexes and handling user queries. The indexing server should be fast,
powerful, and have a large amount of disk space. Multiple processors, a
large amount of RAM, and multiple high-volume drives will increase the
efficiency and capabilities of searches.
For indexing servers running Windows NT or Windows 2000, the
following minimum configuration is required:
An Intel Pentium II 350MHz processor
256MB RAM
Free disk space equal to approximately 30 percent of the size of the
data being indexed
For information on estimating the size of the data to be indexed, see
the topic Estimating the size of the Domain Index later in this
chapter.
If your organization has more than six Domino servers, dedicating one
server as the indexing server provides optimal performance.
Consider clustering indexing servers to ensure greater reliability and
fault tolerance and to balance the load from user queries. If you use
clustered indexing servers, create a replica of the Domain Catalog on
each of those clustered servers.
For more information, see the book Administering Domino Clusters.
Domain Search over a WAN
If your organization is geographically dispersed, cataloging databases
over a WAN is the only way that different locations can share a single
Domain Index. The cataloging server should access the WAN directly
rather than through a hub server, because cataloging uses large amounts
of processing resources.
To index data in different locations, you can replicate all databases to
be indexed to servers in the same location as the indexing server, which
eliminates the need for the indexing server to spider over the WAN. The
servers containing the databases to be indexed should be ones with fast
LAN connections. Even within the same location, databases on servers
with slow LAN connections should be replicated to ones with fast
connections.
Tip You can use replication events in the Notes Log as a guide for
determining which servers have fast connections by looking at the
information for the Domain Catalog database (CATALOG.NSF):
Determine which servers the Catalog task was able to pull-replicate with
in an average time of less than 1 minute.
Reset the Include in multi database indexing database property for each
replica on the servers to be indexed, because this setting does not always
replicate.
When you create the Domain Index, use the Limit domain wide
indexing to the following servers field to limit indexing to these servers.

Planning the Domain Index


Because the initial process of spidering databases and file systems and
creating a full-text index for an entire Domino domain can take days or
even weeks, it is important to plan carefully before starting the indexing
server. The more you have thought about what data sources should be
indexed, how they should be categorized in the Domain Catalog and
search form, and how much space your Domain Index requires, the less
work you will have to do.
Note Indexing unnecessary databases makes users' search results
less meaningful, takes up space on the server, and adds time to the
indexing process, which indexes about 700MB to 1GB of information per
hour, depending on hardware and the content being indexed. At a
minimum, avoid indexing the following types of databases:
Administration Requests databases, database catalogs, database libraries,
Event message databases, log databases, mail databases, portfolio
databases, and server statistics databases.
Here is a methodology for planning the Domain Index.
1. Use the Domain Catalog to control settings for which databases to
index.
2. (Optional) Use the Domain Catalog to control settings for which file
systems to index.
3. (Optional) Estimate the size of the Domain Index.
4. (Optional) Prevent attachments from being indexed.
5. Use the Domino Administrator to assign each database to be indexed
to one or more categories in the Domain Catalog and the search
form.
6. Analyze any security issues that implementing Domain Search in
your organization might raise.


The Domain Catalog

The Domain Catalog, a database that uses the CATALOG.NTF template,
controls which databases and file systems get indexed for Domain
Search. Even if your organization is not implementing Domain Search,
the Domain Catalog is a useful administrative tool for such tasks as
keeping track of the location of database replicas.
You create the Domain Catalog by enabling the Catalog task on the
server that will index the Domino domain.
The portions of the Domain Catalog of interest to the Domain Search
administrator are those that indicate which databases and file systems
the indexing server will include in the Domain Index, as well as the
forms used to search the index. Database designers and managers select
a database for indexing by enabling the database property Include in
multi database indexing. (Administrators can configure this setting for
multiple databases using the Domino Administrator.) These settings are
saved to the Domain Catalog when the Catalog task runs.
Administrators can also control which databases are included in the
Domain Index by customizing the selection formula for a hidden view
($MultiDbIndex) in the Domain Catalog.
Administrators specify which file systems to index by adding a File
System document to the Domain Catalog for each file system on a server.
Because the Catalog task creates the Domain Catalog by using pull
replication of the database catalogs on individual servers, updating the
Domain Catalog is usually not a lengthy process if you have already
created a database catalog on every server. What can be time consuming,
however, is rebuilding the views in the Domain Catalog after an update.
For more information on creating database catalogs, see the chapter
Setting Up Database Libraries and Catalogs. For more information on
rebuilding views, see the chapter Maintaining Databases.


Domain Catalog views


The Domain Catalog's views provide information about the databases,
servers, and users in the Domino domain.
Access control lists: ACL information by Database, Level, and Name. Use
this view to see who has what level of access to the different databases
in the domain.
Content: documents in the domain by Author, Category, and Date (if
your organization has implemented document content categories).
Databases: databases in the domain by Category, Hierarchy, Replica ID,
Server, and Title.
Domain Indexer Status: the time each database included in the Domain
Index was last indexed, by both Server and Indexing Server.
File Systems: file systems and servers included in the Domain Catalog.


Hidden views
You can display hidden views in the Domain Catalog by holding down
CTRL-SHIFT as you open the Catalog. Server tasks use hidden views to
access information quickly. The hidden views $MultiDbIndex and
$FileSystem are the work queues for the Domain Indexer task. These
views show which databases and file systems will be spidered to create
the Domain Index. The $MultiDbIndex view is sorted by replica ID,
number of documents in the replica, and server to ensure that the most
recent replica (the one containing the greatest number of documents) is
the one included in the Domain Index.
Creating the Domain Catalog
You create the Domain Catalog by enabling the Catalog task on the
server that hosts the Catalog for the Domino domain. The Catalog task
uses pull replication to create the Domain Catalog from the individual
catalogs you have created on servers throughout the Domino domain.
You can replicate the Domain Catalog to other Domain Catalog servers
(such as those in a cluster).
1. From the Domino Administrator, select the server that you want to
contain the Domain Catalog.
2. Click the Configuration tab.
3. Expand the Server section in the view pane.
4. Click Current Server Document.

5. Click Edit Server, and then click the Server Tasks - Domain Catalog
tab.
6. In the Domain Catalog field, select Enabled.
7. Click OK.
8. To change the scope of the Domain Catalog, select the servers that
you want to include in the Limit domain cataloging to the following
servers field. Use wildcard characters to catalog all servers certified
with a specific certifier, for example */Sales/East/Acme. If the
field is blank (default), all servers in the domain are cataloged.
Tip Use this field to limit the scope of the Domain Catalog to
regional locations or to expand its scope to multiple Domino
domains by cataloging multiple Domain Catalog servers.
9. Click Save and Close.
10. Make sure the Catalog task is included in the ServerTasksAt1 setting in
the server's NOTES.INI file, or use another method (start the Catalog
task at the console or create a Program document) to run the task.
When the Catalog task starts for the first time, Domino creates the
Domain Catalog database based on the CATALOG.NTF template and
adds entries to the ACL so the database replicates properly within the
domain. The Administration Process creates the group
LocalDomainCatalogServers in the Domino Directory and adds the
server that contains the Domain Catalog to that group.
Selecting which databases to include in the Domain Index
The indexing server spiders databases that have the option Include in
multi database indexing selected on the Design tab of the Database
Properties box.
Begin by using the hidden view $MultiDbIndex in the Domain Catalog to
see which databases database managers have already selected for
inclusion in the index. If you see databases in the view that should
not be in your Domain Index, such as personal mail databases or
databases of limited interest, or if important databases are missing from
the view, either customize the $MultiDbIndex view's selection formula or
use the Domino Administrator to include or exclude databases.
Using $MultiDbIndex to view which databases will be indexed
1. From the Domino Administrator, choose File - Database - Open.
2. Select the cataloging server for the domain, and then select Domain
Catalog.
3. Hold down CTRL-SHIFT and click Open.
The Domain Catalog opens and displays its hidden views.
4. In the view pane, click $MultiDbIndex.
The view displays the replica ID of each database that will be
included in the Domain Index, followed by a line of information
about each replica.
Note If multiple replicas of a database were selected for indexing,
Domain Search indexes the replica containing the greatest number of
documents.
Using $MultiDbIndex to change which databases will be indexed
Customizing the selection formula for the $MultiDbIndex view is the
simplest and most direct way to control which databases are included in
the Domain Index. Be aware that a custom formula replaces the choices
database managers made with the Include in multi database indexing
property, so review the view's contents before the Domain Indexer runs.
The following is an example of a custom selection formula. In this
example, the indexing server ignores the Include in multi database
indexing settings and indexes only databases in the smoketestdata
directory on servers whose names contain hub (@Contains is
case-sensitive):
SELECT @IsAvailable(ReplicaID) & @IsUnavailable(RepositoryType) &
@Contains(pathname; "smoketestdata") & @Contains(server; "hub")

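What the $MultiDbIndex work queue will contain can be checked before the Domain Indexer runs. The Python below is an added example written for this page, not the Domain Catalog's own view logic: it applies either the default Include in multi database indexing flag or the custom formula above to a small constructed set of catalog entries, keeps one replica per replica ID (the one with the most documents, as the text describes), and flags entries of the kinds this chapter says should not be indexed. The field names, server names, replica IDs and the use of RepositoryType to mark File System documents are assumptions.

```python
"""Added example: model of the $MultiDbIndex work queue. Not Domain Catalog code.

Entry fields, server names and replica IDs are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class CatalogEntry:
    replica_id: str
    server: str
    pathname: str                      # path relative to the server's data directory
    num_documents: int
    multi_db_index: bool               # "Include in multi database indexing" property
    repository_type: Optional[str] = None   # assumed set on File System documents only


# Constructed sample catalog: the same replica ID appears once per server holding a replica.
CATALOG: List[CatalogEntry] = [
    CatalogEntry("852566A1:0012C3F4", "hub1/Acme", "specs\\products.nsf", 1200, True),
    CatalogEntry("852566A1:0012C3F4", "Sales1/Acme", "specs\\products.nsf", 1350, True),
    CatalogEntry("852566A1:0012C3F4", "hub2/Acme", "smoketestdata\\products.nsf", 900, False),
    CatalogEntry("852566B2:00AA11BB", "Mail1/Acme", "mail\\jdoe.nsf", 5000, True),  # a mail file someone flagged
    CatalogEntry("852566C3:0055EEFF", "hub1/Acme", "smoketestdata\\results.nsf", 40, False),
    CatalogEntry("", "hub1/Acme", "", 0, False, repository_type="FileSystem"),
]

Selector = Callable[[CatalogEntry], bool]


def default_selection(entry: CatalogEntry) -> bool:
    """Honour the per-database flag set by database managers."""
    return entry.multi_db_index and entry.repository_type is None


def smoketest_hub_selection(entry: CatalogEntry) -> bool:
    """The custom selection formula from the text, expressed in Python.

    SELECT @IsAvailable(ReplicaID) & @IsUnavailable(RepositoryType) &
           @Contains(pathname; "smoketestdata") & @Contains(server; "hub")
    Substring tests are case-sensitive, as @Contains is; the flag is ignored.
    """
    return (entry.replica_id != ""
            and entry.repository_type is None
            and "smoketestdata" in entry.pathname
            and "hub" in entry.server)


def work_queue(catalog: List[CatalogEntry], select: Selector) -> Dict[str, CatalogEntry]:
    """One entry per replica ID, as the $MultiDbIndex view orders them.

    Among the selected replicas of a database, the one with the greatest number of
    documents is indexed; the server name breaks ties deterministically.
    """
    chosen: Dict[str, CatalogEntry] = {}
    ordered = sorted(catalog, key=lambda e: (e.replica_id, -e.num_documents, e.server))
    for entry in ordered:
        if select(entry) and entry.replica_id not in chosen:
            chosen[entry.replica_id] = entry
    return chosen


# Databases the chapter says to keep out of the index, by data-directory path.
UNWANTED_PREFIXES = ("mail\\", "log.nsf", "catalog.nsf")


def flag_unwanted(queue: Dict[str, CatalogEntry]) -> List[CatalogEntry]:
    """Entries that would be spidered but match a type the text says not to index."""
    return [e for e in queue.values()
            if e.pathname.lower().startswith(UNWANTED_PREFIXES)]


if __name__ == "__main__":
    for label, selector in (("flag", default_selection), ("custom formula", smoketest_hub_selection)):
        queue = work_queue(CATALOG, selector)
        print(label, "->", [(e.server, e.pathname, e.num_documents) for e in queue.values()])
        print("  unwanted:", [e.pathname for e in flag_unwanted(queue)])
```

With the flag honoured, the mail file a manager flagged ends up in the queue and is reported by flag_unwanted; with the custom formula, the flag is ignored entirely, so a smoketestdata database nobody opted in is indexed and the third replica of products.nsf on hub2 is chosen even though Sales1 holds more documents, because only the hub2 entry satisfies the formula.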
Using Domino Administrator to change which databases will be indexed
You can use the Domino Administrator to select or deselect the Include
in multi database indexing option on multiple databases at the same
time.
1. From the Domino Administrator, select the server that contains the
databases you want to include in or exclude from the Domain Index.
2. Click the Files tab.
3. Make sure you have Manager access in the ACL for each database
you want to include or exclude.
Tip On the Files tab, you can right-click a database and choose
Access Control - Manage to display its ACL.
Note If you want to include databases whose ACLs restrict default
access, make sure that the LocalDomainServers or
LocalDomainCatalogServers group has at least Reader access to each
database you want to include. This gives the indexing server itself
read access to the whole database; users still receive only the
documents their own access permits, as described under Domain Search
security later in this chapter.
4. Select the databases you want to include or exclude.
Note If you plan to limit the servers to be indexed and have placed
replicas on those servers, you might need to select those replicas
now, even if the Include in multi database indexing database
property was set in the original databases, because this setting does
not always replicate.
5. In the Tools pane on the right, select Database - Multi-Database
Index.
6. Select Enable or Disable.
7. Click OK.
8. Assign categories for each database that you included.
For information on assigning categories, see the topic Assigning
database categories for the Domain Search form later in this
chapter.

Selecting which file systems to include in the Domain Index

For each server in a domain, you can create a File System document in
the Domain Catalog to specify which file system directories to include in
the Domain Index. You can index any file system that resides on the
indexing server or on a network resource mapped to that server, as long
as the server has at least Read access to the file system.
For file system searches, the indexing server must also be set up as a
Domino Web server. This allows the server to return links to documents
in the file system and to return those documents in response to queries
from both Notes and Web clients.
For information on setting up a Web server, see the chapter Setting Up
the Domino Web Server.
Caution Domain Search filtering of results based on a user's access
works only with Domino databases. A document in an indexed file
system can appear in the results of any user who runs a search, and is
then served by the Domino Web server, so index only directories whose
contents every searcher is allowed to read.
For more information on file system security and Domain Search, see the
topic Domain Search security later in this chapter.
To select which file systems to include
Add a reference to each file system in the File System document, and
then map the URL path to the file system directory so that the Domino
Web server can retrieve the found documents for users. Complete the
following steps for each server that has file systems you want to index.
1. Start the Domino Administrator or Notes client.
2. Choose File - Database - Open.
3. In the Server field, select the server that contains the Domain
Catalog.
4. Select the Domain Catalog and click Open.
5. In the view pane, click File Systems.
6. Click Add File System.
7. Select the server that contains the file system you want to index.
8. Beside the Current file system list box, click Add.
9. In the Add File System dialog box, enter the location of a file system
to include, for example c:\lotus\domino\data\files.
10. Enter a keyword, such as files, to associate with the file system.
You use this keyword in Step 14, as the portion of the
incoming URL pattern that follows the forward slash (/).
11. Click OK to add the file system to the list.
12. Repeat Steps 8 through 11 to add more file systems to the list.
13. When you have completed the list, click Save and Close.
14. Create a Web Site Rule document for the Web site for this file system.
This step is needed to map the incoming URL pattern to the file
system directory on the target server.
For more information, see the chapter Setting Up the Domino Web
Server.
15. Restart the server, or enter this command at the server console so
that the mapping settings take effect:
tell http restart

Assigning database categories for the Domain Search form


On the Design tab of the Database Properties box, you can assign one or
more categories to each database to be included in the Domain Index.
These categories appear on the search form to provide a user with a way
to narrow a search. Categories are also displayed in views of the
database catalog and Domain Catalog. You must have Manager access to
a database to create the categories.
Note Searching within categories is supported only for Domino
databases. Whenever a user specifies a category on the search form,
search results will not include any documents from file systems.
Use the Categories view in the Domain Catalog to see whether database
managers have assigned databases to appropriate categories. To edit or
add categories, use Database Properties for each database.
To view the search categories
1. Open the Domain Catalog.
2. In the view pane, click Databases and then click By Categories to
view a list of categories.
3. To see information on the databases that have been included in each
category, select View - Expand All.


To add or change search categories


1. From the Domino Administrator, select the server that contains the
databases to which you want to assign categories.
2. Click the Files tab.
3. Make sure you have Manager access in the ACL for each database to
which you want to assign a category.
Tip On the Files tab, you can right-click a database and choose
Access Control - Manage to display its ACL.
4. Select the database that you want to categorize.
5. Choose File - Database - Properties.
6. Click the Design tab.
7. Make sure List in Database Catalog is selected.
8. In the Categories box, enter one or more categories for the database.
Separate category names with a comma.

Estimating the size of the Domain Index


The size of a Domain Index is related to the size of the data being
indexed, not to the size of the database. A small database with a lot of
text can generate a larger index than a large database that has a lot of
design elements. There is no easy way to measure the data in a database,
but you can use a percentage of database size to estimate the size of the
Domain Index.
You can use the hidden view $MultiDbIndex in the Domain Catalog to
find the sizes of all databases selected for indexing. You can also use this
view to find out which of these databases have already been indexed
individually by their database managers and use full-text index size as
a more accurate indicator of the space a database will take up in the
Domain Index.
1. From the Domino Administrator, choose File - Database - Open.
2. Select the cataloging server for the domain, and then select Domain
Catalog.
3. Hold down CTRL-SHIFT and click Open.
4. In the view pane, click ($MultiDbIndex).
5. For each database listed, double-click the database entry to display
the Database Entry document.
Note If more than one replica of a database is listed, the indexing
server indexes the replica on the server you include in the Limit
domain wide indexing to the following servers field when you
create the index. If this field is blank, the indexing server indexes the
replica with the greatest number of documents.
6. Do one of the following for each database set to be part of the
Domain Index:
If there is a value in the Number of bytes indexed field on the
Full Text tab, record it.
If there is no value in the Number of bytes indexed field, record
a number between 20 and 40 percent of the value in the Database
size field on the Database tab. Record 20 percent if the database is
heavy on design, 40 percent if it is heavy on text.
7. Add the values from Step 6 to obtain an estimate of the Domain
Index in bytes.
Tip To convert your estimate to megabytes, divide by 1024 twice.
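The estimate from Steps 5 through 7, as an added Python example (not from the manual or from Domino) that also applies the replica rule from the Note above; the Database Entry values, replica IDs and server names are constructed.

```python
"""Domain Index size estimate, following the procedure in this chapter. This is
an added illustration, not Domino code: the Database Entry values are constructed."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class DatabaseEntry:
    """One Database Entry document from the ($MultiDbIndex) view, reduced to
    the fields the estimate needs."""
    title: str
    replica_id: str
    server: str
    documents: int                       # used to choose among replicas
    database_size: int                   # Database tab, in bytes
    bytes_indexed: Optional[int] = None  # Full Text tab; None when not indexed
    design_heavy: bool = False           # True -> 20 percent, False -> 40 percent


def server_selected(server: str, limit_servers: Sequence[str]) -> bool:
    """Match a server name against the Limit domain wide indexing field. A
    blank field selects every server; */East/Acme selects all servers certified
    under that certifier."""
    if not limit_servers:
        return True
    return any(server == p or (p.startswith("*/") and server.endswith(p[1:]))
               for p in limit_servers)


def choose_replica(replicas, limit_servers):
    """The replica the indexer would index: one on a server named in the Limit
    field, or, when the field is blank, the replica with the most documents.
    Among several eligible replicas the larger one is assumed (an assumption of
    this example, not stated in the chapter)."""
    eligible = [r for r in replicas if server_selected(r.server, limit_servers)]
    if not eligible:
        return None
    return max(eligible, key=lambda r: r.documents)


def estimate_entry_bytes(entry: DatabaseEntry) -> int:
    """Step 6: use Number of bytes indexed when present, otherwise 20 or 40
    percent of Database size (integer arithmetic keeps the result exact)."""
    if entry.bytes_indexed is not None:
        return entry.bytes_indexed
    percent = 20 if entry.design_heavy else 40
    return entry.database_size * percent // 100


def estimate_domain_index(entries, limit_servers=()):
    """Step 7: sum the per-database estimates, counting each replica set once.
    Returns (total bytes, descriptions of the replicas that were counted)."""
    by_replica = {}
    for e in entries:
        by_replica.setdefault(e.replica_id, []).append(e)
    total, counted = 0, []
    for replicas in by_replica.values():
        pick = choose_replica(replicas, limit_servers)
        if pick is not None:
            total += estimate_entry_bytes(pick)
            counted.append(f"{pick.title} on {pick.server}")
    return total, counted


def to_megabytes(nbytes: int) -> float:
    """Tip from the chapter: divide by 1024 twice."""
    return nbytes / 1024 / 1024


# Constructed view contents: one database with two replicas, one with a single replica.
SAMPLE_ENTRIES = [
    DatabaseEntry("Sales", "852568A1:00123456", "Sales-E/East/Acme", 12000,
                  50_000_000, bytes_indexed=8_000_000),
    DatabaseEntry("Sales", "852568A1:00123456", "Sales-W/West/Acme", 15000,
                  60_000_000),
    DatabaseEntry("HR Policies", "852568A1:00654321", "HR/East/Acme", 900,
                  10_000_000, design_heavy=True),
]

if __name__ == "__main__":
    total, counted = estimate_domain_index(SAMPLE_ENTRIES)
    print(f"{total} bytes ({to_megabytes(total):.1f} MB) from {counted}")
```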

Excluding attachments from the Domain Index


The following types of attachments are excluded from the Domain Index
by default: .au, .cca, .dbd, .dll, .exe, .gif, .img, .jpg, .mp3, .mpg, .mov, .nsf,
.ntf, .p7m, .p7s, .pag, .sys, .tar, .tif, .wav, .wpl, .zip.
To exclude all other types of document attachments, set the following
NOTES.INI variable for the indexing server:
FT_Index_Attachments=2

Domain Search security


When a user performs a Domain Search on Domino databases, Domain
Search checks each result against the ACL of the database in which the
result was found to verify that the user has access to read the document.
To perform this check, the Domain Catalog contains a listing for all
databases that includes each database's ACL. For Domino to include a
link to a result document in a user's result set, the user must have the
necessary access to read the document; that is, have at least Reader
access to the database that includes the document and be included in the
Readers field, if the document has one. The security check works as follows:
1. Domino checks the -Default- entry in the database access control list.
If the -Default- entry has Reader access or greater, the user can
read the document, and Domino returns the result in the result set.
If the -Default- entry has less than Reader access, Domino checks
whether the user has Reader access or greater in the ACL. If not,
Domino does not include the document in the result set because
the user is not authorized to read that document.
2. If the user has Reader access or greater, Domino checks whether the
result document has a Readers field.
If the result document does not have a Readers field, the user can
read the document, and Domino returns the result in the result set.
If the result document has a Readers field, Domino checks
whether the user is included in the Readers field. If not, Domino
does not include the document in the result set because the user is
not authorized to read that document.
If the user is included in the Readers field, the user can read the
document, and Domino returns the result in the result set.
Caution The security checking works only for search results from
Domino databases. Results from file system searches depend on file
system security: users see the search result even if they are not
authorized to view the document. Thus, users may not be able to access
all search results, or they might be able to discern confidential
information from the existence of a particular search result. Be sure to set
file system security properly and index only file systems for which
security is not a high priority.
Tip If you want to index file systems for which security is a high
priority, you can attach the files to Notes documents in a database
selected for indexing.
Search security and server access lists
If you use server access lists within a domain to limit access to
information, you might need to check the ACLs of databases on those
servers to ensure that results are filtered. Otherwise, a search might
return a result to a user who cannot access the result document. In some
cases, users might be able to discern confidential information from a
search result.

For example, the Acme corporation has two application servers,
App-E/East/Acme and App-W/West/Acme. Acme users are certified
with one of two organizational unit certifiers: /East/Acme or
/West/Acme. App-E/East/Acme does not allow access to any user with
a /West/Acme certificate. Databases on the server have the -Default-
setting in their ACLs set to Reader to ensure that /West/Acme users
cannot access those databases.
When Acme implements Domain Search, /West/Acme users who query
Domain Search might receive search results that include links to and
summaries of documents in databases on App-E/East/Acme, because
the ACLs of those databases do not prohibit /West/Acme users from
seeing those results. (On Windows systems, document summaries are
included in the search results if users select the Detailed Results option.)
The server access lists continue to maintain database security in this
environment, because /West/Acme users cannot access documents from
those links, but the mere existence of links and summaries could reveal
confidential information to the /West/Acme users.
To avoid this issue, check the ACLs for databases that are protected by
server access lists to ensure that they are set to filter correctly. To do this,
assume that the server access list does not exist. Change the ACL so that,
in the absence of a server access list, the database would be secured
appropriately. This ensures that when Domain Search checks the
database ACL, it filters out results that users cannot access.
If you are running Domino on Windows and are not sure that you can
properly maintain database ACLs, you might want to prevent anyone
from seeing document summaries by setting the indexing server's
NOTES.INI variable to FTG_No_Summary=1.
Note This example assumes that the indexing server has a certificate
that allows access to both App-E/East/Acme and App-W/West/Acme.
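The two-step check above and the server access list gap in the Acme example, as an added Python model that is neither Domino code nor from the manual: the user names, ACLs and documents are constructed, and the name matching is a simplification of Domino's.

```python
"""Model of the Domain Search result check described in this chapter and of the
server access list gap in the Acme example. This is an added illustration, not
Domino code: the names, ACLs and documents are constructed for the example."""
from dataclasses import dataclass
from typing import Optional

# Domino ACL access levels from lowest to highest. Reader is the minimum that
# lets a user read documents, so "Reader access or greater" means index >= 2.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


def at_least_reader(level: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index("Reader")


def name_matches(entry: str, user: str) -> bool:
    """Match an ACL, Readers field or access list entry against a hierarchical
    Notes name. Exact names match; a wildcard entry such as */East/Acme matches
    every name certified under that organizational unit. Groups are not modelled."""
    if entry.startswith("*/"):
        return user.endswith(entry[1:])
    return entry == user


@dataclass
class Database:
    title: str
    server: str
    acl: dict                                   # entry name -> access level; has "-Default-"
    server_access_list: Optional[list] = None   # who may access the server; None = no list


@dataclass
class Document:
    db: Database
    title: str
    readers: Optional[list] = None              # None = document has no Readers field


def acl_allows_read(db: Database, user: str) -> bool:
    """Step 1 of the check: -Default- first, then the user's own ACL entry."""
    if at_least_reader(db.acl["-Default-"]):
        return True
    for entry, level in db.acl.items():
        if entry != "-Default-" and name_matches(entry, user) and at_least_reader(level):
            return True
    return False


def included_in_results(doc: Document, user: str) -> bool:
    """Step 2: a result is returned only if the ACL allows reading and, when the
    document carries a Readers field, the user is named in it."""
    if not acl_allows_read(doc.db, user):
        return False
    if doc.readers is None:
        return True
    return any(name_matches(entry, user) for entry in doc.readers)


def server_allows(db: Database, user: str) -> bool:
    """Server access list check. Domain Search does not perform this check; it is
    modelled here only to show which results the user could never open."""
    if db.server_access_list is None:
        return True
    return any(name_matches(entry, user) for entry in db.server_access_list)


def leaked_results(docs, user: str):
    """Titles that Domain Search would return (link plus summary) although the
    user cannot reach the server holding them: the disclosure the chapter warns about."""
    return [d.title for d in docs
            if included_in_results(d, user) and not server_allows(d.db, user)]


def audit_default_acls(databases):
    """Administrator check from the chapter: databases protected only by a server
    access list whose -Default- entry is Reader or greater need their ACL tightened."""
    return [db.title for db in databases
            if db.server_access_list is not None and at_least_reader(db.acl["-Default-"])]


# Constructed example matching the Acme scenario: the same database before and
# after the ACL is changed to secure it without relying on the server access list.
APP_E_BEFORE = Database("Plans", "App-E/East/Acme", {"-Default-": "Reader"},
                        server_access_list=["*/East/Acme"])
APP_E_AFTER = Database("Plans", "App-E/East/Acme",
                       {"-Default-": "No Access", "*/East/Acme": "Reader"},
                       server_access_list=["*/East/Acme"])
WEST_USER = "Ann Lee/West/Acme"
EAST_USER = "Bob Ray/East/Acme"

if __name__ == "__main__":
    docs = [Document(APP_E_BEFORE, "Q3 merger plan"),
            Document(APP_E_BEFORE, "Board minutes", readers=["*/East/Acme"])]
    print("leaked before ACL fix:", leaked_results(docs, WEST_USER))   # ['Q3 merger plan']
    print("databases to fix:", audit_default_acls([APP_E_BEFORE]))     # ['Plans']
```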

Creating and updating the Domain Index


The indexing server relies on the Domain Catalog to tell it which
databases and file systems to include in the Domain Index. You use the
Server document to enable the Domain Indexer task and set a schedule
for it to run. By default, the Domain Indexer task runs once an hour.


To set the Domain Indexer task


1. If you have Web clients, make sure you have set up the indexing
server, as well as each server to be spidered by the indexer, as a
Domino Web server.
For more information on setting up a Domino Web server, see the
chapter Setting Up the Domino Web Server.
2. Make sure you have created the Domain Catalog on the indexing
server.
For more information, see the topic The Domain Catalog earlier in
this chapter.
Note The Catalog task that creates the Domain Catalog must have
finished before you start the Domain Indexer task.
3. From the Domino Administrator, select the server that you want to
be the indexing server.
4. Click the Configuration tab.
5. Expand the Server section in the view pane.
6. Click Current Server Document.
7. Click Edit Server, and then click the Server Tasks - Domain
Indexer tab.
8. In the Schedule field, select Enabled.
9. Click OK.
10. Set the indexing schedule to meet the needs of your organization.
11. Select the servers that you want to include in the index in the Limit
domain wide indexing to the following servers field. Use wildcard
characters to index all servers certified with a specific certifier, for
example, */Sales/East/Acme. If the field is blank (default), the
Domain Indexer indexes all databases for which the Include in
multi database indexing property is enabled.
12. If you have Web clients, do the following to allow the indexing
server to form valid URLs when the results of a search are displayed
in a browser:
a. Click the Internet Protocols - HTTP tab.
b. For the host name, enter the fully qualified name of the computer
that serves as the indexing server, for example,
servername.acme.com.
c. Click the Domino Web Engine tab.
d. Under Generating References to this Server, enter the
information for the indexing server. Make sure you use the
server's fully qualified domain name in the Host name field.
e. Under Conversion/Display, in the Redirect to resolve external
links field, select By Database.
Selecting By Database allows the indexing server to resolve more
URLs for users. If the indexing server can't resolve the database link
in a URL, it checks with the Domain Catalog to locate a replica of the
database.
13. Click Save and Close.
14. Restart the server by entering this command:
restart server

The Domain Indexer runs when next scheduled.


Note The indexing server must complete the initial indexing pass before
users can perform searches. Check the Domain Indexer Status view in the
Domain Catalog to be sure the initial pass is complete.

Tuning Domain Indexer performance


Each time the Domain Indexer task runs, it looks in the Domain Catalog
for new databases that have the Include in multi database indexing
property enabled. It then looks for documents and files in existing
databases and file systems that are new or changed since the last time it
ran, and adds them to the Domain Index.
To meet the specific needs of your organization, adjust the frequency
with which the Domain Indexer runs. Greater frequency results in more
up-to-date indexes, but consumes greater CPU resources. By default, the
Domain Indexer task runs every 60 minutes. Experiment with different
indexing frequencies to yield the best results for your organization.
You can also enhance search performance by tuning the number of
indexing threads used by Domain Search. Each indexing thread indexes
one repository at a time. With a greater number of threads, the indexing
server can index more databases simultaneously, but this requires more
CPU utilization, and response to search queries may be slow. With fewer
indexing threads, response to queries is faster because of greater CPU
availability, but changes are not reflected in the index as quickly.

By default, the indexing server uses two indexing threads per CPU, so a
server with two CPUs uses four indexing threads when indexing. By
adding the variable FT_Domain_Idxthds=n to the NOTES.INI file of the
indexing server, you can control the total number of threads used for
indexing on that server. For example, by adding
FT_Domain_Idxthds=8 to the NOTES.INI file of an indexing server
with two CPUs, you change the number of indexing threads to eight.
Note Do not exceed eight threads per server or you may degrade the
performance of the server, even on servers with more than four CPUs.

Changing the location of Domain Index files


By default Domain Index files are placed in a directory named
FTDOMAIN.DI in the Domino data directory of the indexing server. You
can change the location of the Index files by specifying a different
directory in the following NOTES.INI setting:
FT_Domain_Directory_Name=directory

Deleting databases from the Domain Index


You must have Manager access to a database to delete it from the
Domain Index.
The database will be deleted from the index after the next update has
been performed by both the Catalog task and the Domain Indexer task.
1. From the Domino Administrator, select the server that contains the
databases that you want to delete from the Domain Index.
2. Click the Files tab.
3. Make sure you have Manager access in the ACL for each database
you want to delete.
Tip On the Files tab, you can right-click a database and choose
Access Control - Manage to display its ACL.
4. Select the databases you want to delete.
5. In the Tools pane on the right, click Database and then select
Multi-Database Index.
6. Select Disable.
7. Click OK.
Note Removing a database from the Domain Catalog or deleting every
copy of a database also has the effect of deleting the database from the
Domain Index.

Backing up the Domain Index and Catalog


Back up the Domain Index and the Domain Catalog as often as necessary
to be useful to your organization. Weekly backups are probably sufficient
for most organizations.
Backing up the Domain Index
Make sure you back up the entire FTDOMAIN.DI subdirectory on the
indexing server as soon as the server has completed building the index
for the first time.
Caution Before you back up the Domain Index, check the Domain
Indexer Status view in the Domain Catalog to make sure that the Domain
Indexer task has finished; if you attempt to back up the Domain Index
while the Domain Indexer task is running, catastrophic data loss can
result.
Backing up the Domain Catalog
You can include the Domain Catalog (CATALOG.NSF) in the databases
for transaction logging. However, do not back up the Catalog while the
Catalog task is running.
For more information on transaction logging, see the chapter
Transaction Logging and Recovery.

Customizing Domain Search forms


Domain Search includes several default forms, including forms for
searching, specifying file systems, and presenting results.
Both the search and results forms can be customized to suit
organization-specific needs. An application developer can, for example,
add a corporate logo to either form, or rearrange the fields.
For more information on customizing search forms, see the book
Application Development with Domino Designer.
The developer can create additional search forms, and you can use setup
policy settings (for new users) or desktop policy settings (for existing
users) to provide bookmarks to the new forms to users. For example,
users might use one form to search only Human Resources databases, or
use another form to store searches for future use. The bookmarks for
search forms appear in the user's More Bookmarks folder.
For more information on using policy settings, see the chapter Using
Policies.


Results forms: where do the document titles come from?


When viewing a Domain Search results form, it can be helpful to know
where the Domain Indexer finds the document titles that it displays in
the results. The Indexer checks each document for the following Notes
fields or items that might represent the document's title: Title, Subject,
Headline, and Topic field; window title (as designated by the developer
of that Domino application); and view summary (using the default form
and default view). If the Indexer can't find any of these items,
Document has no title is displayed in the results.
Note Computing the window title for large numbers of documents
requires CPU utilization. You can omit this computation by adding the
following setting in the indexing server's NOTES.INI file:
FT_No_Compwintitle=1
For files in indexed file systems, such as IBM Lotus SmartSuite or
Microsoft Office documents, the title and author are extracted from the
document properties fields. For HTML files, TITLE and AUTHOR tags
are used.

Setting up Notes users for Domain Search


Notes users can perform domain searches as soon as you add the
designated indexing server to the Catalog/Domain Search server field
in their Location documents.
For information on how users perform domain searches, see Lotus Notes
6 Help.
Using Policies
After you set up a Domain Search server for a Domino domain, you can
use policies to automate the process of setting up Domain Search for new
or existing Notes users in that domain. For new users, record the name of
the Domain Search server in setup policy settings; for existing users,
record the server's name in desktop policy settings. Setup policy settings
populate the new user's Location document at registration. Whenever
existing users authenticate with their home server, Lotus Notes checks
desktop policy settings and updates the current Location document with
the name of the Domain Search server.
For more information on policy settings, see the chapter Using Policies.
Manual setup from a Notes workstation
The following circumstances require users to set up Domain Search at
their workstations.
A new user wants to do a domain search before the workstation has
authenticated with its home server.
A user wants to be able to do domain searches from alternate Notes
locations.
A user wants to do a domain search in a Domino domain other than
the one to which the user belongs.

To perform the setup:


1. Start the Notes client.
2. Choose File - Mobile - Edit Current Location.
3. Do the following for each location for which you want to use Domain
Search:
a. Click the Servers tab.
b. In the Catalog/domain search server field, enter the name of
the indexing server.
c. Click Save and Close.
Note If the user enters the name of the indexing server incorrectly or
specifies a server that is not an indexing server, Notes returns an error.
Tip If users enter the name of an indexing server in a Domino domain
other than their own but you have included the name of their indexing
server in the desktop policy settings applied to them, the
Catalog/domain search server field reverts to the policy setting the
next time the users authenticate with their home server. To preserve links
to an indexing server in another Domino domain, users can bookmark
the search form from that server while they are performing a search.

Setting up Web users for Domain Search


For Web users to have access to Domain Search functionality, the
indexing server, as well as all the servers being spidered by the indexer,
must be set up as Domino Web servers.
For information on setting up a Domino Web server, see the chapter
Setting Up the Domino Web Server.
When you are ready to roll out Domain Search to Web users, the Web
application developer must add to the site's home page a link to the
search form, which is contained in the Domain Catalog on the indexing
server.

To see for yourself what performing a domain search is like for a browser
user, you can use a URL command in your browser to simulate such a
link. Enter the following command in your browser, substituting the
common name of your indexing server for servername:
http://servername/catalog.nsf?domainquery
When the search form displays, you can define your search. If you have
properly configured the indexing server and the servers holding the
data, your search results display links that can be successfully followed
to each document found.

Using content maps with Domain Search


Content maps let users browse for information rather than search for it
using full-text search. Content maps organize documents by topics, or
content, into categories that are similar to the categories on sites such as
AltaVista and Yahoo!
You can assign document content categories for documents in the
Domain Catalog to organize information in a content map.
To assign content categories
You can assign content categories to both Lotus Notes documents and
Web URLs. You assign content categories from a Lotus Notes client, and
you must have Author access to the Domain Catalog database.
1. Start the Lotus Notes client.
2. Do one of the following:
To categorize a Notes document, navigate to the document. You
must have at least Editor access to the document (or Author access
if you created the document).
To categorize a Web URL, make sure that the default browser in
your Location document is set to Lotus Notes. Then, in the Lotus
Notes client, navigate to the Web page by clicking the Open URL
icon (top right) and entering the URL in the Address field.
3. Choose File - Document Properties.
4. Click the Meta tab (plus sign).
5. Do one of the following:
To assign the document to an existing category, click Categorize,
select one or more categories, and click OK.
To assign the document to a new category, type the category name
in the Keywords field.
6. Click Post to Catalog.
Note If the Post to Catalog button is dimmed, try clicking another
field on the Meta tab, or click another tab and then return to the Meta
tab, to enable it.
For a Lotus Notes document, click the Post to Catalog button to
add content category information to hidden meta fields in the
document header and to add a content categories document for the
document to the Content by Category view in the Domain Catalog.
For a Web URL, click this button to add a content categories
document for the URL to the Content by Category view in the
Domain Catalog.
To view content categories
The Domain Catalog displays content categories in the Content - By
Category view.
1. Start the Lotus Notes client.
2. Click the arrow to the right of the search icon.
3. Choose Domain Search.
4. Click Browse Catalog.
5. In the view pane, click Content and then click By Category.
6. Expand the categories to display document and URL titles.
7. Double-click a document or URL title to open a link to the document
or URL.
You can customize the Content by Category view to suit
organization-specific needs.
For more information on customizing views, see the book Application
Development with Domino Designer.
To change content categories
You change content categories by editing the DocContent Link
documents in the Domain Catalog. You must have Editor access to the
Domain Catalog.
1. Start the Lotus Notes client.
2. Click the arrow to the right of the search icon.
3. Choose Domain Search.
4. Click Browse Catalog.
5. In the view pane, click Content and then click By Category.
6. Expand the categories to display document or URL titles.

7. Select an entry to re-categorize and choose Actions - Edit Document.
This displays the DocContent Link document for the entry.
8. Specify a new category in the Keyword field.
9. Click Save and Close.
Note This procedure updates the category information for this entry in
the Domain Catalog but does not change the category information saved
in the meta fields of the document itself.

NOTES.INI settings for Domain Search


The following table describes the NOTES.INI settings that pertain
specifically to Domain Search.
For more information on these settings, see the NOTES.INI File
appendix.
Setting                    Description
FT_Domain_Directory_Name   Specifies the directory for the Domain Index files on the indexing server.
FT_Domain_Idxthds          Specifies the total number of threads used for indexing by the indexing server.
FT_Index_Attachments       Specifies whether to exclude document attachments not already excluded by default from the Domain Index.
FT_No_Compwintitle         Specifies whether to compute the window titles for documents that are returned by a search.
FT_Summ_Default_Language   Specifies the language for document summaries in search results whenever the language in the document is not supported by the summary feature.
FTG_No_Summary             Specifies whether to display document summaries in search results.
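An added check, not part of the manual or of Domino: it parses the flat key=value NOTES.INI format and audits the Domain Search settings in the table above against the eight-thread limit and the document summary guidance given earlier in this chapter. The NOTES.INI fragment, the task list in it and the CPU count are constructed.

```python
"""Audit of the Domain Search settings in an indexing server's NOTES.INI
against the guidance in this chapter. Added illustration, not a Domino tool;
the NOTES.INI fragment and CPU count below are constructed."""

# The settings from the chapter's table, in the spelling the chapter uses.
DOMAIN_SEARCH_KEYS = {
    "FT_Domain_Directory_Name", "FT_Domain_Idxthds", "FT_Index_Attachments",
    "FT_No_Compwintitle", "FT_Summ_Default_Language", "FTG_No_Summary",
}
MAX_THREADS_PER_SERVER = 8   # Note under Tuning Domain Indexer performance
THREADS_PER_CPU = 2          # default when FT_Domain_Idxthds is not set


def parse_notes_ini(text: str) -> dict:
    """NOTES.INI is a flat key=value file (with a [Notes] section header on
    Windows). Keys are treated case-insensitively here and normalised to the
    chapter's spelling for the Domain Search settings."""
    canonical = {k.lower(): k for k in DOMAIN_SEARCH_KEYS}
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        settings[canonical.get(key.lower(), key)] = value.strip()
    return settings


def effective_threads(settings: dict, cpus: int) -> int:
    """Total indexing threads: FT_Domain_Idxthds if set, else two per CPU."""
    value = settings.get("FT_Domain_Idxthds")
    return int(value) if value is not None else THREADS_PER_CPU * cpus


def audit_domain_search(settings: dict, cpus: int) -> list:
    """Return (setting, severity, message) findings. 'warn' marks a value the
    chapter says to avoid; 'info' records a default worth a conscious decision."""
    findings = []
    threads = effective_threads(settings, cpus)
    if threads > MAX_THREADS_PER_SERVER:
        findings.append(("FT_Domain_Idxthds", "warn",
                         f"{threads} indexing threads exceeds the limit of "
                         f"{MAX_THREADS_PER_SERVER} per server; set FT_Domain_Idxthds=8 or lower"))
    if settings.get("FTG_No_Summary") != "1":
        findings.append(("FTG_No_Summary", "info",
                         "document summaries are shown in results; set FTG_No_Summary=1 "
                         "if database ACLs cannot be relied on to filter results"))
    if settings.get("FT_Index_Attachments") != "2":
        findings.append(("FT_Index_Attachments", "info",
                         "attachments other than the default exclusions are indexed"))
    return findings


# Constructed NOTES.INI fragment for a two-CPU indexing server.
SAMPLE_NOTES_INI = """[Notes]
Directory=c:\\lotus\\domino\\data
ServerTasks=Update,Replica,Router,AMgr,Catalog,HTTP
FT_Domain_Idxthds=12
ft_index_attachments=2
FT_Domain_Directory_Name=d:\\ftindex
"""

if __name__ == "__main__":
    for finding in audit_domain_search(parse_notes_ini(SAMPLE_NOTES_INI), cpus=2):
        print(*finding)
```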

Chapter 11
Setting Up Domino Off-Line Services

This chapter explains how to enable an application to go offline with
Domino Off-Line Services (DOLS) and how to administer DOLS
applications on the Domino 6 server.

Domino Off-Line Services


Domino Off-Line Services (DOLS) provides a way for users to take IBM
Lotus Domino Release 6 Web applications offline, work in them, and
synchronize the changes with an online replica on the Domino server.
Users are not required to have the IBM Lotus Notes 6 client because the
applications are accessed with a browser.
Nearly all Notes functionality is retained when a DOLS-enabled
application (called a subscription) is taken offline. Users can compose,
edit, delete, sort, and categorize Notes documents, and perform full-text
searches. DOLS subscriptions can make full use of Java applets, agent
execution, and workflow. DOLS also supports full data replication,
retains application logic, and supports the full Notes security model.
The developer and administrator must set up and configure a DOLS
subscription for offline use.
The developer copies a number of elements into the subscription, makes
design changes if necessary, and configures the subscription in the
Offline Subscription Configuration Profile document.
The administrator makes sure DOLS is installed properly on the server,
sets security for the subscription, sets up agents, makes changes to the
Offline Subscription Configuration Profile document if necessary, and
helps users install the subscription.


Once the subscription is enabled, users can access it on the server using a
browser. The user clicks in a new frame on the subscription's main page
to open a JavaScript menu. When the user selects Install from the
menu, the subscription is installed on their computer.
Also installed on their computer is the Lotus iNotes Sync Manager, a
utility for managing DOLS subscriptions. Users can open subscriptions
online or offline, synchronize, and set subscription properties with the
Sync Manager.
For more information, see the Lotus iNotes Sync Manager Help
(available from the Help menu of the Lotus iNotes Sync Manager).

Overview of DOLS administrator tasks


Developers and administrators perform different tasks to prepare a
DOLS subscription for users. Administrators perform the following
tasks:
1. Setting up DOLS on a server.
For more information on setting up DOLS on a server, see the
chapter Installation.
2. Creating a DOLS Offline Security Policy document.
3. Increasing security for DOLS subscriptions.
4. Increasing the servers output timeout for DOLS downloads.
5. Configuring the DOLS subscription.
6. Setting up agents for the DOLS subscription.
7. Sending users the URL of the subscription. If the offline security policy
is Prompt for ID, also making sure they have a Notes user ID and
Internet password so they can open the subscription.


How DOLS works


The following diagrams show how the iNotes Sync Manager gets
installed, and how it supports Web applications offline.

[Diagram: the Browser on the PC Client contacts the Domino Server's nHTTP task over the Network (1a), and nHTTP communicates with the Web App (1b).]
Typically, the first step is for a user to enter the URL of a Domino server,
along with the path and name of a DOLS-enabled Web application on
that server, into their browser. The browser contacts the server through
the Web Server task, also called the nHTTP task (1a), and the Web Server
then communicates with the Web application (1b).
If the Web application has appropriate security levels set in the ACL, the
user is prompted to log into the Web application using their name and
Internet password. This authentication is also handled by the Web
Server.

[Diagram: Domino Server (nHTTP, DOLS Filter, DOLS File Sets, Web App) and PC Client (Browser, DOLS File Sets) connected over the Network; steps 2a through 2d.]
If the application is DOLS-enabled, and an Offline Configuration
Document (OCD) was created and saved, the user sees the DOLS Web
Control when they open the application. The user clicks the Web control
and selects Install Subscription... to start downloading the application
to their computer.
When the user selects Install Subscription..., the application requests
the OCD (2a). A special DSAPI filter file on the server, listening for URL
Web server requests, notices the OCD request. The filter queries the
client to determine if the iNotes Sync Manager (iNSM) client software is
already installed. If not, the filter tells the browser to begin downloading
a set of DOLS File Sets to the client over the HTTP connection (2b). These
file sets are used to install the iNotes Sync Manager software.

[Diagram: Domino Server (Web App) and PC Client (Browser, iNotes Sync Mgr, DOLS File Sets, Web App) connected over the Network by nRPC; steps 4a and 4b.]

Once the DOLS File Sets are downloaded, they are uncompressed and
the iNotes Sync Manager launches (3). The Sync Manager then
configures the client for the incoming application and launches a Sync
Task, which initiates a Remote Procedure Call (nRPC) connection with
the Domino server (4a). This secure Domino replication connection
performs a number of operations to download and initialize the
application on the client (4b). When synchronization is complete, a
subscription of the application exists on the client. A subscription
includes all databases that were listed in the OCD as making up the
application. Their contents are adjusted according to administrator and
user settings, as well as security information, so that the user on the
client has access to only the data they had access to on the server.
Full-text indexes of all offline databases can also be created if the
user requests it.

[Figure: Opening a subscription offline, steps 5a-5c. Components shown: Domino Server, Network, PC Client (Browser, Local nHTTP, iNotes Sync Mgr, Web App).]
When the user wants to open the application offline, they select it from a
list in the Sync Manager and click Open Offline. The Sync Manager
launches a local copy of the Web server and the local browser (5a). The
Sync Manager tells the local Web server to connect with the local browser
(5b) and with the offline copy of the application (5c). The local Web
server then validates the user's login name and password and
displays the application offline (locally) just as it would be displayed
online (on the server). Any data the user creates, modifies, and saves
while using the offline application is stored in the local version of the
application.

[Figure: Synchronizing the subscription, steps 6a-6b. Components shown: Domino Server (Web App), Network, nRPC, PC Client (iNotes Sync Mgr, Web App).]
To synchronize the data between the offline and online versions of the
application, the Sync Manager, either at the user's command or
automatically on a schedule, launches the Sync Task, which again creates
an nRPC connection to the Domino server (6a). The Sync Task then
replicates any or all data between the client copy of the application and
the server copy (6b). Any changes to the security settings of the online
application are synchronized offline. Any outgoing e-mail that has
accumulated in the local mail.box file is copied to the server and
dispatched to the mail router task for delivery. When synchronization is
complete, the user may disconnect from the network and continue using
the application offline.

Creating a DOLS Off-line Security Policy document


Use Offline Security Policy documents to set different ID policies for
users in different domains. For example, you can generate IDs
automatically for users inside the company, but require users in a
domain outside the company to provide IDs you have given them.
To create an Offline Security Policy Document, do the following:
1. Open Lotus Domino Administrator 6.
2. Click the Configuration tab.
3. Click Offline Services.

4. Click Security.
5. Click New Security Policy.
6. Fill out the following fields in the Basics tab:
Security domain
    Enter the domain that this policy affects, for example /US/Company
    or /Company (include the leading slash). All users in this domain are
    subject to the deployment policy you set in this document.
    The domain specified in this field also includes users one
    organizational level below it. For example, /Cambridge/Lotus includes
    users in /Security/Cambridge/Lotus and /Dev/Cambridge/Lotus.

Prompt for ID during download
    Before the subscription installs, users are asked to specify where on
    their computer their user ID is stored. The administrator must provide
    an ID to the user. This is the default ID deployment policy.

Automatically generate user IDs
    Before installation, a user ID is generated for the user automatically.
    The Automatic tab appears when this option is selected. Click this tab
    and attach the certifier ID used to generate the user IDs, set the
    certifier password, and set the ID expiration date.
    It is recommended that you do not attach the absolute root certifier
    for your organization (for example, /Lotus). Instead, generate user IDs
    against a subcertifier (for example, /NewUsers/Lotus). You may also
    want to generate the user IDs in a new domain.

Use the Domino Directory for ID lookup
    Before installation, the server looks for an existing user ID in the
    Domino Directory (formerly called the Names and Address Book, or NAB).
    The Lookup tab appears when this option is selected. Enter the relative
    path of the Domino Directory that contains the IDs.

Roaming User
    Override security policy for roaming users. Select this box so that the
    Domino server behaves appropriately with roaming users who access the
    subscription. The server recognizes the user as a roaming user, ignores
    the current security policy, and finds the user's ID on the user's home
    server.

ID Management
    Overwrite existing user IDs. Select this box to have the user's offline
    ID overwritten with a new ID each time they install a subscription.
    Caution: Do not turn on this setting in an enterprise that uses
    encrypted subscriptions. Users whose IDs are overwritten cannot open an
    offline subscription encrypted with a key from the previous ID.

7. If you selected Automatically generate user IDs, fill out the
   following fields in the Automatic tab:

Certifier ID to use
    Attach a certifier ID to this rich text field. The certifier ID must
    support the Security domain specified in the Security domain field.
    For example, if the Security domain is /A/B/C, then /A/B/C, /B/C, or
    /C is an acceptable certifier.
    The certifier ID file attached here must share the same root certifier
    as the server's ID for DOLS. If they do not share the same root
    certifier, the user may receive replication errors about a lack of
    cross-certificates.

Password for certifier ID
    Enter the password for the certifier ID. The password is case-sensitive
    and must be correct, or the user will not be able to install.
    This password is stored in the policy document, so protect it by
    restricting the ACL of this database (doladmin.nsf) appropriately.

Expiration date to set on created user IDs
    Select or enter an expiration date for the IDs. For example,
    03/31/2006.
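The two naming rules above (which users a Security domain covers, and which certifiers may be attached for it) are easy to get wrong when a policy document is filled in by hand. The following Python is an added example, not part of this manual or of Lotus software, that models those rules as the manual states them. Reading "one level down" as "at most one organizational unit below the domain" is this example's own interpretation, and the user names in its sample data are constructed.

```python
"""Model of the DOLS Off-line Security Policy naming rules.

Added example, not IBM/Lotus code.  It encodes only what the manual says:
  * a Security domain such as /Cambridge/Lotus covers users in that unit and
    in units one level below it (/Security/Cambridge/Lotus, /Dev/Cambridge/Lotus);
  * a certifier attached on the Automatic tab must support the domain: for
    /A/B/C the acceptable certifiers are /A/B/C, /B/C and /C.
Reading "one level down" as "at most one OU level below the domain" is this
example's interpretation.  Names may be abbreviated (Jane Doe/Dev/Cambridge/Lotus)
or canonical (CN=Jane Doe/OU=Dev/OU=Cambridge/O=Lotus).
"""


def components(name):
    """Split a hierarchical name into components, leaf first, root last.

    Leading slashes and CN=/OU=/O= prefixes are dropped, so '/Cambridge/Lotus'
    and 'OU=Cambridge/O=Lotus' both yield ['Cambridge', 'Lotus'].
    """
    parts = []
    for part in name.split("/"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            part = part.split("=", 1)[1].strip()
        parts.append(part)
    if not parts:
        raise ValueError("empty hierarchical name: %r" % name)
    return parts


def _ends_with(chain, suffix):
    """True if `chain` ends with the components in `suffix`.

    Comparison is case-insensitive, as Notes hierarchical names are.
    """
    if len(suffix) > len(chain):
        return False
    tail = chain[len(chain) - len(suffix):]
    return [c.lower() for c in tail] == [c.lower() for c in suffix]


def user_in_security_domain(user_name, domain, max_levels_below=1):
    """True if the policy for `domain` applies to `user_name`.

    The user's organizational chain (everything after the common name) must
    end with the domain and may extend at most `max_levels_below` units
    beneath it.
    """
    org_chain = components(user_name)[1:]      # drop the common name
    dom = components(domain)
    if not _ends_with(org_chain, dom):
        return False
    return len(org_chain) - len(dom) <= max_levels_below


def certifier_supports_domain(certifier, domain):
    """True if `certifier` may issue IDs for `domain`: the certifier's name
    must be a suffix of the domain (/A/B/C accepts /A/B/C, /B/C and /C)."""
    return _ends_with(components(domain), components(certifier))


def review_policy(domain, certifier, users):
    """Check a proposed Off-line Security Policy document.

    Returns (ok, covered_users, problems).  `problems` lists the hard error
    of a certifier that does not support the domain and the manual's warning
    against attaching an organization's root certifier.
    """
    problems = []
    if not certifier_supports_domain(certifier, domain):
        problems.append("certifier %s does not support domain %s"
                        % (certifier, domain))
    if len(components(certifier)) == 1:
        problems.append("%s is a root certifier; generate IDs against a "
                        "sub-certifier instead" % certifier)
    covered = [u for u in users if user_in_security_domain(u, domain)]
    return (not problems, covered, problems)


if __name__ == "__main__":
    # Constructed sample data; these are not real Lotus names.
    staff = [
        "Jane Doe/Security/Cambridge/Lotus",
        "CN=Bob Lee/OU=Dev/OU=Cambridge/O=Lotus",
        "Ann Roe/QA/Dev/Cambridge/Lotus",   # two levels below: not covered
        "Sam Poe/Westford/Lotus",           # different unit: not covered
    ]
    ok, covered, problems = review_policy("/Cambridge/Lotus",
                                          "/Cambridge/Lotus", staff)
    print("ok:", ok, "covered:", covered, "problems:", problems)
```

Run the module directly to see which constructed users the /Cambridge/Lotus policy covers; review_policy also flags the root-certifier case the manual warns against.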

8. If you selected Use the Domino Directory for ID lookup (Use NAB for
   ID lookup), fill out the following field in the Lookup tab:

Address book to look up ID files from
    Enter the database filename, with relative path, of the directory in
    which your server's user IDs reside. The target database must have
    standard NAB views and documents, with an ID file attached to each
    Person document.

Increasing security for DOLS subscriptions

You have several options for increasing security on DOLS subscriptions:

Tighten access to the database
    Open the ACL for the subscription and add the users and groups to whom
    you want to grant access. Anonymous must have No Access.

Tighten security on the configuration document
    To limit who can open and edit the Offline Subscription Configuration
    Profile document for a particular subscription, open the subscription's
    DOLS Offline Configuration form in Lotus Domino Designer 6 and change
    the security settings in the Form properties.

Tighten security on offline data
    To ensure that unsanctioned users cannot access the subscription data
    offline using another software product, encrypt the subscription in the
    Offline Subscription Configuration Profile document.

Tighten security for all subscriptions on the server
    To propagate a security setting to all the existing DOLS subscriptions
    on a server, make sure the subscriptions are set to inherit design
    changes from the DOLS Resource template (DOLRES.NTF); change the
    setting in DOLRES.NTF; then run the Designer task.
    For more information on the Designer task, see the topic Synchronizing
    databases with master templates.


Increasing the server's output timeout for DOLS downloads

DOLS administrators should increase the output timeout if users will be
installing the DOLS file set over a phone line. To increase the server
output timeout:
1. Open Lotus Domino Administrator 6.
2. In the navigation pane, click Server - Current Server Document.
3. Click the Internet Protocols tab, then the HTTP tab. Change the
   Output timeout field to 18000 seconds to allow enough time for
   downloads. Adjust this value according to the speed of your users'
   connections.

Configuring the DOLS subscription

You choose configuration settings for the subscription in the Offline
Subscription Configuration Profile document. You must edit and save a
configuration document in every subscription, even if you make no
changes to the document. A subscription can have only one configuration
document, even if the subscription has multiple databases. The
configuration document must be stored in the main database. The main
database is the database in the subscription from which the user
downloads the subscription.
You can change configuration settings even after users have downloaded
the subscription.
To edit the configuration document
1. Copy the appropriate design elements into the main database.
2. Open the database in Notes.
3. Choose Actions - Edit Offline Configuration to open the document.
   Note that some of the fields have default values, which you can
   change. You can use wildcard characters in any field.
4. Click the Basics tab. The name of the main database should be in the
   Subscription title field. If it is not, enter it.

5. Click the Services tab and fill in the following fields.

Domino services to install offline
    The offline subscription may need support for full-text indexing,
    LotusScript and unscheduled agents (such as Web open), Java back-end
    classes and applets, MAPI enablement, or custom services. Select the
    appropriate boxes so that only the files the users actually need are
    downloaded to their machines:
        Basic services (required)
        Full-Text Indexing
        LotusScript and unscheduled agents
        Java classes and applets
        MAPI enablement
        Custom Services
    MAPI enablement is available only when you use the Extended Mail
    Template (MAIL6EX.NTF) for Web Mail or iNotes Access for Microsoft
    Outlook users.

Default Language
    Choose a default language for the Web Control menu and the iNotes Sync
    Manager. Users can override this setting by selecting a different
    language from the Web Control menu.

Custom services to install offline
    This field is available only when you select the Custom Services box.
    Enter the names of the custom service files to be unpacked and executed
    on the user's computer during installation of the subscription. Custom
    services have the following syntax:
        CustomServiceName [Setup.exe [SetupArguments]]
    For example:
        mycustomname mysetupfile.exe -z -r -u
    If you specify more than one custom service, separate the services with
    commas. For example:
        mycustomname mysetupfile.exe -z -r -u, mycustomname2 mysetupfile2.exe -z -r -u
    For more information on custom file sets, see the topic Creating custom
    file sets for a DOLS subscription.
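Because the entries in this field are unpacked and executed on every client that installs the subscription, it is worth checking the field's contents before saving the configuration document. The following Python parser is an added example, not code from this manual or from Lotus. It reads the comma-separated syntax shown above, rejects empty entries and duplicate service names (comparing names case-insensitively is the example's own choice), and writes the field back in normalized form; the service and file names in its sample data are constructed.

```python
"""Parser for the DOLS "Custom services to install offline" field.

Added example, not Lotus code.  The field syntax is the one the manual gives:
    CustomServiceName [Setup.exe [SetupArguments]]
with several services separated by commas.  Everything listed here is
unpacked and executed on the user's computer during installation, so an
administrator should review the field for typos, stray commas and duplicate
names before saving the configuration document.
"""


class CustomService:
    """One entry: a service name, an optional setup executable, its arguments."""

    def __init__(self, name, setup=None, args=()):
        self.name = name
        self.setup = setup          # None when no setup program is given
        self.args = tuple(args)     # arguments passed to the setup program

    def render(self):
        """Write the entry back in the manual's syntax."""
        parts = [self.name]
        if self.setup is not None:
            parts.append(self.setup)
            parts.extend(self.args)
        return " ".join(parts)

    def __eq__(self, other):
        return (self.name, self.setup, self.args) == \
               (other.name, other.setup, other.args)


def parse_custom_services(value):
    """Split the field into CustomService objects.

    Raises ValueError for an empty entry (for example a trailing comma) or
    a duplicated service name.  Names are compared case-insensitively; that
    is this example's choice, not a rule stated by the manual.
    """
    services = []
    seen = set()
    for raw in value.split(","):
        tokens = raw.split()
        if not tokens:
            raise ValueError("empty custom service entry in %r" % value)
        name, rest = tokens[0], tokens[1:]
        if name.lower() in seen:
            raise ValueError("duplicate custom service name %r" % name)
        seen.add(name.lower())
        setup = rest[0] if rest else None
        services.append(CustomService(name, setup, rest[1:]))
    return services


def render_custom_services(services):
    """Join entries with ', ' as the manual's multi-service example does."""
    return ", ".join(s.render() for s in services)


def custom_services_problem(value):
    """Return None if the field parses cleanly, otherwise the error text."""
    try:
        parse_custom_services(value)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed field contents, including one with a trailing comma.
    for field in ("mycustomname mysetupfile.exe -z -r -u, "
                  "mycustomname2 mysetupfile2.exe -z -r -u",
                  "helpers",
                  "a x.exe,"):
        problem = custom_services_problem(field)
        if problem:
            print("REJECT %r: %s" % (field, problem))
        else:
            print("OK    ", render_custom_services(parse_custom_services(field)))
```

The parser keeps arguments exactly as written; it does not try to interpret them, since they belong to whatever setup program the custom file set ships.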

6. Click the Schedule tab and complete the following fields. Note that
   the user can override most of these fields from within the
   Subscription Properties box of the iNotes Sync Manager.

Type of schedule
    Daily: Select this option, then specify the time of day you want
    synchronization to occur.
    Weekly: Select this option, then check the days on which you want
    synchronization to occur.
    Monthly: Select this option, then specify the day of the month on which
    you want synchronization to occur.

Start time
    Enter the time of day for the subscription to start scheduled
    synchronization.

Frequency
    Repeating schedule: Select this box if you want synchronization to
    repeat at certain intervals after the initial start time.
    Interval: Specify the time between repeating synchronizations. Enter a
    number and then choose either minutes or hours. For example, you can
    enter 180 minutes or 3 hours.

Limitations
    Stop synchronization at: Specify the time at which you want
    synchronization to stop.

Recurrence exceptions
    Schedule disabled: Select this box to make a disabled synchronization
    schedule the default state. The subscription then synchronizes only
    once, when it is installed. The user can override this setting in the
    offline synchronization properties.

7. Click the Sync Options tab and complete the following fields:

File Rules

Required files to replicate
    Enter the subscription's required files. Required files are databases,
    templates, or directories that are automatically installed offline and
    are replicated every time the subscription is synchronized.
    All required files and directories must be specified relative to the
    server's data directory.
    For tips on using directory names and wildcards when you specify more
    than one Required file or Optional file, see the topic Creating
    multiple database DOLS subscriptions.

Optional files to replicate
    Enter the subscription's optional files. Optional files are databases,
    templates, or directories that can be enabled or disabled in the Sync
    Manager for offline installation and replication. For example, in
    addition to the required file(s), you may want to download a related
    Help database or an archived discussion database as an optional file.
    All optional files and directories must be specified relative to the
    server's data directory.
    Optional databases replicate as stubs, meaning that only the design is
    replicated. Users can open Sync Properties, click the Sync Options tab,
    select the database, and deselect the Disable box. The data is then
    replicated at the next synchronization. To save disk space, users can
    disable an optional file, and its data is removed at the next
    synchronization.
    Enable replication of optional files by default: Select this box to
    automatically download and synchronize new databases found in the
    subscription's directories on the server. For example, if one of the
    optional databases is designed to create new databases, the new
    databases are automatically downloaded and synchronized.

Encryption
    Encrypt this subscription: Select the box to enable encryption, then
    select the level of encryption. Encryption prevents an unauthorized
    user from accessing the offline subscription's data using another
    software product.
    If the subscription has multiple databases, all of those databases are
    encrypted.
    If the subscription has a shared file, you must encrypt all
    subscriptions sharing the file. An unencrypted subscription may not be
    able to open an encrypted file.
    Using strong encryption causes a database to open more slowly than it
    would using weaker encryption or no encryption.
    Do not encrypt the database from the Database Properties box. Use the
    Offline Subscription Configuration document to prevent unauthorized
    users from reading subscription data using other applications.

Directory catalog
    Synchronize directory catalog: Select this box to install a directory
    catalog with the subscription. Then enter the file name, including
    directory path, of the catalog database on the server (for example,
    dircats\mydircat.nsf). If the server administrator has specified a
    default offline directory catalog for the server by adding
    $DOLSDirectoryCatalog=nameofcatalog.nsf to the NOTES.INI file on the
    server, you can leave this field blank and the server's default offline
    catalog is replicated with the subscription. A catalog filename
    specified here overrides the server's default offline directory catalog.
    Replicate as an optional file: Select this box to specify the catalog
    as an optional file. If the directory catalog is specified as an
    optional file, the Enable replication of optional files by default box
    must be checked for the catalog to replicate the first time.
    For iNotes Access for Outlook users or iNotes Access for Web Mail users
    to take a directory catalog offline, you must add the name of a
    directory catalog, including the NSF extension, to the
    $DOLSDirectoryCatalog setting in the server's NOTES.INI file.
    For more information on using directory catalogs with DOLS, see the
    topic Adding a directory catalog to the application before adding one
    to your subscription.

Date Filtering
    Only sync documents modified within the last [number] days: Select this
    box to preset a default, date-based filter on all databases created
    offline. For example, if you specify 30 days, only documents created or
    modified in the last 30 days synchronize. Once the subscription is
    installed, users can reset this for each subscription file using the
    iNotes Sync Manager.

Halt Conditions
    Limit database size to [number] MB: Select this box to specify the
    maximum size in megabytes of the offline database. You cannot specify
    a number less than 10.
    Limit subscription size to [number] MB: Select this box to specify the
    maximum size in megabytes of the entire offline subscription. You
    cannot specify a number less than 10.
    These settings preset an automatic halt to offline synchronization
    when a database, or the subscription as a whole, exceeds the specified
    size. The user can override this setting.
    Be careful not to specify a size that is too limiting. The offline
    subscription may not be fully operational if synchronization is
    interrupted prematurely.

Optional actions
    Full-Text Index subscription after sync: Select this box to force
    full-text indexing of the subscription after synchronization. The user
    can override this setting.
    Compact subscription after sync: Select this box to force the
    subscription to compact after synchronization.
    Notify on completion of sync: Select this box if you want the user to
    receive a message when synchronization is complete. The user can
    override this setting. If warnings are raised during the
    synchronization process and this option is selected, each warning
    message is displayed.
    Route mail on client shutdown: Select this box so that pending outgoing
    mail messages are sent before the user exits from the iNotes Sync
    Manager. The user can override this setting.

    Replicate on client shutdown: Select this box so that synchronization
    occurs before the user exits from the iNotes Sync Manager. The user can
    override this setting.
    Use multi-user data directory: Select this box so that the subscription
    can be installed on a client with a Notes multi-user setup. Subscription
    data is stored in the user's personal profile data directory.

8. Click the Admin tab and complete the following fields:

Push subscription settings
    Push subscription settings to iNotes Sync Manager: Select this box to
    push changes made to the active Off-Line Subscription Configuration
    Profile document (on the server) down to the iNotes Sync Manager (on
    the client) without requiring a reinstallation of the subscription.
    The following are the only settings and actions that cannot be changed
    on the user's computer unless the user deletes and reinstalls the
    subscription:
        Encryption
        Per-user shared subscriptions
        Multi-user data directories
        Passthru server settings
        Optional TCP/IP addresses
        A change in the subscription title
        Adding new services or custom file sets
        Deleting or moving the main database (.nsf file)
    Force user to accept subscription changes: This box is visible only
    when Push subscription settings to iNotes Sync Manager is selected.
    Select this box to force the user to accept changes in the Offline
    Subscription Configuration Profile document. If you do not select this
    box, users can prevent the changes from being applied to their
    subscriptions.

Allow per-user shared subscription data
    Select this box to allow the subscription to share a file with another
    subscription, as long as the same user has installed both files.
    For example, a user installs this subscription with the directory
    catalog dircat1.nsf. If the user then installs another subscription
    that uses dircat1.nsf and also selects this option, the two
    subscriptions share dircat1.nsf.
    All subscriptions that share the same file must be either all
    encrypted or all unencrypted. Non-encrypted subscriptions may not be
    able to share a file that is encrypted.

Read only subscription settings
    Make schedule read-only: Select this box to dim the scheduled
    replication settings in the Properties dialog - Schedule tab of the
    subscription on the user's computer. You can push this to users by
    selecting it before they install the subscription, or by using the
    Push subscription settings feature.
    Make sync options read-only: Select this box to dim the Sync Options
    settings in the Properties dialog - Sync Options tab of the
    subscription on the user's computer. You can push this to users by
    selecting it before they install the subscription, or by using the
    Push subscription settings feature.

Passthru server settings
    Use passthru server to connect to destination server: Select this box
    to use a passthru server to connect to the Domino server that hosts the
    subscription. You must enter the name of the passthru server.

Network Settings
    Use optional TCP/IP address to connect to destination server: Select
    this box to provide primary and/or secondary TCP/IP addresses for the
    destination Domino server hosting the subscription. This is especially
    useful for users who access the server through both an intranet and an
    extranet. If the primary address is not reachable, the iNotes Sync
    Manager tries the secondary address.
    Then enter the primary and secondary addresses. If users connect to
    the host server through a passthru server, the addresses must be those
    of the passthru server.
    Alternatively, an administrator can configure these settings for all
    the subscriptions hosted on a particular server by adding addresses to
    the $DOLS_TCPIPAddress and $DOLS_TCPIPAddress2 settings in the
    server's NOTES.INI file.

9. (Optional) At the bottom of the configuration document, select
   whether to display the default download page or create your own
   download page. The download page is what users see while they're
   installing a subscription. It's useful for showing instructions,
   company graphics, warnings, or tips. Do one of the following:
   Leave Display default download page contents selected to have the
   download page contain the default text and graphics. You can add text,
   HTML, or images in the rich-text field below the default text and
   graphics.
   Select Display only the custom contents below to create a download
   page. A rich-text field appears in which you can add text, HTML, or
   images.
10. Save and close the configuration document.
11. Save and close the subscription.
12. (Optional) Customize the subscription. For more information on
    customizing the subscription, see the topic Optional tasks for DOLS
    developers.

Setting up agents for the DOLS subscription

Agents are small programs that perform actions in a subscription.
Because they can be powerful tools, they must have permission from the
server to perform their actions. Agents inherit the permissions of their
signer. An agent's signer can be the user who created it, or a user or
organization designated by an administrator. An administrator can also
register a dummy user on the server and make it the signer of agents.
This provides more control and security, because the dummy user can do
only what the administrator permits it to do.
For an agent to perform actions on a server, an administrator must add
its signer, or a group the signer is in, to the Server document (Security
tab - Agent Restrictions section).
Agents can perform both restricted actions and unrestricted actions.
Unrestricted actions, such as file system and operating system access,
can potentially cause serious damage to the server, so administrators
must be careful about which signers are allowed to run unrestricted
agents.
Note: There are two kinds of agents: triggered and scheduled. Triggered
agents are activated by a user action, such as clicking a button or
selecting a menu item. Scheduled agents run automatically, on a
schedule, or when events happen inside a database, such as a new mail
document arriving. Only triggered agents work offline.

If a subscription contains triggered agents, do the following to make
them work offline.
1. If the subscription contains restricted agents, create a group called
   DOLS_Restricted_Agents in the Domino Directory.
2. Add the full names of the signers of the restricted agents to the
   DOLS_Restricted_Agents group.
   If an agent has been configured to run as a Web user (Agent
   Properties - Design tab - Run as Web user), use the full name of its
   signer. Otherwise, use the full name of the signer who modified it
   last (for example, NewDevelopment/IBM).
3. If the subscription uses unrestricted agents, create a group called
   DOLS_Unrestricted_Agents in the Domino Directory.
4. Add the full names of the signers of the unrestricted agents to the
   DOLS_Unrestricted_Agents group.
   If an agent has been configured to run as a Web user (Agent
   Properties - Design tab - Run as Web user), use the full name of its
   signer. Otherwise, use the full name of the signer who modified it
   last (for example, NewDevelopment/IBM).
5. In the Server document, on the Security tab - Agent Restrictions
   section, add DOLS_Restricted_Agents to the Run restricted
   LotusScript/Java agents field. Add DOLS_Unrestricted_Agents to the
   Run unrestricted LotusScript/Java agents field.
6. Make sure agent signers have at least Editor access in the ACLs of all
   databases where the agents run.
7. Use DOLCert.id (in the Domino data directory) as the certifier ID to
   create cross-certificates for each user or organization you specified
   as being able to execute agents. DOLCert.id creates cross-certificates
   issued by O=DOLS. There may already be cross-certificates issued by
   the Lotus Domino 6 server for these names. You can use the ID file or
   public key for the agent user and organization to generate
   cross-certificates.
Note: If a database uses agents, make sure they're all signed and that the
server's CERT.ID is cross-certified with DOLCERT.ID.


Optional tasks for DOLS administrators

In addition to required administration tasks, there are a few optional
tasks for the administrator:
    Adding a directory catalog to the subscription
    Viewing DOLS download information
    Reducing DOLS download time with selective replication
    Web Control instructions for DOLS users

Adding a directory catalog to a DOLS subscription

Adding a directory catalog to a DOLS subscription allows users to take
Domino Directory information offline. To add a directory catalog to a
subscription:
1. Read the following.
   Adding a catalog means more for a user to download. To keep download
   time reasonable, you may want to create a directory catalog
   specifically for offline users that contains only the information
   they absolutely need.
   To add a default catalog, open the NOTES.INI file on the server and
   add the line $DOLSDirectoryCatalog=nameofcatalog.nsf (nameofcatalog
   being the actual name of the catalog). Once you do this, you don't
   need to specify a catalog in the Directory catalog to replicate field
   in the Offline Configuration Profile document. You must add a default
   catalog for iNotes Access for Outlook users.
   From the DOLS Customize subform, you can create a field that looks up
   a catalog's name on the server record and populates the Directory
   catalog to replicate field with that name.
2. Open the Offline Subscription Configuration Profile document.
3. Enter the name of the catalog in the Directory Catalog field in the
   Rules tab.


Viewing DOLS download information

To view information on subscription use, click the Configuration tab in
Lotus Domino Administrator 6. Then click Offline Services - Users. In the
Users view, you can see the name of each user who has installed a
subscription, the names of the security domains, the names of the
applications downloaded, and the download dates and times.
Click a column header to change the order of the data in the view. Open
a document to see all the information on a particular download.

Reducing DOLS download time with selective replication

By controlling what is replicated offline, you can control the size of a
subscription and reduce download time for remote users who may have
a slow connection. To set limits on what users take offline, do the
following:
1. Open the main subscription.
2. Open the Database Properties box.
3. From the Database Basics tab, click Replication Settings.
4. In the Replication Settings dialog box, click Advanced.
5. Enter one of the following in the When computer field:
   OfflineSync/DOLS - Settings apply to all users of the subscription.
   User/Domain - Settings apply to that user only.
   Note: Individual user settings take precedence over OfflineSync/DOLS
   settings.
6. Choose replication settings. For example, you can check Replicate a
   subset of documents and choose the folders and views you want
   synchronized to the user's machine. You can also have the documents
   synchronized by formula: check Select by Formula and enter a formula
   so that only selected users are able to synchronize a selected folder.
   Note: DOLS requires that you add the following text to any selective
   replication formula that you create. It selects the Offline
   Subscription Configuration Profile document, which the offline copy
   needs; if you omit it, offline users will not be able to open their
   offline applications:
   |Form="DOLSOfflineConfiguration"
   The following example shows a selective replication formula with the
   required text:
   SELECT From=@UserName|Form="DOLSOfflineConfiguration"
7. To save the settings, click OK.
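An administrator maintaining several subscriptions will want to verify that every selective replication formula carries the required clause before users take the subscription offline. The following Python is an added example, not code from this manual or from Lotus. It treats the formula as text (it does not evaluate Notes formula language), checks for the clause, and appends it when missing, parenthesizing a selection that already contains &, | or ! so the appended | applies to the whole selection. Accepting the string written in braces as well as double quotes is the example's own allowance, and the sample formulas are constructed.

```python
"""Check and repair a DOLS selective replication formula.

Added example, not Lotus code.  The manual requires every selective
replication formula on a DOLS subscription to carry the clause
    |Form="DOLSOfflineConfiguration"
so that the Offline Subscription Configuration Profile document reaches the
client.  This check is textual: it does not evaluate Notes formula language,
it only verifies that the disjunct is present and appends it when missing.
Accepting the string written with braces ({...}) as well as double quotes
is this example's own allowance.
"""
import re

REQUIRED_CLAUSE = 'Form="DOLSOfflineConfiguration"'

# The clause as it may already appear: optional spacing, either string
# delimiter, keyword case ignored.
_CLAUSE_RE = re.compile(
    r'Form\s*=\s*(?:"DOLSOfflineConfiguration"|\{DOLSOfflineConfiguration\})',
    re.IGNORECASE)
_SELECT_RE = re.compile(r"^SELECT\s+(.+)$", re.IGNORECASE | re.DOTALL)


def has_required_clause(formula):
    """True if the formula already selects the configuration document."""
    return _CLAUSE_RE.search(formula) is not None


def ensure_required_clause(formula):
    """Return `formula` with the DOLS clause OR-ed onto its selection.

    The existing selection is kept.  When it already combines terms with
    &, | or !, it is parenthesized so the appended | applies to the whole
    selection and not only to its last term.  A trailing semicolon is
    removed before appending.
    """
    body = formula.strip().rstrip(";").strip()
    match = _SELECT_RE.match(body)
    if not match:
        raise ValueError("expected 'SELECT <expression>', got %r" % formula)
    if has_required_clause(body):
        return body
    expr = match.group(1).strip()
    if re.search(r"[&|!]", expr):
        expr = "(%s)" % expr
    return "SELECT %s|%s" % (expr, REQUIRED_CLAUSE)


def formula_problem(formula):
    """Return None if `formula` is acceptable as-is, else a short reason."""
    try:
        fixed = ensure_required_clause(formula)
    except ValueError as exc:
        return str(exc)
    if fixed != formula.strip().rstrip(";").strip():
        return "missing %s" % REQUIRED_CLAUSE
    return None


if __name__ == "__main__":
    # Constructed formulas for illustration.
    for f in ("SELECT From=@UserName",
              'SELECT Form="Memo" & From=@UserName;',
              'SELECT From=@UserName|Form="DOLSOfflineConfiguration"'):
        print("%-55s -> %s" % (f, ensure_required_clause(f)))
```

formula_problem is the function to call from an audit over all subscriptions: a None result means the formula already includes the clause, while any other result names what is wrong.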


Web Control instructions for DOLS users


The Web Control is a pop-up menu in the subscription from which users
can install the subscription, synchronize, choose a language for the
interface text, and open the subscription online or offline. To open the
pop-up menu, users click on either the words Go Offline, or an image
in a frame on the main Web page of the subscription.

To access the Web Control menu using shortcuts


The following are instructions on installing a DOLS subscription with
minimal use of a mouse. Along with a username, password, and address,
you may want to send these instructions to users who want or require
alternative access to software features.
To take a subscription offline:
1. Open the subscription online.
2. Click once anywhere on the Web page.
3. Press TAB to move the focus to different frames until the focus is on
the image or words Go Offline. This is the Web Control.
4. Press ENTER. The pop-up menu opens.
5. (Optional) Press the up and down arrow keys to navigate to the
Language menu item, then press the right arrow key. The list of
languages opens. Press the up and down arrow keys to navigate to a
language and press ENTER. This is the language the subscription
interface appears in offline.
6. Open the pop-up menu again.
7. Press the up and down arrow keys to select Install Subscription.
Note There are no keyboard shortcuts for the Languages menu.

DOLS troubleshooting and error messages

If you have problems configuring a subscription to go offline, you may
want to look at the following log files:
    DOL.LOG (found in the \Program Files\Lotus iNotes directory on the
    client machine).
    LOG.NSF (found in the \Program Files\Lotus iNotes\Data directory on
    the client machine). To open this file from a browser while offline,
    enter http://127.0.0.1:89/LOG.NSF.


For more information on customizing how users install the subscription,
see Customizing how users install the DOLS subscription in the Lotus
Domino Designer 6 Help.

Error messages
The following table lists client and server error messages you may see as
you use DOLS. These error messages are logged in LOG.NSF under
Miscellaneous Events. You can locate LOG.NSF in the \Program
Files\Lotus iNotes\Data directory on the client machine. To open this
file from a browser while offline, enter http://127.0.0.1:89/LOG.NSF.
Error message: Error requesting offline configuration from the server.
Description: The Offline Subscription Configuration Profile document is
missing or you may have a connection error. Open LOG.NSF to see the
corresponding server error message.

Error message: This subscription is not configured correctly to go offline.
Description: An error occurred during download. Open LOG.NSF to see the
corresponding server error message.

Error message: Unable to download file set component information for this
subscription.
Description: This is an HTTP request error and involves an access
restriction. Open LOG.NSF to see the corresponding server error message.

Error message: HTTP Error 404.
Description: The Offline Subscription Configuration Profile document may be
missing.

Error message: The remote server is not a known TCP/IP host.
Description: Synchronization failure.


Chapter 12
Planning the Service Provider Environment
This chapter describes the server and IP configurations and discusses
configuration-related decisions that you will make before you set up an
xSP server.

Planning the xSP server environment

A Domino service provider delivers services to small- and medium-sized
businesses, or multiple hosted organizations, from a single Domino
domain. To those hosted organizations, the service provider offers
Internet protocol-based access to a specific set of applications running on
Domino servers. By using a service provider, a company can outsource
the administration of applications and services that were formerly run on
the company's own computer infrastructure.
This portion of the documentation focuses on the decisions you will be
making when planning and setting up your xSP server environment. You
can then use your xSP server to host small and medium businesses.

The Domino service provider administrator


The responsibilities of a service provider administrator include
maintaining both the server environment at the host site and, to varying
degrees, the hosted organizations.
First and foremost, the service provider administrator is responsible for
setting up and maintaining xSP servers, that is, protocol and database
servers as well as any Domino clusters and network routers.
Note The generic term xSP can refer to many different types of service
providers: application, Internet, storage, and management, to name
just a few.

Although the hosted organization administrator can perform some of the
user and group maintenance, the service provider administrator
performs a significant amount of the administrative tasks required to
maintain a hosted organization. At a minimum, the service provider
administrator is responsible for registering and maintaining hosted
organizations and controlling which applications the hosted organization
uses. In addition, the service provider administrator must create and
maintain a mechanism that the hosted organizations' administrators use
to communicate problems and issues that require the intervention of the
service provider administrator.

Ways to set up a service provider environment


There are two ways to set up a service provider environment. You can set
up an xSP server, which features a shared Domino Directory, or you can
use server partitioning. The term shared Domino Directory indicates
that there is one Domino Directory shared by multiple hosted
organizations. All data is secured and accessible only by the small or
medium business that owns the data. A second option is Domino server
partitioning, which you use to run multiple instances of the Domino
server on a single computer.
Set up an xSP server to offer pure Internet protocol-based access to a
specific set of applications on Domino servers. For example, iNotes Web
Access is such an application. Using an xSP server reduces the total cost
of ownership for a designated set of services offered to several
customers accessing the server through standard Internet protocols. In a
service provider environment, you are hosting multiple companies in one
Domino domain.
Use Domino partitioning to offer a Domino server where the customer
can have Notes client access and can create and run their own Domino
applications. Setting up a partitioned server is particularly effective when
the partitions are in different Domino domains. Partitioning provides a
completely separate server for each customer, as well as a completely
separate Domino Directory.
For more information on partitioned servers, see the chapter Setting Up
the Domino Network.


Securing the service provider environment


The Domino service provider environment uses all of the standard
Domino security features to ensure complete security for the service
provider and the hosted organizations that subscribe to the service
provider's services. An xSP environment that has multiple hosted
organizations has potentially thousands of users whose access must be
restricted to their own data only.
In addition, the service provider configuration uses extended ACLs in
the Domino Directory to protect the data of each hosted organization
from access by users in other hosted organizations. The extended ACLs
required to support the xSP security model are automatically established
when new hosted organizations are created. Plan and test carefully if you
want to modify ACLs and extended ACLs in an xSP environment;
security is extremely important.
For more information on extended ACLs, see the chapter Setting Up
Extended ACLs, and for more information on ACLs, see the chapter
Controlling User Access to Domino Databases.
A user in a hosted organization cannot directly access databases in any
subdirectory other than the hosted organization's directory. The
exceptions are the help and common subdirectories of the Domino data
directory, which contain databases accessible to users in all hosted
organizations.
To provide users with access to databases outside the hosted
organization's subdirectory, create a directory link within the hosted
organization's directory.
For more information on how directory links work and how to create
them, see the chapter Organizing Databases on a Server.
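The directory rule described above, as an added example that is not Domino's own code: a small Python model of the authorization decision for a hosted organization's user, which canonicalizes the requested path (mixed separators, "..", absolute and drive-qualified paths), confines access to the organization's directory plus the shared help and common subdirectories, and treats a directory link as the administrator's sanctioned way out of that directory. The `links` mapping, its (organization, link name) key shape and the sample paths are constructed assumptions for illustration.

```python
"""Model of the xSP directory-access rule (illustrative, not Domino's code)."""
from __future__ import annotations

SHARED_SUBDIRS = {"help", "common"}   # readable by users of every hosted organization


def normalize(path: str) -> list[str] | None:
    """Canonicalize a path given relative to the Domino data directory.

    Returns lower-cased path components, or None when the path is absolute,
    carries a drive letter, or uses '..' to climb above the data directory.
    """
    raw = path.replace("\\", "/")           # Win32 and UNIX separators both occur
    head = raw.split("/", 1)[0]
    if raw.startswith("/") or ":" in head:
        return None
    parts: list[str] = []
    for part in raw.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not parts:
                return None                 # would escape the data directory
            parts.pop()
        else:
            parts.append(part.lower())      # Win32 file names are case-insensitive
    return parts or None


def authorize(hosted_org: str, path: str,
              links: dict[tuple[str, str], str] | None = None) -> tuple[bool, str]:
    """Decide whether a user of `hosted_org` may open the database at `path`.

    `links` is a constructed model of directory links: (organization directory,
    link name), both lower-cased, -> target directory under the data directory.
    Returns (allowed, reason or effective path).
    """
    parts = normalize(path)
    if parts is None:
        return False, "path escapes the data directory"
    if len(parts) < 2:
        # Root-level databases such as NAMES.NSF are governed by ACLs and
        # extended ACLs, not by the directory rule modelled here.
        return False, "not inside a hosted organization directory"
    org_dir = hosted_org.lower()
    top = parts[0]
    if top in SHARED_SUBDIRS:
        return True, "/".join(parts)
    if top != org_dir:
        return False, f"database belongs to directory '{top}'"
    # Inside the organization's own directory. If the second component names
    # a directory link, the request is served from the link's target instead.
    target = (links or {}).get((org_dir, parts[1]))
    if target is not None:
        target_parts = normalize(target)
        if target_parts is None:
            return False, "directory link target is invalid"
        return True, "/".join(target_parts + parts[2:])
    return True, "/".join(parts)


if __name__ == "__main__":
    # Constructed sample: CompanyA's administrator created a link named "crm"
    # inside CompanyA's directory that points at shared/crm.
    sample_links = {("companya", "crm"): "shared/crm"}
    for request in ("CompanyA/mail/juser.nsf", "CompanyA\\..\\CompanyB\\mail\\bsmith.nsf",
                    "help/readme.nsf", "CompanyA/crm/accounts.nsf", "names.nsf"):
        print(f"{request:45} -> {authorize('CompanyA', request, sample_links)}")
```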

The authentication controls in Site documents control only who can
authenticate and use the Internet protocols. After authentication, ACLs
and extended ACLs control the data that can be read from and written to
the Domino Directory.

Using Domino features in a hosted server environment


There are several Domino features that need to be set up for a hosted
environment, just as they would need to be set up in a non-hosted,
enterprise environment. This section describes the features that are
required in a hosted environment and explains when to set them up.

Domino certificate authority


For some Internet certificates and for Domino Off-Line Services (DOLS),
you must use the Domino certificate authority (CA). The Domino CA is
required only if a hosted organization uses DOLS or wants to generate
Notes IDs. For example, a hosted organization may require Notes IDs for
its users if it uses a third-party application that uses the C API to perform
a function. If a hosted organization uses the Web Administrator to
manage their own users and groups, the hosted organization must use
certifiers issued by the Domino server-based CA.
If a hosted organization's users are registered at the service provider site,
they can be registered with certifier IDs and passwords or with the
Domino server-based CA.

Using SSL in a hosted environment


To use SSL in a hosted environment, you must do the following for each
hosted organization:
• Create a new Domino server-based Certificate Authority (CA). Two
  or more hosted organizations cannot share the same Domino CA.
• Create a Certificate Requests database.
For more information on setting up and using the Domino server-based
CA and creating the Certificate Requests database, see the chapter
Setting Up a Domino Server-Based Certification Authority.

Policies
Policies are required when using the Domino service provider software.
Before registering a hosted organization, the service provider
administrator must decide which policy settings to implement. Before
registering a hosted organization, the service provider administrator can
create policy documents and policy settings documents and then assign
those documents during registration, or the service provider
administrator can create the documents during the hosted organization
registration process.


For more information on policies, see the chapter Using Policies and
see the topic Using Policy Documents in a hosted environment later in
this chapter.

Domino Off-Line Services


Domino Off-Line Services (DOLS) is supported in a hosted environment.
If a hosted organization uses DOLS, the hosted organization must be
registered with the Domino server-based CA. The registration process for
hosted organizations that support DOLS is almost identical to the setup
and registration of hosted organizations that do not support DOLS.
For more information on Domino Off-Line Services (DOLS), see the
chapter Setting Up Domino Off-Line Services.

Using the C API Extension Manager in a hosted environment

The C API Extension Manager is fully supported in a hosted
environment; however, there can be only one Extension Manager on a
server. If the Extension Manager must provide different services for each
hosted organization, program the Extension Manager to do the filtering.
For more information, see the C API User's Guide and the C API Reference
Guide on the IBM Web site, www.ibm.com.

Planning the IP Address configurations in a hosted environment

A crucial step in planning an xSP configuration is to determine which of
the following IP address configurations to use:
• One IP address that is shared by multiple hosted organizations
• One IP address for each individual hosted organization
• A combination of the above two configurations
The IP address configuration that you choose will have an impact on
your entire xSP configuration.

One IP address that is shared by multiple hosted organizations


The following figure shows xSPserver1 supporting multiple hosted
organizations sharing IP address 92.32.2.0.
[Figure: xSPserver1 supports three hosted organizations with one shared
IP address. xSPserver1 (IP address 92.32.2.0) runs the HTTP protocol
server, database server, and application server; the home pages
www.CompanyA.com, www.CompanyB.com, and www.CompanyC.com all
resolve to 92.32.2.0.]
Note SSL is not supported in this configuration because Domino does
not provide server authentication on a per-hosted-organization basis.
If the configuration features one IP address shared by multiple hosted
organizations, POP3, IMAP, HTTP, SMTP, LDAP, and Domino IIOP are
the available protocols. In this configuration, each IP address entered on
the Internet Site documents must be the same for each protocol. The
POP3, IMAP, and LDAP users must use their Internet e-mail addresses
to authenticate. This configuration does not support anonymous access to
LDAP.


One IP address for each individual hosted organization


If you are using SSL, use a unique IP address for each hosted
organization. To use this configuration, you must bind the IP address to
the xSP server.
For more information on binding an IP address to a hosting server, see
the chapter Setting Up the Service Provider Environment.
The following figure shows xSPserver2 supporting three hosted
organizations, each with its own unique IP address.
[Figure: Individual IP addresses for each hosted organization; multiple
hosted organizations on one server. xSPserver2 (IP address 92.32.2.1)
runs the HTTP protocol server, database server, and application server
and hosts www.CompanyA.com at 92.32.2.2, www.CompanyB.com at
92.32.2.3, and www.CompanyC.com at 92.32.2.4.]
Combination of IP address configurations


You can use a combination of the two IP address configurations shown
above. The following figure shows three servers that collectively host
many hosted organizations.
[Figure: Three servers, xSPserver10 (IP address 92.32.3.4), xSPserver11
(IP address 92.32.3.6), and xSPserver12 (IP address 92.32.3.5), host
www.CompanyD.com at 92.32.3.1, www.CompanyE.com at 92.32.3.2,
www.CompanyF.com at 92.32.3.3, www.CompanyI.com at 92.32.3.7, and
www.CompanyG.com and www.CompanyH.com, which share the address
92.32.3.5, the address of xSPserver12.]
Planning the distribution of hosted organization data


The following four configurations are supported for distributing hosted
organization data within the service provider environment.
When you configure a hosted environment, databases must reside on the
xSP server, that is, the server to which the hosted organizations are
connecting.

Hosted organization data on one server
All of a hosted organization's data can reside on one server. As the
number of hosted organizations increases, you can easily add additional
servers.
[Figure: One hosted organization with all data on one server. As the
customer base increases, servers may be added. xSPserver1 holds the data
for hosted organization CompanyJ.]

Multiple organizations on one server with a shared application
Multiple hosted organizations can share an application that is served
from a single server. Data for the hosted organizations resides on the
server with the application.
[Figure: Three hosted organizations sharing one application from a
single server. The order entry application resides on xSPServer2, together
with the data for hosted organizations CompanyA, CompanyB, and
CompanyC.]

A hosted organization's data distributed across multiple servers
A hosted organization's data can be distributed across multiple servers
that all run the same set of applications on each server to provide load
distribution and hot backups. You can include Domino clusters and
network routers in this configuration.
[Figure: One hosted organization's data is distributed across three
servers, each offering the same applications to provide hot backups and
load distribution. All servers are part of a Domino cluster. xSPServer3,
xSPServer4, and xSPServer5 each run the data distribution application and
each hold data for hosted organization CompanyB.]

Combined configuration
You can use any combination of the above configurations.
[Figure: Combined configuration. xSPserver6 is the CompanyA server and
holds data for hosted organization CompanyA; xSPserver7 is the CompanyJ
server and holds data for hosted organization CompanyJ; xSPserver8
contains the workflow application for CompanyA and for CompanyJ and
holds data for both hosted organizations.]
Deciding which protocols and services to offer in the xSP
environment

Another aspect of planning a hosted environment is determining which
services to offer to customers. There are some considerations unique to
the Lotus Domino service provider environment that you will need to
take into consideration when determining which protocols (services) you
are offering to hosted organizations.
If you are offering mail services, you must provide the protocols to
support them. If you do not offer mail services, you do not need the
POP3, IMAP, or SMTP protocols.

Protocol/Service: HTTP with iNotes Web Access
Requirement: When sending mail via iNotes Web Access, enable HTTP
on the server that stores the mail file.

Protocol/Service: IIOP
Requirement: Domino IIOP is required to run Java code.

Protocol/Service: LDAP
Requirement: If you use POP3 or IMAP and the client mail application
supports LDAP, you can also use LDAP to provide the mail clients with
addressing services. Lightweight Directory Access Protocol (LDAP) is a
standard Internet protocol for accessing and managing directory
information. If LDAP will be used with the Domino Directory, the LDAP
protocol must be started.

Protocol/Service: POP3 and IMAP
Requirement: POP3 and IMAP are access protocols only, that is, they
retrieve mail. SMTP is required to enable POP3 and IMAP users to send
mail. Additionally, the POP3 or IMAP client must be configured to send
mail via an SMTP server.

Protocol/Service: SSL
Requirement: SSL can be used in addition to Domino's security services.
SSL supports data encryption to and from clients and provides
message-tampering detection and optional client authentication.
Note SSL is supported only for hosted environments that use a unique IP
address configuration.

Resolving mail addresses in a hosted environment


IP addresses are resolved via the Domain Name System (DNS), local host
file, or a combination of the two.
For ease of access and ease of administration, you can use host names
and Web site names to resolve mail addresses and to process transactions.
The following table indicates which names are used by each protocol.

Name: Server host name. For example, serverA.corporation.com
Protocol: POP3 and IMAP clients use server host names to locate host
servers when retrieving mail. Inbound HTTP transactions can use server
host names when resolving transactions. LDAP clients use server host
names when performing directory lookups. Web browsers can use server
host names in URLs, in addition to other types of DNS names.

Name: Web site name. For example, www.corporation.com
Protocol: HTTP transactions are resolved via Web site name.

Name: The domain portion of an Internet e-mail address. For example,
the corporation.com portion of the e-mail address JUser@corporation.com
Protocol: SMTP mail transactions use the domain portion of an Internet
e-mail address. This domain name must also be entered in the Global
Domain document. MX records must designate the IP addresses for the
servers receiving SMTP mail.

For information on the Domain Name Service (DNS) and MX records,
see the chapter Overview of the Domino Mail System.
For more information on the Domain Name System (DNS) and MX
records, see the topics The Domain Name System (DNS) and SMTP mail
routing and Examples of using multiple MX records.

Using activity logging for billing at hosted organizations


Using activity logging, you can collect data about the server activity
generated by users (such as user activity on a POP3 server) and
server activity not generated by users (such as replication of a hosted
organization's databases). The log file (LOG.NSF) records activity logging
data. To create reports of activity data, write a Notes API program to
access the information in the log file.
Note The activity logging C API is included in the Lotus C API Toolkit
for Domino and Notes 6. This public C API can be used to read activity
data.
For more information on activity logging, see the chapter Setting Up
Activity Logging.

Activity records
Many sessions that the Domino server hosts last for an extended period
of time. To avoid losing activity information, many activity types
generate regular checkpoint records. For example, a two-hour Notes
session creates eight records: one open record, six checkpoint records and
one close record, assuming that the default checkpoint interval of 15
minutes is used. You need only review the most recent checkpoint record
for any activity because each checkpoint record shows all logged activity
data.

Billing methods
You will want to consider various billing methods based on your
business requirements. Consider one of these billing methods:
• Number of users at the hosted organization site.
• Number of users at the hosted organization site, plus disk space
  usage.
• Actual use. To collect activity data by database, use activity logging.
  To collect the data by individual hosted organization, use the activity
  logging API to write a custom application that sorts the data by
  hosted organization. Then, you can bill each hosted organization
  accordingly.
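An added example, not the manual's or the C API Toolkit's code, of the custom application the actual-use billing method and the Activity records topic describe: it keeps only the most recent checkpoint or close record of each session (each checkpoint carries the session's cumulative totals), derives the hosted organization from the database's top-level directory, and totals usage per organization. The record fields and the sample log are constructed assumptions, not the activity-logging record layout.

```python
"""Per-hosted-organization usage from activity-logging records (illustrative)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ActivityRecord:
    """Constructed stand-in for one activity-logging record."""
    session_id: str
    record_type: str      # "open", "checkpoint" or "close"
    seq: int              # position of the record within the session
    user: str
    database: str         # path relative to the Domino data directory
    bytes_read: int       # cumulative totals for the whole session so far
    bytes_written: int
    transactions: int


def hosted_org_of(database: str) -> str:
    """Derive the hosted organization from the database's top-level directory
    (each organization's data lives beneath its own data directory)."""
    return database.replace("\\", "/").split("/")[0]


def latest_per_session(records: list[ActivityRecord]) -> dict[str, ActivityRecord]:
    """Keep only the most recent record of each session; a checkpoint already
    holds everything logged for the session, so earlier ones are redundant."""
    latest: dict[str, ActivityRecord] = {}
    for rec in records:
        current = latest.get(rec.session_id)
        if current is None or rec.seq > current.seq:
            latest[rec.session_id] = rec
    return latest


def usage_by_org(records: list[ActivityRecord]) -> dict[str, dict[str, int]]:
    """Sum session totals per hosted organization for actual-use billing."""
    totals: dict[str, dict[str, int]] = defaultdict(
        lambda: {"sessions": 0, "open_sessions": 0, "bytes_read": 0,
                 "bytes_written": 0, "transactions": 0})
    for rec in latest_per_session(records).values():
        org = totals[hosted_org_of(rec.database)]
        org["sessions"] += 1
        if rec.record_type != "close":
            org["open_sessions"] += 1        # still running: totals are provisional
        org["bytes_read"] += rec.bytes_read
        org["bytes_written"] += rec.bytes_written
        org["transactions"] += rec.transactions
    return dict(totals)


def two_hour_session(session_id: str, user: str, database: str) -> list[ActivityRecord]:
    """Constructed sample: a two-hour Notes session logged with the default
    15-minute checkpoint interval yields one open, six checkpoint and one
    close record, with cumulative counters growing on each record."""
    kinds = ["open"] + ["checkpoint"] * 6 + ["close"]
    return [ActivityRecord(session_id, kind, seq, user, database,
                           bytes_read=seq * 1000, bytes_written=seq * 250,
                           transactions=seq * 10)
            for seq, kind in enumerate(kinds)]


# Constructed sample log: one finished session for CompanyA, and a CompanyB
# session that has so far produced only its open record and one checkpoint.
SAMPLE_LOG = two_hour_session("S1", "JUser/CompanyA", "CompanyA/mail/juser.nsf") + [
    ActivityRecord("S2", "open", 0, "BSmith/CompanyB", "CompanyB/orders.nsf", 0, 0, 0),
    ActivityRecord("S2", "checkpoint", 1, "BSmith/CompanyB", "CompanyB/orders.nsf",
                   4000, 800, 12),
]

if __name__ == "__main__":
    for org_name, use in sorted(usage_by_org(SAMPLE_LOG).items()):
        print(org_name, use)
```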

Deciding which applications to offer multiple hosted organizations


In addition to deciding which protocols and services to offer, you must
decide which applications to host. You can make a single application
available to multiple hosted organizations; you can offer individual
applications to each hosted organization; or, you can offer a combination
of the two.


Suggested criteria
Prior to choosing and installing applications for hosted organizations, do
the following:
1. Decide how to track the applications available to each hosted
organization. Lotus Notes/Domino 6 does not include an application
to track installed applications.
2. Evaluate applications. For example, if an application is Notes-based,
it may need to access external files, or, it may be a Java application.
3. Evaluate the reliability of the application. Is the application reliable
or does it cause the server to stop or crash? Determine the impact, if
any, that each application has on server performance.
4. Determine if the application presents any security risks. Ensure that
the application does not allow users to navigate the file system or
add or run their own executable programs.
5. Evaluate how well the new application integrates with the existing
configuration.
6. Test each application on a non-production server before installing it
on an xSP server. Make sure that each application is easy to install
for each hosted organization.
Note Domino does not support the use of servlets for xSP servers.

Example of planning a hosted environment


xSP International is a Domino service provider that plans to host Web
applications and offer services and protocols to many hosted
organizations. To configure the hosted environment, xSP International
plans to set up a Domino domain that includes clustered servers,
allowing them to define physical storage locations, other than the default,
for their hosted organizations.
xSP International plans to support SSL; therefore, they will use unique IP
addresses. They begin by installing two servers in their Domino domain:
Server1 and Server2. Although each server will contain data for multiple
hosted organizations, the data for each individual hosted organization
will reside on only one server. The data for a hosted organization will not
be distributed across multiple servers. Identical applications will run on
each server. If needed, xSP International can add additional servers to
this configuration.


The following figure illustrates this configuration.
[Figure: xSP Server1 (all applications) holds the data for CompanyA and
CompanyB; xSP Server2 (all applications) holds the data for CompanyC
and CompanyD.]
xSP International will initially register four hosted organizations in this
domain. To set up the first hosted organization, CompanyA, the service
provider administrator does the following:
1. Reads the topic Installing the first server or additional servers for
hosted environments prior to installation. After reading all of the
information in the chapters listed in Step 2, the service provider
completes the Installing the first server or additional servers for
hosted environments procedure.
2. Reads the information in the chapter Deploying Domino and then
reads the chapter Installing and Setting Up Domino Servers. After
installing the initial xSP server, the service provider completes as
many procedures from these chapters as necessary.
3. Determines that a billing strategy based on actual usage suits the
requirements of CompanyA and xSP International.
4. Enables activity logging on all servers in the domain.
5. Uses the activity logging API to write a custom application to sort
data by hosted organization so that xSP International can bill each
hosted organization according to actual usage.

Chapter 13
Setting Up the Service Provider Environment
This chapter explains how to set up a hosted organization, lists and
explains the files and documents created when you register a hosted
organization, and provides other related information.

Setting up the service provider environment

Setting up the service environment consists of understanding the
information presented in the topics below so that you can make decisions
based on the services you are providing to customers, as well as
completing the tasks in the topics listed below.
• Installing the first server or additional servers for hosted
  environments
• Setting up the Domino Certificate Authority for hosted
  organizations
• Using Policy Documents in a hosted environment
• What happens during hosted organization registration?
• Binding the IP addresses of the hosted organization to the xSP
  server
• Creating Loopback addresses in a hosted environment
• Using Internet Site documents in a hosted environment
• Configuring Internet sites with Web Site and Internet Site
  documents
• Using Global Web Settings documents
• Configuring activity logging for billing hosted organizations

Installing the first server or additional servers for hosted environments


All servers in an xSP domain run as xSP servers; therefore, you only use
the -asp portion of the setup command when you install the first server
in an xSP domain. All servers subsequently installed into the domain are
automatically configured as xSP servers.
Configuring the first or an additional server for a hosted environment
does the following:
• Creates an All Servers Configuration Settings document if there is no
  Configuration Settings document.
• Modifies the All Servers Configuration Settings document to set
  proper defaults for service providers.
• Sets up an extended ACL for the Domino Directory (NAMES.NSF)
  and the Administration Requests database (ADMIN4.NSF) to limit
  access to only users and/or administrators in the same hosted
  organization.
• Modifies the Server document to set proper defaults for service
  providers.
• Sets the ACL on databases in the data directory.
• Modifies a server-specific Configuration Settings document (if one
  exists) to set defaults for service providers.
• Modifies the database ACL for Anonymous from No Access to
  Reader.
The service provider configuration provides services to multiple hosted
organizations from a single Domino Directory.
Before performing this procedure, see the chapter Installing and Setting
Up Domino Servers.
1. To install the first xSP server, do one of the following:
   For Win32 systems, run this command from the directory in which
   the SETUP.EXE file is located:
   setup.exe -asp
   For UNIX, run this command:
   install -asp
   For more information on installing Domino on UNIX, see the chapter
   Installing and Setting Up Domino Servers.
2. Start the server.
3. Choose the Domino Enterprise server setup.
4. As the Setup wizard runs, enter the information appropriate to your
configuration.

Setting up a hosted organization


To set up a hosted organization, complete these procedures:
1. (Optional) Set up a server-based certification authority (CA).
2. Create a policy document.
3. Create a registration policy settings document.
4. Register a hosted organization.
5. Bind the IP addresses of the hosted organization to the xSP server.
6. Create the necessary Internet Site documents and the Web Site
document.

Setting up the Domino certificate authority for hosted organizations

A CA vouches for the identity of both server and client by issuing
Internet certificates that are stamped with the CA's digital signature.
The digital signature assures the client and server that both the client
certificate and the server certificate can be trusted. The CA also issues
trusted root certificates, which allow clients and servers with certificates
created by different CAs to communicate with one another.
Each hosted organization must have its own Domino CA. If the hosted
organization uses DOLS or if they require Notes IDs, the hosted
organization must use the Domino server-based CA. If the hosted
organization administrator plans to use the Web Administrator, that
hosted organization must use the Domino server-based CA to
register users.
When registering hosted organizations, you can use the Domino
server-based certification authority (CA). If you don't use the
server-based CA, you can use Domino's certifier ID and password
for security purposes.
As part of setting up a CA, create a Certificate Requests database.
Then, using the Certificate Requests database, you can submit Internet
certificate requests through a browser, pick up new or renewed
certificates, and receive notification regarding request status.
For more information on the Domino CA and the Certificate Requests
database, see the chapter Setting Up a Domino Server-Based
Certification Authority.

Using policies in a hosted environment


Policies are required in a hosted environment. To establish the
registration settings that are required for hosted organizations, create
a policy document and a registration policy settings document.
Each hosted organization must have its own, unique registration policy
settings document. Multiple hosted organizations cannot share a
registration policy settings document.
For more information on policies, see the chapter Using Policies.
To meet the requirements for creating policy and registration policy
settings documents, you can create the policy before registering the
hosted organization, or you can create the policy during the registration
of the hosted organization.

To create the policy before registering the hosted organization

Create an explicit policy prior to registering the hosted organization.
Create the registration policy settings document before creating the
hosted organization. Before attempting to use the explicit policy,
make sure that you have referenced the appropriate registration
policy settings document in that policy document.

To create the policy while registering the hosted organization

Create an organizational policy and a registration policy settings
document when prompted during hosted organization registration.
The Register Hosted Organization user interface displays the
documents that you need to create for hosted organizations during
the registration process. These documents are presented in the order
in which they need to be created.

Requirements for the registration settings document for hosted
organizations
For a hosted organization, the registration settings documents must
include the following settings:
• The Policy Name field must contain a valid registration policy
  settings document name.
• The Password Quality field must have a value of at least Any
  Password. Do not choose Password is optional.
• Set Internet Password must be selected.

What happens when you register a hosted organization?

You must use the Register Hosted Organization user interface to register
each hosted organization. When you register a hosted organization, the
following files and documents are created:

The certificate for the hosted organization is created. If a
modification to the certificate is ever required, you can locate the
certificate as follows: From the Domino Administrator, click the
People & Groups tab. Click Certificates.

The hosted organization certificate is cross-certified with the service
provider's certificate. A Cross Certification document is created. To
verify that cross certificates were created, from the Domino
Administrator, click the Configuration tab. Click Server - Miscellaneous -
Certificates. Click Notes Cross Certificates.

The service provider's certificate is cross-certified with the hosted
organization certificate. A Cross Certification document is created.

A Global Domain document is created. The Global Domain
document stores the primary Internet domain name by which the
hosted organization is known and stores secondary Internet domain
names by which the hosted organization can receive Internet mail.

A data directory is created for the hosted organization. This directory
is assigned the name that is specified in the Directory field on the
Storage panel of the Register Hosted Organization interface. By
default, for Win32 systems, the hosted organization's data directory
is placed directly beneath Domino/data. On UNIX systems, the
default is /local/notesdata. You can specify another location in the
Physical Storage Location field on the Storage panel of the Register
Hosted Organization interface.

A mail subdirectory for the hosted organization is created beneath
the hosted organization's data directory.

A mail file is created for the hosted organization's administrator.
This is an NSF and resides in the mail subdirectory for the hosted
organization.

An ACL file is created for each hosted organization to provide
security for the hosted organization's directory. The ACL file prevents
users in one hosted organization from traversing a directory that
belongs to another hosted organization. If a hosted organization's
ACL file is deleted, users in other hosted organizations may be able to
review the content of the directories belonging to the hosted
organization that is no longer protected by an ACL file. Do not
confuse hosted organization ACL files with database ACLs, which
control server, user, and group access to databases that reside on a
Domino server. The actual databases may or may not be protected
according to how individual database ACLs are set.
The ACL file resides in the Domino data directory and is named
<hosted organization name>.ACL.
For more information on setting database ACLs, see the chapter
Controlling User Access to Domino Databases.

An extended ACL is applied to the Administration Requests
database (ADMIN4.NSF) and the Domino Directory (NAMES.NSF)
to restrict access to the data in those databases. The extended ACL is
enabled on the Domino Directory when the first hosted organization
is registered.

The database ACL entry for Anonymous is changed from
No Access to Reader access in NAMES.NSF when the first hosted
organization is registered.

Entries are made for the hosted organization administrator in the
database ACLs and the extended ACLs to allow the hosted
organization administrators to Browse, Read, Create, Delete, and
Write documents for their hosted organization.

Extended ACL entries are created for all users and groups in a
hosted organization (*/HostedOrganizationName) providing Browse
and Read access to that hosted organization only.

An extended ACL entry is created for Anonymous for each hosted
organization with all access disabled. Entries are also made in the
Form and Field Access in extended ACLs with Read Deny checked
for the following fields:
Schema: Domino, Form: Group, Attributes: InternetAddress,
MailDomain, Members, and Type. Form: Person, Attributes:
AltFullName, Certificate, FirstName, InternetAddress, LastName,
Location, MailAddress, MailDomain, o, OfficeCity, OfficeCountry,
OfficeState, OfficeStreetAddress, OU, ShortName, UserCertificate,
PublicKey, and Type. Schema: LDAP, Form: DominoPerson,
Attribute: cn.
If LDAP Anonymous access is allowed to a hosted organization, the
above fields match the default ACL for LDAP set in the Domain
Configuration document. This list can be modified. Plan and test
carefully before you modify ACLs and extended ACLs in an xSP
environment; security is extremely important.

For more information on extended ACLs, see the chapter Setting up
Extended ACLs and for more information on modifying the default
extended ACL settings established during hosted organization
registration, see the topic Modifying the extended ACL settings
established during hosted organization registration in this chapter.

An Internet Site document is created for each Internet service for
which you provide an IP address or host name on the Internet panel
of the Register Hosted Organization interface. The documents that
are created contain default information for the protocol. You provide
additional, detailed information for these documents during hosted
organization registration. If you provide an address or host name for
multiple protocols, you are prompted to create the Internet Site
document for each Internet protocol. You must create the Internet
Site document in order to use the corresponding Internet protocol.
You are also prompted to create one Web Site document for each
hosted organization. The Web Site document is the Internet Site
document for the HTTP protocol. If a hosted organization has
multiple Web sites, create one additional Web Site document for each
additional Web site.

For more information on Web Site documents, see the chapter Setting
up the Domino Web Server. For more information on Internet Site
documents, see the chapter Installing and Setting Up Domino Servers.

If you are using clustered servers, you can use the Storage panel on the
Register Hosted Organization interface to create additional storage for
the hosted organization on one or more servers in the cluster.
Note The HostedOrganizationAdmin group is created by default
(when you set up the hosted environment) and administrators are
automatically added to that group. Administrator groups enable you
to administer groups of people with administrator rights at one time
instead of individually establishing rights and settings for each
hosted organization administrator.
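The following script, an added example that is not part of this documentation or of Domino, checks the on-disk artifacts listed above for each registered hosted organization: its data directory, its mail subdirectory, and the <hosted organization name>.ACL file whose absence leaves the directory unprotected from users of other hosted organizations. It assumes the Win32 default layout in which each hosted organization's data directory sits directly beneath the Domino data directory; the organization names and the temporary directory it builds are constructed for illustration.

```python
"""Check that the on-disk artifacts created for each hosted organization are
present: its data directory, its mail subdirectory and the per-organization
ACL file (<hosted organization name>.ACL) in the Domino data directory.
Added example, not Lotus/IBM code. The layout it assumes is the Win32 default
described in the text (data directory directly beneath the Domino data
directory); all names are constructed."""
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class HostedOrgCheck:
    name: str
    data_dir_ok: bool
    mail_dir_ok: bool
    acl_file_ok: bool
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.data_dir_ok and self.mail_dir_ok and self.acl_file_ok


def check_hosted_org(domino_data: str, org_name: str) -> HostedOrgCheck:
    """Inspect one hosted organization. Assumed layout:
      <domino_data>/<org_name>/        data directory
      <domino_data>/<org_name>/mail/   mail subdirectory
      <domino_data>/<org_name>.ACL     ACL file that isolates the directory
    """
    org_dir = os.path.join(domino_data, org_name)
    mail_dir = os.path.join(org_dir, "mail")
    # File names are case-insensitive on Win32 but not on UNIX, so accept both spellings.
    acl_paths = [os.path.join(domino_data, org_name + ext) for ext in (".ACL", ".acl")]

    result = HostedOrgCheck(
        name=org_name,
        data_dir_ok=os.path.isdir(org_dir),
        mail_dir_ok=os.path.isdir(mail_dir),
        acl_file_ok=any(os.path.isfile(p) for p in acl_paths),
    )
    if not result.data_dir_ok:
        result.problems.append(f"data directory missing: {org_dir}")
    if not result.mail_dir_ok:
        result.problems.append(f"mail subdirectory missing: {mail_dir}")
    if not result.acl_file_ok:
        # The case the text warns about: without its ACL file the directory is
        # no longer protected from users of the other hosted organizations.
        result.problems.append(f"ACL file missing: {acl_paths[0]}")
    return result


def check_hosted_orgs(domino_data: str, org_names: List[str]) -> Dict[str, HostedOrgCheck]:
    """Check every registered hosted organization (names as they appear in the
    Certificates view) and return the results keyed by organization name."""
    return {name: check_hosted_org(domino_data, name) for name in org_names}


def build_sample_data_dir() -> str:
    """Constructed sample layout in a temporary directory: 'Acme Printing' is
    complete, 'BetaCo' has lost its ACL file. Returns the data directory path."""
    root = tempfile.mkdtemp(prefix="notesdata_")
    for org in ("Acme Printing", "BetaCo"):
        os.makedirs(os.path.join(root, org, "mail"))
        open(os.path.join(root, org, "mail", "admin.nsf"), "wb").close()
    open(os.path.join(root, "Acme Printing.ACL"), "wb").close()  # BetaCo.ACL deliberately absent
    return root


if __name__ == "__main__":
    data_dir = build_sample_data_dir()
    for org, res in check_hosted_orgs(data_dir, ["Acme Printing", "BetaCo"]).items():
        print(f"{org}: {'OK' if res.ok else 'PROBLEMS: ' + '; '.join(res.problems)}")
```

Run it against the real Domino data directory with the list of hosted organization names taken from the Certificates view; a missing ACL file is the finding to act on first, since the text states that the directory is then readable by users of the other hosted organizations.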

Where to store data for hosted organizations

To decide where to store a hosted organization's data, evaluate whether
you are saving private data or shared data. Store a hosted organization's
private data in a directory belonging to the hosted organization. Store
shared data in a common data directory accessible to all.


Note The Basics tab on the Server document contains the field
Loads Internet configurations from Server/Internet Sites
documents, which is enabled by default and cannot be changed in a
hosted environment. When this field is enabled, settings on the
Internet Site document take precedence over settings on the Server
document. This field is set when the servers are installed.

Registering hosted organizations with names requiring a server in
UTF-8 locale

If you will be registering hosted organizations that have names
containing characters from more than one character set, the registration
server must be run in a UTF-8 locale. For example, if both Korean and
Japanese hosted organization names must be supported, the server must
be in a UTF-8 locale. If only the Japanese hosted organization names are
supported, the server can be run in Japanese locale.

Opening databases on an xSP server

When the service provider administrator uses the File - Database - Open
menu commands to open a database, the Open Database dialog box does
not list all of the databases on the server, but all of the databases are
available by typing the database name in the Filename field, and then
clicking Open. For convenience, create bookmarks for the most
frequently opened databases.

Example of registering a hosted organization

In this example, Acme Printing, a small business, subscribes to
messaging services and some transaction-processing services offered by
xSP International, a Domino service provider.
To register Acme Printing as a hosted organization, the service provider
administrator at xSP International answers these questions:

Does Acme Printing support DOLS users? Do they need Notes IDs?
If Acme Printing supports DOLS or needs Notes IDs for any purpose,
a Domino CA needs to be created for the hosted organization. If not,
they can use certifier IDs and passwords. Acme Printing does
support DOLS users.

Which mail protocol does Acme Printing use? If they use POP3 or
IMAP, they need SMTP on the same server. Acme uses POP3, so they
need SMTP.

Which registration settings are needed for the registration policy
settings document for Acme Printing? The service provider
administrator determines that Acme Printing needs the CA-related
settings and POP3-related mail settings. Other default settings can
also be used.

Does Acme Printing require storage locations in addition to the
default storage locations? If the service provider administrator set up
Acme Printing on a clustered server, they'll be able to use additional
storage on servers in the cluster. On what server and directory will
that storage be located?

Later, when an administrator is ready to register users for the hosted
organization, they can determine whether they can simplify user
registration by creating additional policy settings documents, such as
desktop policy settings documents and security policy settings
documents. An administrator can create these policy settings
documents as he would for any Lotus Domino enterprise. User
registration for Acme Printing employees is done by the service
provider administrator instead of by an Acme Printing administrator
using the Web Administrator.

The service provider administrator at the service provider site does the
following from the Domino Administrator:

1. Creates a Domino server-based CA for Acme Printing because they
support DOLS. Each hosted organization that needs a server-based
CA requires its own Domino CA because the CA cannot be shared
across multiple hosted organizations.
2. Creates an explicit policy named AcmePolicy and an associated
registration policy settings document.
3. Chooses Tools - Hosted Organization - Create to open the Register
Hosted Organization interface.
4. The service provider administrator begins completing the required
fields on each panel and enters information in these optional fields:
On the Basics panel, selects the option Organization supports
DOLS and chooses the explicit policy named AcmePolicy.
On the Internet panel, enters an IP address in the HTTP
Host/Address, SMTP Host/Address, POP3 Host/Address, and
Directory Host/Address fields because Acme requires these for its
Web site, for POP3 messaging with SMTP, and for LDAP services,
respectively.
On the ID Info panel, chooses CA Enabled and chooses the CA
Server on which the Acme CA was created because Acme
supports DOLS users.
On the Storage panel, because Acme will be hosted on a clustered
server at the service provider site, he enters an additional physical
storage location in Physical Storage location for <server name>.
5. After entering information in the Register Hosted Organization
interface, clicks the Register button.
6. Completes the Web Site document, the POP3 Site document, the
SMTP Site document, and the LDAP Site document. While
completing the Web Site document, the service provider
administrator follows the instructions for enabling the correct DSAPI
filter file name to support DOLS.
For more information on specifying the DSAPI filter file name in the
Web Site document, see the chapter Installing and Setting Up
Domino Servers.
7. Completes the procedure to bind the hosted organization's IP
address to the Network Interface Card on the xSP server because the
IP Address configuration includes individual IP addresses for each
hosted organization.
8. Checks the following views and directories to see the documents and
files that have been created for the hosted organization, Acme
Printing.
From the Domino Administrator, People & Groups tab, he clicks
Certificates to verify that Acme Printing's certificate has been
created. He also verifies that Acme Printing's certificate is
cross-certified with xSP International's certificate, and that xSP
International's certificate has been cross-certified with Acme
Printing's certificate.
From the Domino Administrator, he opens the Domino Directory
and chooses Servers - Domains to see the Global Domain
document for Acme Printing. On the Basics tab, the field
Local primary Internet domain contains the primary Internet
domain name by which the hosted organization is known. He also
enters a secondary Internet domain name in the Alternate
Internet domain aliases field by which Acme Printing can receive
Internet mail.
Verifies that the hosted organization's data directory was created,
as well as the hosted organization's mail directory. The service
provider administrator also verifies that the ACL file, Acme
Printing.acl, was created and that the mail file for the hosted
organization's administrator has been created.
From the Domino Administrator, he opens the Domino Directory
and checks the Server - Internet Sites view. The service provider
administrator sees that these documents exist for Acme: Web Site
document, SMTP Site document, POP3 Site document, and LDAP
Site document. This view also contains a Global Web Settings
document for xSP International and three Web Site Rule
documents.
From the Domino Administrator, opens the Policy view and
checks the explicit policy (AcmePolicy) and the associated
registration policy settings document (Acme).

For more information on the Web Site document, see the chapter Setting
Up the Domino Web Server and for more information on Internet Site
documents, see the chapter Installing and Setting Up Domino Servers.

Registering a hosted organization

The information that you enter in the fields on the Register Hosted
Organization interface is used to populate many of the documents that
define the hosted organization. For example, you select the policy that
applies to the hosted organization from a list of available policies.
Otherwise, the policy can be created during the hosted organization
registration process. Additionally, the Internet-related information
determines which Internet Site documents are created for the hosted
organization. The Internet Site documents contain the information
needed to run the Internet servers in a service provider configuration
and support all possible configurations of IP addresses and DNS host
names. In a hosted environment, a Site document is required for each
protocol that the hosted organization uses.

1. Ensure that you are working with the xSP server you just installed. If
you need to change to another server, choose File - Open Server, or
File - Preferences - Administration Preferences to select the server.
2. From the Domino Administrator, click the Configuration tab.
3. From the Tools pane, click Hosted Org - Create.
4. Enter the certifier's password, and click OK.

5. Complete these fields on the Basics panel of the Register Hosted
Organization interface:

Registration Server: Enter the name of the server to use during the
registration process. The Domino Administrator contacts the
registration server while performing registration tasks.

Organization name: Enter a unique name for the hosted organization.
The name must be fewer than 28 characters and cannot contain a
period (.) because the hosted organization name is also used as the
hosted organization's virtual Domino domain name for routing
purposes. For ease of administration, use a short name with no
spaces. Organization name is a required entry that is also used in the
Internet Site documents.

Organization supports DOLS: Choose this option if the hosted
organization supports Domino Off-Line Services (DOLS).

Password: Enter a case-sensitive password for the certifier. The
characters you use for this password depend on the level set in the
Password quality scale.

Password quality: Displays the Password Quality Scale that you can
use to define the complexity of the password. Do not choose
Password is optional.

Explicit Policy: Choose the explicit policy document that is the
ancestor of the registration policy settings document you are
assigning to the hosted organization. Click None Available if you
have not yet created the necessary policies and/or settings
documents.

First Name, Middle Name, Last Name: Enter the name of the hosted
organization administrator.

Password: Enter a password for the hosted organization
administrator.


6. Complete as many of these fields as needed to enable the
corresponding protocols for the hosted organization. When you enter
the host name or IP address for a protocol, that protocol is enabled
when the corresponding Site document is created. You are prompted
to complete the corresponding Site document later during this
registration process.

Internet Domain: Enter the name of the Internet domain. By default,
the exact Internet domain name that you specified for this hosted
organization on the Mail tab of the registration policy settings
document is entered. For example, enterprise.com.

HTTP Host/Address: Enter the host name or IP address of the HTTP
server for the hosted organization.

SMTP Host/Address: Enter the host name or IP address of the server
that receives SMTP transactions for the hosted organization.

POP3 Host/Address: Enter the host name or IP address of the POP3
server for the hosted organization.

IMAP Host/Address: Enter the host name or IP address of the IMAP
server for the hosted organization.

Directory Host/Address: Enter the host name or IP address of the
LDAP server for the hosted organization.

IIOP Host/Address: Enter the host name or IP address of the Domino
IIOP server for the hosted organization.

7. Complete these fields on the ID Info panel:

CA Enabled: Choose this option if the hosted organization supports
DOLS or uses Notes IDs.

CA Server: Enter the name of the server on which you created the
Domino CA. This is the server on which the CA process will create
Internet Certificates. This button is active only if you have created a
Domino CA.

Set ID file: Specify the drive and directory in which the ID file is to
be stored. By default, the certifier ID name matches the hosted
organization name. The certifier ID must be unique to the hosted
organization.


8. Complete these fields on the Storage panel:

Mail Server: By default, this field contains the name of the mail
server for the hosted organization exactly as you entered it in the
registration policy settings document for the hosted organization. The
hosted organization and the administrator's mail file will be stored on
this server. This field cannot be modified.

Directory: By default, this field contains the name of the directory in
which the hosted organization's data resides. For ease of
administration, the directory name is created for you and is identical
to the hosted organization name. This field cannot be modified.

Host: Indicates whether the corresponding server hosts the hosted
organization. This field cannot be modified for the first entry in this
list. The first server entry in this list has a check mark because that
server is identified in the registration policy settings document as the
mail server for the hosted organization. For all other servers, a check
mark in this box identifies that server as a host server for the hosted
organization.

Server Name: Name of the server that is hosting the hosted
organization. If multiple server names appear in this list, the first
server in the list is the hosting server; other servers are the cluster
mates.

Physical Storage location: The directory name that is displayed is an
alternate location where the hosted organization's data directory will
reside if you do not use the default location.

Physical Storage location for <server name>: Use this field to create a
directory link to an additional storage location for the hosted
organization you are registering. This field is activated when you
select a server in the Server Name field. The check box for the server
must be checked in order to select it.
To add a directory link, enter the full path for the storage location
and then click the check box so that the directory link displays in the
Physical Storage Location field.
To delete a directory link, select the link in the Server Name/Physical
Storage Location fields. When the path displays in the modifiable
Physical Storage Location for <server> field, click the X.


9. (Optional) Complete these fields on the Other panel:

Location: Enter text to define the location of the hosted organization.

Comment: Enter text to define the hosted organization's name and
other information.

10. If you have not selected an explicit policy for this hosted
organization, this message appears:
"You must configure the organizational registration
policy for the hosted organization. This policy must
contain the necessary hosted organization settings. Do
you want to configure that policy now?"

11. Click Yes. If you click No, the hosted organization is not created.

12. Click Register. The Internet Site document for the first protocol you
specified appears. Modify the defaults, and add new information as
necessary.

Note The individual fields are listed in the topic What happens when
you register a hosted organization? in this chapter.

Note If the hosted organization supports DOLS, on the Web Site
document, specify a DSAPI filter file name according to the operating
system of the xSP server that hosts that hosted organization. Win32
requires the file ndolextn; and Linux, AIX, Solaris/Sparc, S390, and
iSeries require libdolextn.
For more information on Internet Site documents, see the chapter
Installing and Setting Up Domino Servers and for more information on
the Web Site document, see the chapter Setting Up the Domino Web
Server.

Modifying the extended ACL settings established during hosted
organization registration

Plan and test carefully before you modify ACLs and extended ACLs in
an xSP environment; security is extremely important.
When hosted organization registration is complete, all actions that are
identified in the topic What happens when you register a hosted
organization? are complete. You may want to enable Read access on
some fields for a hosted organization. To allow Read access to fields for
the anonymous entry in a hosted organization, in the extended ACL
settings, change Browse from Deny to Allow. In the Forms and Fields
Access section, select Show Modified, and change the fields from Read
Deny to Read Allow.
For more information on extended ACLs, see the chapter Setting Up
Extended ACLs.
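To make the extended ACL entries that registration creates (listed under What happens when you register a hosted organization?) and the Anonymous Read-allow change described above concrete, here is a small Python model of those rules. It is an added example, not Domino code, and calls no Domino API; the Domino server evaluates extended ACLs itself. The hosted organization name, administrator name and user names are constructed, and matching a */OrgName wildcard against the organization component of a hierarchical name is a simplification of the real name matching.

```python
"""Toy model of the extended ACL (xACL) entries that hosted organization
registration creates in NAMES.NSF, and of the Anonymous Read-allow change
described under 'Modifying the extended ACL settings'. Added example, not
Domino code: the Domino server evaluates extended ACLs itself; this model
only makes the isolation rules in the text concrete. Names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

RIGHTS: FrozenSet[str] = frozenset({"Browse", "Read", "Create", "Delete", "Write"})
FormField = Tuple[str, str]

# (form, field) pairs that registration sets to Read Deny for Anonymous (list from the text).
ANON_READ_DENY: FrozenSet[FormField] = frozenset(
    [("Group", f) for f in ("InternetAddress", "MailDomain", "Members", "Type")]
    + [("Person", f) for f in (
        "AltFullName", "Certificate", "FirstName", "InternetAddress", "LastName",
        "Location", "MailAddress", "MailDomain", "o", "OfficeCity", "OfficeCountry",
        "OfficeState", "OfficeStreetAddress", "OU", "ShortName", "UserCertificate",
        "PublicKey", "Type")]
    + [("DominoPerson", "cn")]
)


@dataclass
class XaclEntry:
    """One subject's entry on a hosted organization's subtree."""
    allowed: Set[str]                                   # subset of RIGHTS
    read_deny: Set[FormField] = field(default_factory=set)
    read_allow: Set[FormField] = field(default_factory=set)


@dataclass
class HostedOrgXacl:
    org: str
    entries: Dict[str, XaclEntry] = field(default_factory=dict)


def registration_defaults(org: str, admin: str) -> HostedOrgXacl:
    """Entries the text says registration creates for one hosted organization."""
    x = HostedOrgXacl(org)
    x.entries[admin] = XaclEntry(set(RIGHTS))                       # hosted org administrator
    x.entries[f"*/{org}"] = XaclEntry({"Browse", "Read"})           # all users and groups in the org
    x.entries["Anonymous"] = XaclEntry(set(), set(ANON_READ_DENY))  # all access disabled
    return x


def _org_of(name: str) -> str:
    """Organization component of a hierarchical Notes name, in abbreviated
    ('Jane Doe/AcmePrinting') or canonical ('CN=Jane Doe/O=AcmePrinting') form."""
    last = name.rsplit("/", 1)[-1]
    return last[2:] if last.upper().startswith("O=") else last


def _entry_for(x: HostedOrgXacl, subject: str) -> Optional[XaclEntry]:
    if subject in x.entries:                          # explicit entry (admin, Anonymous)
        return x.entries[subject]
    return x.entries.get(f"*/{_org_of(subject)}")     # wildcard for the subject's org, if any


def allows(x: HostedOrgXacl, subject: str, right: str) -> bool:
    """Does subject hold the right on this hosted organization's subtree?
    A subject from another hosted organization matches no entry at all."""
    e = _entry_for(x, subject)
    return e is not None and right in e.allowed


def can_read_field(x: HostedOrgXacl, subject: str, form: str, fld: str) -> bool:
    """Field-level read: a Read Deny on the form/field overrides subtree Read."""
    e = _entry_for(x, subject)
    if e is None or (form, fld) in e.read_deny:
        return False
    return "Read" in e.allowed or (form, fld) in e.read_allow


def allow_anonymous_read(x: HostedOrgXacl, fields: Set[FormField]) -> None:
    """The modification described in the text: Browse Deny -> Allow for
    Anonymous and the chosen fields Read Deny -> Read Allow."""
    anon = x.entries["Anonymous"]
    anon.allowed.add("Browse")
    anon.read_deny.difference_update(fields)
    anon.read_allow.update(fields)
```

The model shows the property worth testing before changing a real extended ACL: a user of one hosted organization matches no entry on another organization's subtree, and opening a field to Anonymous affects only that field while the remaining Read Deny entries stay in force.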

Binding the IP addresses of the hosted organization to the xSP
server

If you assign an individual IP address to each hosted organization, use
one of the following procedures to bind the IP address of each hosted
organization to the network interface card in the xSP server. This
procedure applies only to configurations that include unique IP
addresses.
For more information on the IP configurations that you can use in a
hosted environment, see the chapter Planning the Service Provider
Environment.

SUN Solaris
Enter these commands as the root user, where <hme0> is the network
interface card.
ifconfig <hme0>:1 plumb
ifconfig <hme0>:1 <hosted_company1_ip> <server_ip> up
ifconfig <hme0>:2 plumb
ifconfig <hme0>:2 <hosted_company2_ip> <server_ip> up
.
.
.
ifconfig <hme0>:x plumb
ifconfig <hme0>:x <hosted_companyx_ip> <server_ip> up

IBM AIX
Enter the following command as the root user, where <en0> is the
network interface card.
ifconfig <en0> alias <IP address of hosted organization> netmask 255.0.0.0

Microsoft Windows NT 4.0
1. From the Microsoft NT desktop, right-click the Network
Neighborhood desktop icon and choose Properties.
2. Choose Protocols, and then double-click TCP/IP Protocol.
3. From the TCP/IP Properties box, click Advanced.
4. Click Add to add additional hosted organization IP addresses.
Accept the default subnet mask of 255.0.0.0.

Microsoft Windows 2000
1. From the Windows 2000 desktop, right-click the Network
Neighborhood desktop icon and choose Properties.
2. Right-click the Ethernet adapter, and then select Properties.
3. From the Adapter Properties box, double-click Internet Protocol
(TCP/IP).
4. Click Advanced.
5. Click Add to add additional hosted organization IP addresses.
Accept the default subnet mask of 255.0.0.0.

Creating loopback addresses in a hosted environment

If you use a network router in the xSP configuration and you assigned a
unique IP address to each hosted organization, you must create a
loopback address for each hosted organization. The instructions vary by
platform.

SUN Solaris
Enter these commands as the root user:
ifconfig <lo0>:1 plumb
ifconfig <lo0>:1 <hosted_company1_ip> <server_ip> up
ifconfig <lo0>:2 plumb
ifconfig <lo0>:2 <hosted_company2_ip> <server_ip> up
.
.
.
ifconfig <lo0>:x plumb
ifconfig <lo0>:x <hosted_companyx_ip> <server_ip> up

IBM AIX
Enter this command as the root user:
ifconfig <lo0> alias <IP address of hosted organization> netmask 255.0.0.0

Microsoft Windows NT 4.0
1. From the Windows NT desktop, right-click the Network
Neighborhood icon, and choose Properties.
2. Click Adapters, choose Add, and select MS Loopback Adapter.
3. When the adapter has been added, click Protocols and select TCP/IP
Protocol.
4. Select MS Loopback Adapter.
5. Click the Specify an IP Protocols tab, and enter the IP address for
the HTTP cluster 9.95.87.142.
6. Enter the subnet mask 255.255.255.128 and click OK.
7. Restart the system.

Microsoft Windows 2000
1. From the Windows 2000 desktop, right-click the Network
Neighborhood icon, and choose Properties.
2. Right-click the Ethernet adapter and choose Properties.
3. From the Adapter Properties box, double-click Internet Protocol
(TCP/IP).
4. Click Advanced.
5. Click Add to add an additional IP address. Accept the default subnet
mask of 255.0.0.0.
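The ifconfig sequences in the binding and loopback procedures above repeat one command pair per hosted organization. The following Python script, an added example rather than part of this documentation, generates those Solaris and AIX commands from a name-to-address plan and first checks the plan for duplicate addresses, a clash with the server's own address, and addresses outside the server's subnet under the 255.0.0.0 mask the procedures use; pass lo0 as the interface for the loopback case. Interface names, organization names and addresses are constructed.

```python
"""Generate the ifconfig commands that give each hosted organization its own
IP address on a Solaris or AIX xSP server, following the command forms shown
in the binding and loopback procedures, after checking the address plan.
Added example, not part of the Domino documentation; organization names,
addresses and interface names are constructed for illustration."""
import ipaddress
from typing import Dict, List


def validate_plan(server_ip: str, hosted: Dict[str, str],
                  netmask: str = "255.0.0.0") -> List[str]:
    """Return a list of problems with the address plan (empty list = consistent).

    The procedures apply only to unique-IP configurations, so two hosted
    organizations sharing one address is an error, as is reusing the server's
    own address. Each address must also lie in the server's subnet under the
    netmask the procedures use (255.0.0.0 by default).
    """
    problems: List[str] = []
    try:
        server = ipaddress.ip_address(server_ip)
        subnet = ipaddress.ip_network(f"{server_ip}/{netmask}", strict=False)
    except ValueError as exc:
        return [f"server address/netmask invalid: {exc}"]

    seen: Dict[str, str] = {}   # address -> first organization that claimed it
    for org, text in hosted.items():
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            problems.append(f"{org}: '{text}' is not a valid IP address")
            continue
        if addr == server:
            problems.append(f"{org}: {addr} is the server's own address")
        if addr not in subnet:
            problems.append(f"{org}: {addr} is outside the server subnet {subnet}")
        if str(addr) in seen:
            problems.append(f"{org}: duplicate address {addr} already used by {seen[str(addr)]}")
        else:
            seen[str(addr)] = org
    return problems


def solaris_commands(iface: str, server_ip: str, hosted: Dict[str, str]) -> List[str]:
    """Solaris logical interfaces iface:1, iface:2, ... one per hosted
    organization, in the order given (the hme0:1 ... hme0:x sequence above)."""
    cmds: List[str] = []
    for n, addr in enumerate(hosted.values(), start=1):
        cmds.append(f"ifconfig {iface}:{n} plumb")
        cmds.append(f"ifconfig {iface}:{n} {addr} {server_ip} up")
    return cmds


def aix_commands(iface: str, hosted: Dict[str, str],
                 netmask: str = "255.0.0.0") -> List[str]:
    """AIX aliases one address per hosted organization onto the same interface."""
    return [f"ifconfig {iface} alias {addr} netmask {netmask}" for addr in hosted.values()]


if __name__ == "__main__":
    # Constructed sample plan; use lo0 instead of hme0/en0 for the loopback case.
    plan = {"Acme Printing": "10.1.2.10", "BetaCo": "10.1.2.11"}
    for p in validate_plan("10.1.2.5", plan):
        print("PROBLEM:", p)
    print("\n".join(solaris_commands("hme0", "10.1.2.5", plan)))
    print("\n".join(aix_commands("en0", plan)))
```

The script only prints the commands; review the output and run it as the root user yourself, as the procedures require. Keep the plan file under the same change control as the Internet Site documents, since the addresses in both must agree.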

Using Internet and Web Site documents in a hosted environment

The Internet Site documents and the Web Site document contain
configuration settings for the Internet protocols. A Site document is
created for each protocol for which you enter an IP address or a host
name on the Internet panel of the Register Hosted Organization interface.
The Site document is created containing default information; you must
enter additional information in each Site document either during hosted
organization registration or later. The Internet protocol is not active until
the corresponding Internet Site or Web Site document is completed and
saved.
The Site documents contain the information needed to run the Internet
servers in a service provider configuration. They support all possible
configurations of IP addresses and DNS host names.


Internet Sites view

Using the Internet Sites view, you can view all Internet Site documents,
sorted according to hosted organization name. The Global Web Settings
documents and Web Site Rule documents also display in this view. The
following table describes each document shown in the view.

Web Site document: Web Site documents are generated for the HTTP
protocol. Each hosted organization has one Web Site document that
can be created during hosted organization registration. If a hosted
organization has multiple Web sites, you must create one Web Site
document for each additional Web site.
Note See the chapter Installing and Setting Up Domino Servers, for
information on configuring Web Site documents.

IMAP Site document, POP3 Site document, SMTP Inbound Site
document: These are the mail protocol Internet Site documents. An
individual Internet Site document is created for each mail protocol for
which you enter an IP address on the Internet panel of the Register
Hosted Organization interface.

LDAP Site document: This document is generated for LDAP servers.

IIOP Site document: Domino IIOP (DIIOP) uses the information in the
IIOP Internet Site document to define the scope of the Domino
Directory used to validate users. DIIOP enables you to use any Java
code running on any server on the network. DIIOP is not yet
supported in a shared IP address configuration.

Global Web Settings document: The Global Web Settings document
applies one or more Web Site Rule documents to all servers in the
Domino domain or only to specified servers in the Domino domain.
The Global Web Settings document is automatically created during
setup of a hosted organization.

Web Site Rule document: The Web Site Rule document is created from
within the corresponding Web Site document. The three Web Site Rule
documents that are automatically created in a hosted environment are
DOLS, iNotes help files, and iNotes.cab.

Viewing Web Site and Internet Site documents for a hosted
organization

1. From the Domino Administrator, click Files and open the Domino
Directory (NAMES.NSF).
2. Choose Server - Internet Sites.
3. Select the name of the hosted organization whose Internet Site
documents you want to view.
4. Double-click a document name to open it.
For more information on creating an Internet Site document, see the
chapter Installing and Setting Up Domino Servers and for information
on creating a Web Site document, see the chapter Setting Up the
Domino Web Server.

Configuring Internet sites with Web Site and Internet Site
documents

In a hosted environment, each Internet Site document defines the
configuration settings for an Internet protocol for a hosted organization.
When you register a hosted organization, you are prompted to create one
or more Internet Site documents as part of the hosted organization
registration process.
Note You have the option of not creating the Internet Site document
during hosted organization registration. You must then create the
Internet Site document in order to use the protocol.
For more information on Internet Site documents, see the topic Using
Internet and Web Site documents in a hosted environment in this
chapter.
A Web Site document is required for the HTTP protocol. You are
prompted to create one during the hosted organization registration
process. If multiple Web sites are assigned to one IP address (that is,
multiple DNS names are registered to one IP address), create a Web Site
document for each Web site.
Note If the hosted organization supports DOLS, on the Web Site
document, specify a DSAPI filter file name according to the operating
system of the xSP server that hosts that hosted organization. Win32
requires the file ndolextn; and Linux, AIX, Solaris/Sparc, S390, and
iSeries require libdolextn.
For more information on specifying the DSAPI filter file name in the Web
Site document, see the chapter Installing and Setting Up Domino
Servers.


For security purposes, you can create a File Protection document for each
server. A File Protection document controls the access that Web browser
clients have to the files on a server's hard drive. Create the File Protection
document after creating any Web Site document(s) and/or Internet Site
documents that you need.
For more information on File Protection documents, see the chapter
Controlling Access to Domino Servers.

Global Web Settings documents and the service provider environment

Domino automatically creates a Global Web Settings document when
you install the Lotus Domino service provider software. The Global Web
Settings document is associated with three Web Site Rule documents that
automatically create several directories that may be required by
numerous users at any hosted organization. The Web Site Rule
documents make files accessible from one central location on the server,
so that these files do not need to be individually downloaded for each
hosted organization. The benefit is a substantial savings in disk space
because the service provider can provide the files to all users that need
them without having to duplicate them for each individual hosted
organization.
By default, the Global Web Settings document applies to all servers in a
Domino domain. If you do not want the Global Web Settings to apply to
all servers in a Domino domain, edit the document and specify the
servers to which the document applies.
The directories that are created via the Global Web Settings document
reside in the hosted organization\domino\ directory path.
Three associated Web Site Rule documents that contain the following
settings are created when the Global Web Settings document is created in
a hosted environment:

Web Site Rule document   Type of rule   Incoming rule pattern   Target server directory
DOLS                     Directory      /download/*             domino\html\download
iNotes help files        Directory      /inotes5/help/*         domino\html\inotes5\help
iNotes.cab               Redirection    /iNotes.cab             domino\html\iNotes.cab

The Web Site Rule document for DOLS-enabled hosted organizations
downloads to a central location files that are required when the hosted
organization tries to access a DOLS-enabled database.
The iNotes.cab file is an archive file that contains controls that are
installed into a browser and make iNotes features available to browsers.
The iNotes help files are downloaded to a central location on the server
so that they do not have to be individually downloaded for each hosted
organization.
The Global Web Settings document and the Web Site Rule documents
appear in the Internet Sites view. You can review, edit, or delete them
from this view.
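The rule table above, applied to incoming request paths (an added example, not Domino's own resolver): it checks each path against the three rules in table order, maps Directory rules onto the hosted organization's domino\ directory, and rejects traversal segments before a Directory rule could expose a file outside its target directory. The hosted organization name, first-match ordering and case-insensitive comparison are assumptions.

```python
"""Resolve an incoming URL path against the three Web Site Rule documents
created by the Global Web Settings document. Added example, not Domino code."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class WebSiteRule:
    name: str       # "Web Site Rule document" column
    rule_type: str  # "Directory" or "Redirection"
    pattern: str    # incoming rule pattern; a trailing "*" matches any remainder
    target: str     # target server directory, relative to the hosted organization's directory


# The three rules from the table, as constructed data.
GLOBAL_WEB_RULES = (
    WebSiteRule("DOLS", "Directory", "/download/*", r"domino\html\download"),
    WebSiteRule("iNotes help files", "Directory", "/inotes5/help/*",
                r"domino\html\inotes5\help"),
    WebSiteRule("iNotes.cab", "Redirection", "/iNotes.cab", r"domino\html\iNotes.cab"),
)


def match_rule(pattern: str, path: str) -> Optional[str]:
    """Return the part of `path` covered by a trailing "*" ("" for an exact
    match), or None when the rule does not apply. Comparison is
    case-insensitive, an assumption about how Domino compares URL paths."""
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        if path[:len(prefix)].lower() == prefix.lower():
            return path[len(prefix):]
        return None
    return "" if path.lower() == pattern.lower() else None


def resolve(path: str, hosted_org: str,
            rules=GLOBAL_WEB_RULES) -> Tuple[str, Optional[str]]:
    """Map a request path to ("file", <path under hosted_org>),
    ("redirect", <target>), ("forbidden", None) or ("no-rule", None).

    Rules are checked in table order and the first match wins (assumption).
    A Directory rule exposes a file system directory, so the remainder of
    the URL is percent-decoded and checked for traversal segments before it
    is joined onto the target directory."""
    decoded = unquote(path)  # catch %2e%2e as well as a literal ".."
    for rule in rules:
        rest = match_rule(rule.pattern, decoded)
        if rest is None:
            continue
        if rule.rule_type == "Redirection":
            return "redirect", "\\".join((hosted_org, rule.target))
        segments = [s for s in rest.split("/") if s]
        # "." and ".." would walk out of the target directory; a backslash
        # inside a segment would do the same on a Win32 server.
        if any(s in (".", "..") or "\\" in s for s in segments):
            return "forbidden", None
        return "file", "\\".join([hosted_org, rule.target, *segments])
    return "no-rule", None
```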

Editing a Global Web Settings document

Edit the Global Web Settings document to apply one or more Web Site
Rules to one or more servers in a Domino domain.
1. From the Domino Administrator, click the Files tab.
2. Open the Domino Directory (NAMES.NSF).
3. Choose Server - Internet Sites.
4. Select the Global Web Settings document that you want to modify,
and click Edit Global Web Settings.
5. On the Basics tab, edit these fields as necessary:

Field: Descriptive name for this site
Action: Enter a name that describes the Web Site Rules that will be
associated with this document.

Field: Domino servers that host this site
Action: Enter one:
- An asterisk (*) if the document is to apply to all servers in the
Domino domain.
- One or more names of servers to which this document applies.

6. Click Save and Close.


Configuring activity logging for billing hosted organizations

You can configure activity logging to collect transaction information that
is stored in the log file (LOG.NSF) and can be used for billing purposes.
Set up the Configuration Settings document to enable activity logging on
specific servers that you designate. You can enable activity logging on
one server, or more than one server, or on all servers in your domain.
1. From the Domino Administrator, click Configuration - Server Configurations.
2. Do one of these:
- To enable activity logging on all servers in the domain, open the
existing All Servers Configuration Settings document.
- To enable activity logging for one server, create a Configuration
Settings document.
- To enable activity logging on all servers except one (or a small
number of servers), open the existing All Servers Configuration
Settings document and complete the fields on the Activity
Logging tab as shown below. Click Add Configuration to create a
new Configuration Settings document for each server that is an
exception to the settings in the All Servers Configuration Settings
document. Disable activity logging for the servers on which you
are not running activity logging.
3. On the Activity Logging tab, complete these fields:

Field: Activity logging is enabled
Action: Select this check box to enable activity logging on each server
that you designate.

Field: Enabled Logging Types
Action: Select all logging types for which you want to collect billing
information.

Field: Checkpoint interval
Action: Enter the number of minutes that transpire between activity
logging updates to LOG.NSF. The checkpoint interval applies to the
logging types that you selected and that have open, active sessions.

Field: Log checkpoint at midnight
Action: (Optional) Select this check box to create Notes session and
Notes database checkpoint records every day at midnight.

Field: Log checkpoints for prime shift
Action: (Optional) Select this check box to create Notes session and
Notes database checkpoint records at the beginning and end of a
specific time period. Specify the start and end times for the time period.

4. Click Save and Close.

Viewing logged activity data in a hosted environment

By default, logged activity data is stored in binary format in the log file,
LOG.NSF. A service provider administrator can create a Results database
to view the logged data for a hosted organization.
1. From the Domino Administrator, click the Server - Analysis tab.
2. From the Tools panel, click Analyze - Activity.
3. On the Server Activity Analysis dialog box, complete these fields:

Field: Select server activity types to search for
Action: Click the check box, and then do one of these:
- Select an activity type to view, and then click Add. Repeat to
continue adding types.
- Click Select All to view all activity types.

Field: Start Date, End Date
Action: Select the start date and end date of the time period for which
you want to analyze logged activity data. Activity data for the time
period you specify is stored in the Results database.

Field: Start Time, End Time
Action: Select the start time and end time of the logged activity data
you want to analyze. Activity data for the specified time period is
stored in the Results database.

Field: Results Database
Action: Do the following:
1. Click this button to open the Results Database dialog box.
2. Specify the server on which the Results database will reside, the
title (name) of the database, and the file name.
3. Click OK.

4. Choose one:
- Append to this database: to append the data to the existing
Results database.
- Overwrite this database: to overwrite the data in the existing
Results database with new data.
5. Click OK. When the message box displays Analysis Completed,
click OK. The Log Analysis - Log Events view opens.


Chapter 14
Managing a Hosted Environment
This chapter contains instructions for moving a hosted organization from
one server to another, modifying the Server document, adding a hosted
organization to a server to provide new Web applications, viewing
hosted organizations, using the Web Administrator to manage users and
groups at a hosted organization site, and performing other actions
required to maintain a hosted environment.

Maintaining hosted organizations

As a service provider administrator, maintaining the hosted
organizations in your hosted environment is of primary importance.
Responsibilities include maintaining the servers that host your
organizations, maintaining the hosted organizations and their data, as
well as the users at those sites.
The majority of the administration activities that are performed in a
hosted environment are exactly the same as the same activities in a
non-hosted environment. The following topics explain how to complete
activities that are unique to or different in a hosted environment. Where
necessary, there is also explanatory information.
- Adding a hosted organization to an additional server to provide new
Web applications
- Deleting a hosted organization
- Disabling services temporarily for a hosted organization
- Enabling anonymous access to a hosted organization's database
- Managing users at a hosted organization
- Moving a hosted organization from one server to another server
- Removing a hosted organization from a backup or load-balancing
server
- Restoring a hosted environment after a server crash
- Temporarily disabling services for a hosted organization
- Using a browser to access a hosted organization's Web site
- Using the Resource Reservations database in a hosted environment
- Viewing a hosted organization
- Web Administration from the hosted organization site

Adding a hosted organization to an additional server to provide new
Web applications

A hosted server environment can be configured to allow multiple servers
to provide Web applications to one or more hosted organizations. Part of
managing a hosted environment is enabling additional servers to serve
Web applications to a hosted organization. Web applications can be
distributed across multiple servers, while serving as many hosted
organizations as you designate.
You can enable a hosted organization that is currently being served
applications by one or more servers to be served a Web application by an
additional server.

To add a hosted organization to an additional server to provide new
Web applications

1. Create a data directory for the hosted organization on the target
server.
2. Create an ACL file for the hosted organization in the data directory
of the target server.
3. Create a Web Site document for the hosted organization, where the
new Web Site document's DNS name resolves to the target server's
IP address or name. This new Web Site document allows servers and
routers to distinguish between servers. Use the Basics tab on the new
Web Site document to enter the host names or addresses that map to
the site and the Domino servers that host the site.
4. To support the hosted organization, make other Web
application-specific modifications; for example, configure the
Welcome page.
5. For Web applications only, create the DNS names that direct users to
this server and to this hosted organization's Web site.
For more information on setting up a Web Site document, see the chapter
Setting Up a Domino Web Server.


Deleting a hosted organization

The service provider administrator is responsible for deleting a hosted
organization when the hosted organization stops subscribing to a service
provider's services. When you delete a hosted organization, the
following documents, files, and directories for the hosted organization
are deleted:
- Data directory
- Cross certificates
- ACL file
- Extended ACL entries in the Domino Directory's ACL file
- HostedOrganizationAdmins group
- Global Domain document
- Internet Site documents
- Policy document

To delete a hosted organization

1. From the Domino Administrator, click the Configuration tab.
2. Click Tools - Hosted Organization - Delete.
3. Select the name of the hosted organization to delete.
4. Choose one of these Processing types:
- Immediately clean up Domino Directory: removes all references to
the hosted organization from the Domino Directory immediately.
- Use Administration Process only: removes all references to the
hosted organization from the Domino Directory when the Delete
hosted organization administration request runs.
Note Both processing types generate administration requests, and
both require that you open the Administration Requests
(ADMIN4.NSF) database and approve the deletion of hosted
organization storage.
5. Click OK. You are prompted to confirm the deletion. Click Yes, and
then click OK.

To approve the deletion request

1. Click the Server - Analyses tabs.
2. Click Administration Requests (6).
3. Open the All Requests by Name view.
4. Open the Approve Deletion of Hosted Organization Storage
request.
5. Click Edit Document. Click Approve Hosted Organization Storage
Deletion to approve the request.
6. Click Yes, and then click OK.

Temporarily disabling services for a hosted organization

To disable all Internet services for a hosted organization, use the Internet
Site documents to set all authentication options to No for all Internet
protocols for a hosted organization. To enable Internet service for that
hosted organization at a later time, set the authentication options to Yes.
1. From the Domino Administrator, choose Files and open the Domino
Directory (NAMES.NSF).
2. Choose Servers - Internet Sites.
3. Select the Internet Site document that contains the settings you want
to modify, and click Edit Document.
4. Click Security. Set the Anonymous and Name and Password
fields to No to disable the service for the hosted organization. To
enable the service at a later time, reset these same fields to Yes.
For more information on the Authentication fields on the Security tab of
the Site documents, see the chapter Installing and Setting Up Domino
Servers.

Enabling anonymous access to a hosted organization's database

To make a hosted organization's database available to anonymous Web
site users, add Anonymous to the ACL file. Adding Anonymous to the
ACL file does not expose all of the hosted organization's data to
anonymous users. For example, anonymous Web users cannot browse a
hosted organization's directory because browsing is disabled.
Do not confuse an ACL file, which provides security for the hosted
organization itself, with a database ACL, which controls the access that
servers, users, and groups have to a database.


Sample ACL file

The content of a sample ACL file for a hosted organization named
company1 with Anonymous access is shown below.
.
ASP Admin/ASP
*/company1
Anonymous
LocalDomainServers
LocalDomainAdmins
[owner=company1]
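
The sample ACL file above, parsed and queried (an added example, not Domino's xSP code): it separates the [owner=...] line from the access entries and decides whether a given Notes name is covered by an exact entry, by a group entry, or by the */company1 wildcard, so that you can see what removing Anonymous from the file changes. The group membership is constructed, and the matching rules are assumptions modelled on Domino name conventions.

```python
"""Parse a hosted organization's ACL file and decide whether a Notes name is
covered by one of its entries. Added example; the matching rules are
assumptions modelled on Domino name matching, not the xSP implementation."""
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed to mirror the sample ACL file for company1 shown above.
SAMPLE_ACL_FILE = """\
ASP Admin/ASP
*/company1
Anonymous
LocalDomainServers
LocalDomainAdmins
[owner=company1]
"""

# Constructed group membership, standing in for Domino Directory groups.
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "LocalDomainServers": ["CN=Host1/O=ASP", "CN=Host2/O=ASP"],
    "LocalDomainAdmins": ["CN=ASP Admin/O=ASP"],
}


def parse_acl_file(text: str) -> Tuple[List[str], Optional[str]]:
    """Return (entries, owner). A line of the form [owner=name] is treated
    as a directive naming the hosted organization (assumption based on the
    sample); every other non-blank line is an access entry."""
    entries: List[str] = []
    owner = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key, _, value = line[1:-1].partition("=")
            if key.strip().lower() == "owner":
                owner = value.strip()
            continue
        entries.append(line)
    return entries, owner


def abbreviate(name: str) -> str:
    """Turn a canonical name (CN=Jane Doe/OU=Sales/O=company1) into its
    abbreviated form (Jane Doe/Sales/company1); abbreviated input is
    returned unchanged."""
    return "/".join(part.split("=", 1)[1] if "=" in part else part
                    for part in name.split("/"))


def entry_matches(entry: str, name: str, groups: Dict[str, List[str]]) -> bool:
    """True if `name` is the entry itself, a member of the group the entry
    names, or falls under a wildcard entry such as */company1 (any
    hierarchical name whose organization path ends in /company1)."""
    e = abbreviate(entry).lower()
    n = abbreviate(name).lower()
    if e == n:
        return True
    if e.startswith("*/"):
        return n.endswith(e[1:])  # e[1:] is "/company1"; "company1" alone does not match
    return any(abbreviate(m).lower() == n for m in groups.get(entry, []))


def is_allowed(name: str, entries: Sequence[str],
               groups: Dict[str, List[str]] = SAMPLE_GROUPS) -> bool:
    """True if any entry in the ACL file covers `name`."""
    return any(entry_matches(entry, name, groups) for entry in entries)
```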

In addition to modifying the ACL file, modify the hosted organization's
database ACL to allow anonymous access to the database.

For more information on modifying a database ACL, see the chapter
Controlling User Access to Domino Databases, and for more
information on modifying the Web Site document security settings, see
the chapter Installing and Setting Up Domino Servers.

Moving a hosted organization to another server

You may need to modify some of the procedures in this section to better
fit your individual configuration. For example, you may need to modify
your network router configuration if your configuration includes a
network router.
Moving a hosted organization that has a unique IP address varies
somewhat from moving a hosted organization that has a shared IP
address.

Moving a hosted organization that has a unique IP address

To move a hosted organization that has a unique IP address, complete
these procedures:
1. Re-create the hosted organization infrastructure on the destination
server.
2. Open the registration policy settings document for the hosted
organization that you are moving and change the original mail
server name to the name of the destination server, that is, the new
mail server.
3. Use the Domino Administrator to move databases and move users
that have mail files from the source server to the destination server.
4. Prohibit access to the source server.
5. Move non-database files from the source to the destination server.
6. Enable access to the destination server.
7. From the source server, remove the infrastructure for the relocated
hosted organization.

Moving a hosted organization that has a shared IP address

To move a hosted organization that shares an IP address with other
hosted organizations, you must change the IP address of the hosted
organization that you are moving. In addition, you must modify the
server information in the documents, as well as the DNS entries for the
hosted organization you are moving. DNS entries are often cached and
may require a substantial amount of time to process a change.
Complete these procedures:
1. Prohibit access to the source server.
2. Enter the destination server name in the Domino servers that host
this site field in all of the Site documents for the hosted
organization.
3. Create a hosted organization infrastructure on the destination server.
4. Open the registration policy settings document and change the
original mail server name to the name of the destination server,
that is, the new mail server.
5. For users who have mail files, use the Domino Administrator to
move the users from the source server to the destination server.
6. Move nondatabase files from the source server to the destination
server.
7. Enable access to the destination server.
8. Remove the infrastructure from the source server.

To create the hosted organization's infrastructure on the destination
server

1. On the destination server, do one of these:
- Create a subdirectory of the data directory. The new subdirectory
name must be identical to the subdirectory name on the source
server.
- Create a new data directory and a directory link.
2. If any directory links, database links, or Web site directory references
are located outside of the hosted organization's subdirectory, create
new directories for those links.
3. Copy the hosted organization's ACL file from the source server's
data directory to the destination server's data directory.
4. If any Web application requires a per hosted organization
infrastructure, create that infrastructure.

To edit the hosted organization's registration policy settings
document

1. From the Domino Administrator, open the Domino Directory.
2. Choose Policies - Settings.
3. Select the registration policy settings document you want to edit.
4. Click Edit Settings.
5. On the Mail tab, choose the name of the destination mail server from
the list displayed in the Choose the mail server field.
6. Click Save and Close.

To move the mail file and other databases

Caution During this procedure, do not approve the mail file deletion in
the Administration Requests database (ADMIN4.NSF). If you approve
the deletion too soon, the user will not have access to the mail file on the
source server. Approve the mail file deletion later, when doing so will
not impact user access to the mail file.
1. Make sure that you and the source server have Create Replica access
to the destination server.
2. From the Domino Administrator, click People & Groups.
3. Select the person whose mail file you are moving.
4. From the Tools panel, click People - Move.
5. Enter the destination mail server name in the Destination field.
Include the hosted organization subdirectory.
6. Select the server and paths on which you want to create mail files.
Replicas will be created at the location you select.
7. Click OK.
For more information on moving mail files, see the chapter Setting Up
and Managing Notes Users.

To enable access to the destination server

1. Associate the hosted organization's IP address with the destination
server according to your particular setup. You may need to update
host files, DNS server settings, and the IP address assigned to the
TCP/IP stack.
2. You may need to stop and restart the server depending on your
TCP/IP stack. Whether or not you can modify the IP addresses that
are served without restarting the server depends on your individual
configuration.

To prevent access to the source server

Complete this procedure after you have successfully initiated as many
Move mail file actions as necessary. This procedure applies only to
moving a hosted organization that has a unique IP address.
1. Shut down the Domino server on the source server.
2. Disassociate the hosted organization's IP address from the source
server. You may need to modify host files or DNS server settings, as
well as the IP address assigned to the TCP/IP stack.

To move non-database files from the source server to the
destination server

1. Copy all database files from the source server to the destination
server.
2. From the source server, recursively delete the non-database files that
you copied to the destination server.
3. Copy all non-database files in directories that are not within the
hosted organization's data directory. Copy the files from the source
server to the destination server.
4. Determine whether any Web application requires
per-hosted-organization data that has not already been copied. Copy
that data to the destination server, and then delete it from the source
server.
5. (Optional) Replicate the data from the source server to the
destination server to ensure that all changes made to the source
server appear on the destination server.
6. Change the IP addresses hosted by the destination server to include
the new addresses, that is, those formerly hosted by the source
server. Modify all Internet Site documents as necessary.
7. Restart the Domino server on the destination server.


For more information on the Internet Site documents, see the chapters
Setting Up the Service Provider Environment and Installing and
Setting Up Domino Servers. For more information on the Web Site
document, see the chapter Setting Up a Domino Web Server.

To remove the infrastructure from the source server

1. Open the Administration Requests database (ADMIN4.NSF) and
approve the requests to delete the source databases. When all
requests have been successfully processed, that is, when the
databases have been deleted, proceed to Step 2.
For more information on approving administration requests, see the
chapter Setting Up the Administration Process.
2. Delete the hosted organization's subdirectory from the source server.
3. Delete any directories that are specific to the hosted organization and
that reside outside of the hosted organization's data directory.
4. Delete the hosted organization's ACL file from the data directory on
the source server.

To prevent access to the source server

1. Shut down the Domino server on the source server.
2. Disassociate the hosted organization's DNS names from the source
server's IP address. Associate those DNS names with the destination
server's IP address.
3. If SSL was used for encryption, do not copy the old key ring file to
the destination server. Use the destination server's key ring file.
4. Open each Internet Site document to modify the IP address for the
hosted organization on the destination server. Make sure that Web
site names are correct.
For more information on Internet Site documents, see the topics
Internet Site documents and Using Internet Site documents in a
hosted environment.
5. Restart the Domino server on the source server.

Removing a hosted organization from a backup or load-balancing
server

Use this procedure to remove a hosted organization and all of its services
from a server that provides hot-backup or load-balancing capability. In
this configuration, one unique IP address is used for each hosted
organization. You do not need to modify the Internet Site documents
because the network router controls redirection connections for
load-balancing and for hot-backups.

To remove a hosted organization from a backup or load-balancing
server

1. Perform the necessary steps to do one of these:
- Prevent the network router from distributing the data from this
hosted organization to the destination server
- Deconfigure the hot-backup server
2. Delete files and databases from the hosted organization's data
directories and from any other directories in which hosted
organization files reside.
3. Delete the hosted organization's data directory.
4. Delete the hosted organization's ACL file from the Domino data
directory.

To remove a hosted organization from a server that provides
Web-application support

1. Remove the DNS name for the Web application.
2. Delete the Web Site document for the Web application.
3. Modify common data for the application to remove support for the
hosted organization.
4. Delete the content of the hosted organization's data directory.
5. Delete the hosted organization's ACL file.


Restoring a hosted environment after a server crash


To recover quickly from various system failures and server crashes,
implement transaction logging in the hosted environment. Also, create a
daily backup so that you can restore current data if necessary.

Restoring the Domino Directory and extended ACLs

If the Domino Directory in a hosted environment becomes corrupted,
you also lose the extended ACLs for NAMES.NSF and for
ADMIN4.NSF. Restart the servers so that transaction logging will restore
the data, including the content of the Domino Directory. You cannot
recreate the Domino Directory from the template. You must use
transaction logging and/or a recent backup of NAMES.NSF in order to
restore the Domino Directory and the extended ACLs.
If you are not using transaction logging, restore the Domino Directory
from the most recent daily backup.
For more information on transaction logging, see the chapter
Transaction Logging and the topics Transaction logging and How
transaction logging works.

How the Domino service provider software responds to a DNS
outage

The Domino service provider software can withstand DNS outages. After
the Internet Site documents have been loaded into the Domino ASP
cache, on subsequent loading of the cache, if there are any DNS-lookup
errors, cache entries are not immediately removed but are instead
removed slowly over time. DNS-lookup errors occur when DNS is
unavailable or host names cannot be resolved into IP addresses. If there
are any invalid host names in your Internet Site documents or if DNS is
unavailable, then the DNS recovery code is activated. Cache deletions
then require more time, up to two hours.
For example, a cache deletion results when you remove an IP address or
host name from an Internet Site document or remove a server from the
list of Domino servers that host the site.
The Domino service provider software recognizes Internet Site
documents during the resulting time-out period. To minimize this
recovery time-out, ensure that there are no invalid host names in your
Internet Site documents. If there are no invalid host names and DNS is
available, then cache deletions occur within five minutes.
The following console message is logged if there are invalid host names
in the Internet Site documents (excluding the Web Site document):
Lookup of IP address for host hostname.com failed

Using a browser to access a hosted organization's Web site

Use a browser to access a hosted organization's Web site; include the
name of the hosted organization's directory in the URL. Use this syntax:
http://Web_site_name/hosted_organization/database_name

For example, to access the home page for the hosted organization Acme
Printing, enter:
www.acmeprinting.com/acme_printing/homepage.nsf

For example, to access your own mail file named JSMITH.NSF, at the
hosted organization named Acme Printing, enter:
www.acmeprinting.com/acme_printing/mail/jsmith.nsf

Note You can use a Web Site document to redirect users to other Web
sites.
For more information on redirecting users to other Web sites, see the
chapters Setting Up the Domino Web Server and Installing and
Setting Up Domino Servers.

Using the Resource Reservations database in a hosted environment

You can create a Resource Reservations database that can be used for the
service provider site and for all hosted organizations. This Resource
Reservations database is created in the Domino data directory.

To create the Resource Reservations database

1. Use the template RESRC60.NTF to create the Resource Reservations
database.
For information on creating a database, see the topic Creating a
Database if you have installed Lotus Notes 6 Help. Or, go to
http://www.notes.net/doc to download or view Lotus Notes 6
Help.
2. After creating the database, open the new database.
3. Edit the database ACL as follows:
a. To the service provider administrator, assign the Create
Resource role, which allows the administrator to create new
entries in the database.
b. To default users, assign the NoAccess role to prevent users
outside of the hosted organization from accessing the database.
4. Close the database.
Caution Do not assign access rights and roles directly to a hosted
organization. Because the Resource Reservations database is not
automatically protected by an extended ACL, if you assign access rights
and roles to a hosted organization, users in the hosted organization will
be able to open the Resource Reservations database for other hosted
organizations.

In the Resource Reservations database, each hosted organization is
treated as a site. Create a Site Profile document for each individual
hosted organization.

To create a Site Profile document to support a hosted organization

1. From the Domino Administrator, open the new Resource
Reservations database.
2. To add a new hosted organization, click Add Site.
3. Enter the hosted organization name in the Site name field. Using the
hosted organization name sets the extended ACLs on the
Resource Reservations database for the site, thereby preventing
unauthorized users from accessing this database.
4. Enter the name of the hosted organization in the Domain name field.
5. Click Save and Close.
6. Add resources and reservations to the database.
For more information on the Resource Reservations database, see the
chapter Setting Up Calendars and Scheduling.

Viewing hosted organizations

The People and Groups views in the Domino Administrator are
categorized by organization name or by non-hierarchical (flat) name. The
non-hierarchical view is the default. To use the organization view, click
People or click Groups and then click by Organization.
You can view a list of the hosted organizations and corresponding Site
documents in the Domino Directory.
For more information on viewing Web Site and Internet Site documents,
see the chapter Setting Up the Service Provider Environment.

Managing users at a hosted organization

As a service provider administrator, you have varying levels of
responsibilities for user management, according to the agreements you
have with your various hosted organizations. To perform user
management actions from the service provider site, use the Domino
Administrator to register, delete, or perform any user or group
management action.
If you will be performing all user management actions from the service
provider site, see specific areas of the documentation that explain the
actions you want to perform. For example, you would most likely want
to access these areas of the documentation:
- Registering users
- Managing users
- Creating and modifying groups
- Managing groups
- Deleting a group with the Domino Administrator or the Web
Administrator

User management from the hosted organization site

To enable hosted organizations to use the Web Administrator to add and
delete users and groups, see the topic Web Administration from the
hosted organization in this chapter.


Using the Web Administrator to manage users at a hosted organization

The hosted organization administrator can use the Domino Web
Administrator to maintain users and groups. Before using the Web
Administrator, the hosted organization administrator must be familiar
with the Web Administrator.
For more information on the Web Administrator, see the chapter Setting
Up and Using Domino Administration Tools.
To use the Web Administrator, you must also use the server-based
certification authority (CA). Set up and load the CA before attempting to
access and use the Web Administrator.
For more information on the server-based CA, see the chapter Setting
Up a Domino Server-Based Certification Authority.

To set up access to the Web Administrator at a hosted organization site

Before using the Web Administrator, the hosted organization administrator must have rights in the ACLs of WEBADMIN.NSF, NAMES.NSF, and ADMIN4.NSF. The service provider administrator must assign these rights to the hosted organization administrators who are responsible for managing users and groups with the Web Administrator.
- Add the hosted organization administrator to the HostedOrganizationAdmins group and assign Author access with the People&Groups role in the ACL.
- Add the hosted organization administrator to the LocalDomainAdmins group and assign Manager access and All roles in the ACL.


Note If a hosted organization's users are registered at the service provider site, they can be registered with certifier IDs and passwords or with the Domino server-based CA. To register a user for a particular hosted organization, ensure that the service provider administrator is using a certifier created for that hosted organization. Users registered by the hosted organization administrator at the hosted organization site must be registered using the Domino server-based CA.

The hosted organization administrator needs special access in NAMES.NSF. The service provider administrator assigns these rights to the hosted organization administrators:
- Add the hosted organization administrator to the HostedOrganizationAdmins group and assign Editor access with the default roles, that is, Create documents, Delete documents, Read public documents, Write public documents, and Replicate or copy documents. Also assign the GroupCreator, GroupModifier, UserCreator, and UserModifier roles.

Give the hosted organization administrator the following access to the Administration Requests database (ADMIN4.NSF):
- Author access with the Create documents and Read public documents roles.

To use the Web Administrator to manage users and groups

To maintain users and groups with the Web Administrator, the hosted organization administrator performs these tasks:
- Registering users with the Web Administrator
- Deleting a user name with the Web Administrator
- Creating a group with the Web Administrator
- Deleting a group with the Web Administrator

Addressing messages to users at a hosted organization

To send mail to users and administrators at a hosted organization, the user names and group names in the sender's address book must contain full name references that include the Internet domain name in the address, or that use a Notes address that includes the domain name. For example:
- An address that includes the Internet domain name: Robert_Owens@Acme.com, where Acme is the Internet domain name.
- A Notes address that includes the domain name: Robert Owens/hosted_organization@Acme, where hosted_organization is the hosted organization name and Acme is the Internet domain name.


Chapter 15
Setting Up the Administration Process
This chapter describes how to set up the Administration Process, a
program that simplifies administrative tasks, such as deleting users,
creating replicas, and editing ACLs.

The Administration Process

The Administration Process is a program that automates many routine administrative tasks. For example, if you delete a user, the Administration Process locates that user's name in the Domino Directory and removes it, locates and removes the user's name from ACLs, and makes any other necessary deletions for that user. If you want to delete all replicas of a database, the Administration Process finds the replicas on servers in the domain and provides an interface for deleting them.
The Administration Process automates these tasks:
- Name management tasks, such as rename person, rename group, delete person, delete group, delete server name, recertify users, and store Internet certificate.
- Mail file management tasks, such as delete mail file and move mail file.
- Server document management tasks, such as store CPU count, store platform, and place network protocol information in the Server document.
- Roaming user management tasks, such as roaming user setup, move roaming users to other servers, upgrade a nonroaming user to roaming status, and downgrade a roaming user to nonroaming status.
- User mail file management tasks, such as performing Access Control List (ACL) changes and enabling agents. For example, the Out of Office agent is enabled and disabled by Notes client users.
- Person document management tasks, such as storing the user's Notes version and client platform information.
- Replica management tasks, such as create replica, move replica, or delete all replicas of a database.


Administration servers
Administration servers control how the Administration Process does its work. You specify an administration server for the Domino Directory and for specific databases. By default, the first Lotus Domino server you set up in a domain is the administration server for the Domino Directory. The administration server for the Domino Directory maintains the Domino Directory's ACL and performs deletion and name change operations in that Domino Directory; these changes are then replicated to other servers in the domain. If you have multiple directories in your domain (not replicas of other domains' directories, but more than one of your own), you can specify an administration server for each of the directories in your domain. Do not specify an administration server in your domain for a replica of another domain's Domino Directory.
All databases need an administration server to manage name changes and deletions that apply to the database, for example, changes to the ACL, Readers and Authors fields, or Names fields. If a database has replicas, you assign an administration server to only one replica. The Administration Process then makes all changes to that replica, and replication of that database carries the changes to all other replicas.
You can also set up one or more extended administration servers to distribute the processing of administration requests that modify the Domino Directory across multiple servers.
For more information on extended administration servers, see the topic Using an extended administration server later in this chapter.

The Administration Requests database


The Administration Requests database (ADMIN4.NSF) is created on the
administration server for the Domino Directory when that server starts
for the first time. Requests for work to be done by the Administration
Process are stored in the Administration Requests database. The status of
work done by the Administration Process is also stored there as response
Log documents to the requests, in the form of Administration Request
documents. To complete tasks, the Administration Process posts and
responds to requests in the Administration Requests database. Domino
servers use replicas of this database to distribute requests made on one
server to other servers in the domain.
When other servers start, if the Administration Requests database does
not exist, the server creates a replica stub of the Administration Requests
database and waits for it to be initialized from another server in the
domain. Every server in the domain stores a replica of the
Administration Requests database and the Domino Directory.

The Administration Requests database also acts as the interface to Domino Certificate Authority requests. It is the responsibility of the Registration Authority to monitor the status of the Certification Authority (CA) requests. The CA requests can be removed from the view or resubmitted for processing in the same manner as Administration Process requests.
For more information on working with requests, see the topics The Administration Requests database and Managing Administration Process requests in this chapter.
For more information on the Registration Authority (RA), see the chapter
Setting Up a Domino Server-Based Certification Authority.

The Certification Log


To use the Administration Process to perform name changes and
recertifications, the Certification Log (CERTLOG.NSF) must reside on the
server that stores the Domino Directory in which you will initiate the
name change or recertification. If the Certification Log exists on another
server, move the Certification Log to the server containing the Domino
Directory on which you are initiating the name change or recertification.
The Certification Log contains a permanent record of how you register servers and users, including information about the certifier ID. The Certification Log also contains messages that describe the results of recertification requests that the Administration Process is processing.
For more information on the Certification Log, see the chapter Installing and Setting Up Domino Servers.

Specifying the administration server for the Domino Directory

Choosing the administration server for the Domino Directory depends on your network setup, the available equipment, and the anticipated changes that will be made to the Domino Directory via the Administration Process. Large numbers of name-management operations (rename and delete requests, for example) result in many changes to the Domino Directory, with subsequent view rebuilding that affects performance. Making a heavily accessed server the administration server of the Domino Directory results in slow server performance from a user's perspective. Giving only one, or a few, servers the responsibility of being the administration server for many databases may result in those servers continually processing delete and name change requests. Choosing the administration server also involves planning how to assign administration servers for other databases in the domain, because all name management operations require extensive searching of databases to determine which server is the administration server for the ACLs, Reader and Author fields, Names fields, and unread lists. When choosing the administration server for databases in a domain, your choices include:
- Using a hub server as the administration server for the Domino Directory and for other databases.
- Using a dedicated registration server as the administration server for the Domino Directory and using one or more separate hub servers as administration servers for other databases.
- Using a multifunction server as the administration server for the Domino Directory and distributing administration responsibilities for the other databases to other servers.
- Setting multiple administration servers, called extended administration servers, for the Domino Directory to provide for less centralized, more regional, directory management.

If the domain has only a few servers, consider using one administration server for both the Domino Directory and for other databases. The majority of the administration server's resources are used for updating the Domino Directory and replicating to keep the Domino Directory consistent across the domain. The responsibility of the administration server for other databases is to maintain ACLs; Readers, Authors, and Names fields; and unread lists during name management operations. While this option centralizes administration, it may result in slower server performance as the domain grows and the use of the Administration Process to update the Domino Directory and maintain databases increases.
A second option involves using a dedicated registration server as the administration server for the Domino Directory. You limit this server's responsibility to the processing of Domino Directory changes. You can then use other servers, such as database hubs, for processing ACL changes to other databases. To do so, specify the database hub as the administration server for those databases. You can divide the responsibility for database ACL changes among several administration servers, but you must make sure that when there are multiple replicas of a database in the domain, you assign an administration server for only one replica.
A third option involves using multiple servers to maintain the Domino Directory. If your domain is geographically dispersed, having a single administration server for the Domino Directory means all administration requests for Domino Directory changes have to replicate to this one server and the resultant changes have to replicate back. If your company is organized hierarchically, that is, it is composed of multiple organizations and organizational units, extended administration servers can be assigned to maintain the directory documents associated with people, groups, and servers whose names have that organization or organizational unit component.
Using a server that contains mail and other databases as the administration server for the Domino Directory is possible, but is not recommended for performance reasons.
Always run the most recent version of Lotus Domino 6 on the
administration server of the Domino Directory and the extended
administration servers, so that you can use all of the newest
Administration Process features.
Note If you use an LDAP client to administer the Domino Directory, the Administration Process is not aware of these changes and does not extend the changes to other databases. For example, if you delete a Person document, you must manually remove references to that person's name in other places where it occurs, because the Administration Process does not do this for you.
For more information on extended administration servers, see the topic
Using an extended administration server later in this chapter.

Setting up the Administration Process

To set up the Administration Process, you must complete these tasks:
1. Specify the administration server for the Domino Directory in the domain. This is done during installation.
For more information on installing a server, see the chapter Installing and Setting Up Domino Servers.
2. Specify an administration server for databases in the domain.
3. (Optional) Set up cross-domain processing to enable an administration server in one domain to export requests to and/or import requests from an administration server in another domain.
4. Verify that the Administration Process is set up correctly.
5. Set up ACLs for the Administration Process.

Specifying an administration server for databases


The Administration Process uses administration servers to manage
administrative changes that apply to databases. Either the administrator
or the database manager can specify the administration server for a
database. Perform this procedure on an as-needed basis.
Note To change the administration server for a database, you must have
Manager access to the database or be designated as a Full access
administrator on the Security tab of the Server document.
1. From the Domino Administrator, open the domain containing the server with the database for which you are setting an administration server.
2. From the Servers pane, select the server containing the database for which you are setting an administration server.
3. Click the Files tab and then select the database to which you are assigning an administration server.
4. From the Tools pane, click Tools - Database - Manage ACL.
5. Click Advanced.
6. Complete these fields and then click OK:

Field: Administration Server
Enter: Choose one of these:
  None - If you do not want an administration server assigned for the database.
  Server - Select a server from the list.
Then choose one of these, according to whether you want modifications to the indicated fields to occur during a rename group, rename user, or rename server action, or during a delete server, delete group, or delete user action:
  Do not modify Names fields - Names fields are not updated during any of the above rename and delete actions.
  Modify all Readers and Authors fields - Readers and Authors fields are updated during the rename and delete actions listed above.
  Modify all Names fields - All Names fields are updated during any of the rename or delete actions listed above.

7. If you will be processing administration requests across domains, complete the procedure Creating a Cross-domain Configuration document.
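The following Python is an added example (not Lotus code) that models what each Administration Server setting lets the Administration Process rewrite in a database during a rename or delete. The database contents and names are constructed, and the assumption that the ACL is maintained under every setting while Do not modify Names fields leaves all document fields alone is the example's own.

```python
"""Added example (not Lotus code): models which entries the Administration
Process rewrites in a database during a rename or delete, depending on the
Administration Server setting chosen on the Advanced tab of the ACL."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Setting values as worded on the Advanced tab.
DO_NOT_MODIFY = "Do not modify Names fields"
MODIFY_READERS_AUTHORS = "Modify all Readers and Authors fields"
MODIFY_ALL_NAMES = "Modify all Names fields"

# Field kinds a document can carry: a Readers field, an Authors field, or a
# plain Names field (constructed classification for this example).
READERS, AUTHORS, NAMES = "readers", "authors", "names"

# A document is a mapping of field name -> (kind, list of names).
Document = Dict[str, Tuple[str, List[str]]]


@dataclass
class Database:
    acl: Dict[str, str]            # name -> access level
    docs: List[Document]
    setting: str = MODIFY_ALL_NAMES


def field_in_scope(setting: str, kind: str) -> bool:
    """Decide whether a field of this kind is rewritten under the setting."""
    if setting == DO_NOT_MODIFY:
        return False                 # assumption: only the ACL is maintained
    if setting == MODIFY_READERS_AUTHORS:
        return kind in (READERS, AUTHORS)
    if setting == MODIFY_ALL_NAMES:
        return True
    raise ValueError(f"unknown Administration Server setting: {setting!r}")


def rename_name(db: Database, old: str, new: str) -> int:
    """Apply a rename to the ACL and in-scope fields; return entries changed."""
    changed = 0
    if old in db.acl:                # the ACL is maintained under every setting
        db.acl[new] = db.acl.pop(old)
        changed += 1
    for doc in db.docs:
        for kind, values in doc.values():
            if not field_in_scope(db.setting, kind):
                continue
            for i, name in enumerate(values):
                if name == old:
                    values[i] = new
                    changed += 1
    return changed


def delete_name(db: Database, name: str) -> int:
    """Remove a name from the ACL and in-scope fields; return entries removed."""
    removed = 0
    if db.acl.pop(name, None) is not None:
        removed += 1
    for doc in db.docs:
        for kind, values in doc.values():
            if field_in_scope(db.setting, kind) and name in values:
                removed += values.count(name)
                values[:] = [n for n in values if n != name]
    return removed


def sample_database(setting: str) -> Database:
    """Constructed sample: two ACL entries and one document with three fields."""
    return Database(
        acl={"CN=Robert Owens/O=Acme": "Editor", "LocalDomainServers": "Manager"},
        docs=[{
            "$Readers": (READERS, ["CN=Robert Owens/O=Acme", "CN=Jane Doe/O=Acme"]),
            "Authors": (AUTHORS, ["CN=Robert Owens/O=Acme"]),
            "Owner": (NAMES, ["CN=Robert Owens/O=Acme"]),
        }],
        setting=setting,
    )


if __name__ == "__main__":
    for setting in (DO_NOT_MODIFY, MODIFY_READERS_AUTHORS, MODIFY_ALL_NAMES):
        db = sample_database(setting)
        n = rename_name(db, "CN=Robert Owens/O=Acme", "CN=Robert Owens/OU=Sales/O=Acme")
        print(f"{setting}: {n} entries rewritten")
```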

Verifying that the Administration Process is set up correctly


After you set up the administration server and the Administration
Process, verify that both are running correctly.
1. From the Domino Administrator, click Server - Analysis - Administration Requests (6).
2. Open the All Requests by Action view.
3. Verify that the request Put server's Notes build number into Server record appears in the view.
4. Sixty minutes after the Administration Process begins running, open
the Administration Requests database again and open the response
Log document for the request.
Note Log documents are listed directly beneath the request that the
document pertains to. The heading Administration Request - Log
appears at the top of each Log document.
5. Review the information in the response Log document to ensure that
the request has run.
6. Complete the procedure, Setting up ACLs for the Administration
Process.

Administration Process support of secondary Domino Directories

Domino supports the use of secondary Domino Directories for maintaining user names and groups that you want to store in a directory other than your primary Domino Directory, NAMES.NSF. For example, you may want to maintain Notes users with Notes IDs in NAMES.NSF, but maintain Web-only users in a secondary Domino Directory.
A secondary Domino Directory can use the same administration server as your primary Domino Directory, NAMES.NSF, or you can designate another server as the administration server for the secondary directory.
When you initiate a name-management or group-management action from a secondary Domino Directory, the Administration Process records, in the Administration Request document, the replica ID of the secondary directory. When a server locates and then attempts to process a name-management or group-management administration request, the server checks for the replica ID. If there is no replica ID stored in the Administration Request document, the administration server for NAMES.NSF processes the request.
If a replica ID is located, the server attempts to open the database. If it is successful, the server checks the ACL to determine whether it is the administration server for that directory. If so, the server processes the request. If it is not the administration server for that directory, the server leaves the request to be processed by the appropriate administration server. If the server is unable to open the database, it ignores the request.
For more information on secondary Domino Directories, see the chapter
Setting up Directory Assistance.
For more information on designating a server as an administration
server, see the topic Specifying an administration server for databases
earlier in this chapter.

Processing administration requests across domains


You set up Cross-domain Configuration documents to enable a server in
one domain to mail administration requests to a server in another
domain. Set up the Cross-domain Configuration document after you
specify an administration server for the Domino Directory in each
domain. The Administration Process for the Domino Directory must be
set up on a server in each domain. Cross-domain processing works only
when the administration server of the Domino Directory is a Lotus
Domino Release 5 or more recent server.
These tasks can be processed across domains:
- Delete person in Domino Directory
- Delete server in Domino Directory
- Rename server in Domino Directory, that is, upgrade the server name from flat to hierarchical
- Rename person in Domino Directory
- Create replica
- Get replica information for deletion. This request is generated when you delete a database and its replicas.

Note During cross-domain processing, any requests imported from another domain, and any subsequent requests created by the imported requests, are processed by Lotus Domino Release 5 and more recent servers only.


Setting up cross-domain processing of administration requests


To set up cross-domain processing of administration requests, you need to do the following:
- Create the necessary cross-certificate documents in the Domino Directory. Requests going to another domain require cross-certificates between the two domains.
- Create a Connection document in the Domino Directory allowing a server in one domain to connect to a server in another domain. Each domain must have a Connection document.
- Create one or more Cross-domain Configuration documents in the Administration Requests database for each domain from which you will import administration requests and to which you will export administration requests.

Edit the Directory Profile document for the Domino Directory to include the names of anyone allowed to create a Cross-domain Configuration document. On the Directory Profile document, add the administrators' names to the field List of administrators who are allowed to create Cross-domain Configuration documents in the administration requests database. If a Cross-domain Configuration document is created by someone whose name is not in that field or who is not a manager of the Domino Directory, that configuration is ignored.
The Administration Requests database contains Cross-domain Configuration documents that specify how domains exchange and process administration requests. When you configure a Cross-domain Configuration document, you designate the trusted entities, which are persons, servers, or certifiers. All requests received from the domain must be signed by one of its trusted entities. Rename requests are the exception; they are signed by certifiers, so their validity is determined by the certificates and the cross-certificate in the destination domain's Domino Directory. For Rename requests going to another domain, there must be appropriate cross-certificates between the two domains. Additionally, the Domino Directory of the destination domain must either have all Certifier documents, with the certifier's public key, for the organizational structure represented in the name change request, or it must be able to access those Certifier documents from a trusted directory specified via Directory Assistance.
For more information on setting up trusted directories via Directory Assistance, see the chapter Setting Up Directory Assistance.
For more information on Certifier documents, see the chapter Installing and Setting Up Domino Servers. For more information on cross-certificates, see the chapter Protecting and Managing Notes IDs.

Benefits of cross-domain processing


Cross-domain processing offers these benefits:
1. Processing administration requests across domains can protect the
integrity of the data in databases. For example, if a person is deleted
from the directory in one domain, corresponding deletions occur in
the other domains.
2. Access to information is enhanced because a name change is
propagated to other domains. For example, people and servers
registered in one domain can also be listed in the directory
documents and database ACLs in another domain. Cross-domain
processing allows users and servers to have access to databases and
servers in both domains.
3. Applications are easily distributed because databases are easily
replicated from servers in one domain to servers in other domains.
Administrators do not have to install and update applications
individually on all servers.

Creating a Cross-domain Configuration document


1. Make sure that you have already set up the necessary Connection documents and cross-certificates to allow communication between the servers.
2. From the Domino Administrator, choose Server - Analysis - Administration Requests (6).
3. Choose the Cross Domain Configuration view and click Add Configuration.
4. On the Configuration Type tab, choose one of these:
   Inbound to create an inbound request configuration
   Outbound to create an outbound request configuration


5. If you chose Inbound in Step 4, click Inbound Request Configuration and then complete these fields:

Field: Receive AdminP requests from domains
Enter: The name of one or more domains from which this server will receive requests.

Field: List of AdminP requests allowed from other domains
Enter: Select any of these requests that this server will accept from other domains and then click OK:
  Create Replica
  Delete Person in Address Book
  Delete Server in Address Book
  Get Replica Information for Deletion
  Rename Person in Address Book
  Rename Server in Address Book

Field: Only allow Create Replica requests if intended for one of the following servers
Enter: Server names in your current domain that will accept Create Replica requests from other domains. This field displays if the Create Replica request is selected.

Field: List of approved signers
Enter: Names of approved signers, that is, a trusted signer for the request type for the destination domain. An inbound request is rejected if it is signed by someone who is not a trusted signer. If you selected Create Replica requests from the list above, the request's author is required to have Create Replica access to the destination server. Create Replica requests must be signed by the source server.

6. If you chose Outbound in Step 4, click Outbound Request Configuration and then complete these fields:

Field: Domains to submit AdminP requests to
Enter: The name of one or more domains to which this server will send requests.

Field: List of AdminP requests to submit
Enter: Select the type of requests that this server will send and then click OK:
  Create Replica
  Delete Person in Address Book
  Delete Server in Address Book
  Get Replica Information for Deletion
  Rename Person in Address Book
  Rename Server in Address Book

Field: Only submit Create Replica requests to the domains listed above if the destination server is one of the following
Enter: Server names to which you will send Create Replica requests. Also enter the domain names in which the servers reside. This field displays if the Create Replica request is selected.

Field: List of approved signers
Enter: Names of approved signers, that is, a trusted signer for the request type from the creation domain. An outbound request will not be sent if it is signed by someone who is not a trusted signer. If you selected the Create Replica request from the list above, the request's author is required to have Create Replica access to the destination server. Create Replica requests must be signed by the source server.

7. Click Save and Close.
8. Complete the procedure Verifying that the Administration Process is set up correctly.
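The following Python is an added example (not Lotus code) that models the checks described above for requests arriving under an inbound Cross-domain Configuration document: the domain filter, the allowed request types, the trusted-signer rule with its exception for certifier-signed rename requests, and the extra conditions on Create Replica requests. The domain, server and signer names are constructed, and modelling cross-certificate trust as a set of certifier names is a simplification.

```python
"""Added example (not Lotus code): models the checks an inbound Cross-domain
Configuration document applies to administration requests imported from
another domain."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Request types that can be exchanged across domains.
CROSS_DOMAIN_TYPES = {
    "Create Replica",
    "Delete Person in Address Book",
    "Delete Server in Address Book",
    "Get Replica Information for Deletion",
    "Rename Person in Address Book",
    "Rename Server in Address Book",
}
RENAME_TYPES = {"Rename Person in Address Book", "Rename Server in Address Book"}


@dataclass
class InboundConfig:
    """Fields of one inbound Cross-domain Configuration document."""
    receive_from_domains: Set[str]
    allowed_requests: Set[str]
    approved_signers: Set[str]
    create_replica_servers: Set[str] = field(default_factory=set)


@dataclass
class ImportedRequest:
    """A constructed request as it arrives from the other domain."""
    request_type: str
    source_domain: str
    signer: str
    author: str
    source_server: Optional[str] = None
    destination_server: Optional[str] = None


@dataclass
class DestinationDomain:
    configs: List[InboundConfig]
    # Simplification: certifiers whose signatures verify through the
    # cross-certificates and Certifier documents in this domain's directory.
    cross_certified_certifiers: Set[str]
    # server -> names that hold Create Replica access on that server.
    create_replica_access: Dict[str, Set[str]]


def evaluate_inbound(req: ImportedRequest, dom: DestinationDomain) -> Tuple[bool, str]:
    """Return (accepted, reason); the first failing check wins."""
    if req.request_type not in CROSS_DOMAIN_TYPES:
        return False, "request type cannot be processed across domains"
    cfg = next((c for c in dom.configs
                if req.source_domain in c.receive_from_domains), None)
    if cfg is None:
        return False, f"no inbound configuration receives from {req.source_domain}"
    if req.request_type not in cfg.allowed_requests:
        return False, f"{req.request_type} is not allowed from {req.source_domain}"
    if req.request_type in RENAME_TYPES:
        # Rename requests are signed by certifiers; their validity comes from
        # the certificates and cross-certificates, not the approved-signers list.
        if req.signer not in dom.cross_certified_certifiers:
            return False, f"rename signed by {req.signer}, which is not cross-certified"
    elif req.signer not in cfg.approved_signers:
        return False, f"{req.signer} is not a trusted signer for {req.source_domain}"
    if req.request_type == "Create Replica":
        if req.destination_server not in cfg.create_replica_servers:
            return False, f"{req.destination_server} does not accept Create Replica requests"
        if req.signer != req.source_server:
            return False, "Create Replica request is not signed by the source server"
        allowed = dom.create_replica_access.get(req.destination_server, set())
        if req.author not in allowed:
            return False, f"{req.author} lacks Create Replica access on {req.destination_server}"
    return True, "accepted"


def sample_domain() -> DestinationDomain:
    """Constructed destination domain Acme that receives requests from Partner."""
    cfg = InboundConfig(
        receive_from_domains={"Partner"},
        allowed_requests={"Create Replica", "Delete Person in Address Book",
                          "Rename Person in Address Book"},
        approved_signers={"CN=Hub-P/O=Partner", "CN=Admin One/O=Partner"},
        create_replica_servers={"CN=Hub-A/O=Acme"},
    )
    return DestinationDomain(
        configs=[cfg],
        cross_certified_certifiers={"/O=Partner"},
        create_replica_access={"CN=Hub-A/O=Acme": {"CN=Hub-P/O=Partner"}},
    )
```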


Setting up ACLs for the Administration Process


Each administrator who uses the Administration Process to perform
tasks must have the appropriate access rights and roles in the Domino
Directory (NAMES.NSF), secondary directories if applicable,
Administration Requests database (ADMIN4.NSF), and the Certification
Log database (CERTLOG.NSF).
The quickest way to provide administrators with the access they need is to give them the minimum levels of access:
- For the Domino Directory, create an administrator group of type Person Group with Editor access, and list the administrators in the group.
- For the Administration Requests database, give administrators Author access. If an administrator will be approving requests, give Editor access.
- For the Certification Log database, give administrators Author access with Create documents.

For more information on setting up and modifying an ACL, see the chapter Controlling User Access to Domino Databases.
Note If extended ACLs are enabled and you have specified who can modify documents for an organization, administration requests will fail if they are initiated by anyone not specified in the extended ACL.
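As an added example (not Lotus code), the following Python compares an administrator's ACL entries against the minimum access listed above and against the Delete group and Delete servers rows of the task table later in this topic, reporting per database whether the entry is sufficient. The ACL entries are constructed, and the rule that a higher access level also satisfies a lower requirement is this example's own assumption.

```python
"""Added example (not Lotus code): checks whether an administrator's ACL
entries meet the minimum access given in this topic for the Domino Directory,
the Administration Requests database, and the Certification Log."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Domino ACL access levels from lowest to highest.
ACCESS_LEVELS = ["No Access", "Depositor", "Reader", "Author",
                 "Editor", "Designer", "Manager"]


@dataclass
class AclEntry:
    """One ACL entry: access level plus the privileges and roles it carries."""
    level: str
    privileges: Set[str] = field(default_factory=set)  # e.g. "Create documents"
    roles: Set[str] = field(default_factory=set)       # e.g. "GroupModifier"


@dataclass
class Requirement:
    """Minimum level, plus any privileges and roles that must also be present."""
    level: str
    privileges: Set[str] = field(default_factory=set)
    roles: Set[str] = field(default_factory=set)


def satisfies(entry: AclEntry, req: Requirement) -> bool:
    """True when the entry is at least the required level and carries the
    required privileges and roles (assumption: a higher level also counts)."""
    if ACCESS_LEVELS.index(entry.level) < ACCESS_LEVELS.index(req.level):
        return False
    return req.privileges <= entry.privileges and req.roles <= entry.roles


def minimum_access(approves_requests: bool) -> Dict[str, List[Requirement]]:
    """Minimum access per database from the list above; each database maps to
    the alternatives that satisfy it ("One of these" in the task table)."""
    return {
        "NAMES.NSF": [Requirement("Editor")],
        "ADMIN4.NSF": [Requirement("Editor" if approves_requests else "Author")],
        "CERTLOG.NSF": [Requirement("Author", {"Create documents"})],
    }


# Requirements transcribed for two rows of the task table.
TASK_ACCESS: Dict[str, Dict[str, List[Requirement]]] = {
    "Delete group": {
        "NAMES.NSF": [Requirement("Author", {"Delete documents"}, {"GroupModifier"}),
                      Requirement("Editor")],
        "ADMIN4.NSF": [Requirement("Author", {"Create documents"})],
    },
    "Delete servers": {
        "NAMES.NSF": [Requirement("Author", {"Delete documents"}, {"ServerModifier"}),
                      Requirement("Editor")],
        "ADMIN4.NSF": [Requirement("Author", {"Create documents"})],
    },
}


def check(acls: Dict[str, AclEntry],
          required: Dict[str, List[Requirement]]) -> Dict[str, str]:
    """Return a verdict per database: 'ok', 'insufficient', or 'no entry'."""
    verdict = {}
    for db, alternatives in required.items():
        entry = acls.get(db)
        if entry is None:
            verdict[db] = "no entry"
        elif any(satisfies(entry, alt) for alt in alternatives):
            verdict[db] = "ok"
        else:
            verdict[db] = "insufficient"
    return verdict


def can_retry_after_error(acls: Dict[str, AclEntry]) -> bool:
    """Re-running a failed request needs Editor access in ADMIN4.NSF."""
    entry = acls.get("ADMIN4.NSF")
    return entry is not None and satisfies(entry, Requirement("Editor"))


def sample_acls() -> Dict[str, AclEntry]:
    """Constructed ACL entries for a group-management administrator."""
    return {
        "NAMES.NSF": AclEntry("Author", {"Create documents", "Delete documents"},
                              {"GroupCreator", "GroupModifier"}),
        "ADMIN4.NSF": AclEntry("Author", {"Create documents"}),
        "CERTLOG.NSF": AclEntry("Reader"),
    }
```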


To assign access to administrators so they can perform only specific tasks, see the table below, which specifies the access that administrators need in the ACLs of the Domino Directory, secondary directories if applicable, the Administration Requests database, and the Certification Log database. If an error occurs during any administrative task, the administrator must have Editor access in the ACL of the Administration Requests database to perform the task again.

Task

Administrator needs
this access in the
Domino Directory

Administrator
Administrator
needs this access needs this access in
in ADMIN4.NSF other databases

Add a resource to
or delete a
resource from the
Resource
Reservations
database

None. However, the


Administration
Process updates the
Domino Directory to
reflect the change

Author with
Create
documents
access

Add group

Author with Create


documents and the
ServerModifier role

Author with
Create
documents
access and
GroupModifier
role

Add users to
group

Author with
GroupModifier role.
If administrator has
access greater than
Author, that access is
sufficient

Add servers to and One of these:


remove servers
Author access and
from a cluster
ServerModifier
role

Author with
Create
documents
access

CreateResource
role in the
Resource
Reservations
database

None

Editor access
Editor access
Approve a request One of these:
to move a user
Author with Create
name to another
documents access
hierarchy
and UserModifier/
Server Modifier
role

Author with
Create documents
access to the
Certification Log

Editor access
Approve the
deletion of a
resource from the
Resource
Reservations
database

Delete documents
access

Editor access

Create mail files


automatically
during user
registration

Author access and the Author with


UserCreator role
Create
documents
access

None

Create new
database access
on the registration
server
continued

15-14 Administering the Domino System, Volume 1

Task

Administrator needs
this access in the
Domino Directory

Administrator
Administrator
needs this access needs this access in
in ADMIN4.NSF other databases

Create replicas of
databases

No requirement

Author with
Create
documents
access

All of these:
Create replica
access to the
destination
server
Reader access
to the database
on the source
server
In addition, the
source server
must have
Create replica
access to the
destination
server, and the
destination
server must
have Reader
access to one
replica of the
database.

Delete group

None

Administration

Author with
Author with Delete Create
documents access documents
access
and the
GroupModifier role
One of these:

Editor access
Delete servers

One of these:

Author with
Author with Delete Create
documents and the documents
ServerModifier role access

None

Editor access
Delete users*

One of these:

Author with
Author with Delete Create
documents access documents
access
and the
UserModifier role

None

Editor access
continued

Setting Up the Administration Process 15-15


Delete users and their mail files*
Delete users and their private design elements
  Domino Directory: One of these: Author with Delete documents access and the UserModifier role; Editor with Delete documents access
  ADMIN4.NSF: Editor
  Other databases: None

Enable password-checking during authentication
  Domino Directory: Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Find name
  Domino Directory: Editor access with UserModifier role
  ADMIN4.NSF: None
  Other databases: None

Move replicas from a cluster server
  Domino Directory: None
  ADMIN4.NSF: Author with Create documents access
  Other databases: Both of these: Same access as Create replicas of databases; Manager access to the original database

Move replicas from a non-clustered server
  Domino Directory: None
  ADMIN4.NSF: Editor
  Other databases: Both of these: Same access as Create replicas of databases; Manager access to the original database


Move user to another server
  Domino Directory: One of these: Author access and UserModifier role; Editor access
  ADMIN4.NSF: Editor
  Other databases: Create replica access on the new mail server. In addition, the old mail server must have Create replica access to the new mail server, and the person whose mail file is being moved must be running a Notes Release 5 or higher client.

Recertify user IDs and server IDs
  Domino Directory: One of these: Author with Create documents access and UserModifier/ServerModifier role; Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: Author with Create documents access to the Certification Log

Register user
  Domino Directory: Author with Create documents access and UserCreator role
  ADMIN4.NSF: Author with Create documents access if using the Administration Process for background processing
  Other databases: If creating mail files/roaming files, Create database access on the mail server and/or roaming server, accordingly. If creating replicas, Create Replica access on the replica servers. If CERTLOG.NSF resides on the registration server, Create document access to CERTLOG.NSF is required.


Remove all replicas of a database
  Domino Directory: None
  ADMIN4.NSF: None
  Other databases: None

Rename users and convert users and servers to hierarchical naming
  Domino Directory: One of these: Author with Create documents access and UserModifier/ServerModifier role; Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: Author with Create documents access to the Certification Log

Sign database
  Domino Directory: None
  ADMIN4.NSF: None
  Other databases: None

Specify the Master Address Book name in Server documents
  Domino Directory: One of these: Author access with ServerModifier role; Editor access
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Add Internet certificate
  Domino Directory: Editor
  ADMIN4.NSF: Author with Create documents access
  Other databases: None

Update client information in Person record
  Domino Directory: None
  ADMIN4.NSF: None
  Other databases: None

*To delete a user's Windows NT account or Active Directory account when deleting a user, the Delete Person request must be made from a computer running Windows NT or Active Directory, respectively, and the initiator must be a Windows NT Domain or Active Directory administrator with rights to delete user accounts.

For more information on Windows NT and Active Directory procedures, see the chapter Using Domino With Windows Synchronization Tools.
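The requirement cells in the table above combine an access level, Author-level privileges and a role, joined by "One of these" or "All of these". The following Python is an added example, not code from this manual or from Lotus Domino, that models a Notes ACL entry and checks it against two of the table's Domino Directory cells (Delete users; Delete users and their mail files). The sample entries, the helpdesk entry and the least_privilege_entry helper are this example's own constructions; the ordering of access levels and the Create documents and Delete documents privileges follow standard Notes ACL semantics.

```python
# Added example (not from the manual): model the access requirements in the
# table above and check an administrator's ACL entry against them.
# The sample entries below are constructed; the ACL model (ordered access
# levels, the Author-level "Create documents" privilege, the "Delete
# documents" privilege, and roles such as UserModifier) is standard Notes.
from dataclasses import dataclass

LEVELS = ["No Access", "Depositor", "Reader", "Author",
          "Editor", "Designer", "Manager"]


@dataclass(frozen=True)
class AclEntry:
    level: str
    create_documents: bool = False   # privilege that matters at Author level
    delete_documents: bool = False   # separate privilege, off by default here
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Requirement:
    """One alternative from a table cell: minimum level, privileges, roles."""
    level: str
    create_documents: bool = False
    delete_documents: bool = False
    roles: frozenset = frozenset()


def _rank(level):
    return LEVELS.index(level)


def satisfies(entry, req):
    """True if a single ACL entry meets a single requirement."""
    if _rank(entry.level) < _rank(req.level):
        return False
    # Editor and above can always create documents; Author needs the privilege.
    if req.create_documents and not (
            entry.create_documents or _rank(entry.level) >= _rank("Editor")):
        return False
    # "Delete documents" is a distinct privilege at every level.
    if req.delete_documents and not entry.delete_documents:
        return False
    return req.roles <= entry.roles


def meets_one_of(entry, alternatives):
    """'One of these:' cells: any single alternative suffices."""
    return any(satisfies(entry, r) for r in alternatives)


def least_privilege_entry(alternatives):
    """The alternative with the lowest access level (ties: fewer roles)."""
    return min(alternatives, key=lambda r: (_rank(r.level), len(r.roles)))


# Two Domino Directory cells from the table, written as requirement lists.
DELETE_USERS = (
    Requirement("Author", delete_documents=True, roles=frozenset({"UserModifier"})),
    Requirement("Editor"),
)
DELETE_USERS_AND_MAIL_FILES = (
    Requirement("Author", delete_documents=True, roles=frozenset({"UserModifier"})),
    Requirement("Editor", delete_documents=True),
)

if __name__ == "__main__":
    # Constructed entries: a helpdesk account granted the minimum the table
    # asks for, and a plain Editor without the Delete documents privilege.
    helpdesk = AclEntry("Author", create_documents=True, delete_documents=True,
                        roles=frozenset({"UserModifier"}))
    editor = AclEntry("Editor")
    print(meets_one_of(helpdesk, DELETE_USERS))                # True
    print(meets_one_of(editor, DELETE_USERS))                  # True
    print(meets_one_of(editor, DELETE_USERS_AND_MAIL_FILES))   # False
    print(least_privilege_entry(DELETE_USERS).level)           # Author
```

The last check is the one worth noticing when granting access: plain Editor satisfies the Delete users cell, but not the Delete users and their mail files cell, because that cell's Editor alternative also requires the Delete documents privilege.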


The Administration Requests database


Information about each administrative task that you want the
Administration Process to handle is stored in the Administration
Requests database (ADMIN4.NSF). This database lists both the specific
task and also the requests and responses that the Administration Process
posts and processes to complete the task. At least once each day, check
the views described in the table below for requests that require
administrator attention or approval; also check for errors.
For more information on how the Administration Process completes
specific administrative tasks, see the appendix Administration Process
Requests.
View: Administrative Attention Required
  Displays: Requests that warrant attention and may require action on the part of the administrator.

View: Pending Administrator Approval
  Displays: Requests that require administrator approval before processing can be completed.

View: All Activity by Server
  Displays: Responses to requests, sorted by server.

View: All Errors by Date
  Displays: Responses with errors encountered, sorted by date.

View: All Errors by Server
  Displays: Responses with errors encountered, sorted by server.

View: All Requests by Action
  Displays: Requests and responses, sorted by action.

View: All Requests by Name
  Displays: Requests and responses, sorted by name.

View: All Requests by Server
  Displays: Requests and responses, sorted by server.

View: Name Move Requests
  Displays: Requests to move a user's name in the name hierarchy.

View: Cross Domain Configuration
  Displays: Cross-domain configurations sorted by domain and then by inbound requests that are accepted and outbound requests that are accepted.

View: Cross Domain Delivery Failures
  Displays: Requests that cannot be delivered to the inbound domain.

View: Certificate Requests
  Displays: Requests to create an Internet certificate and requests to create a Notes certificate. This view is typically monitored by the administrator who has been designated Certification Authority and Registration Authority.

View: Revocation Requests
  Displays: Requests to revoke an Internet certificate. This view is typically monitored by the administrator who has been designated Certification Authority and Registration Authority.

View: Configuration Updates
  Displays: Requests that have generated updates to the Certifier document in the Domino Directory and the Certificate Authority Configuration document in the Issued Certificate List (ICL) database.

View: Recovery Information Updates
  Displays: Requests to update the recovery information for a certifier. This view is typically monitored by the administrator who has been designated Certification Authority and Registration Authority. For more information on ID recovery, see the topics ID recovery and Recovering an ID in the chapter Protecting and Managing Notes IDs.

To view documents in the Administration Requests database, you can use either the Domino Administrator or the Web Administrator.
For information about messages that appear in the Administration Requests database, see the chapter Troubleshooting.


Administration Process requests that require the administrator's approval

When administration requests that cannot be processed without the administrator's approval are received, they are stored in the Administration Requests database and are flagged as requiring approval.
Administrator actions that generate Administration Process requests requiring approval, and the result of approving each request:

Action: Delete database (with Delete all replicas of this database selected on the Delete File dialog box)
  Result: Approving an Approve Replica Deletion administration request posts the Request Replica Deletion administration request to begin the process of removing all replicas of the database that is being deleted.

Action: Delete mail file during a delete person in Domino Directory
  Result: Approving an Approve file deletion request during a Delete person in Domino Directory action posts the Request file deletion administration request so that a user's mail file can be deleted.

Action: Delete roaming user
  Result: Approving the Approve mail file deletion administration request posts the Request mail file deletion administration request to begin the process of deleting the mail files from the mail server. Approving the Approve replica deletion administration request posts the Request Replica Deletion administration request to begin the process of deleting the roaming file replicas from the roaming server.

Action: Delete user in Domino Directory
  Result: Approving the Approve deletion of private design elements administration request posts the Request to delete private design elements request so that private design elements can be deleted. Private design elements are private agents, views, and folders signed by the person who has been deleted.

Action: Move a database from a non-clustered server
  Result: Approving the Approve deletion of moved replica request posts a Request to delete non-cluster move replica so that the original database can be removed from the source server.

Action: Move person's name in hierarchy (from the Name Move Requests view)
  Result: Approving the Move person's name in hierarchy request is done by the administrator of the target organization. This approval allows for the posting of the Initiate rename in Domino Directory request to begin the moving of the user's name to a new hierarchy.

Action: Moving a mail file from one server to another
  Result: Approving the Approve file deletion administration request posts the Request file deletion administration request to begin the process of deleting the old mail file from the old home mail server after the mail file is moved to the new mail server.

Action: Moving roaming files from one server to another
  Result: Approving the Approve replica deletion administration request posts the Request Replica Deletion administration request to begin the process of deleting the roaming file replicas from the old roaming server. Approving the Approve mail file deletion administration request posts the Request mail file deletion administration request to begin the process of deleting the old mail files from the old mail server after the mail files have been moved to the new mail server.

Action: Remove resource
  Result: Approving the Approve resource delete administration request posts the Remove resource administration request so that a resource, such as a conference room name, can be deleted from the Domino Directory.

Action: Rename user
  Result: Approving the Approve Retract Name Change administration request cancels a user name change request and causes the user's previous name to remain in effect.

Action: Request a Notes certificate or request an Internet certificate
  Result: An Approve Certificate Request administration request is generated when you use the CA to issue a new Notes or Internet certificate, and the request needs to be approved by a registration authority. Approving the Approve Certificate Request allows the process to continue to the next step.

Action: These actions initiated for nonhierarchical names, across domains: Delete person in Domino Directory; Delete server in Domino Directory; Rename person in Domino Directory; Rename server in Domino Directory
  Result: An Approval request is generated in the destination domain when an identical, nonhierarchical user name or server name is located. The Approval request allows the administrator to determine whether the user name or server name is the one that should be deleted or renamed. Approving the request allows the rename or delete process to occur.

For more information on the administration requests and how they are
processed, see the appendix Administration Process Requests.

Request status icons in the Administration Request database

The Administration Requests database contains icons that indicate the current status of each administration request in the database. Use these icons to determine the status of a request at a glance.

Administration Request documents (icon and corresponding timing)

Icon displays for all immediate requests. Immediate requests are usually processed within one minute.

Icon displays for these requests: all new and modified daily requests to update Person documents in the Domino Directory, and any outstanding Rename Person in Unread List requests.

Icon displays for all new and modified requests to delete unlinked mail files.

Icon displays for all new and modified delayed requests. These are requests that are usually carried out according to the Start executing on and Start executing at settings in the Server document.

Icon displays for all Administration Process Request documents that are marked as Approved by an administrator taking action from within the Pending Administrator Attention view.

Icon displays for all Administration Process Request documents that are marked as Rejected by an administrator taking action from within the Pending Administrator Attention view.

Icon displays for all interval requests. These requests are processed according to the Interval setting in the Server document.

Icon displays for all requests that are posted for an Administration Approval. These requests show up in the Pending Administrator Approval view until acted upon.

Administration Request - Response (Log) documents (icon and schedule)

Icon displays when Administration Process Log documents have been selected for reprocessing. When errors occur, the Log documents appear in the All Errors by Server or All Errors by Date views and can be reprocessed by selecting one or more documents and clicking the Reprocess Selected Requests button. The Log documents can also be reprocessed individually by editing the Log document and checking Perform request again.

Icon displays for all Administration Process Log documents that report non-error type conditions. These requests show up in the Administrative Attention Required view for easy access.

Icon displays when Administration Process Log documents have been marked as processed. Processed means an administrator has reviewed the log and wishes to remove it from the view. Mark one or more Log documents as processed by clicking the Remove From View button in the Administrative Attention Required, All Errors by Server, or All Errors by Date views.

Icon displays for all Administration Process Log documents that represent requests that have successfully completed work on specific databases.

Icon displays for all Administration Process Log documents that report error type conditions. These requests appear in the All Errors by Server and All Errors by Date views for easy viewing.

Icon displays for all Administration Process Log documents to indicate a potential blocking condition. A blocking condition can occur when a request is waiting for some other event to occur in order to process through.

Managing Administration Process requests


Managing the Administration Process involves approving requests,
forcing requests when they must be processed immediately, and
checking the Administration Requests database for errors.
To approve a request
Check the Administration Requests database daily for requests that
require approval.
1. From the Domino Administrator, choose Server - Analyses - Administration Requests (6).
2. Select the server and then open the Administration Requests
(ADMIN4.NSF) database.
3. Open the Pending Administrator Approval view.
4. Open the request and click Edit Document.
5. Click Approve request type. For example, if you are deleting a user's
mail file, click Approve Mail File Deletion.
6. Click Save and Close.
To force a request
Follow this procedure to force a request to occur immediately instead of
waiting for the Administration Process to initiate the request based on
the timing schedule.
1. From the Domino Administrator, select the remote server.
2. Choose Server - Status - Server Console.
3. Enter this command in the Domino Command field and click Send:
Tell adminp p all

or
Tell adminp p a

To check for errors


Check the Administration Requests database daily for errors, which
appear in response Log documents marked with a red X.
1. From the Domino Administrator, choose Server - Analyses - Administration Requests (6).
2. Open the All Errors by Date or All Errors by Server view to
review errors.
3. Select any errors that you want to delete and click Remove from
view.
4. To reprocess one or more failed requests, select the requests and click
Reprocess Selected Requests. The error is removed from this view
and can be viewed in another view showing requests to be
processed, such as All Activity by Server.
To reprocess a failed request
1. From the All Errors by Date or All Errors by Server view, review
the reason that the request failed.
2. Make the appropriate corrections so that the request does not fail
again.
3. Choose the request and click Reprocess Selected Requests.
4. Check the Administration Requests database later to verify that the
request was processed without error.

Controlling the size of the Administration Requests Database

When administrators make full use of the Administration Process, a large number of request documents and the resulting response Log documents are generated in the Administration Requests database (ADMIN4.NSF), and the database can become quite large. Access Control List (ACL) management requests; Readers, Authors, and Names fields management requests; and mail file management requests are processed by every server in the domain, and each server creates a response Log document with the status "This name did not appear anywhere" or "This file is not on this server".
To prevent these types of documents from being saved, set the "Store Admin Process log entries when status of no change is recorded" field to No on the All Servers document for your domain.
For more information on the Administration Process and the settings in the All Servers document, see the topic Scheduling administration request processing later in this chapter.


Using Space Saver settings

Check the Space Saver settings of ADMIN4.NSF on all servers, because these settings do not replicate in the domain, and ensure that "Remove documents not modified in the last # days" is checked. Be sure the value entered for this setting is a reasonable number depending on how long you want to keep the history of the activity of the administration requests, for example, less than 90 days. This information is stored in Catalog documents. If you run the catalog, you can create a view that displays this information.
1. From the Domino Administrator, choose Files and then right-click the Administration Requests database.
2. Choose Properties and click Replication Settings - Space Savers.
3. Click "Remove documents not modified in the last # days" and choose a number of days from the list. Click OK.

Using a Program document to compact the Administration Requests database

Create a Program document that compacts ADMIN4.NSF on the servers in your domain on a regular basis.
For more information on using Program documents to compact a database, see the chapter Improving Database Performance.

For more information on setting up and using replication formulas, see Limiting the contents of a replica if you have installed Lotus Domino Designer 6 Help. Or, go to http://www.notes.net/doc to download or view Lotus Domino Designer 6 Help.


Using Selective Replication formulas

Use a selective replication formula to prevent the response Log documents in ADMIN4.NSF from replicating. Information in Log documents is a record of the status of the work a server does in response to an administration request. This response Log is of interest to you, the administrator, and to the server that created it, but not to every server in the domain. As a result, you may want to go to the Space Saver section of the database replication settings of ADMIN4.NSF and create a selective replication formula that prevents Log documents from replicating. Response Log documents have the field value Type=AdminLog, so a formula that selects Type!=AdminLog excludes them. Another option is to use a formula that replicates the Log documents to only one server in the domain, so that you have only one server on which to check status. After you create this formula, check the box that allows replication formulas to replicate.
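To make the daily error check, the "no change" size control and the selective replication formula concrete, here is an added Python example that is not code from this manual or from Lotus Domino. It runs over a handful of constructed ADMIN4.NSF documents: the field names Type, Server, Action, Status and ErrorFlag, the server names and the status strings other than the two the text quotes are all this example's own assumptions.

```python
# Added example (not from the manual): triage constructed ADMIN4.NSF response
# Log documents the way the daily check in this chapter describes, and show
# which documents the two size controls would leave out: the "Store Admin
# Process log entries when status of no change is recorded" setting and a
# selective replication formula on the Type field.  Field names, server
# names and all statuses except the two quoted in the text are constructed.
from collections import Counter

# Statuses the text names as "no change" responses.
NO_CHANGE_STATUSES = {
    "This name did not appear anywhere",
    "This file is not on this server",
}

SAMPLE_DOCS = [  # constructed sample documents
    {"Type": "AdminRequest", "Server": "Hub/Acme", "Action": "Delete Person",
     "Status": "", "ErrorFlag": False},
    {"Type": "AdminLog", "Server": "Hub/Acme", "Action": "Delete Person",
     "Status": "Processed", "ErrorFlag": False},
    {"Type": "AdminLog", "Server": "Mail1/Acme", "Action": "Delete in Reader/Author fields",
     "Status": "This name did not appear anywhere", "ErrorFlag": False},
    {"Type": "AdminLog", "Server": "Mail2/Acme", "Action": "Delete mail file",
     "Status": "This file is not on this server", "ErrorFlag": False},
    {"Type": "AdminLog", "Server": "Mail2/Acme", "Action": "Delete mail file",
     "Status": "Constructed error: insufficient access to delete file", "ErrorFlag": True},
    {"Type": "AdminLog", "Server": "Mail1/Acme", "Action": "Rename Person",
     "Status": "Constructed error: name not found", "ErrorFlag": True},
]


def errors_by_server(docs):
    """What the All Errors by Server view shows: error Log documents per server."""
    return Counter(d["Server"] for d in docs
                   if d["Type"] == "AdminLog" and d["ErrorFlag"])


def kept_when_no_change_not_stored(docs):
    """Documents that survive when the 'no change' setting is No."""
    return [d for d in docs
            if not (d["Type"] == "AdminLog" and d["Status"] in NO_CHANGE_STATUSES)]


def selective_replication(docs, excluded_type="AdminLog"):
    """Apply the formula shape from the text (Type != "AdminLog"): only
    documents whose Type is not the excluded type replicate."""
    return [d for d in docs if d.get("Type") != excluded_type]


def daily_report(docs):
    """Summary an administrator would review once a day."""
    return {
        "errors_by_server": dict(errors_by_server(docs)),
        "no_change_entries": sum(1 for d in docs if d["Type"] == "AdminLog"
                                 and d["Status"] in NO_CHANGE_STATUSES),
        "replicating": len(selective_replication(docs)),
    }


if __name__ == "__main__":
    print(daily_report(SAMPLE_DOCS))
```

The report separates the two concerns the text raises: error Log documents are what you act on (reprocess or remove from view), while the "no change" entries are pure volume and are the ones the size controls remove.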

Suspending administration request processing


As previously mentioned, name management administration requests
that are processed on the administration server of the Domino Directory
can result in modifications to the Domino Directory, causing re-indexing
and replication of the Domino Directory. For some domains, the impact of
these changes on this server is burdensome during normal working hours.
Therefore, controls are present in the Server document for suspending the
operation of the Administration Process over a daily interval.

To suspend administration request processing

1. From the Domino Administrator, click the Configuration tab.
2. Choose Server - All Server Documents.
3. Select the server whose Server document you are editing.
4. Click the Server Tasks - Administration Process tab.
5. Complete these fields, and then click Save and Close.
Field: Suspend Admin Process at
  Action: Enter the time at which administration processing of administration requests stops.
Field: Restart Admin Process at
  Action: Enter the time at which administration processing of administration requests resumes.
6. Click Save and Close.


For more information on scheduling processing of administration
requests, see the topic Scheduling Administration Request processing
later in this chapter.

Controlling user access to the Administration Requests database


Some administration requests are created by Notes client users during specific phases of an administrative operation, such as while moving a roaming user's mail file. If a user has multiple clients, for example, one at home and one at work, before the client creates one of these administration requests, it checks whether an identical request has been created either by itself or by the user running on another client. To perform this check, and to avoid creating possible redundant administration requests, the user needs Author access to the Administration Requests database. Because of the detailed administration information that appears in that database, some administrators prefer that their users not see its contents. If you want to prevent users from seeing the content of the Administration Requests database, the default access on ADMIN4.NSF can be set to Depositor. Setting this type of access can result in multiple requests for users appearing from the same operation, because the client cannot determine whether a request that it is about to create already exists.
Once you have upgraded all of your clients to Lotus Notes 6, the default access to ADMIN4.NSF can be set to None, because the client will then mail requests to the Administration Requests database if the user does not have access.

Customizing the Administration Process


To customize the Administration Process, you can do any of these tasks:
Change the number of threads used to process a request
Control the size of the Administration Requests database
Create a customized view
Create a third-party administration request
Enhance the core Administration Process through the Extension
Manager
Schedule administration request processing
Set up an extended administration server
Suspend the processing of administration requests

Changing the number of threads used by the Administration Process

By default, the Administration Process uses three threads to process requests. To improve Administration Process performance, increase the number of threads.
1. From the Domino Administrator, click Configuration - Server - Current Server Document.
Note If you want to edit a Server document for another server, click Configuration - Server - All Server Documents and then select the document you want to edit.
2. Click Edit Document and then click Server Tasks.
3. Enter a value greater than 3 in the Maximum number of threads field in the Basics section of the tab.
4. Click Save and Close.
5. To allow the change to take effect, stop the Administration Process and then restart it. Enter these commands from the server console:
tell adminp q
load adminp

Creating an $AdminP view


By default, the Administration Process scans all documents in a database
looking for matches in the Readers and Authors fields or Names fields,
when an Administration Request for a particular value in that field is
received. You can create a view that restricts the scanning for matches in
Readers and Authors fields, or Names fields, to the documents appearing
in that view. The view must be assigned the name $AdminP.
For information on creating a view, see Application Development with
Domino Designer.

Enhancing the Administration Process through the Extension Manager

You can extend the Administration Process to enhance its current core functionality, that is, processing all administration requests created through the Notes user interface or by a Domino server. Using the Extension Manager to extend the Administration Process, you can use the core Administration Process functionality and develop additional tasks based on Administration Process actions.
For more information on creating and using an Extension Manager
program, see the Lotus C API User Guide. For more information on
creating an Extension Manager for the Administration Process, see the
ProcessRequestEMCallback function entry in the Lotus C API Reference.

Creating a third-party Administration Request

You can extend the Administration Process by creating an administration request directed to a third-party server add-in task that interprets the request and acts on it. When creating a third-party administration request, specify:

The Message Queue name in the ProxyProcess field of the request. The Administration Process uses this data to pass the request's and response's note IDs.

The Server name in the ProxyServer field of the request to identify the Domino server on which the server add-in task is running.

A Text version of an identifier, greater than 5000, in the ProxyAction field.


The Administration Process acts on third-party requests by opening the message queue and placing a message with the IDs of the administration request and log notes in it. The add-in task monitors the message queue and then performs the required processing.
For information on creating a server add-in task that processes third-party administration requests, see the Lotus C API User Guide.
To verify which task is processing a request
To verify whether AdminP or another task is processing an administration request:
1. From the Domino Administrator, choose Server - Analyses - Administration Requests (6).
2. Open the All Requests by Action view.
3. Select the request, right-click, and choose Document Properties.
4. Click the Field tab, and then locate the ProxyProcess field, which contains the name of the task that is processing the administration request.
The ProxyProcess field is set by the program that created the request.
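The three fields above are the whole contract between the request author, the Administration Process and the add-in task, so a malformed request is worth catching before it is posted. The following Python is an added example, not code from this manual, from Lotus Domino or from the C API: it validates the fields as the text describes them and then simulates the hand-off of the request and log note IDs through a named queue. The queue name, server name, note IDs and the non-empty checks on ProxyProcess and ProxyServer are this example's own assumptions; the "text identifier greater than 5000" rule for ProxyAction is from the text.

```python
# Added example (not from the manual): validate the three fields a third-party
# administration request must carry, then simulate how the Administration
# Process hands the request and log note IDs to the add-in through the named
# message queue.  Queue names, server names and note IDs are constructed.
from collections import defaultdict, deque

THIRD_PARTY_ACTION_MIN = 5001   # text: identifier greater than 5000


def validate_third_party_request(doc):
    """Return a list of problems; an empty list means the request is well formed."""
    problems = []
    queue = doc.get("ProxyProcess")
    if not isinstance(queue, str) or not queue.strip():
        problems.append("ProxyProcess must name the add-in task's message queue")
    server = doc.get("ProxyServer")
    if not isinstance(server, str) or not server.strip():
        problems.append("ProxyServer must name the Domino server running the add-in task")
    action = doc.get("ProxyAction")
    if not isinstance(action, str):
        problems.append("ProxyAction must be stored as text")
    elif not action.isdigit() or int(action) < THIRD_PARTY_ACTION_MIN:
        problems.append("ProxyAction must be a text identifier greater than 5000")
    return problems


def build_third_party_request(queue, server, action_id):
    """Construct a request document (as a dict), refusing a malformed one."""
    doc = {"ProxyProcess": queue, "ProxyServer": server,
           "ProxyAction": str(action_id)}
    problems = validate_third_party_request(doc)
    if problems:
        raise ValueError("; ".join(problems))
    return doc


class MessageQueues:
    """Minimal stand-in for Domino message queues: one FIFO per queue name."""

    def __init__(self):
        self._queues = defaultdict(deque)

    def post_request(self, doc, request_note_id, log_note_id):
        """What the Administration Process does for a valid third-party
        request: place the request and log note IDs on the named queue."""
        problems = validate_third_party_request(doc)
        if problems:
            raise ValueError("; ".join(problems))
        self._queues[doc["ProxyProcess"]].append({
            "request": request_note_id,
            "log": log_note_id,
            "action": int(doc["ProxyAction"]),
        })

    def next_message(self, queue):
        """What the add-in task does: take the next message, or None if idle."""
        q = self._queues.get(queue)
        return q.popleft() if q else None


if __name__ == "__main__":
    mq = MessageQueues()
    req = build_third_party_request("MQ$EXAMPLEADDIN", "Addin1/Acme", 6001)
    mq.post_request(req, "0x1234", "0x1236")   # constructed note IDs
    print(mq.next_message("MQ$EXAMPLEADDIN"))
```

The validator rejects both failure modes a request author is most likely to produce: a numeric ProxyAction stored as a number rather than text, and an identifier in the range reserved below 5000.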

Scheduling Administration Request processing

To adjust the default timing of when administration requests are carried


out, edit the Server document. You may want to force a request to occur
immediately if the administration request is critical.
For more information on using server console commands to force
administration request processing, see the topic Managing
Administration Process requests earlier in this chapter.


Each setting in the Administration Process section of the Server


document controls the timing of specific types of requests. Interval
settings and replication schedules for each server determine how quickly
the administrative settings replicate throughout the domain. As these
requests are carried out, the speed with which they are replicated to the
appropriate databases in the domain depends on the replication schedule
for those servers. If necessary, you can schedule separate replication
events for more immediate updates.

To schedule Administration Process requests

1. From the Domino Administrator, click the Configuration tab.
2. Choose Server - All Server Documents.
3. Select the server whose Server document you are editing.
4. Click the Server Tasks - Administration Process tab.
5. Complete these fields, and then click Save and Close.

Field: Interval
  Enter: The number of minutes that pass between the processing of name-management requests (rename, delete, and recertify). The default is 60 minutes.

Field: Execute once a day requests at
  Enter: The time when updates to Person documents occur and Rename person in unread lists requests run. The default is 12 AM.

Field: Interval between purging mail file and deleting when using object store
  Enter: The number of days that pass between running the Object Collect task against a mail file that uses shared mail and deleting the mail file. The default is 14 days.

Field: Start executing on
  Enter: The day on which updates to Authors and Readers fields in a database and discovery of shared and private design elements for a deleted person occur. The default is Sunday.

Field: Start executing at
  Enter: The time when the updates to Authors and Readers fields in a database and discovery of shared and private design elements for a deleted person occur. The default is 12 AM.

Field: Mail file moves expire after
  Enter: The number of days during which the Notes client will update mail-related changes. The default is 21 days. Valid values are 7 to 60, inclusive.

Field: Store Admin Process log entries when status of no change is recorded
  Enter: Logs a No change status entry in the Administration Process log each time a database is scanned to determine whether an administration request requires a change to that database and no change is made. The default is No. Keeping this field set to No may greatly reduce the size of the Administration Requests database. For more information on controlling the size of the Administration Requests database, see the topic Controlling the size of the Administration Requests database.

Field: Suspend Admin Process at
  Enter: (Optional) Time when the Administration Process stops processing requests. To conserve server resources, suspend the Administration Process during peak computer usage hours. For more information on suspending the Administration Process, see the topic Suspending administration request processing.

Field: Restart Admin Process at
  Enter: (Optional) Time when the Administration Process starts processing requests again. To conserve server resources, set the Administration Process to restart during non-peak computer usage hours. For more information on suspending the Administration Process, see the topic Suspending administration request processing.

Using an extended administration server

You can designate extended administration servers for one Domino Directory by selecting a namespace in the Domino Directory's extended access interface and designating a particular server as an administrator for that namespace. The new interface allows you to specify the exact namespace that an individual administration server is responsible for. The extended administration server distributes the administration responsibilities across multiple servers, which is especially useful for remote administration of servers that are geographically dispersed. The concept of the extended administration server was developed in order to make remote administration available to administrators.
All of the Domino servers in the domain must be Lotus Domino 6 servers or newer to use the extended administration server feature.


An extended administration server is an administration server that processes Domino Directory administration requests. The target documents in the Domino Directory are added to, modified, or deleted only if they belong to a particular namespace within the Domino Directory. A namespace is defined by a certification hierarchy, for example, OU=Sales/O=Acme, where the organization is Acme and the organizational unit is Sales. You can specify the organization or one or more organizational units as a namespace for which an extended administration server is used to process administration requests. The traditional administration server modifies all of the target documents in a Domino Directory which either do not belong to any namespace or to which an extended administration server has not been assigned.

Setting up an extended administration server

Complete these instructions to set up an extended administration server.
1. From the Domino Administrator, click the Files tab and then open the Domino Directory (NAMES.NSF).
2. Choose Files - Database - Access Control.
3. Click Advanced and select Enable Extended Access.
4. Click Basics and click Extended Access.
5. In the Names list, select the namespace (an organization or one or more organizational units) for which you are assigning an administration server.
6. Select the server that you are designating as an administration server.
7. Choose one of these Access applies to settings:
   - This entry only, to assign the selected administration server to the selected namespace only. Namespaces that are subordinate to the selected namespace are not affected by this selection.
   - This entry and all descendants, to assign the selected administration server to the selected namespace and to all subordinate namespaces.
8. In the Access field, in the Allow column, click Administer.
9. Click OK.
10. Click Yes.
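As an added illustration (not part of the Domino documentation or of the product), the following Python models how namespace assignments decide which administration server is responsible for a Domino Directory document: the "This entry only" and "This entry and all descendants" settings from the procedure above, with the traditional administration server handling documents outside every assigned namespace. The data model, function names and organization and server names are assumptions; so is the rule that, when several assignments cover one document, the most specific namespace wins.

```python
# Added example (not Domino's own code): model of extended administration
# server namespace assignments.  NamespaceAssignment, resolve_admin_server
# and the sample names below are assumptions made for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NamespaceAssignment:
    """One Extended Access entry granting 'Administer' to a server."""
    namespace: str      # certification hierarchy, e.g. "OU=Sales/O=Acme"
    server: str         # server designated as administration server
    descendants: bool   # True  = "This entry and all descendants"
                        # False = "This entry only"


def split_name(name: str) -> List[str]:
    """'CN=Jane Doe/OU=Sales/O=Acme' -> ['cn=jane doe', 'ou=sales', 'o=acme'].
    Components are lower-cased because Notes name comparison is case-insensitive."""
    return [c.strip().lower() for c in name.split("/") if c.strip()]


def parent_namespace(name: str) -> str:
    """The namespace a document belongs to: its hierarchical name with the
    leaf (CN=...) component removed.  A flat name has no namespace ('')."""
    comps = [c.strip() for c in name.split("/") if c.strip()]
    return "/".join(comps[1:])


def namespace_covers(assignment: NamespaceAssignment, parent: str) -> bool:
    """Does this assignment's namespace cover the document's parent namespace?"""
    ns = split_name(assignment.namespace)
    par = split_name(parent)
    if not assignment.descendants:
        # "This entry only": subordinate namespaces are not affected.
        return ns == par
    # "This entry and all descendants": the assigned namespace must be the
    # tail of the document's namespace (OU=Sales/O=Acme lies under O=Acme).
    return len(ns) <= len(par) and par[len(par) - len(ns):] == ns


def resolve_admin_server(doc_name: str,
                         assignments: List[NamespaceAssignment],
                         traditional_server: str) -> str:
    """Return the server responsible for Domino Directory changes to doc_name.
    Documents outside every assigned namespace fall back to the traditional
    administration server.  When several assignments cover a document, the
    most specific (longest) namespace wins: an assumption of this example."""
    parent = parent_namespace(doc_name)
    best: Optional[NamespaceAssignment] = None
    for a in assignments:
        if namespace_covers(a, parent):
            if best is None or len(split_name(a.namespace)) > len(split_name(best.namespace)):
                best = a
    return best.server if best is not None else traditional_server


# Constructed sample data (hypothetical organization and server names).
SAMPLE_ASSIGNMENTS = [
    NamespaceAssignment("OU=Sales/O=Acme", "Sales-Admin/Acme", descendants=False),
    NamespaceAssignment("O=Acme", "HQ-Admin/Acme", descendants=True),
]
TRADITIONAL = "Admin/Acme"


if __name__ == "__main__":
    for doc in ("CN=Jane Doe/OU=Sales/O=Acme",          # Sales-Admin (exact entry)
                "CN=Bob Lee/OU=East/OU=Sales/O=Acme",   # HQ-Admin (Sales entry is "this entry only")
                "CN=Carol Ng/O=Other",                  # traditional server (no namespace assigned)
                "Flat Name"):                           # traditional server (no hierarchy)
        print(f"{doc:40s} -> {resolve_admin_server(doc, SAMPLE_ASSIGNMENTS, TRADITIONAL)}")
```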

Removing an extended administration server


Complete these instructions to remove an extended administration server.
1. From the Domino Administrator, click the Files tab and then open
the Domino Directory (NAMES.NSF).
2. Choose Files - Database - Access Control.
3. Click Extended Access.
4. In the Names list, select the namespace (an organization or one or
more organizational units) from which you are removing an
administration server.
5. Select the server that will no longer be an administration server for
the selected namespace.
6. Click Remove.
7. Click OK.
8. Click Yes.


Administration Process Statistics

Use the Administration Process statistics to monitor and review the administration process activity on the servers in your Domino domains. Administration Process statistics and their descriptions are listed in this table.
Administration Process Statistic | Reason for update to statistic
ACLsModified | Statistic is updated when the Administration Process modifies a database ACL.
ReaderAuthorModified | Statistic is updated when the Administration Process modifies a database due to a user name change, resulting in a change to Reader and/or Author fields for that database.
ReplicasDeleted | Statistic is updated when the Administration Process deletes a mail file due to a mail database move, or when a user, the user's mail file, and replica are deleted. This statistic is also updated when replicas are removed due to a Delete Database request.
ReplicasCreated | Statistic is updated when the Administration Process creates a mail file due to a mail file move.
AppointmentsModified | Statistic is updated when the Administration Process updates an appointment due to a name change.
ProfilesModified | Statistic is updated when the Administration Process updates the calendar profiles due to a user's name change.
DesignElementsDeleted | Statistic is updated when the Administration Process removes a design element from a database. In most cases this occurs when a user is deleted and the agents that were created by the user are removed from a database.
DirectoryDocumentsDeleted | Statistic is updated when the Administration Process deletes entries from the Domino Directory, for example, deletions due to deleting a user or a server.
DirectoryDocumentsModified | Statistic is updated when the Administration Process modifies entries in the Domino Directory, for example, when a user is renamed.
DirectoryDocumentsAdded | Statistic is updated when the Administration Process updates entries in the Domino Directory, for example, when Mail-In database entries are added for future processing.
Cross Domain Request Sent | Statistic is updated when the Administration Process sends requests from one domain to another domain. This occurs when cross-domain processing is enabled.
Cross Domain Request Rejected | Statistic is updated when the Administration Process receives or rejects requests from another domain. This occurs when cross-domain processing is enabled.
Cross Domain Request Accepted | Statistic is updated when the Administration Process receives or accepts requests from another domain. This occurs when cross-domain processing is enabled.

Administration request messages

The response Log documents in the Administration Requests database contain error messages that describe any errors that occur during the processing of an administration request. Error messages also appear on the console of the administration server. Administrators who want to be notified when one of these events occurs on a server can create an Event Handler document in EVENTS4.NSF to define how they want to be notified.
For more information on Event Handlers, see the chapter Monitoring the Domino Server.
For details on what the particular messages mean and for information on the corrective actions that can be taken, see the documentation in EVENTS4.NSF for that message.
This table describes the messages and, in some cases, the causes of messages that appear in the Administration Requests database. In addition, the table indicates the corrective action to take, where appropriate.

Message | Occurs during | Corrective action to take
The time after which this request can be processed has not been reached. This request cannot be processed until time; check the Perform request again? box after time. | Renaming; Recertification | When the time arrives, select Perform request again in the response Log document.
The date after which this request is no longer valid has passed. This request could only be processed until time; the current date and time is time. | Renaming; Recertification | Resubmit the request from the Domino Directory.
The mail file was previously deleted on server by a Delete Mail File administration request. | Delete all replicas of a mail file when deleting a user name | None
The mail file specified for this person in the Address Book does not exist on this server. | Delete all replicas of a mail file when deleting a user name | None
A replica of this person's mail file does not exist on this server. | Delete all replicas of a mail file when deleting a user name | None
The signature on this request has expired. | Renaming | Resubmit the request from the Domino Directory.
The issuer of this request does not have the proper authority. | Renaming | Resubmit the request from the Domino Directory. Be sure to use a certifier ID that is an ancestor of the user ID.
This name does not appear in the ACLs of any databases designating server as their Administration Server. | Renaming; Deletion | None
All of the required fields in the request have not been signed. Cause of error - An unauthorized person or a non-Domino program edited a posted request. This indicates a failed security attack. | Any request | Resubmit the request from the Domino Directory.
The request's new public key does not match the designated server. Cause of error - The key in the request doesn't match that in the Server document. | Copy Server's Certified Public Key | Delete the request, and then shut down and restart the appropriate server to issue a new request. Delete the public key from the Server document.
The existing public key is newer than the public key in the request. Cause of error - The server was recertified before this request could be carried out. | Copy Server's Certified Public Key | None
The request's signer and the designated server are not the same. Cause of error - The server specified in the request did not sign the request. This may indicate a failed security attack from a forged request or a request generated by a non-Domino program. | Place Server's Notes Build Number into Server Record | Delete the original request and then restart the server. Click Perform request again in the response Log document.
The selected certifier is not the target certifier in the move request. Cause of error - The target certifier is not the one you specified when you issued the original request. | Request Move to New Certifier | Reissue the request and specify the correct certifier.
A required certifier was not found in the Address Book. If you see the error when the administrator is performing an action, the Certifier or Cross-Certifier document is identified in the Notes Log on the administrator's client. If the Administration Process reports the error, the Certifier or Cross-domain Certifier document is identified in the log (LOG.NSF) of the server that reported the error. | Initiate Rename in Domino Directory; Recertify Server in Domino Directory; Recertify Person in Domino Directory; Rename Person in Domino Directory; Rename Server in Domino Directory | Do the following: 1. Create the necessary Certifier document(s) in the Domino Directory. 2. For each Certifier document, copy the certified public key from the certifier ID to the Certifier document in the Domino Directory. 3. At the server console, enter load updall names.nsf -t $certifiers. 4. Click Perform request again in the response Log document. Resubmit the request from the Domino Directory.
The Administration Process cannot set the target time for processing requests. | Delete Unlinked Mail File | Restart the server, and then click Perform request again in the response Log document.
This type of Administration Request cannot be performed on a non-hierarchical server. | All requests except Copy Server's Certified Public Key and Place Server's Notes Build Number Into Server Record | Upgrade the server to hierarchical naming so you can complete all Administration Process requests on it.
The change request was not for a server or person. Cause of error - An unauthorized person or a non-Domino program edited a posted request. This can indicate a failed security attack. | Rename |
The Administration Process is not designed to support this type of Administration Request. | When a server running an older version of Notes encounters a Domino 5.0 Administration Request. An older server is unable to process the request. | Upgrade the server to the current release.
The name to act on was not found in the Address Book. Cause of error - The public key is corrupt in the Person or Server document. | Renaming; Recertification | Delete the corrupted public key from the Server or Person document. From a Server document: 1. From the Domino Administrator, select a server and click the Configuration tab. 2. Click Edit document. 3. Click the Miscellaneous tab. 4. Delete the public key from the Certified Public Key field, or if you are adding one, enter a public key. 5. Click Save and Close. From a Person document: 1. From the Domino Administrator, click the People & Groups tab. 2. Select the person whose Person document you are modifying. 3. Click Edit Person. 4. Click the Public Keys tab. 5. Delete the public key from the Certified Public Key field, or if you are adding one, enter a public key. 6. Click Save and Close.
The person requesting the delete action cannot delete documents in the Address Book. Cause of error - This can indicate a failed attempt by an unauthorized person to delete documents from the Domino Directory. | Delete users, servers, groups, or resources | Give the person making the request the appropriate access to the Domino Directory, and then select Perform request again in the response Log document.
The person submitting the request doesn't have appropriate access to the replica of the Domino Directory. | | Give the person making the request the appropriate access to the Domino Directory.
The Administration Process cannot set the execution time for a spawned request. | Delete Mail file | Restart the server and then click Perform request again in the response Log document.
This server is not currently a member of a cluster. This database cannot be marked for deletion. | Remove Server from Cluster | Manually delete the database.
The Author of the Administration Request is not allowed to create databases on this server. | Create Replica; Move Replica | Give the person making the request Create Database access to the destination server. Then click Perform request again in the response Log document.
The administrator or database manager requesting the delete action needs Author access (or greater) to the Address Book. | Delete user, server, or group | The requests require at least Author (with Delete documents) access with the appropriate role (UserModifier, ServerModifier, or GroupModifier). The person must have access to the replica of the Domino Directory used to submit the request and to the replica on the administration server for the Domino Directory.
Mail file already exists. New mail file not created. | Create Mail File | None
The person requesting this move action needs at least Manager access to the database. | Move Replica; Non-cluster move replica | Give the person making the request Manager with Delete documents access. Then select Perform request again in the response Log document.
Server name not found in Public Address book. | Rename in Access Control List | Wait for the name change to replicate to the Domino Directory on this server. Then select Perform request again in the response Log document.

Chapter 16
Setting Up and Using Domino Administration Tools
This chapter explains how to install and navigate the Domino Administrator. It also includes information on setting up and using the Web Administrator, which allows you to administer a Domino server using a browser.

The Domino Administrator

The Domino Administrator is the administration client for Notes and Domino. You can use the Domino Administrator to perform most administration tasks. You can administer the Domino system using the local Domino Administrator or using the Web Administrator.
Information about the Domino Administrator in this section includes:
- Domino Administrator installation
- Setting up and starting the Domino Administrator
- Selecting a server to administer in the Domino Administrator
- Setting Domino Administrator preferences
- Navigating Domino Administrator
- How administrative tasks are organized on the Domino Administrator tabs


Installing the Domino Administrator

When you install and set up a Domino server, the Server Setup program does not install the Domino Administrator, which is the administration client. You must run the Domino Administrator client setup to install the Domino Administrator client. There are many ways to set up your Administrator client installation.
Do not install the Domino Administrator on the same system on which you installed the Domino server. Doing so compromises Domino's security and impairs server performance.

For more information on installing the Domino clients, including the Domino Administrator, see the chapter Setting Up and Managing Notes Users.

Setting up the Domino Administrator


1. Make sure the Domino server is running.
2. Start the Domino Administrator.
3. The first time you start the Domino Administrator, a setup wizard
starts. After you answer the questions displayed by the setup wizard,
the Domino Administrator client opens automatically.

Starting the Domino Administrator

There are several ways to start the Domino Administrator.
1. Make sure the Domino server is running.
2. Do one:
   - From the Windows control panel, click Start - Programs - Lotus Applications - Lotus Domino Administrator.
   - Click the Domino Administrator icon on the desktop.
   - From the Notes client, click the Domino Administrator bookmark button or choose File - Tools - Server Administration.


Navigating Domino Administrator

The user interface for the Domino Administrator is divided into four panes. Clicking in one pane dynamically updates information in other panes. The following figure shows the user interface for the Domino Administrator.

[Figure: the Domino Administrator user interface, with callouts for the Window tab, Tabs, Domain, Current server name, Bookmark bar, Server pane, Task pane, Results pane, and Tools pane.]

Task pane
The task pane provides a logical grouping of administration tasks organized by tabs. Each tab includes all the tasks associated with a specific area of administration. For example, to manage the files located on a particular server, select a server and click the Files tab.
Results pane
The appearance of the results pane changes, based on the task you are
performing. For example, the results pane may display a list of files, as
on the Files tab, or an active display of real-time processes and statistics,
as on the Server - Monitoring tab.


Server pane
The server pane displays the servers in the domain, grouped in different
views. For example, you can view all servers in the domain or view them
by clusters or networks. To pin the server pane open, click the pin icon
at the top of the server pane.

Tools pane
The tools pane provides additional functions associated with a selected
tab. For example, from the Files tab you can check disk space and
perform tasks associated with files.
Window tabs
Use window tabs to switch from one open window to another in the
Domino Administrator. Every time you open a database or a document,
a new window tab appears beneath the main menu bar.
Domains
You can access the servers in each domain that you administer. Click a
domain to open the server pane.
Bookmark bar
The Bookmark bar organizes bookmarks. Each icon on the Bookmark bar
(running down the left edge of the Domino Administrator window)
opens a bookmark or a list of bookmarks, which can include Web
browser bookmarks.

Selecting a server to administer in the Domino Administrator

To administer a server, you select the server from a server list. You can have multiple server lists, each of which is represented by a button. After you select a server, information about that server appears in all the tabs.
Button | Description
Favorites | Lists your favorite servers, that is, those you administer most frequently. To add a server to Favorites, choose Administration - Add Server to Favorites, and then specify the name of the server to add.
Domain | Lists all servers in a domain. You can also view servers by hierarchy or by network.

For more information on adding domains, see the topic Setting Basics Preferences, later in this chapter.

To update a server list


The first time you start the Domino Administrator, the system
automatically creates a server list, based on the domains listed in
Administration Preferences. If you add new servers to the list, choose
Administration - Refresh Server List.


Setting Domino Administration preferences

To customize the Domino Administrator work environment, set any of these administration preferences.
Preference | Description
Basics | Select domains to administer; add, edit, or delete domains; set the domain location setting; select the domain directory server; specify Domino Administrator startup settings
Files | Customize which columns appear on the Files tab; change the order in which columns appear; limit the types of files that the Domino Administrator retrieves
Monitoring | Configure global settings used to monitor the server; enable server health statistics and reports
Registration | Select global settings to use to register users, servers, and certifiers
Statistics | Select global settings for statistic reporting and charting; enable statistic alarms while monitoring statistics

Setting Basics preferences

To manage Domino domains, set Basics preferences.
1. From the Domino Administrator, choose File - Preferences - Administration Preferences.
2. In the Basics section, under Manage these Domino Domains, do one:
   - Click New to add a domain, and then continue with Step 3.
   - Click Edit to edit an existing domain, and then continue with Step 3.
   - Click Delete to delete an existing domain.
3. Complete these fields:
Field | Action
Domain name | Enter the name of the domain to add, or edit an existing name.
Domino directory servers for this domain | Enter one or more directory servers, separated by commas, or edit the list. For example: Mail-E/East/Acme, Mail-W/West/Acme
What location settings do you want to use for this domain? | Choose one: Do not change location; or Change to this location, and specify the location from which you want to manage this domain.
4. Under Domino Administrator Startup Settings, complete these fields:
Field | Action
On startup | Do one: choose Don't connect to any server; choose Connect to last used server; or choose Connect to specific server and then specify the startup domain and startup server.
Show Administrator Welcome Page | Do one: check this box to see the Welcome page each time you start the Domino Administrator; or uncheck this box if you do not want to see the Welcome page.
5. Click OK, or click Files to continue setting Administration Preferences.


Setting Files preferences

By setting Files preferences, you can customize which columns appear on the Files tab, change the order in which columns display, and limit the types of files the Domino Administrator retrieves.
By default, the Files tab displays columns in this order:
- Title
- File Name
- Physical Path
- File Format
- Size
- Max Size
- Quota
- Warning
- Created
- Last Fixup
- Is Logged
- Template

To set Files preferences

1. From the Domino Administrator, choose File - Preferences - Administration Preferences.
2. Click the Files section.
3. Do one:
   - To add a column, select a column from the Available Columns list and click the right arrow to add it to the Use these Columns list.
   - To remove a column, select a column from the Use these Columns list and click the left arrow to remove it from the list.
4. Click the up or down arrows to change the order of the columns in the Use these Columns list.
5. Check Retrieve only (NSF, NTF, BOX) Domino file types (faster) to limit the types of files retrieved. Uncheck this box to retrieve all file types.
6. Click OK or click Monitoring to continue setting Administration Preferences.
For more information on setting Files preferences in the Web Administrator, see the topic Setting Files Preferences for the Web Administrator later in this chapter.

Setting Monitoring preferences

You can use the default Monitoring preferences or customize them.
1. Choose File - Preferences - Administration Preferences.
2. Click Monitoring, and then complete the Global settings for Monitoring:
Field | Action
Do not keep more than <n> MB of monitoring data in memory (4 - 99MB) | Enter the maximum amount of virtual memory, in MB, used to store monitoring data. Default is 4.
Not responding status displayed after <n> minutes of inactivity | Enter the amount of time after which the not responding status displays. The default is 10 minutes.
Generate server health statistics and reporting | Select this option to include health statistics in charts and reports. Note: You must enable this option to use the Server Health Monitor, which is part of the IBM Tivoli Analyzer for Lotus Domino.
3. In the Location section, complete these fields:
Field | Action
When using this location | Choose the Location document.
Monitor servers | Do one: choose From this computer to monitor servers from the local Domino administration client; or choose From server, click Collection Server, and then select the Domino server running the Collector task for the servers being monitored by the location you selected.
Poll server every <n> minutes (1-60 minutes) | Enter the server's polling interval, in minutes. If From this computer is selected, the default is 1 minute. If From server is selected, the default is 5 minutes.
Automatically monitor servers at startup | Select this option to start the Domino Server Monitor when you start the Domino Administrator.

Setting Registration preferences

Within the Domino Administrator, you can set default registration preferences that apply whenever you register new certifiers, servers, and users.
1. From the Domino Administrator, choose File - Preferences - Administration Preferences.
2. Click Registration.
3. Complete any of these fields:
Field | Action
Registration Domain | Select a domain from the list. The registration domain is the domain into which users and servers are registered.
Create Notes IDs for new users | Click to create a Notes ID for each new user during the registration process.
Certifier name list | Choose a certifier ID to use when creating the user name during user registration when a Notes user ID is not being created for the user. This field appears if the check box Create a Notes ID for this person is not selected.
Certifier ID | If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization. Do one: choose Certifier ID to use the certifier ID and password, then click Certifier ID, select the certifier ID file, and click OK to select the certifier ID used to register new certifiers, servers, and users; or choose Use CA Process to use the Domino server-based certification authority.
Registration Server | Click Registration Server to change the registration server, which is the server that initially stores the Person document until the Domino Directory replicates. Select the server that registers all new users, and then click OK. If you do not explicitly define a registration server, it is, by default: the local server if it contains a Domino Directory; otherwise the server specified in the NewUserServer setting in the NOTES.INI file; otherwise the administration server.
Explicit policy | If you already created explicit policies, select the policy from the list. If you have not created explicit policies, this field displays None Available.
User Setup Profile | Select a profile. The default is none. You can assign either a policy or a user setup profile, but you cannot assign both to the same users.
Mail Options | Click Mail Options to display the Mail Registration Options dialog box. Choose one of the following and complete any required associated fields: Lotus Notes (default): the Internet address is automatically generated. Other Internet: the Internet password is set by default during registration; enter a forwarding e-mail address. POP: the Internet address is automatically generated during registration, and the Internet password is set by default during registration. IMAP: the Internet address is automatically generated during registration, and the Internet password is set by default during registration. Other: enter a forwarding e-mail address. None. Note: If you select Other or Other Internet, you will need to enter a forwarding address for the user during user registration. The forwarding address is the e-mail address to which the user wants their mail sent.
User ID/Password Options | Click User ID/Password Options Settings to open the Person ID File Settings dialog box. Do any of these: Person ID folder: choose a folder or enter a directory path in which to store the ID files generated for this user during registration. Person password quality: set a new password quality for the ID files that are generated for this user during registration. The default for a user ID is 8.
Advanced Options | Click Advanced Options to open the Advanced Person Registration Options dialog box, on which you can specify the following: whether to keep registered users in the registration queue; whether to attempt to register users with an error status from a previous registration attempt; whether to prompt for duplicate files; whether to search all directories for duplicate names; other registration settings.
Server/Certifier Registration | Click to open the Server Certifier ID File Settings dialog box, on which you can define the directories in which to store certifier IDs and server IDs and specify the default password quality setting for each.
4. Click OK.
For more information on explicit policies, see the chapter Using Policies. For more information on Advanced Options, see Domino Administrator 6 Help.

Setting Statistics preferences

You set statistics preferences to enable statistics reporting and statistics charting. The Statistics section in Administration preferences is also where you specify the polling and reporting time interval used for gathering and reporting statistics.
You also enable statistic alarms for use with statistic event generators. If you create statistics event generators to report alarms, you must enable statistics alarms.
To set statistics preferences
1. From the Domino Administrator, choose File - Preferences - Administration Preferences.
2. Click Statistics.
3. Complete these fields:
Field | Action
Generate statistic reports while monitoring or charting statistics | Do one: enable the field and then specify, in minutes, how often to create statistics reports in the Monitoring Results database (STATREP.NSF); the default is 45 minutes, and the value must be greater than the monitoring poll interval specified in the Monitoring preferences. Or disable the field if you do not want to create statistics reports or charts.
Check statistic alarms while monitoring or charting statistics | Do one: enable the field to report an alarm when a statistic exceeds a threshold; you must enable this field to generate statistic events, and alarms are reported to the Monitoring Results database (STATREP.NSF). Or disable the field if you do not want to generate alarms.
Chart statistic using same poll interval as monitoring | Do one: enable the field to use the poll interval specified in the Monitoring preferences. Or disable the field to set a charting interval that is different from the poll interval, and then specify a time interval in which to chart statistics; the default is 20 seconds.
4. Click OK.


Domino Administrator tabs

General administration tasks are organized by the tabs described in the
following table. Click a tab to display its contents, or use the
Administration menu to navigate among the tabs. For example, to move
from the Files tab to the Replication tab, choose Administration - Replication.

Tab: People & Groups
Use to administer: People-related Domino Directory items such as Person
documents, groups, mail-in databases, and policies

Tab: Files
Use to administer: Databases, templates, database links, and all other files in
the server's data directory

Tab: Server
Use to administer: Current server activity and tasks. This tab has five sub-tabs:
Status, Analysis, Monitoring, Statistics, and Performance.

Tab: Messaging
Use to administer: Mail-related information. This tab has two sub-tabs: Mail
and Tracking Center.

Tab: Replication
Use to administer: Replication schedule, topology, and events

Tab: Configuration
Use to administer: All server configuration documents such as the Server,
Messaging Settings, Configuration Settings, and Server Connections documents.

People and Groups tab in the Domino Administrator

From the People and Groups tab, you perform these tasks to manage the
Domino Directory:

Register new users and groups

Manage existing users, groups, mail-in databases, and other resources

Assign policies to users and groups

Assign roaming options and Internet settings to users

Files tab in the Domino Administrator

From the Files tab, you perform these tasks to manage database folders
and links:

Access a folder and one or more files inside the folder

Select the type of files to display, for example, only databases or only
templates

Move or copy a database by dragging it onto a Domino server on the
bookmark bar

Manage databases, for example, compact databases and manage ACLs

View disk size and free space on the C drive

Server tabs in the Domino Administrator


There are five Server tabs: Status, Analysis, Monitoring, Statistics, and
Performance.
Status
From the Status tab, you can:

See which server tasks are running, stop or restart them, or start new
tasks

See who is connected to the server, including Notes users, browser
and e-mail clients

See which Notes databases are currently in use

Access the live remote console of the server

Monitor the schedule of programs, agents, mail routing and
replication

Analysis
From the Analysis tab, you can:

View, search, and analyze the log file (LOG.NSF)

Access the database catalog on the server

Access the Monitoring Results database (STATREP.NSF)

Manage Administration Process requests

Monitoring
From the Monitoring tab, you can:

Check the status of Domino servers

Check server availability and sort servers by state or timeline

View the current status of tasks running on each server and view
selected statistics

Monitor server health status and access server health reports

Statistics
From the Statistics tab, you can see the real-time statistics for the current
status of the Domino system.


Performance
From the Performance tab, you can:

View statistic charts for server performance in real time

Chart historical server performance over a selected period of time

Manage server activity trends

Perform resource load-balancing among servers

Messaging tabs in the Domino Administrator


There are two messaging tabs.
Mail
From the Mail tab, you can:

Manage the mailboxes on the server

Check mail

Manage shared mail

Monitor the log file for routing-related events

Run reports on messaging use

Tracking Center
From the Tracking Center tab, you can issue tracking requests to track
messages. You must enable the Tracking Center tab in the Web
Administrator.
For more information on enabling the Tracking Center for the Web
Administrator, see the topic Message tracking in the Web
Administrator later in this chapter.

Replication tab in the Domino Administrator

From the Replication tab, you can:

View the server replication schedule

Check the log file for replication events

View replication topology maps related to the server

Configuration tab in the Domino Administrator

From the Configuration tab, you can configure all server options,
settings, and configurations for various subsystems, including:

Security

Monitoring

Messaging

Policies

Replication

Directory services

Off-line services

Domino Administrator tools


Most tabs on the Domino Administrator include a set of tools that change
based on the selected tab. For example, the People and Groups tab
includes two tools: one for managing people and one for managing
groups.
To hide or show the Tools panel, click the triangle. To choose a specific
tool, click the triangle to expand or collapse the tools options. Hiding
tools on one tab does not hide tools on other tabs.
You can also access tools using:

Right click: Select an object that has an associated tool and right
click. For example, on the People & Groups tab, right-click a Person
document to access the People tools.

Menus: For each tab that has tools, the appropriate tools menu
appears in the menu bar. For example, when you click the Files tab,
the Files menu appears.

The following table describes the tools that are on each tab.

Tab: People & Groups
Tools: People, Groups

Tab: Files
Tools: Disk Space, Folder, Database

Tab: Server - Status
Tools: Task, User, Ports, Server

Tab: Server - Analysis
Tools: Analyze

Tab: Messaging
Tools: Messaging

Tab: Configuration
Tools: Certification, Registration, Policies, Hosted Org, Server, Miscellaneous

Web Administrator
If you have a browser and want to manage and view settings for a
Domino server, you can use the Web Administrator to perform most of
the tasks that are available through the Domino Administrator. This
section includes the following information about the Domino Web
Administrator:
Setting up the Web Administrator

Setting up access to the Web Administrator database
(WEBADMIN.NSF)

Giving additional administrators access to the Web Administrator
and assigning roles

Starting the Web Administrator

Using the Web Administrator

Setting up the Web Administrator


The Web Administrator uses the Web Administrator database
(WEBADMIN.NSF). The first time the HTTP task starts on a Web server,
Domino automatically creates this database in the Domino data
directory. However, you need to make sure that the Web browser and
server meet these requirements for the Web Administrator to run.
Web browser requirement
You must use one of these browsers with the Web Administrator:

Microsoft Explorer 5.5 on Windows 98, Windows NT 4, Windows
2000 or Windows XP

Netscape 4.7x on Windows 98, Windows NT 4, Windows 2000,
Windows XP or on Linux 7.x

For the most current information about supported browsers, see the
Release Notes.
Domino server tasks required
You must have the following Domino server tasks running:

The Administration Process (AdminP) server task must be running
on the Web Administrator server.

The Certificate Authority (CA) process must be running on the
Domino 6 server that has the Issued Certificate List database on it to
register users or servers.

The HTTP task must be running on the Web server so that you can
use a browser to access it.

To set up the Web Administrator


1. Make sure that the server you want to administer is set up as a
Domino Web server and that it is running the HTTP task. The
Domino Web server does not have to be a dedicated server; you can
use it for other server tasks, such as mail routing and directory
services. You can administer only the servers you set up as Domino
Web servers.
2. Set up administrator access to the Web Administrator database
(WEBADMIN.NSF).
For more information on setting up the Domino Web server, see the
chapter Setting Up the Domino Web Server.
Windows integration
To take advantage of certain Windows OS integration features, you must
install the Microsoft Windows Management Instrumentation Software
Development Kit (WMI SDK) if you are running NT 4. Windows 2000
automatically includes WMI.

Setting up access to the Web Administrator database


Domino automatically sets up default database security when the Web
Administrator database (WEBADMIN.NSF) is created for the first time.
At that time, all names listed in either the Full Access Administrators or
Administrators fields of the Server document are given Manager access
with all roles to the Web Administrator database. In addition, the HTTP
server task periodically (about every 20 minutes) updates the Web
Administrator database ACL with names that have been added to the
Server document in either the Full Access Administrators or
Administrators fields, but only if the names are not already on the ACL
list.


For more information on how the HTTP server task synchronizes names
in the Server document with those on the Web Administrator database
ACL, see Giving additional administrators access to the Web
Administrator, later in this chapter.
Default database security
The default ACL settings for the Web Administrator database are listed
below. You do not need to change these settings if the administrator's
name appears in the Administrators field of the Server document.

Access control list

Default name: User and group names listed in either of these fields on
the Server document: Full Access Administrators, Administrators
Access level: Manager with all roles

Default name: The name of the server
Access level: Manager

Default name: -Default-
Access level: No access

Default name: Anonymous
Access level: No access

Default name: OtherDomainServers
Access level: No access

To access the Web Administrator database, you must have
name-and-password authentication or SSL client authentication set up on
the server. Name-and-password authentication is enabled for the HTTP
protocol by default.
To use name-and-password authentication, you must have an Internet
password in your Person document. To use SSL client authentication,
you must have a client certificate, and SSL must be set up on the server.
For more information, see the chapters Setting up Name-and-Password
and Anonymous Access to Domino Servers, Setting up Clients for
S/MIME and SSL, and Setting up SSL on a Domino Server.
To use name-and-password authentication, you must have an Internet
password in your Person document. To use SSL client authentication,
you must have a client certificate, and SSL must be set up on the server.
For more information, see the chapters Setting up Name-and-Password
and Anonymous Access to Domino Servers, Setting up Clients for
S/MIME and SSL, and Setting up SSL on a Domino Server.


Authenticating administrators
You can use either an Internet password or an SSL client certificate to
access the Web Administrator. The Web Administrator uses either
name-and-password or SSL authentication to verify your identity. The
method the Web Administrator uses depends on whether you set up the
server or the Domino Web Administrator database (WEBADMIN.NSF),
or both to require name-and-password or SSL authentication.

Giving additional administrators access to the Web Administrator


You can use the Server document as a convenient way to give additional
administrators access to the Web Administrator. To add an administrator
to the Web Administrator database (WEBADMIN.NSF) ACL, simply add
the name to either the Full Access Administrators or Administrators
field of the Server document. The HTTP server task routinely
synchronizes the names listed in those fields of the Server document
with those listed in the Web Administrator database ACL. Names that
are not already listed in the ACL are added with Manager access and all
roles. Names that are already listed in the ACL keep the access granted
to them in the ACL. This prevents custom ACL settings, such as limiting
the ACL roles of a particular administrator, from being overwritten. It
also allows you to restrict administrators from using the Web
Administrator, even though they are listed as administrators in the Server
document. If you delete an administrator's name from the Server
document, the name is also deleted from the Web Administrator
database ACL automatically at the next synchronization.
You can also give administrators access to the Web Administrator
manually by adding them directly to the Domino Web Administrator
database ACL. You can give an administrator full or partial access by
restricting the roles assigned. The roles assigned to an administrator
determine which commands are available to the administrator, and
which tabs appear in the Web Administrator client. You cannot restrict
roles when you add administrator access to the Web Administrator using
the Server document. If you add a name using the Server document, you
must manually restrict access to the Web Administrator through the
Domino Web Administrator database ACL. To prevent an administrator
from accessing the Web Administrator, assign No access in the ACL.
For more information on Web Administrator roles, see the topic
Administrator Roles in the Web Administrator later in this chapter.
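The synchronization rules above are easy to get wrong when auditing who can reach the Web Administrator, so the following Python models them together with the default ACL entries listed earlier in this section. It is an added illustration written for this page; it is not the Domino HTTP task's code and uses no Domino API. The function names, the previously_synced bookkeeping (the manual says removals propagate, not how the task remembers which names it added) and all sample names are assumptions.

```python
"""Model of how the Web Administrator (WEBADMIN.NSF) ACL is kept in step
with the Server document, as described in this chapter. Illustrative model
written for this page, not the Domino HTTP task's code, and it uses no
Domino API. Function names, the previously_synced bookkeeping and all
sample names are assumptions."""

from dataclasses import dataclass, field

# Predefined Web Administrator roles and the tab each one unlocks
# (from the roles table in this chapter).
ROLE_TO_TAB = {
    "Files": "Files",
    "People&Groups": "People & Groups",
    "Replication": "Replication",
    "Configuration": "Configuration",
    "Mail": "Messaging - Mail",
    "MsgTracking": "Messaging - Tracking Center",
    "ServerStatus": "Server - Status",
    "ServerAnalysis": "Server - Analysis",
    "ServerStatistic": "Server - Statistic",
}
ALL_ROLES = frozenset(ROLE_TO_TAB)

# Entries the manual lists as "No access" in the default ACL.
DEFAULT_NO_ACCESS = ("-Default-", "Anonymous", "OtherDomainServers")


@dataclass
class AclEntry:
    access: str                                   # e.g. "Manager", "No access"
    roles: frozenset = field(default_factory=frozenset)


def sync_webadmin_acl(server_doc_admins, acl, previously_synced):
    """Apply one synchronization pass and return (new_acl, synced_names).

    server_doc_admins: names in the Server document's Full Access
        Administrators and Administrators fields.
    acl: current WEBADMIN.NSF ACL as {name: AclEntry}; not modified.
    previously_synced: names the last pass took from the Server document
        (assumed bookkeeping; the manual says removals propagate but not
        how the task remembers which names came from the Server document).
    """
    new_acl = dict(acl)
    admins = set(server_doc_admins)
    for name in admins:
        # New names get Manager access with every role ...
        if name not in new_acl:
            new_acl[name] = AclEntry("Manager", ALL_ROLES)
        # ... while names already in the ACL keep their current access, so
        # a trimmed role set or an explicit "No access" survives the sync.
    # Names dropped from the Server document since the last pass are
    # removed. Names added by hand that were never in the Server document
    # are left untouched (assumption).
    for name in set(previously_synced) - admins:
        new_acl.pop(name, None)
    return new_acl, admins


def visible_tabs(entry):
    """Tabs an administrator sees: none with No access, else one per role."""
    if entry is None or entry.access == "No access":
        return []
    return sorted(ROLE_TO_TAB[r] for r in entry.roles if r in ROLE_TO_TAB)


def audit_defaults(acl):
    """Return the default entries that are missing or opened above No access."""
    return [name for name in DEFAULT_NO_ACCESS
            if acl.get(name) is None or acl[name].access != "No access"]


if __name__ == "__main__":
    # Constructed sample: one administrator already restricted by hand, one
    # new in the Server document, one removed from it since the last pass.
    acl = {
        "-Default-": AclEntry("No access"),
        "Anonymous": AclEntry("No access"),
        "OtherDomainServers": AclEntry("No access"),
        "Bob Admin/Acme": AclEntry("Manager", frozenset({"People&Groups"})),
        "Dave Old/Acme": AclEntry("Manager", ALL_ROLES),
    }
    new_acl, synced = sync_webadmin_acl(
        ["Alice Admin/Acme", "Bob Admin/Acme"], acl,
        previously_synced={"Bob Admin/Acme", "Dave Old/Acme"})
    for name, entry in sorted(new_acl.items()):
        print(f"{name:22} {entry.access:10} tabs={visible_tabs(entry)}")
    print("default entries to review:", audit_defaults(new_acl))
```

The point the model makes explicit is that the Server document only ever adds full-privilege entries; any narrowing (fewer roles, or No access) lives solely in the WEBADMIN.NSF ACL and survives each pass, so reviewing that ACL directly, including the -Default-, Anonymous and OtherDomainServers entries, is the check that matters.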
To update access to the Web Administrator database automatically
1. From the Domino Administrator, click the Configuration tab.
2. Select the Server view, and open the Current Server Document for
the Web Administration server.
3. Select the Security tab.
4. In one of these fields, enter the name of the administrator to whom
you want to give access to the Web Administrator:
Full Access Administrators
Administrators
5. Click Save & Close.

To update the Web Administrator database ACL list manually


You can manually add an administrator to the Web Administrator
database ACL list.
1. From the browser using the Web Administrator, click the Files tab.
2. Select the Web Administrator database (WEBADMIN.NSF).
3. From the Tools menu, select Database - Manage ACL.
4. Click Add and add the administrator or group name to the ACL of
the Web Administrator database.
5. In the Access field, select Manager.
6. Assign the roles. Assigned roles determine which commands and
tabs appear in the Web Administrator.
Tip To select more than one role, hold down the Shift or Control
key while selecting roles. Selected roles appear highlighted.
7. Do one of the following:
If the server requires name-and-password authentication, edit
each administrator's Person document and enter an Internet
password.
If the server requires SSL client authentication, set up the browser
for SSL.

Administrator roles in the Web Administrator

By default, the ACL gives Manager access and all roles to users named in
the Administrators and Full Access Administrators fields on the Server
document. However, you can restrict a Web administrator's access to
parts of the Domino Administrator by limiting the assigned roles. Each
role has a corresponding tab and associated commands. When you
restrict access, you also restrict which tabs appear in the Web
Administrator.
For example, if you assign only the People&Groups role to a Web
Administrator, the People & Groups tab is the only tab that appears when
that administrator uses the Web Administrator. The following table shows
the roles that have been predefined for the Domino Web Administrator.

Role: Files
Tab: Files

Role: People&Groups
Tab: People & Groups

Role: Replication
Tab: Replication

Role: Configuration
Tab: Configuration

Role: Mail
Tab: Messaging - Mail

Role: MsgTracking
Tab: Messaging - Tracking Center

Role: ServerStatus
Tab: Server - Status

Role: ServerAnalysis
Tab: Server - Analysis

Role: ServerStatistic
Tab: Server - Statistic

To restrict a Web administrator's access, use the Manage ACL tool on the
Files tab. For more information on managing ACL roles, see the chapter
Controlling User Access to Domino Databases. For more information
on SSL authentication, see the chapter Setting Up Clients for S/MIME
and SSL.

Starting the Web Administrator


When you start the Web Administrator, it displays the server's
administration homepage (information about the server and the
administrator using the server). It does not automatically open to a tab;
you must choose a tab to begin using the Web Administrator. To return
to the server administration homepage at any time, click the top left
server icon in the Web Administrator bookmark bar.
To start the Web Administrator
1. Start the HTTP task on the server if it is not already running.
2. From the browser, enter the URL for the Web Administrator
database on the server you want to administer. For example, enter:
http://yourserver.domain.com/webadmin.nsf
Or for SSL, enter:
https://yourserver.domain.com/webadmin.nsf
3. Enter your hierarchical, common name, or short name and your
Internet password.
4. Click one of the tabs to begin using the Web Administrator.

Using the Web Administrator


The Web Administrator is almost identical to the Domino Administrator
with very few exceptions. The user interface looks the same, and most
menu options, dialog and information boxes are identical, although the
Web Administrator may occasionally display additional information. For
example, the Mail tab in the Web Administrator offers additional
mail-specific statistics, for example, Mail Routing Schedule, Mail Routing
Statistics, and Mail Retrieval Statistics. This information is available in
the Domino Administrator; however, it is not displayed the same way.
In addition, there is a new Task tool on the Replication and Messaging -
Mail tabs. You can use this tool to issue Tell commands, and to
stop, start, and restart replication, router, and messaging tasks.
The Web Administrator includes most of the Domino Administrator
functionality. However, the Domino Server Monitor and performance
charting are not available in the Web Administrator. And you can restrict
further which commands and tabs are available by restricting the roles
assigned to an administrator. Information on the availability of specific
Web Administrator features and minor changes to how you access a
feature are documented throughout the Domino Administrator help
documentation.

Accessing online help


To access online documentation, use the Help button.
Differences using Netscape 4.x
You may notice some minor differences in the appearance or behavior of
the Web Administrator in Netscape 4.x:

Bookmarks display in a separate window, not in the same browser
window.

If a button is disabled, the button name shows a line of stars (****)
instead of the name of the button, dimmed.

The Tools panel cannot be collapsed. It is always visible.

Frames cannot be resized. If you resize the main window, the entire
Web Administrator reloads.

For the most recent information on using the new Domino Web
Administrator, see the Release Notes that shipped with this product or
download the Domino Administrator online help from the Lotus Domino
Administrator Release 6 download page on the Lotus Developer Domain
at http://www.lotus.com/ldd.

Additional buttons
The Domino Web Administrator includes these buttons that appear to
the right of the tabs. These do not appear in the Domino Administrator:

Sign out: Use this to log out when you cannot or do not want to
close the browser.

Preferences: Use this to set Administration preferences.

Help: Use this to access on-line help documents for the Domino
Administrator.

The mail bookmark displays in the bookmark area only if you have
browsed to your home mail server.

Setting Files preferences for the Web Administrator


You can use the Web Administrator to set Files preferences:
Files preferences
By default, the Files tab in the Domino Administrator displays
information about database files in the following order; however, you
can customize which columns display in the Web Administrator. The
fewer columns you display, the faster the Files panel performs.

Title

File Name

Physical Path

File Format

Size

Space Used

Max Size

Quota

Warning

Created

Last Fixup

Is Logged

Template Name

Inherit From

Type

Replica ID


To set Files preferences


By default, the Web Administrator displays all columns. You can add or
delete columns from the display. Select a column name from the Use
these Columns list and then click Add or Remove.

Registering users and servers with the Web Administrator


To use the Web Administrator to register new Notes users, you must use
the Domino server-based certification authority. Any request or task that
requires a certifier ID file (for example, migrating or modifying an ID) is
not available.
To use the Web Administrator to register users or servers, you must have
Registration Authority (RA) access in the server-based certification
authority (CA). The server that is running the Web Administrator should
also be listed as an RA but that role is not required for the server. If,
however, the server is not listed as an RA, the administrator that is an RA
must open the Administration Requests database and approve the
administration request to register the user. You must assign the RA role
in the Domino Administrator, not in the Web Administrator. To assign
the RA role, use the Modify Certifier tool on the Configuration panel.
You cannot set registration preferences in the Web Administrator. You
must use the registration settings in the CA and in the Registration policy
settings document.
In the Web Administrator, you cannot configure a server for SSL during
the server registration process.

For more information about modifying certifiers, see the chapter Setting
up a Domino Server-Based Certification Authority. For more
information about user registration in the Web Administrator, and about
creating and modifying groups, see the chapter Setting Up and
Managing Notes Users. For more information about registering a server,
see the chapter Installing and Setting Up Domino Servers.

Managing policies with the Web Administrator

The Policy tools on the Configuration and People & Groups tabs in the
Domino Administrator are not available in the Web Administrator.
Therefore, from the Web Administrator, you cannot use the Policy
Assign tool or the Policy Synopsis tool.
If you create policies before you register users, you can assign them to
users and groups during user registration. You can also edit a Notes
user's Person document and manually assign an explicit policy by
specifying the name of the policy.

Working with policy documents


From the Web Administrator, you can use the Policies view in either the
People & Groups or the Configuration tab to add, edit, or delete policy
documents. To add or delete policy documents, use the buttons that
display in the Results pane. In this view, the names of policy documents
are links. To edit one of these documents, click the link for the document
you want to edit.
Using the Web Administrator to delete policy documents is not
recommended because doing so does not initiate the Administration
Process requests required to remove all references to the deleted
document from other policy documents.
If you use the Web Administrator to create Setup or Desktop policy
settings documents, you cannot add the database links used to set up
bookmarks or custom Welcome pages.
For more information about managing policies and policy documents,
see the chapter Using Policies.

Using the Web Administrator consoles


The Web Administrator includes two consoles, the Quick Console and
the Live Console, which you access from the Server - Status tab. These
consoles mirror the server console on the Server Status tab of the Domino
Administrator.
Use the Live Console to send commands to a Web server running under
a Server Controller. You can send Controller and shell commands, as
well as Domino server commands. To use the Live Console, you must
install Java Plug-in 1.4 or higher and enable it in your Web browser.
Use the Quick Console to send commands to a Web server that does not
run under a Server Controller. Or use it if you are unable to install or use
the Java Plug-in in your browser.
For more information on using the console in the Web Administrator to
send commands, see the topic The Server Controller and the Domino
Console, later in this chapter and the appendix Server Commands.

Using the Web Administrator with service providers


Service providers may allow administrators at hosted organizations to
manage users and groups by allowing remote access through the Web
Administrator, with restricted roles. In some cases, the administrator at
the service provider site will assume all responsibilities for managing
users and groups.

For more information on service providers, see the chapter Managing a
Hosted Environment.

Message tracking in the Web Administrator


To use the Web Administrator to trace messages, you must first enable
message tracking.
To enable message tracking
1. From the Web Administrator, click the Configuration tab.
2. Open the Messaging view, and select Settings.
3. Click Edit Message Settings.
4. Select the Message Tracking tab.
5. Under Basics, in the Message tracking field, select Enabled. The
default is Disabled.
6. Under Access Settings, complete these fields:
Field: Allowed to track messages
Action: Select both of these:
Your name
LocalDomainServers

Field: Allowed to track subjects
Action: Select your name from the list

7. Click Save & Close.

Editing the NOTES.INI file and cleanup script in the Web
Administrator

You must be a Full Access Administrator to edit the NOTES.INI file. You
must have Administrator access or higher to view the NOTES.INI file, or
to edit or view the cleanup script.
For more information on editing the NOTES.INI file, see the appendix
NOTES.INI File.

Signing out of the Web Administrator

When you finish using the Web Administrator, close the browser to end
the session or click Sign out to end the session and clear your user name
and password credentials so that unauthorized users cannot access the
browser while the Web Administrator is still running.

The Server Controller and the Domino Console


The Server Controller is a Java based program that controls a Domino
server. Starting the Server Controller starts the Domino server it controls.
When a server runs under a Server Controller, you can send operating
system commands (shell commands), Controller commands, and Domino
server commands to the Server Controller. For example, from a remote
console, you can use Controller commands to kill Domino processes on a
server that is hung or to start a Domino server that is down.
You can use the Domino Console, a Java-based console, to communicate
with a Server Controller. You can run the Domino Console on any
platform except Apple Macintosh. Using the Domino Console, you can
send commands to multiple servers. The Domino Console doesn't
require a Notes ID, only a Domino Internet name and password, so you
can connect to servers certified by different certifiers without having
multiple Notes IDs or cross-certificates. You can customize output to the
Domino Console, for example, use local event filters to specify the
types of events the Console displays. You can also log server output to
log files and customize the appearance of the Console.
The Domino Console functions strictly as a server console. Consequently,
the Domino Console doesn't include the full set of Domino
administration features that are available through the Domino
Administrator and the Web Administrator, and you can't use it to open
and manage Notes databases.
The files needed to run the Server Controller and to run the Domino
Console are provided with Domino and Notes.
You can also use remote consoles in the Domino Administrator and Web
Administrator to communicate with a Server Controller.
For information on the available Controller commands and on using the
Domino Administrator or Web Administrator to communicate with a
Controller, see the appendix Server Commands.


Starting and stopping the Server Controller


Do the following to start the Server Controller, the Domino server, and
the Domino Console:
1. Shut down the Domino server, if it is running.
2. Start the Server Controller using the same command you normally
use to start the Domino server, but append the argument -jc. For
example, if you run a server on Windows NT from the directory
c:\lotus\domino using a shortcut icon on the Desktop, use the
following target for the shortcut:
c:\lotus\domino\nserver.exe -jc

The Server Controller runs in its own window. You can minimize a
Server Controller window, but do not close or kill the window to stop the
Server Controller. Instead, use the Controller Quit command from a
console to stop a Server Controller and the server it controls.
When you run a Server Controller, you no longer have access to the
traditional console at the server. You can communicate only through the
Domino Console or a console in the Domino Administrator or Web
Administrator.
Note You can run the Server Controller as a Windows NT service.

Use -c to prevent the Domino Console from running when you start the
Server Controller. You might prevent the Console from running on a
slow machine or a machine that is low on memory. If you use this
argument and the Domino server ID requires a password, the Domino
server starts without running its server tasks. To run the server tasks,
you must connect to the Server Controller from a console and specify the
server password when prompted.
Use -s to prevent the server from running when you start the Server
Controller. Use this argument along with -c so that someone who is
directly at the server can start only the Server Controller, and then a
remote administrator can start the server and specify a required server
password remotely from a console.


Optional arguments to use when running the Server Controller


Starting the Server Controller using only the argument -jc starts the
Domino Server and the Domino Console along with the Server
Controller. There are two optional arguments you can specify to change
this default behavior: -c and -s.

Example (Windows NT): nserver -jc
Result: Runs the Server Controller, the server, and the Domino Console

Example (Windows NT): nserver -jc -c
Result: Runs the Server Controller and the server

Example (Windows NT): nserver -jc -s
Result: Runs the Server Controller and the Domino Console

Example (Windows NT): nserver -jc -c -s
Result: Runs only the Server Controller

Starting and stopping the Domino Console


You can run the Domino Console from any machine on which a Domino
server or the Domino Administrator is installed. To use the Domino
Console to communicate with a Domino server, the server must be
running under a Server Controller.
To start the Domino Console
1. Make sure that the Domino server or the Domino Administrator is
installed on the machine.
2. Run the following command directly from the program directory, or
from a directory path that points to the program directory:
jconsole

Note The Domino Console also starts by default when you start a
Server Controller.
For information on using the Domino Console, choose Help - Help
Topics from the Domino Console menu.
To stop the Domino Console
1. From the Domino Console, choose File - Exit.
2. If the Console is currently connected to a Server Controller, when
you see the prompt Exiting the Console by disconnecting all active
connections. Do you want to continue? do the following:
a. (Optional) To also stop a Domino server and Domino Server
Controller running locally, select the option Also, bring down
Domino (if running) and quit the local Server Controller - local
server name.
b. Click Yes.


Chapter 17
Using Domino with Windows Synchronization Tools
This chapter explains how to synchronize user and group information in
Windows NT User Manager for Domains, the Windows 2000 Active
Directory, and in Notes.

Setting up Windows NT User Manager


When you create a new user or group account in Windows NT User
Manager for Domains, you can simultaneously register the user or group
in Notes. For users, this includes creating a Person document, Notes ID,
password, and mail file for the user. For groups, this includes creating a
Group document and, optionally, registering individual group members
as Notes users. You can also register existing Windows NT users or
groups in Notes. In addition, you can delete Notes users or groups when
you remove their user/group accounts. Further, you can synchronize
existing Windows NT users with Notes users for future synchronization
operations such as deleting users.

When you use Domino to register or delete a Notes user or delete a Notes
group, you can automatically update User Manager for Domains
(USRMGR.EXE). Conversely, special menu options and dialog boxes
added to Windows NT allow you to specify that additions and deletions
(and name changes for users) made to User Manager user or group
accounts are reflected in the Domino Directory. You can also add existing
Windows NT user or group accounts to the Domino Directory.

If you are running a Domino server on Windows NT, you can
synchronize user and group information in Domino and Windows NT.
Then, you can perform many administrative tasks in either Domino or
Windows NT User Manager for Domains, and the effects occur in both
products.

For example, if you run Notes on Windows NT, you can open User
Manager for Domains and specify that all changes to user accounts
during the session are also recorded in the Domino Directory on a
selected Domino server. You then display the list of existing user or
group accounts and select ones to be added to the Domino Directory.
Then you add, delete, or modify other user accounts while working in
Windows NT. All these changes are automatically made to the Domino
Directory. Plus, a mail file, Notes ID, and common password (shared by
the user's Notes ID, Notes Internet password, and Windows NT account)
can be created for each new user. Note that a common password ties
three credentials together: if any one of them is compromised, all
three are.
These directory synchronization features let you keep both the Domino
Directory and User Manager current, without having to update both
when either changes. Also, you can manage user and group information
in the Domino Directory and User Manager from either Notes or
Windows NT.
To set up Windows NT User Manager, you must complete these
procedures:
1. Enable Notes synchronization features.
2. Synchronize Windows NT and Notes users.

Examples of synchronizing data in Notes and User Manager

Example 1
You have an existing Windows NT network and are deploying Notes for
the first time in your organization. You want to register a large group of
Windows NT users in Domino.
In this example, you change the registration options to be sure users are
registered exactly as you want them to be. When you register the users,
you choose "Register users at once without additional prompts". This
generates random passwords for the users and stores them in a database
titled New User Passwords (NTSYNC45.NSF). You then distribute these
passwords to users so they can install their Notes workstations. After
installation, users can create new passwords. Because NTSYNC45.NSF
holds the initial password of every user registered this way, restrict
its ACL to the registering administrators and remove entries once the
users have changed their passwords.

Example 2
You have users who are registered in both Windows NT and Domino.
You want to synchronize their accounts to make administration easier.
To accomplish this, you choose the "User synching" option in User
Manager. This copies the user account name from Windows NT to the
Network account name field in the user's Person document. Now that
the products have a common entry, the Notes User Manager Extension
(NUME) program can communicate between them and keep them
synchronized.
Example 3
You already deployed Domino and synchronized Domino with Windows
NT. You want to add users as necessary. Use the Windows NT User
Manager to create a new Windows NT account and simultaneously
register the user in Domino. Use Domino to register a person and
simultaneously create the Windows NT account. You can also
accomplish this task when registering multiple users from a text file. The
default account name in Windows NT is the same as the name in the
Short name field of the Person document.

Enabling Notes synchronization operations in Windows NT User Manager

You must enable Notes synchronization features to make Notes
commands available to you on the Notes menu in Windows NT User
Manager.
1. From the User Manager, choose Notes - Notes Synchronization
Options.
Note By default, all synchronization operations are enabled.
2. Complete these fields and then click OK:

Enable all synchronization operations
    Select to enable all Notes synchronization operations listed under
    the "Select synchronization operations to enable" field. Whenever
    you perform one of the synchronization operations in User Manager
    for Domains, you are prompted to decide whether or not to perform
    the same operation in Notes.

Select synchronization operations to enable
    Choose any of these to enable or disable selected Notes
    synchronization operations:
    - User / Group registration: register new or existing Windows NT
      users and groups in Notes. Enables the Add Selected NT User /
      Group to Notes, Registration Setup, and Mail / ID Registration
      Options commands on the Notes menu.
    - User / Group deletion: delete a user or group from Windows NT
      and have that user or group deleted from the Domino Directory.
      Enables the Delete / User Synch Options command on the Notes
      menu.
    - User synching: change a user account name in User Manager and
      duplicate that name change in the Network account name field of
      the Person document in the Domino Directory; allow changes to
      the user's full name and copy the new name to the User name
      field in the Person document; enable the Notes menu command
      Synch Selected NT Users with Notes; and activate the "Set common
      password on user synching" field.

Set common password on user synching
    Select to synchronize the Windows NT password and the Notes
    Internet password when you synchronize users. (Available only if
    you selected User synching.)

Prompt to confirm/cancel synchronization operations
    Choose one:
    - Prompt for all operations (default)
    - Prompt only for user / group deletions
    - Do NOT prompt for any operations

Name format for full name parsing
    Choose the parsing format that is most compatible with the name
    format of the Windows NT domain list. Full-name parsing is used to
    parse Windows NT full names into Notes name components. The
    default is Firstname Lastname.

Use Policy-based registration
    Select to extend the registration settings specified in policies to
    Windows NT user registration as well.


3. To save and re-apply the settings in the next User Manager session,
choose Options - Save Settings on Exit.
4. Complete the procedure Synchronizing Windows NT and Notes
users.

Synchronizing Windows NT and Notes users

If your system includes Windows NT user accounts that correspond to
Person documents in the Domino Directory, you can keep the
information synchronized between the products. When you synchronize
Windows NT accounts and Person documents, these changes occur:
- The Network account name field on the user's Person document is
  updated with the account name of the Windows NT user.
- The full name of the Windows NT user is added to the User name
  field on the Person document if that name does not already exist in
  the names list. Existing full names in the Person document are not
  modified.
- (Optional) The Windows NT password and the Internet password on
  the Person document are replaced with a common password that
  works for both Windows NT and Domino Web server access. The
  Internet password is stored in the Person document as a one-way
  hash, not in readable form.

User synching does not register a Notes user; that is, a Person
document, Notes ID, and mail file are not created. User synching can
only modify information in an existing Person document.
Note If an error occurs during user synchronization (for example, a
Person document cannot be found for the NT user), an error message
appears. Details on errors and status are also entered in the NT Event
Viewer application log.
If you change the Windows NT user account name or the full name, run
synchronization again. You should also run synchronization if you want
to synchronize the Windows NT password with the Notes Internet
password.
User synching is successful if these conditions exist:
- The NT user account name matches the name in the Short name
  field in the Person document.
- The Windows NT full name matches an entry in the User name
  field in the Person document.
- The Windows NT last name matches the name in the Last name
  field in the Person document.
- The name in the Network account name field, if there is one in
  the Person document, matches the Windows NT user account
  name.

User synching also takes place when a Windows NT user is renamed in
User Manager and Notes user synching is enabled. In this case, the
Network account name field and the User name field in the Person
document are updated, but passwords are not synchronized.
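As an added illustration (not code from Lotus or from the NUME extension), the following Python script models the synching conditions and field updates listed above as a dry-run check you could run over an exported NT account list and Person documents before choosing Synch Selected NT Users with Notes. The record classes, the field and function names and the sample data are assumptions; how NUME itself picks a Person document when only some conditions hold is not stated on this page, so the script treats the Short name (and any existing Network account name) as the key and reports the remaining conditions.

```python
"""Dry-run check of the NT/Notes user-synching rules described above.
Added example, not code from Lotus or the NUME extension: the record
classes, field and function names and the sample data are assumptions; the
matching conditions and field updates are the ones the documentation lists."""
import copy
from dataclasses import dataclass, field

@dataclass
class NTUser:
    account_name: str   # User Manager "Username", e.g. "kcarter"
    full_name: str      # User Manager "Full Name", e.g. "Kelly Carter"

@dataclass
class PersonDoc:
    short_name: str
    last_name: str
    user_names: list = field(default_factory=list)  # "User name" field (a list)
    network_account_name: str = ""                  # "Network account name" field

def parse_full_name(full_name, fmt="Firstname Lastname"):
    """Split an NT full name into (first, middle, last) per the 'Name format for
    full name parsing' option. Only the default and 'Lastname Firstname' formats
    are modelled (assumption)."""
    parts = full_name.split()
    if len(parts) < 2:
        return (parts[0] if parts else ""), "", ""
    if fmt == "Lastname Firstname":
        return parts[1], " ".join(parts[2:]), parts[0].rstrip(",")
    return parts[0], " ".join(parts[1:-1]), parts[-1]

def check_conditions(nt, person, fmt="Firstname Lastname"):
    """Evaluate the four documented conditions. Notes name comparison is
    case-insensitive, so compare lower-cased values."""
    _, _, nt_last = parse_full_name(nt.full_name, fmt)
    acct = nt.account_name.lower()
    names = [n.lower() for n in person.user_names]
    return {
        "account name == Short name": acct == person.short_name.lower(),
        "full name in User name": nt.full_name.lower() in names,
        "last name == Last name": nt_last.lower() == person.last_name.lower(),
        "Network account name matches (if set)":
            not person.network_account_name
            or person.network_account_name.lower() == acct,
    }

def find_person(nt, directory, fmt="Firstname Lastname"):
    """Locate the Person document for an NT account. Assumption: Short name
    (plus any existing Network account name) is the key; the other conditions
    are reported so mismatches can be reviewed before the real synch runs."""
    for person in directory:
        c = check_conditions(nt, person, fmt)
        if c["account name == Short name"] and c["Network account name matches (if set)"]:
            return person, c
    return None, {}

def apply_synch(nt, person, rename_only=False):
    """Apply the documented field updates and return the list of changes.
    rename_only models synching triggered by an NT rename: names are updated,
    passwords are never synchronized on that path."""
    changes = []
    if person.network_account_name != nt.account_name:
        person.network_account_name = nt.account_name
        changes.append("Network account name")
    if nt.full_name.lower() not in [n.lower() for n in person.user_names]:
        person.user_names.append(nt.full_name)  # existing entries are left untouched
        changes.append("User name (appended)")
    if not rename_only:
        changes.append("password synch eligible")  # only if 'Set common password' is on
    return changes

def dry_run(nt_users, directory, fmt="Firstname Lastname"):
    """Per NT account: whether a Person document was found, which conditions
    fail, and what the synch would change. Works on a copy, so nothing is
    modified. found=False marks the accounts that would log 'Person document
    cannot be found' in the NT Event Viewer application log."""
    directory = copy.deepcopy(directory)
    report = {}
    for nt in nt_users:
        person, conds = find_person(nt, directory, fmt)
        if person is None:
            report[nt.account_name] = {"found": False}
            continue
        report[nt.account_name] = {"found": True,
                                   "failed": [k for k, ok in conds.items() if not ok],
                                   "changes": apply_synch(nt, person)}
    return report

# Constructed sample data, not taken from any real directory.
NT_USERS = [NTUser("kcarter", "Kelly Carter"), NTUser("jsmith", "John Q Smith"),
            NTUser("bnguyen", "Binh Nguyen")]
DIRECTORY = [PersonDoc("kcarter", "Carter", ["Kelly Carter/Eng/Acme"]),
             PersonDoc("jsmith", "Smith", ["John Smith/Doc/Acme", "John Q Smith"], "jsmith")]

if __name__ == "__main__":
    for acct, result in dry_run(NT_USERS, DIRECTORY).items():
        print(acct, result)
```

Run it as a script to print the report. Accounts reported as not found are the ones that would raise the "Person document cannot be found" error and an Event Viewer entry; entries with failed conditions are worth correcting in the Person document before synching, rather than letting the synch append a second full name to the User name field.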

To synchronize Windows NT and Notes users


Synchronizing Windows NT users and Notes users may result in changes
to Person documents and to the Domino Directory.
1. Make sure that you already enabled user synching in Windows NT
User Manager.
2. In the User Manager Username window, select the users you want to
synchronize.
3. Choose Notes - Synch Selected NT Users with Notes.
4. When prompted to continue, click Yes.
5. If you enabled password synching, enter and confirm the password
for the first user you are synchronizing, and then click OK.
6. Enter and confirm passwords for additional users you are
synchronizing, and then click OK.

Setting policy-based registration options for use with Notes synchronization

Use policy-based registration options to apply registration settings to
multiple users, instead of specifying individual settings for each user,
and to use the new registration options available with Lotus Domino 6.
The registration settings are applied to all users registered during the
registration session, thereby making the registration process fast and
simple. Prior to completing this procedure, do one of the following:
- Create an explicit policy with an associated Registration settings
  document
- Create an organizational policy with an associated Registration
  settings document

Note If you have not created the appropriate policy documents prior to
setting the policy-based registration options, you are prompted to do so
during this procedure.
For more information on using policies, see the chapter "Using Policies."
For more information on the Notes Synchronization Options, see the
topic "Enabling Notes synchronization operations in Windows NT User
Manager" earlier in this chapter.
To enable this option, select "Use Policy-based registration" on the
Notes Synchronization Options dialog box.
1. From the User Manager, choose Notes - Policy-based Registration
Options.
Note If there are no registration policies, you are prompted to create
one now. Choose Yes and create the policy, or choose No.
2. Complete these fields:

Registration server
    A registration server for this session, that is, the Domino server
    on which to create Person documents in the Domino Directory. Users
    are automatically assigned the same Domino domain as that of the
    selected server. You must have a properly certified Notes ID and
    sufficient access to the specified server to register Notes users.
    Default - Local

Administration ID
    Enter the Administration ID of the administrator registering Notes
    users, and then enter its password. Click OK.

Use common password
    Supplies a single password for both Windows NT and Notes (and the
    Notes Internet password, if applicable). You can override this
    option for individual users at registration time. Causes the
    existing NT password for an NT user to be replaced with the common
    NT/Notes password when users are registered. This field is not
    visible when existing users are registered with randomly generated
    passwords.
    Default - Selected

Set Internet Password in Notes
    Sets an Internet password for authenticated access to the Domino
    Web server. The Internet password is stored as a one-way hash in
    the Internet password field in the Person document. This password
    is mandatory if the "Internet registration only" option is
    selected or if the mail type is Other Internet, POP, or IMAP.
    Default - Not selected

Certifier name
    Choose the certifier name to use to certify users with a Notes
    certifier ID.
    Default - No certifier chosen

Organizational policy
    Displays the name of the organizational policy if one exists. An
    organizational policy automatically applies to all users registered
    in a particular organizational unit. If there is no organizational
    policy, this field displays None. Non-modifiable field.

Explicit policy
    Choose an explicit policy to apply to the users in this
    registration session. An explicit policy assigns default settings
    to individual users or groups.

3. Click OK.

Customizing Notes registration for Windows NT users

Each time you register users, you can change the default Windows NT
user registration options or use the default values. If you change the
options, User Manager saves the settings only until you exit the program.
Each time you start User Manager, the settings revert to the defaults.
The "Internet registration only" and "Use common password" settings
affect the fields that display on this dialog box as follows:
- If "Use common password" is selected and "Internet registration
  only" is not selected, the Internet address components fields and
  the Certifier ID Information fields display.
- If "Use common password" and "Internet registration only" are both
  selected, the Certifier ID Information fields do not display.
- If "Use common password" is not selected and "Internet registration
  only" is selected, the Certifier ID Information fields do not
  display.

The Registration Setup menu item is active only if you have not enabled
the "Use policy-based registration" setting in the Notes Synchronization
Options.
To change default Registration Setup options
1. Before changing the default registration options, you must enable
user and group registration.
For more information, see the topic Enabling Notes synchronization
operations in Windows NT User Manager earlier in this chapter.
2. From the User Manager, choose Notes - Registration Setup.

3. Complete any of these fields, and then click OK.

Internet registration only (No Notes ID or mail file created)
    Creates Person documents in the Domino Directory with an Internet
    password, but user IDs and mail files are not created. Allows Web or
    LDAP users to gain authenticated access to the Domino Web server
    without running Notes workstation software. Hides dialog controls
    related to the Notes ID (Certifier ID, Security Type, Certificate
    expiration date) and mail-related dialog controls, such as the
    Internet address fields.
    Default - Not selected

Use common password
    Supplies a single password for both Windows NT and Notes (and the
    Notes Internet password, if applicable). You can override this
    option for individual users at registration time. Causes the
    existing NT password for an NT user to be replaced with the common
    NT/Notes password when users are registered. This field is not
    visible when existing users are registered with randomly generated
    passwords.
    Default - Selected

Set Internet password in Notes
    Sets an Internet password for authenticated access to the Domino
    Web server. The Internet password is stored as a one-way hash in
    the Internet password field in the Person document. This password
    is mandatory if the "Internet registration only" option is
    selected or if the mail type is Other Internet, POP, or IMAP.
    Default - Not set

Registration server
    A registration server for this session, that is, the Domino server
    on which to create Person documents in the Domino Directory. Users
    are automatically assigned the same Notes domain as that of the
    selected server. You must have a properly certified Notes ID and
    sufficient access to the specified server to register Notes users.
    Default - Local

Administration ID
    Enter the Administration ID of the administrator registering Notes
    users, and then enter its password. Click OK.

Profile name
    Name of the User Setup Profile to be used when the user is created
    in Notes.
    Default - None specified

Assign new users to Notes group
    The Notes group to which new Notes users will be added from User
    Manager. Enabled only if Notes groups exist.
    Default - Not assigned

Internet domain
    The last part of the Internet address for each user registered.
    This field displays if the Mail Type selected on the Notes Mail /
    ID Registration Options dialog box is Notes, POP, or IMAP.
    Default - Current host domain (example: @acme.com)

Address name format
    Choose the address name format that you want to use for Internet
    mail. This field displays if the mail type is Notes, POP, or IMAP.

Separator
    Choose one: None, Underscore, Percent, Equal.
    This field displays if the mail type is Notes, POP, or IMAP.

Certifier ID
    To certify users with a different Notes certifier ID, click
    Certifier ID and then enter another certifier ID and password.
    Click OK. This field does not display if "Internet registration
    only" is selected.
    Default - Current certifier ID specified in the local NOTES.INI
    file (if one exists)

Security type
    Choose one: North American or International.
    This field does not display if "Internet registration only" is
    selected.

Certificate expiration date
    Date on which the user's certification expires. This field does not
    display if "Internet registration only" is selected.
    Default - two years from the current date

Alternate name language
    An alternate language in which to specify a user name. If the
    certifier ID was enabled for alternate naming and includes
    alternate language specifiers, this field displays the languages
    you can use for this user name. If an alternate name has not been
    added, this field displays None.

For more information on the User Setup Profile and the alternate name
language, see the chapter Setting Up and Managing Notes Users.
To change default Mail / ID Registration options
Mail / ID Registration options are not available if you selected
Internet-only registration in the Registration Setup dialog box.
1. Before changing the default Mail/ID Registration options, enable
user and group registration.
For more information on synchronizing user and group registration,
see the topic Enabling Notes synchronization operations in
Windows NT User Manager earlier in this chapter.
2. From the User Manager, choose Notes - Mail/ID Registration
Options.
3. (Optional) To create user mail files on a server other than the local
server, click Mail Server, select another server, and then click OK.
4. Change these settings, and then click OK:
Mail Server
    Click to select a mail server to be used as the default mail
    server, and then click OK.

Mail Type
    Choose one:
    - Notes to use Notes mail.
    - POP to use POP3 mail to access the mail file on a Domino server.
    - IMAP to use IMAP mail to access the mail file on a Domino server.
    - Other Internet Mail to use Internet mail on a server that is not
      part of your organization. If you choose this option, Domino does
      not create a mail file for the user.
    - Other to have mail forwarded to a non-Notes mail address. No mail
      file is created.
    - None for no mail.
    Default - Notes

Mail file directory
    Create a mail file in a directory other than the default Mail
    directory by entering the full path name for a mail file. This file
    name applies to the next user you register. For subsequent users,
    only the directory portion of the path is used.
    Default - Mail file in the Notes/data directory

Create mail files now
    Create a mail file during Notes user registration.
    Default - Selected

Create mail files in background
    Use the Administration Process to create a mail file after Notes
    user registration. An administration request is generated and
    stored in the Administration Requests database, then processed as
    usual.

Set mail database quota
    To limit the size of the mail database. Enter the quota size, up
    to 9999MB, in the field that becomes active when you select this
    option.

Set warning threshold
    To notify the administrator when a user's mailbox is almost at its
    maximum size. Enter the threshold size, up to 9999MB, in the field
    that becomes active when you select this option.

Create full text index
    Select to create a full-text index of the entire mail database.

Store User IDs
    Choose one, both, or neither:
    - In Address Book to store the mail user's ID in the Domino
      Directory. The ID file is attached to the Person document, so
      anyone with read access to the directory can retrieve it; it is
      then protected only by its password.
    - In file to store the mail user's ID in a file.
    Choosing neither option results in no ID file being created.

Set ID path
    The path and file name in which to store user IDs. If you chose
    "Store User IDs in file", you can select a file other than the one
    that is displayed. This button is activated only if you chose "In
    file" in the Store User IDs field.
    Default - <Data directory>\ids\people

Using Windows NT to create user accounts and register Notes users


When you create a user account in Windows NT User Manager for
Domains, you can register the new user in Notes at the same time. You
can also register existing Windows NT users in Notes. Registration
typically includes creating a person document, Notes ID, mail file, and a
password. However, users can be registered without mail and Notes ID
files (to gain authenticated access to a Domino Web server without using
the Notes client, for example).
You can register NT users into Notes by using the registration defaults or
by using registration options that you define. If you are using defaults,
the computer on which you are making changes to Windows NT user
accounts must also be a Domino server. This server functions as the
registration server (the server on which the Domino Directory entry is
created) and the mail server (the server that stores the users mail file).

To create new Windows NT user accounts and register Notes users simultaneously
1. Before creating Windows NT user accounts and registering Notes
users, you must:
- Make sure that Notes User registration is enabled in Windows NT
  User Manager.
- Customize default Notes registration for Windows NT users.
- Make sure you are a member of the local Administrators group or
  local Account Operators group in Windows NT.
2. To create new Windows NT user accounts, from the User Manager
select User and proceed as instructed in your Windows NT user
documentation.
3. After you finish creating the Windows NT user accounts, select one
or more users and then choose Notes - Add Selected NT Users/Group
to Notes.
4. Click OK to confirm that you are adding your selections to Notes.
5. Complete these fields, and then click OK:
First name, middle name and last name
    Accept the default names derived from the user's full name in
    Windows NT.

Org unit
    The name of the organizational unit the user is included in. For
    example, if user John Smith is part of engineering, the
    organizational unit could be Eng. The user name would be John
    Smith/Eng.
    Organizational units are useful for differentiating between users
    of the same name. For example, John Smith/Eng/Acme and John
    Smith/Doc/Acme, where one employee is a member of Engineering and
    the other is a member of Documentation. Each is assigned a
    different organizational unit name.

Use common password
    Assigns to the user the same password for Notes, Windows NT, and
    Notes Internet. Activates the "Notes/Common password for user
    name" and "Confirm password" fields; the password entered there is
    the common password if this option is selected and the Notes
    password only if it is not.
    To preserve the existing Windows NT password, enter that password
    as the common password.

Notes/Common password for user name
    The password you are assigning to this user when using Notes.

Confirm password
    Enter the new Notes password for this user again.

Set Internet password in Notes
    Sets an Internet password in the user's Person document in the
    Domino Directory. This field applies only if the user is registered
    for Notes mail. Activates the following fields:
    - Internet address
    - Internet password for user name
    - Confirm Internet password

Internet address
    Accept the default Internet address as derived from the Windows NT
    user name and the current host domain, for example,
    KCarter@domain.com. This field displays if POP, IMAP, or Notes mail
    type is selected.

Internet password
    Enter an Internet password for this user.

Confirm Internet password
    Enter the Internet password for this user again.

6. When prompted, do one of the following:
- Click Begin Registration to register new users immediately. After
  registration has begun, click Stop Registration at any time to stop
  registration after the current user registration is complete. Any
  users not registered remain pending.
- Click Cancel to register new users later. User information that you
  entered is stored until you exit User Manager.
7. To complete the process, click OK.
Note You can also register pending accounts in Notes at any time by
choosing Notes - Register Notes Users Now.
Domino errors have no effect on User Manager. If a Domino or Notes
error prevents a user from being registered in Notes, the user is still
added to User Manager. Check the NT Event Viewer application log for
such failures so that accounts do not remain in Windows NT with no
corresponding Person document.

Registering existing Windows NT user accounts in Notes

1. Before registering existing Windows NT user accounts in Notes, you
must:
- Make sure that Notes User registration is enabled in Windows NT
  User Manager.
- Customize default Notes registration for Windows NT users.
2. In the User Manager Username window, select the user accounts that
you want to register in Notes.
3. Choose Notes - Add selected NT Users/Groups to Notes.
4. If you are registering multiple users, choose one of the following, and
then click OK:
- "Prompt for the name and password of each user" to enter
  information manually for each user.
- "Register users at once without additional prompts" to use
  Windows NT full names as Notes user names and to generate
  random Notes passwords in a database titled New User
  Passwords (NTSYNC45.NSF). If you choose this option, continue
  to Step 6.
5. If you are registering only one user or if you chose to enter user
information manually, complete these fields:
First Name, Middle Name, Last Name
    The default name as derived from the Windows NT full name. You can
    accept this name or change it.

Use common password
    Assigns to the user the same password for Notes, Windows NT, and
    Notes Internet. If you are registering this user as an Internet
    Only user, this password field supplies the Internet or common
    NT/Internet password.
    To preserve the existing Windows NT password, enter that password
    as the common password.

Notes/Common Password for user name
    The password you want to use, or leave blank to use a blank
    password. A blank password leaves the Notes ID usable by anyone who
    obtains the file, so do not do this outside of a test setup. This
    field displays if you selected "Use common password".

Confirm password
    Enter the Notes password for this user again.

Set Internet password in Notes
    Sets an Internet password in the user's Person document in the
    Domino Directory. This field applies only if the user is registered
    for Notes mail. Activates the following fields:
    - Internet address
    - Internet password for user name
    - Confirm Internet password

Internet address
    Accept the default Internet address as derived from the Windows NT
    user name and the current host domain, for example,
    KCarter@domain.com. This field displays if POP, IMAP, or Notes mail
    type is selected. The Internet address is required for Notes mail
    routing in Domino 5.0.

Internet password
    Enter an Internet password for this user.

Confirm Internet password
    Enter the Internet password for this user again.

6. When User Manager asks if you want to register the new Windows
NT users in Notes, do one of the following:
- Click Begin Registration to register new users immediately.
- Click Cancel to register new users later.
7. If you chose "Register users at once without additional prompts" in
Step 4, distribute the passwords to users so they can install their
Notes workstations. After installation, users can create new
passwords.
Note Automatically generated passwords apply only to Notes user IDs
and not to Windows NT or Notes Internet passwords.
To register new users later
If you choose not to register users immediately or if you click Stop
Registration to pause registration, use this method to register the users
later.
1. From User Manager, choose Notes - Register Notes Users Now.
2. Click Begin Registration.
3. Click OK.

Adding Windows NT groups to Notes


When you add an NT group to Notes, you can also create a Group
document in Notes and register individual group members. If the NT
group is a local group and contains global groups as group members,
you can add these global groups to Notes and register individual
members as Notes users. You can modify group membership (based on
the Windows NT group) before adding it to Notes without affecting the
NT group.

To create a new Windows NT group and simultaneously add it to Notes
1. Before you create a Windows NT group and add it to Notes, you
must:
- Make sure that Notes user registration is enabled in Windows NT
  User Manager.
- Customize default Notes registration for Windows NT users.
2. Create a new Windows NT group as instructed in the Windows NT
documentation.
3. If prompted, enter the password for your Notes user ID.
4. Select "Create Notes group with the following settings", complete
these fields, and then click OK:

Notes Group Name
    Name of the corresponding Windows NT group.

Group Type
    Choose one:
    - Multi-purpose (default)
    - Mail only
    - Access Control List only
    - Deny List only

Description
    A description of the corresponding Windows NT group.

Register the users in the NT group into Notes
    Group members are registered as Notes users. The Person documents,
    user IDs, and mail files are created for the users.
    Deselect if you do not want to register group members as Notes
    users. Person documents, user IDs, and mail files are not created.
    You can create a Notes Group document without registering the
    group members as Notes users by selecting "Create Notes group
    based on the NT group" and deselecting this option.

5. Click Members if you want to add or remove individual group
members from the NT group, and then complete these fields:

Members
    Remove from this list those users who are no longer members of the
    group, or add to this list the names of new users. User names
    removed from this list display in the Not members list.

Not members
    Add to this list those users who are not members of the group, or
    remove from this list user names that you want to include in the
    Members list.

Note If there are global groups in the Members list and you want to
add those groups to the Domino Directory, select "Synchronize groups
in Members list with Notes" also.
6. If you are registering group members in Notes, User Manager
prompts you for registration options. Choose one of the following:
- "Prompt for the name and password for each user" to enter user
information manually for each user.
- "Register users at once without additional prompts" to use
Windows NT full names as Notes user names and to generate random
passwords. If you choose this option, skip to Step 8.
7. If you chose to manually enter user information in Step 6, complete
these fields, and then click OK:

First name, middle name and last name
    Accept the default names derived from the user's full name in
    Windows NT.

Org unit
    The name of the organizational unit the user is included in. For
    example, if user John Smith is part of engineering, the
    organizational unit may be Eng. The user name would be John
    Smith/Eng. Organizational units are useful for differentiating
    between users of the same name. For example, John Smith/Eng/Acme
    and John Smith/Doc/Acme, where one employee is a member of
    Engineering and the other is a member of Documentation. Each is
    assigned a different organizational unit name.

Use common password
    Assigns to the user the same password for Notes, Windows NT, and
    Notes Internet, and activates the "Notes/Common password for user
    name" and "Confirm password" fields. To preserve the existing
    Windows NT password, enter that password as the common password;
    otherwise the Windows NT password is replaced by the one you enter.
    If "Use common password" is not selected, the same two fields are
    activated but the password you enter applies to Notes only.

Notes/Common password for user name
    The password you are assigning to this user.

Confirm password
    Enter the new Notes password for this user again.

Set Internet password in Notes
    Enters the Internet address in the user's Person document in the
    Domino Directory. This field applies only if the user is registered
    for Notes mail. Activates the following fields:
    - Internet address
    - Internet password for user name
    - Confirm Internet password

Internet address
    Accept the default Internet address as derived from the Windows NT
    user name and the current Notes domain, for example,
    KCarter@domain.com. This field displays if POP, IMAP, or Notes mail
    type is selected. The Internet address is required for Notes mail
    routing.

Internet password
    Enter an Internet password for this user.

Confirm Internet password
    Enter the Internet password for this user again.

8. If User Manager asks if you want to register the new Windows NT
users in Notes, do one of the following:
- Click Begin Registration to register new users immediately.
- Click Cancel to register new users later.
9. If you chose "Register users at once without additional prompts" in
Step 6, distribute the generated passwords to users so they can install
their Notes workstations. After installation, users can create new
passwords.

To add existing Windows NT groups to Notes
1. Before adding existing Windows NT groups to Notes, you must:
- Make sure that Notes user registration is enabled in Windows NT
User Manager.
- Customize default Notes registration for Windows NT users.
2. In the User Manager Groups window, select the group account you
want to add to Notes.
3. Choose Notes - Add selected NT Users / Group to Notes.
4. Select "Create Notes group with the following settings," complete
these fields, and then click OK:

Notes Group Name
    Name of the corresponding Windows NT group.

Group Type
    Choose one:
    - Multi-purpose (default)
    - Mail only
    - Access Control List only
    - Deny List only

Description
    A description of the corresponding Windows NT group.

Register the users in the NT group into Notes
    Group members are registered as Notes users. The Person documents,
    user IDs, and mail files are created for the users.
    Deselect if you do not want to register group members as Notes
    users. Person documents, user IDs, and mail files are not created.
    You can create a Notes Group document without registering the group
    members as Notes users by selecting "Create Notes group based on the
    NT group" and deselecting this option.

5. Click Members if you want to add or remove individual group
members from the NT group, and then complete these fields:

Members
    Remove from this list those users who are no longer members of the
    group, or add to this list the names of new users. User names
    removed from this list display in the Not members list.

Not members
    Add to this list those users who are not members of the group, or
    remove from this list user names that you want to include in the
    Members list.

Note If there are global groups in the Members list and you want to
add those groups to the Domino Directory, select "Synchronize groups
in Members list with Notes."
6. If you are registering group members in Notes, User Manager
prompts you for registration options. Select one of the following:
- "Prompt for the name and password for each user" to enter user
information manually for each user.
- "Register users at once without additional prompts" to use
Windows NT full names as Notes user names and to generate random
passwords. If you choose this option, skip to Step 8.
7. If you chose to manually enter user information in Step 6, complete
these fields and then click OK:

First name, middle name and last name
    Accept the default names derived from the user's full name in
    Windows NT.

Org unit
    The name of the organizational unit the user is included in. For
    example, if user John Smith is part of engineering, the
    organizational unit may be Eng. The user name would be John
    Smith/Eng. Organizational units are useful for differentiating
    between users of the same name. For example, John Smith/Eng/Acme
    and John Smith/Doc/Acme, where one employee is a member of
    Engineering and the other is a member of Documentation. Each is
    assigned a different organizational unit name.

Use common password
    Assigns to the user the same password for Notes, Windows NT, and
    Internet, and activates the "Notes password for user name" and
    "Confirm password" fields. To preserve the existing Windows NT
    password, enter that password as the common password; otherwise
    the Windows NT password is replaced by the one you enter. If "Use
    common password" is not selected, the same two fields are
    activated but the password you enter applies to Notes only.

Notes password for user name
    The password you are assigning to this user when using Notes.

Confirm password
    Enter the new Notes password for this user again.

Set Internet password
    Enters the Internet address in the user's Person document in the
    Domino Directory. This field applies only if the user is registered
    for Notes mail. Activates these fields:
    - Internet address
    - Internet password for user name
    - Confirm Internet password

Internet Address
    Accept the default Internet address as derived from the Windows NT
    user name and the current host domain, for example,
    KCarter@domain.com.

Internet password
    Enter an Internet password for this user.

Confirm Internet password
    Enter the Internet password for this user again.

8. If User Manager asks if you want to register the new Windows NT
users in Notes, do one of the following:
- Click Begin Registration to register new users immediately.
- Click Cancel to register new users later.
9. If you chose "Register users at once without additional prompts" in
Step 6, distribute the generated passwords to users so they can install
their Notes workstations. After installation, users can create new
passwords.

Using Windows NT User Manager to delete a user or group


When you delete a Person document, the Administration Process on the
Domino server removes all references to the user name.
If you delete a user's mail file, the Administration Process generates an
Approve File Deletion request in the Pending Administrator Approval
view of the Administration Requests database. To delete the mail file, you
must open the request and, in edit mode, click Approve File Deletion.
For User Manager to find the Person document, the entries in its Full name
and Short name fields must match the Windows NT full name and user name,
respectively. Notes users will not be deleted if the user's name is not unique.
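The deletion rules in the paragraphs above (match on Full name and Short name, refuse when the name is not unique, remove every reference to the name, and queue mail-file deletion for administrator approval) are small enough to model end to end. The following is an added example written for this page, not Lotus code; the Person documents, the request queue and the file paths are constructed for illustration.

```python
"""Model of the User Manager deletion rules described above.

Added example for this page, not Lotus code. The Person documents, the
request queue and the file paths are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The three "User deletion options" offered by User Manager.
KEEP_MAIL = "Don't delete the mail file"
DELETE_MAIL = "Delete just the mail file specified in the Person record"
DELETE_ALL = "Delete mail file specified in Person record and all replicas"


@dataclass
class Person:
    full_name: str                      # Person document "Full name" field
    short_name: str                     # Person document "Short name" field
    mail_file: str                      # mail file named in the Person document
    replicas: list[str] = field(default_factory=list)  # replica paths on other servers


@dataclass
class Directory:
    """Constructed stand-in for the Domino Directory plus the Administration
    Requests database's Pending Administrator Approval view."""
    people: list[Person]
    pending_approval: list[dict] = field(default_factory=list)
    # name -> places (groups, ACLs) that reference it; cleared on deletion
    references: dict[str, list[str]] = field(default_factory=dict)


def matching_persons(directory: Directory, nt_full_name: str, nt_user_name: str) -> list[Person]:
    """Full name must equal the NT full name and Short name the NT user name."""
    return [p for p in directory.people
            if p.full_name == nt_full_name and p.short_name == nt_user_name]


def delete_nt_user(directory: Directory, nt_full_name: str, nt_user_name: str,
                   option: str = KEEP_MAIL) -> str:
    """Apply the deletion rules; the directory changes only on a unique match."""
    matches = matching_persons(directory, nt_full_name, nt_user_name)
    if not matches:
        return "no Person document matches; nothing deleted"
    if len(matches) > 1:
        # A name that is not unique is never deleted.
        return "name is not unique; nothing deleted"
    person = matches[0]
    directory.people.remove(person)
    # The Administration Process removes all references to the user name.
    directory.references.pop(person.full_name, None)
    if option == KEEP_MAIL:
        return "Person document deleted; mail file kept"
    files = [person.mail_file]
    if option == DELETE_ALL:
        files += person.replicas
    # Mail files are not removed outright: an Approve File Deletion request
    # is queued for an administrator to approve in edit mode.
    for path in files:
        directory.pending_approval.append(
            {"request": "Approve File Deletion", "file": path, "user": person.full_name})
    return f"Person document deleted; {len(files)} file deletion request(s) pending approval"


def approve_file_deletions(directory: Directory) -> list[str]:
    """The administrator opens each request and clicks Approve File Deletion."""
    approved = [r["file"] for r in directory.pending_approval]
    directory.pending_approval.clear()
    return approved


def sample_directory() -> Directory:
    """Constructed data: one unique user and one name that appears twice."""
    return Directory(
        people=[
            Person("Kate Carter", "KCarter", "mail/kcarter.nsf",
                   ["Server2/Acme!!mail/kcarter.nsf"]),
            Person("John Smith", "JSmith", "mail/jsmith.nsf"),
            Person("John Smith", "JSmith", "mail/jsmith2.nsf"),
        ],
        references={"Kate Carter": ["group:Sales", "acl:sales.nsf"]},
    )


if __name__ == "__main__":
    d = sample_directory()
    print(delete_nt_user(d, "John Smith", "JSmith", DELETE_MAIL))   # refused: not unique
    print(delete_nt_user(d, "Kate Carter", "KCarter", DELETE_ALL))  # two requests queued
    print(approve_file_deletions(d))
```

Running the script removes Kate Carter's Person document and her references and queues two Approve File Deletion requests (the mail file and its replica), while the duplicated John Smith is left untouched; nothing touches a mail file until the requests are approved.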
To delete a user or group account
You can delete a user or group account from User Manager and
automatically delete the corresponding Person or Group document in the
Domino Directory. You can also automatically delete the user's mail file.

1. Before you delete a user account, you must:
- Make sure that Notes user / group deletion is enabled.
- Customize default Notes registration for Windows NT users.
2. From the User Manager, choose Notes - Delete / User Synch
Options.
3. Complete these fields, and then click OK.

Select a Notes server for deleting users/groups
    The name of the server containing the Domino Directory from which
    the user or group is being deleted. If you are deleting a group,
    continue with Step 4 without specifying User deletion options.

User deletion options
    Choose one:
    - Don't delete the mail file
    - Delete just the mail file specified in the Person record
    - Delete mail file specified in Person record and all replicas

Select a Notes server for synching users
    The name of a local or remote Notes server on which synchronization
    operations are performed.

4. Delete the user or group account as instructed by the Windows NT
documentation.
5. If prompted to delete the user or group from the Domino Directory,
click OK.

Using the Windows NT Performance Monitor to view Domino

You can install the Domino server as a counter within the Windows NT
Performance Monitor. The Performance Monitor lists all numerical
Domino server statistics, including those generated by add-in programs.
You can choose specific statistics to appear in a report or a chart for
analysis. You can also use the Performance Monitor to view the statistics
of a remote server.
For complete information on using the Performance Monitor, see the
Windows NT documentation.

To install Domino as a Performance Monitor counter
1. If you installed the Domino server without selecting the option to
install Performance Monitor, complete the following steps:
a. Run the Domino setup program again and click the Customize
button.
b. Make sure that the install paths are the same as for the original
server installation.
c. Deselect all installation options except for Notes Performance
Monitor. This allows you to install only Performance Monitor.
d. After the Install program completes, restart the server.
2. Enter this command at the NT command prompt in the program
directory:
notesreg.bat directory
where directory is the full path to the program directory.
Note If the server or an add-in program running on the server
terminates, stop the Performance Monitor before restarting the server or
add-in program.

To view Domino using the Performance Monitor
1. Click the Performance Monitor icon, or enter this command at the
NT command prompt:
start perfmon
2. Choose Edit - Add To Chart or Edit - Add to Report.
3. In the Object box, select Lotus Notes.
4. In the Instances box, select a Domino statistic you want to include in
a chart or report, then click Add. Repeat for each statistic you want to
add.
Note Domino statistics do not appear as instances in the Performance
Monitor until Domino or an add-in program assigns or updates a
statistic. To force this to happen, initialize statistics on the server, for
example, by typing Show Stat at the server console.

To view Domino error messages in the NT Performance Monitor
To see any error messages related to generating Domino statistics within
the Performance Monitor, look for notestat messages in the Application
Log of the Event Viewer.

To uninstall the Domino statistic counter from the Performance Monitor
To remove the Domino statistic counter from the Performance Monitor,
enter this command at the NT command prompt:
unlodctr notestat

Setting up Domino Active Directory synchronization

When the Domino server is installed on a Windows 2000 server, as an
administrator you typically need to maintain two separate directories for
the same set of people and groups. Maintaining user and group
information involves adding entries to both directories, deleting entries,
ensuring that passwords are the same when users use Notes Single
Logon, coordinating group membership in both directories, and ensuring
that user or group settings, such as e-mail addresses and telephone
numbers, are identical.
Lotus Domino 6 includes a set of tools to make synchronization between
Domino and Active Directory simple. The Active Directory Domino
Upgrade Service (AD DUS) is a tool that you can use with Active
Directory synchronization (ADSync) when you have data in your Active
Directory and you have just installed Domino. AD DUS can optionally be
used to migrate all or a set of your Active Directory users. After you've
done that, you can start using ADSync to maintain those users in Active
Directory and in Domino.
For more information on migrating Active Directory users, see the book
Upgrade Guide.
User options are available to register Notes users in Active Directory. In
the Domino Administrator's user registration interface, there is a
Windows User Options button on the Other panel of the Register
Person - New Entry dialog box. You can select options to register a user
in Active Directory at the same time that the user is registered in
Domino. This is essentially the opposite of what ADSync does.
Regardless of the tool with which you register a new user in both
directories, you can use ADSync to synchronize and delete users from
both directories. You can also use ADSync to rename users in both
directories.
For more information on the user options available when registering
Notes users, see the chapter "Setting Up and Managing Notes Users."
You can synchronize Person and Group documents in the Domino
Directory, and user and group accounts in Active Directory. When you
register or delete a Notes user or delete a Notes group, you can
automatically update the Active Directory. Use the Notes
synchronization options to enable the synchronization of all operations.
Conversely, special menu options and dialog boxes added to the Users
and Computers snap-in of the Microsoft Management Console (MMC)
enable you to specify that additions, deletions, and name changes made
to Active Directory user or group accounts be reflected in the Domino
Directory. You can also add existing Active Directory user or group
accounts to the Domino Directory, and synchronize Active Directory and
Domino Directory entries.
These directory synchronization features let you keep both the Domino
Directory and Active Directory current without having to update both
when either changes. Also, you can manage user and group information
in the Domino Directory and the Active Directory through a single
interface of your choice, either Domino or Windows 2000.
You must have a properly certified Notes ID and appropriate access to
make any changes to a Domino Directory from Notes or Windows 2000,
and have the appropriate rights if you are going to use the Domino 6
server-based certification authority (CA) to certify users on Domino.
Use a Lotus Notes 6 or more recent client, and Lotus Domino 6 or more
recent server as your registration server. You must create policies that
contain registration settings documents, either implicit or explicit, for all
Domino certifiers with which you are going to certify new users. Also,
you must have appropriate rights in the Active Directory allowing you to
add user accounts and synchronize passwords.

To set up Domino Active Directory synchronization
Install the Active Directory domain controller, the Domino server, and
the Domino Administrator on separate machines to improve
performance and enhance security. However, if necessary you may
install any two or all three of these on the same machine.
1. From a Windows 2000 Professional workstation, log into the
Windows domain using a user account with administrative rights.
2. From the Windows 2000 Server CD, install the Windows 2000
Administration Tools Package. From the CD, run
\i386\adminpak.msi.
Note This file is not on the Windows 2000 Professional workstation
CD. You must install the file from the Windows 2000 Server CD.
Microsoft licensing permits you to install this administrative package
on Windows 2000 Professional workstations.
3. From the Start menu, click Programs - Administrative Tools - Active
Directory Users and Computers, and verify that the workstation has
connected to the domain controller.
4. Install, but do not run, the Domino Administrator.
5. Open a command prompt. From your Notes install directory, type:
regsvr32 nadsync.dll
A message box appears indicating that registration is complete. This
can take up to one minute.
6. Run the Domino Administrator and complete the configuration
process.
7. From the Domino Administrator, create an organizational policy or
an explicit policy and a Registration policy settings document. You
must have at least one policy to use with ADSync.
For more information on policies, see the chapter "Using Policies."
8. From the Start menu, click Programs - Administrative Tools - Active
Directory Users and Computers. Click the Lotus Domino Options
folder.
9. Right-click Domino Directory Synchronization and then choose
Options.
10. Enter your Notes password.
11. Click the Notes Settings tab.
12. Click the Notes Server for Registration button and specify a
registration server. This is typically the administration server of the
Domino Directory.
13. Click OK.
14. Close and restart Active Directory Users and Computers to allow
these changes to take effect.

Enabling the Notes synchronization options

Use the Notes Synchronization Options tab on the Lotus ADSync
Options dialog box to enable or disable Notes/Windows synchronization
features in the Microsoft Management Console (MMC).
1. From the MMC, choose Domino Directory Synchronization.
2. Click Notes Synchronization Options.

3. Complete these fields:

Enable all synchronization operations
    Click to enable all Notes synchronization operations. All Windows
    2000 and Domino/Notes operations will be synchronized.

Select synchronization operations to enable
    Click to activate all the fields on this dialog box. When this
    check box is not selected, all of the other options on this dialog
    box are disabled.

User/group registration
    Click this check box to register new or existing Windows users and
    groups in Notes. When you click this check box, the "Synchronize if
    new user/group already exists in Notes" field becomes active.

Synchronize if new user/group already exists in Notes
    Click this check box to prevent the synchronization options from
    creating duplicate users or groups in Notes; an entry that already
    exists is synchronized instead. This field is active only if you
    select the User/group registration check box.

User/group deletion
    Click this check box to synchronize user and group deletions. Users
    and groups that are selected for deletion are then deleted from the
    Windows 2000 Active Directory as well as from the Domino Directory.

User/group synchronization
    Click this check box to copy the values from Active Directory
    object fields to Domino Directory fields, according to the field
    mapping specified in the Field Mappings tab. Member lists in groups
    are synchronized when you enable this option. Synchronization
    occurs when you select a Synchronize menu item, click a toolbar
    button, or after an Active Directory object is modified.
    When you click this check box, these fields are activated:
    - Recertify users on rename
    - Set common password on user synchronization

Recertify users on rename
    Click to use the Domino Administration Process to rename a Notes
    user if the corresponding Windows 2000 user is renamed. This field
    is active only if the User/group synchronization check box is
    selected.

Set common password on user synchronization
    Click to set a new password when you synchronize users. The
    password will be used as the Windows and Notes Internet password.
    The Notes user ID password does not change. This field is active
    only if the User/group synchronization check box is selected.

Prompt to confirm/cancel synchronization operations
    Click to use one of the options for confirming or canceling
    synchronization operations. Choose one:
    - Prompt for all operations: prompt prior to initiating all
      synchronization operations.
    - Prompt only for user/group deletions: prompt only when deleting
      users or groups.
    - Do not prompt for any operations: no prompts are issued prior to
      performing any synchronization operation.
    Because deletions remove entries from both directories, keeping at
    least the deletion prompt enabled is the safer choice.

Use CA process for user ID certification
    Click this check box to use the Domino 6 server-based certification
    authority (CA) when registering new users.

4. Click Apply and OK.
For more information on the Domino CA, see the chapter "Setting Up a
Domino Server-Based Certification Authority."

Specifying Notes settings

Use the Notes Settings tab on the Lotus ADSync Options dialog box to
enable or disable Notes and Windows registration features in the
Microsoft Management Console (MMC).
1. From the MMC, choose Domino Directory Synchronization.
2. Click Notes Settings.
3. Complete these fields:

Use Registration server for all operations
    Click this check box to use the server that you designated as the
    Registration server for all synchronization operations and for
    deletions. When you deselect this option, these fields are enabled:
    - Notes server for synchronization
    - Notes server for deletion

Notes server for registration
    Click this check box to open the Choose Server dialog box from
    which you can select a Registration server. The registration server
    must be a Domino 6 server.

Notes server for synchronization
    Click this check box to open the Choose Server dialog box from
    which you can select a Synchronization server. All synchronization
    operations are done on this server. This check box is enabled only
    if the "Use Registration server for all operations" check box is
    not selected.

Notes server for deletion
    Click this check box to open the Choose Server dialog box from
    which you can select a deletion server. All deletions are performed
    on this server. This check box is enabled only if the "Use
    Registration server for all operations" check box is not selected.

Administration ID
    Click this check box to open the Choose Notes Administrator ID
    dialog box in which you can specify another Notes user ID as the
    administrator ID. The initial user ID file name is taken from the
    current Notes client settings.

On user deletion
    Click this check box to specify options for mail file deletion when
    the user is deleted. Choose one:
    - Don't delete mail file: deletes the Person document but leaves
      the user's mail files intact.
    - Delete just the mail file specified in the Person record: deletes
      only the mail file specified in the Person document. No replicas
      of the mail file are deleted.
    - Delete mail file specified in the Person document and all
      replicas: deletes all mail database replicas on other servers in
      addition to the mail file specified in the user's Person document.

Default certifier name
    Click to specify a certifier that will be used during user
    registration. ADSync uses this certifier if no mapping was set for
    a particular Active Directory container on the Container Mappings
    tab.

Default explicit policy
    Click to specify the explicit policy (and its related settings) to
    be applied to users during user registration.

Register security groups in Notes as
    Click to assign a group type when registering security groups in
    Notes. Choose one:
    - Multi-purpose: use for a group that has multiple purposes, for
      example, mail and ACLs.
    - Mail only: use for mailing list groups.
    - Access Control List only: use for server and database access
      control only.
    - Deny List only: use to control access to servers. Deny List only
      is typically used to prevent terminated employees from accessing
      servers, but this type of group can be used to prevent any user
      from accessing particular servers. The Administration Process
      cannot delete any member from this group.

Register distribution groups in Notes as
    Click to assign a group type when registering distribution groups
    in Notes. Choose one:
    - Multi-purpose: use for a group that has multiple purposes, for
      example, mail and ACLs.
    - Mail only: use for mailing list groups.
    - Access Control List only: use for server and database access
      control only.
    - Deny List only: use to control access to servers. Deny List only
      is typically used to prevent terminated employees from accessing
      servers, but this type of group can be used to prevent any user
      from accessing particular servers. The Administration Process
      cannot delete any member from this group.

4. Click Apply and OK.

Mapping Active Directory fields with Domino Directory fields

Use the Field Mappings tab on the Lotus ADSync Options dialog box to
map specific Active Directory fields to Person and Group document
fields. Person and Group documents are stored in the Domino Directory.
Mapping is different for the two object classes, User and Group.
You can modify any of the initial mappings, create mappings, or create
Notes field names. When an Active Directory object is created or is
synchronized with Notes, all field values in the mapped Active Directory
object are copied to corresponding fields in the Person or Group
document in the Domino Directory. If necessary, fields are created in the
Person or Group document and existing field values are overwritten.
This is one-way synchronization. No changes are made to the Active
Directory object.
Field Mappings in ADSync, unlike other settings, are different for each
Active Directory domain.
To map fields
1. From the MMC, choose Domino Directory Synchronization.
2. Click Field Mappings.
3. Choose either User or Group in the Field mappings for Object class
field.
4. Scroll through the In Active Directory list until you locate the Active
Directory field that you are mapping to a Domino Directory field.
5. Right-click the corresponding In Domino Directory field (it may
appear blank). An editable field appears. Enter the field name or
select one from the list.
6. Continue this process until you have mapped as many fields as
needed.
7. Click Apply and OK.
To allow the new fields to display in the dialog box, close and then
restart the Microsoft Management Console. The new fields appear.

Mapping Active Directory containers to Notes certifiers and policies

Use the Container Mappings tab on the Lotus ADSync Options dialog
box to define the mapping between Active Directory containers and
Notes certifiers and Notes policies. Container mappings are used to
register new users and translate group member names into the correct
Notes format during synchronization. The group members must belong
to an organizational unit that is mapped to a specific Notes certifier.
When initializing, ADSync reads all Active Directory containers, Domino
certifiers, and explicit policies from the Domino Directory on the
registration server. Because Active Directory allows you to create a
hierarchy of organizational units and containers, it makes sense to preserve
that hierarchy in Domino by using different certifiers and policies to
register people from different Active Directory containers. Plan and then
specify mappings between the two hierarchies before starting to use ADSync,
especially if either hierarchy is extensive. If you do not specify
mappings, the default certifier name and organizational policy are used.
You can map multiple containers to one policy and/or to one certifier.
When you create or delete Active Directory containers or Notes certifiers
and policies, they can be mapped using the Container Mappings table
after you close and reopen the Microsoft Management Console.
Container Mappings in ADSync differ for each Active Directory domain.
To map containers
1. From the MMC, choose Domino Directory Synchronization.
2. Click Container Mappings.
3. Scroll through the AD Container list until you locate the Active
Directory containers to which you are mapping a particular Notes
certifier and/or a Notes policy. If you are mapping more than one
container to one policy or certifier, select multiple containers before
choosing a policy or certifier.
4. Right-click the corresponding Notes Certifier field (it may appear
blank). An editable field appears. Enter the certifier name or select
one from the list.
5. Right-click the corresponding Notes Policy field (it may appear
blank). An editable field appears. Enter the policy name or select one
from the list.
6. Continue this process until you have mapped as many containers,
certifiers, and policies as needed.
7. Click Apply and OK.
To allow the new policies and certifiers to display in the dialog box, close
and then restart the Microsoft Management Console. The new policies
and certifiers appear.

Registering new users in Active Directory and in Domino Directory
simultaneously

Before starting any operation in ADSync, review all of the ADSync
settings, especially Notes Settings and Container Mappings.
You can register new users in Notes at the same time that you register
them in the Active Directory, or you can register existing Active Directory
users in Notes. If any of the users or groups being registered already exist
in Notes, and the "Synchronize if new user/group already exists in Notes"
option on the Notes Synchronization Options tab is checked, a duplicate
user or group is not created. Instead, synchronization is performed.

Registration uses certifier IDs or the Domino 6 server-based certification
authority (CA). Only certifiers listed in the registration server's Domino
Directory are used. If you are using certifier IDs, you are prompted for
the path and password, once per certifier per MMC session.
If you create users and groups without additional prompts, all defaults
are used, and the entire registration queue is processed. When users are
created, random passwords are generated and placed in the database
NTSYNC45.NSF, located in the root of the local Notes data directory.
Because that database holds the generated passwords so that you can
distribute them, restrict access to it and clear its entries once the
passwords have been handed out.
For information on the fields that display while registering users, consult
your Microsoft documentation.
To register new Windows 2000 users in Domino
1. From the MMC, right-click Users - New - User.
2. Complete the fields on the windows that display.
3. Complete these fields on the Notes registration window:

Register in Domino Directory
    Click this check box to register this user in the Windows Active
    Directory and in the Domino Directory. Other fields on this dialog
    box are enabled when you click this check box.

First name, Middle name, Last name
    Enter the user's first name and last name, and optionally, enter a
    middle name.

Org unit
    (Optional) Enter an organizational unit if your enterprise uses
    them. For example, if user John Smith is part of engineering, the
    organizational unit may be Eng. The user name would be John
    Smith/Eng. Organizational units are useful for differentiating
    between users of the same name. For example, John Smith/Eng/Acme
    and John Smith/Doc/Acme, where one employee is a member of
    Engineering and the other is a member of Documentation. Each is
    assigned a different organizational unit name.
    Note The user's Short name and Internet address are automatically
    generated. To change the Short name or Internet address, click the
    appropriate space and enter the new text.

Certifier context
    Choose the certifier to use to certify this user.

Organizational Policy
    Non-modifiable. Displays the name of the organizational policy that
    is assigned if there is one. If there are no organizational
    policies, this field displays None.

Explicit Policy
    Choose an explicit policy from the list.

Use common password
    Click this check box if you want to use one password for Windows,
    Notes, and Notes Internet. The existing Windows password is then
    replaced by the password you enter here. To preserve the existing
    Windows 2000 password, enter that password as the common password.
    If the "Use common password" check box is selected, the "Notes
    password for the user name" field and the "Confirm password" field
    are enabled.

Password
    Enter the new password.

Confirm password
    Enter the same password again to confirm it.

Internet address
    The default Internet address as derived from the Windows 2000 user
    name and the current Notes domain, for example, KCarter@domain.com.

Short name in Notes
    The short name by which the user will be known in Notes. By
    default, the short name consists of the user's first initial and
    last name.

4. Click Next.
5. Review the settings you specified for the user you are registering and
click Finish.

Registering existing Active Directory users and groups in Notes

There are two procedures available for registering existing Active Directory users and groups in Notes.
When you are registering users and groups, all groups are registered first.

Reviewing ADSync operations in the Application Log


You can examine the Windows 2000 event viewer for more information
about any errors that may occur. Look for NUMEEvent messages in
the Application Log. All ADSync operations are recorded in the
Application Log.

Registering existing users or groups quickly without prompts


Use this method to register many existing users or groups at one time.
Users and groups are registered using the existing information in the
registration queue so that you are not prompted to enter user-specific or
group-specific information on multiple dialog boxes for every user or
group that you are registering. This is the recommended method for
registering multiple users and groups at one time, but this method can be
used to quickly register an individual user or group.
1. From the MMC, click Users.
2. On the Results pane, right-click the users and/or groups you are
registering and then click Register in Domino. You can choose
multiple users and/or groups and then click Register in Domino
once for all of your selections.
3. Choose Register users and groups at once without additional
prompts; use defaults. This button registers users and groups
without prompts.
4. Choose one of these options:
   If error happens during registration of some users and/or groups, try to register them later: Click this check box to register any users or groups whose registrations fail on the first try. If not selected, users and groups are not registered if the first attempt fails.
   If registration is canceled for some users and/or groups, try to register them later: Click this check box to allow an attempt to register any users or groups whose registrations are canceled on the first try. If not selected, users and groups will not be registered if the first attempt is canceled. This option is active only if the Prompt for the name and password of each user, and for the name and members of each group button is selected.

5. Click Register Now.
Note You have the option of choosing one of the following if you decide not to register now:
Click Register later to store the users or groups in the registration queue. You can then register them later.
Click Do not register to cancel user registration.
After successful registration in Notes, users and groups are synchronized with the Active Directory. A progress bar displays during the registration process.

Registering existing users or groups individually with prompts


Use this method to register users and groups individually. You are
prompted to enter multiple fields of information on multiple dialog
boxes for each user and for each group that you register. This method is
recommended when registering very small numbers of users or groups,
or when you need to modify information for users and groups during the
registration process. This option provides administrators with control
over Notes registration information for each user or group. When used to
register numerous users or groups, this method is time-consuming.
During group registration, for each group you can specify the members
that are to be registered in Notes by clicking the Members button on the
dialog box on which it appears. You are also able to specify a new group
name, description, and group type if you want to modify any of those.
For more information on Active Directory, see the Microsoft Active
Directory documentation or use the Microsoft Active Directory online
help for fields.
1. From the MMC, click Users.
2. On the Results pane, right-click the user or group you are registering
and then click Register in Domino.
3. Choose Prompt for the name and password of each user, and for the
name and members of each group. When this option is chosen, the
If registration is canceled for some users and/or groups, try to
register them later check box is also active.
4. Choose one of these options:
   If error happens during registration of some users and/or groups, try to register them later: Click this check box to attempt to register at a later time any users or groups whose registrations fail on the first try. If not selected, users and groups are not registered if the first attempt fails.
   If registration is canceled for some users and/or groups, try to register them later: Click this check box to attempt to register at a later time any users or groups whose registrations are canceled on the first try. If not selected, users and groups will not be registered if the first attempt is canceled. This option is active only if the Prompt for the name and password of each user, and for the name and members of each group button is selected.
5. Click Register Now.
Note You have the option of choosing one of these if you decide not to register now:
Click Register later to store the users or groups in the registration queue. You can then register them later.
Click Do not register to cancel user registration.
6. Complete the fields on all dialog boxes that display for each user or
group.
7. Click Finish when you are done.
For more information on the Notes Registration dialog box that
displays for users, see the topic Registering new users in Active
Directory and in Domino Directory simultaneously in this chapter.
For more information on the Notes Registration dialog box that
displays for groups, see the topic Registering new groups
simultaneously in Active Directory and in Domino Directory later
in this chapter.

Synchronizing users and groups


Active Directory user and group accounts can be synchronized with the
corresponding Person and Group documents in the Domino Directory.
Synchronizing users facilitates other user synchronization operations,
such as user registration and deletion, which can be initiated through the
Microsoft Management Console (MMC) or Domino. Synchronization also
enables users to have a common password for Windows and for Domino
Web Server access, copies all mapped field values from user or group
objects in Active Directory to corresponding documents stored in the
Domino Directory, and it copies member lists of the groups. The
synchronization server specified in Notes Settings is used for all
synchronization operations.
For more information on Notes Settings, see the topic Specifying Notes
Settings in this chapter.
Synchronization is initiated at these times:

After the user or group is registered in Domino from the MMC using
ADSync.

When one or more users or groups are selected on the results pane of
the MMC and the Synchronize with Domino option is selected from
the context menu or the toolbar.

When you change any of the properties of the user or group object
and confirm your changes by clicking the OK or Apply buttons.

During synchronization, ADSync attempts to match the Active Directory object with an entry in the Domino Directory. If more than one match is found, ADSync prompts you to specify the match from those that have been located.
The field mappings that are set in the Field Mappings table designate
which fields are synchronized during synchronization. System fields that
cannot be safely synchronized in two directories are excluded from the
Field Mappings table.
For more information on Field Mappings, see the topic Mapping Active
Directory fields with Domino Directory fields in this chapter.
If the Set common password check box is checked on the
Synchronization Options tab on the Lotus ADSync Options dialog box,
you are prompted to enter a new password during synchronization. This
changes the Windows password as well as the Notes Internet password
for that user.
For more information on synchronization options, see the topic Enabling the Notes synchronization options earlier in this chapter.
Note Consult your Windows 2000 documentation for information about
running and working with the MMC and the Users and Computers
snap-in.

Registering new groups in Active Directory and in Domino Directory simultaneously

Before registering new groups, review all of the ADSync settings, especially the Notes Settings and Container Mappings.
You can register new groups in Notes at the same time you register them in the Active Directory.
For information on the fields that display while registering groups, consult your Microsoft documentation.
Complete this procedure to simultaneously register a group in Notes and in Active Directory:
1. From the MMC, right-click Users - New - Groups.
2. Complete these fields on the Notes registration window that
displays:
   Register in Domino Directory: Click this check box to create a Notes group to correspond to the Windows group. Deselect to create the group only in the Active Directory. When this option is selected, all other fields on this dialog box are active.
   Group name: Enter a group name. This field is active only if you select the Register in Domino Directory check box.
   Group type: Specifies the purpose of the group and determines the views in the Domino Directory where the group name appears. This field is active only if you select the Register in Domino Directory check box.
      Multi-purpose: Use for a group that has multiple purposes, for example, mail and ACLs. This is the default.
      Access Control List only: Use for server and database access authentication only.
      Mail only: Use for mailing list groups.
      Deny List only: Use to control access to servers. Deny List only is typically used to prevent terminated employees from accessing servers, but this type of group can be used to prevent any user from accessing particular servers. The Administration Process cannot delete any member of this type of group.
   Description: (Optional) Enter a description of the group.


3. Click Next.
4. Review the information that displays and click Finish. Click OK.

Adding members to a group


1. From the MMC, select the name of the group to which you are
adding members.
2. Complete the fields on the Newgroup Properties dialog box. For
more information on completing these fields, refer to the Microsoft
help documentation.
3. Click Apply and OK.

Renaming Active Directory and Notes users and groups


When you rename a user or group in the Active Directory, and there is a
corresponding user in the Domino Directory that was previously
synchronized with its Active Directory counterpart, ADSync renames or
recertifies that user or group accordingly. The server that is used for
synchronizing the Domino Directory with the Active Directory is the
synchronization server that you specify on the Notes Synchronization
Options tab.
When you rename a Notes user or group, all occurrences of that user
name are updated in the Domino Directory and other databases by the
Domino Administration Process on the Domino server.
To rename a user or group in Active Directory and in Domino Notes
1. From the MMC, right-click the name of the user or group you are renaming, and click Rename.
2. Enter the user's or group's new name.
3. Complete the fields in the Rename User/Group wizard. Be sure to enter the new name in any fields in which you want the name change to take effect.
4. On the Verification to Rename dialog box, verify that the check box Corresponding user or group in Domino Directory is selected to change the name in the Domino Directory.
5. Click Yes.
For information on renaming a user in Domino, see the chapter Setting Up and Managing Notes Users.
For information on renaming a group in Domino, see the chapter Setting Up and Managing Groups.
For information on administration requests, see the appendix Administration Process Requests.

Deleting Active Directory and Notes users and groups


When you delete a user or group from the Active Directory and there is a
corresponding user or group in the Domino Directory that was
synchronized with it, ADSync removes the Person document or Group
document for that Domino Directory entry using the Administration
Process on the deletion server. You can designate a deletion server and
change user mail file deletion settings in the Notes Settings tab of the
Lotus ADSync Options dialog box.
When you delete a Notes user or group, all references to it are removed
from the Domino Directory by the Domino Administration Process
running on a Domino server. After initiating the deletion, you must
approve the request in the Administration Requests (ADMIN4.NSF)
database on the Domino server.
For more information on deleting users in Domino, see the chapter
Setting Up and Managing Notes Users.
For more information on administration requests, see the appendix
Administration Process Requests.
Note To use a Notes administrator ID other than the one most recently used, go to the Notes Settings tab of the Lotus ADSync Options dialog box and specify another administrator's ID.
How to delete users from Active Directory and Domino
1. From the MMC, right-click the name of the user you are deleting and
then click Delete.
2. Click Yes at the verification message.


Chapter 18
Planning Directory Services
This chapter describes the Domino directory services features and some
of the planning issues to consider before using them.

Overview of Domino directory services


Domino provides a range of directory service features that are useful for both small and enterprise companies including:

The option to use dedicated directory servers and to use a central directory architecture

Lightweight Directory Access Protocol (LDAP) features

Flexible directory access control, including the ability to use an extended ACL to set access at the form and field level

Tools for creating and managing entries in the directory

Directory features for Notes clients

Features for multiple-directory environments

Internationalization features

Directory customization features

Using directory servers in a Domino domain

A Domino domain is a network of clients and servers whose users, servers, connections, and access control information are described in a single database called the Domino Directory. When you set up the first server in an organization, Domino creates a Domino domain and a Domino Directory for the domain. When you add servers to the domain they pull replicas of the Domino Directory. To create an additional domain and Domino Directory, you perform a first server setup.
Each Domino domain has at least one administration server for the Domino Directory. The administration server is responsible for carrying out Administration Process requests that automate changes to the Domino Directory. By default, the first server set up in a domain is the administration server for the Domino Directory.
You can use directory servers in a Domino domain to dedicate specific
servers to providing directory services. Clients and specialized servers
such as mail and application servers use the directory servers to look up
user, group and similar information.
A directory server might:

In a central directory architecture, store a primary Domino Directory that servers with Configuration Directories access remotely

Run the LDAP service

Run the Dircat task to build and store directory catalogs

Store replicas of directories that are aggregated into the directory catalog

Store replicas of secondary Domino Directories that servers in the domain access through directory assistance

You can set up Notes clients to use directory servers, rather than their
mail servers, to look up names and addresses.
For information on setting up Notes clients to use directory servers, see
the chapter Setting Up the Domino Directory.

Using a central directory architecture in a Domino domain


Prior to this release, companies always used a distributed directory architecture in which every server in a Domino domain had a full replica of the domain's primary Domino Directory. A primary directory contains all types of documents: documents used to provide directory services such as Person and Group documents as well as documents used to configure Domino servers.
In this release, companies can implement a central directory architecture. In a central directory architecture, a few directory servers in a domain have a replica of the primary Domino Directory that contains the entire contents of the Domino Directory. The other servers in the domain have a Configuration Directory, a small, selective replica of the Domino Directory that contains only documents used for Domino configuration. A server with a Configuration Directory uses a primary Domino Directory on another server, referred to as a remote primary Domino Directory, to look up information in Person, Group, Mail-In Database, and Resource documents, and in any new types of custom documents a company has added to the directory.

Enterprise companies that use centralized architectures can benefit from this feature. A central directory architecture allows for tighter administrative control over directory management because only a few directory replicas contain user and group information. In addition, application and mail servers can run on less powerful machines than the directory servers require, since the application and mail servers don't have to store a primary Domino Directory, which can be the largest database in a company. If the user and group information in a directory changes frequently, the servers with Configuration Directories have immediate access to the changes that critical business applications and processes require, because they don't have to wait for the changes to replicate locally.
To use a central directory architecture you must have adequate network
bandwidth to support the remote primary directory lookups. For
failover, it is also important that at least two servers in a domain are
configured as a remote primary Domino Directory.
For additional information on implementing a central directory
architecture, see the chapter Setting Up the Domino Directory.

Planning LDAP features


Lightweight Directory Access Protocol (LDAP) is a standard Internet protocol for searching and managing entries in a directory. Domino and Notes provide these LDAP features:

The LDAP service enables a Domino server to function as an LDAP directory server and process LDAP requests.

LDAP accounts on Notes clients enable Notes users to do LDAP-style searches for addresses in LDAP directories.

The ldapsearch utility enables you to use LDAP search syntax to search an LDAP directory.

Directory assistance can enable a Domino server to use a remote LDAP directory for client authentication and/or to look up the members of groups during database authorization.

Planning the LDAP service


A Domino server that runs the LDAP task functions as an LDAP
directory server, ready to process requests from LDAP clients. Such
requests can come from any of the popular Web browser clients that
have built-in LDAP support to retrieve directory information, or from
custom LDAP applications designed to search for and manage directory
information.

Some of the questions to ask when planning for the LDAP service are:

What levels of LDAP client authentication do you want to use? Anonymous access, enabled by default, allows LDAP clients to connect without providing names and authentication credentials, such as passwords or certificates. Typically you allow LDAP clients connecting anonymously only read access to the directory.

Should you use an extended ACL to control LDAP access to the directory? An extended ACL provides more granular directory access control than the database ACL alone supports. If you use an extended ACL, the database ACL and extended ACL control Anonymous LDAP search access as well as anonymous access for the other supported client protocols. If you do not use an extended ACL, a Configuration Settings document controls Anonymous LDAP search access.

Should you create a full-text index for the Domino Directory? If your LDAP clients typically use search filters that search for names or mail addresses, then it's not necessary to full-text index the directory. If LDAP clients use other types of search filters, creating a full-text index for the directory is recommended so the LDAP service can process these kinds of requests more quickly by searching a full-text index.

Do you need to extend the schema to add support for new object classes or attributes? You may need to extend the schema if your company has LDAP applications that search for application-specific information. You can use the Domino LDAP Schema database (SCHEMA.NSF) to extend the schema, or add forms and fields to the directory. Using the Schema database is recommended.

For additional information, see the chapters Setting Up the LDAP Service and Managing the LDAP Schema.

Planning directory assistance for the LDAP service
You can set up directory assistance on a server that runs the LDAP
service so the LDAP service can extend client LDAP requests to a
secondary Domino Directory or to a remote LDAP directory.
Some of the issues to consider with respect to setting up the LDAP
service to use directory assistance for a secondary Domino Directory
include:

What access do I want LDAP clients to have to the secondary Domino Directory? You control LDAP access separately for each Domino Directory or Extended Directory Catalog the LDAP service serves.

If you use a custom LDAP application to administer the directory, the LDAP service allows the application to modify the directory only if the directory is stored locally on the server running the LDAP service. If the secondary Domino Directory is stored on a remote server, the LDAP service can return a referral to that server instead of processing the LDAP operations itself.

Some of the issues to consider with respect to setting up the LDAP service to use directory assistance to refer LDAP clients to a remote LDAP directory include:

The LDAP service can never process an LDAP search, add, or modify request in a remote LDAP directory. It can only refer LDAP clients to a remote LDAP directory.

By default the LDAP service can return a given LDAP client a referral to only one remote LDAP directory. If you want to enable the LDAP service to return an LDAP client more than one referral, so that an LDAP client can follow up with an alternate referral if the directory server specified in the first referral is unavailable, you must increase the Maximum number of referrals setting for the LDAP service.

You can specify alternate LDAP directories for referral in one Directory Assistance document for a remote LDAP directory.

Note The LDAP service, like any Domino Internet protocol server, can
use directory assistance to authenticate its clients using credentials in a
secondary directory, and to use groups in a secondary directory for
database authorization.
For more information, see the topic Planning directory assistance later
in this chapter.

Planning LDAP accounts on Notes clients

Notes clients can use LDAP accounts set up in the Personal Address Book to connect directly to a remote LDAP directory server. Using an LDAP account, a Notes user can browse the remote LDAP directory and can search for addresses in the remote LDAP directory when sending mail.
Some of the issues to consider before setting up LDAP accounts on Notes clients are:

Would you rather set up directory assistance on Notes clients' mail servers or directory servers to provide Notes users with access to a remote LDAP directory rather than use LDAP accounts? If the Notes clients run Notes Release 4, you must use directory assistance because Notes Release 4 clients don't support the use of LDAP accounts. You might also use directory assistance to avoid having to update client LDAP accounts if the remote LDAP directory configuration changes; if you use directory assistance, you change only the Directory Assistance document for the remote LDAP directory if the directory server configuration changes.

What settings do you want to use in an LDAP account? For example, if an LDAP directory server requires a search base, you should specify a search base in the account. Should you use a simple search filter that searches only for a cn attribute to locate user entries, or a more complex search filter that also searches for a mail, uid, sn, or givenname attribute? If searches of the cn attribute only are adequate for your needs, using the simple search filter improves the speed of searches.

Should you use Setup policy settings and/or Desktop policy settings
documents to set up and modify the LDAP accounts? This approach
automates the process of creating and updating the accounts.

LDAP accounts for the Bigfoot and VeriSign directories are set up by
default.
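The two kinds of account search filter described above, the simple cn-only filter and the more complex one over cn, mail, uid, sn and givenname, are ordinary LDAP search filters, so the trade-off between them is easy to see in code. The block below is an added example, not Notes or Domino code: it builds both filters, escapes the name the user typed (the RFC 4515 rule, so that parentheses or asterisks in an address-book lookup are matched literally rather than changing the shape of the filter), and assembles the search base, scope and filter that one lookup sends. The search base "o=Acme", the function names and the sample inputs are constructed for illustration.

```python
"""Build the simple and the more complex LDAP account search filters.

Added example, not Notes or Domino code. The attribute names cn, mail, uid,
sn and givenname come from the text; the search base, function names and
sample inputs are constructed for illustration.
"""

# RFC 4515 requires these characters to be escaped inside a filter value.
# Without escaping, text typed into an address search could change the
# structure of the filter instead of being matched literally.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a raw value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def simple_filter(name, prefix=False):
    """Simple filter: search the cn attribute only.

    prefix=True adds a deliberate trailing wildcard (John* style) after the
    value has been escaped, so only the caller, never the input, adds wildcards.
    """
    return "(cn=%s%s)" % (escape_filter_value(name), "*" if prefix else "")


COMPLEX_ATTRIBUTES = ("cn", "mail", "uid", "sn", "givenname")


def complex_filter(name, prefix=False):
    """More complex filter: an OR over cn, mail, uid, sn and givenname.

    Each extra attribute is another comparison the server must evaluate,
    which is why the text says the cn-only filter is faster when it suffices.
    """
    value = escape_filter_value(name) + ("*" if prefix else "")
    return "(|" + "".join("(%s=%s)" % (attr, value) for attr in COMPLEX_ATTRIBUTES) + ")"


def search_request(name, search_base="", simple=True, prefix=False):
    """The pieces an LDAP account sends for one lookup: base, scope and filter."""
    return {
        "base": search_base,  # some directory servers require a search base
        "scope": "subtree",
        "filter": simple_filter(name, prefix) if simple else complex_filter(name, prefix),
    }


if __name__ == "__main__":
    print(search_request("John Smith", "o=Acme"))
    print(search_request("jsmith", "o=Acme", simple=False, prefix=True))
    # Wildcards and parentheses in the input are escaped, not interpreted.
    print(simple_filter("*)(uid=*"))
```

The escaping step is the part worth keeping even if the filter itself is trivial: a name such as `*)(uid=*` becomes `(cn=\2a\29\28uid=\2a)` and matches nothing, whereas the unescaped text would widen the search to every entry in the base.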

The ldapsearch utility


LDAPSEARCH.EXE is a utility that you run from the operating system
prompt that searches any LDAP directory. ldapsearch connects to a
directory server that you specify and returns results according to
specified search criteria. ldapsearch is provided with the Domino server
and the Notes client. This tool uses standard LDAP search syntax so you
can also use it to learn about using LDAP to search an LDAP directory.
For additional information, see the chapter Using the ldapsearch
Utility.
Domino does not provide a comparable tool for modifying an LDAP
directory.


Planning directory access control


Use the database ACL to control the general access that users and servers
have to the Domino Directory. Optionally, use an extended ACL to refine
the general database ACL and further restrict access to specific portions
of the directory. An extended ACL is available for only a Domino
Directory and an Extended Directory Catalog.
Some of the questions to ask when planning directory access control
include:

Do you want to assign administrators to specific administration roles in the Domino Directory? If administrators in your company have specialized administrative duties, consider assigning the administrators only to the administration roles in the ACL that correspond to their duties. If your company administrators do all administrative tasks, assign them to all of the roles.

Do you want to use an extended ACL? One of the reasons to use an extended ACL is to limit cross-organizational access to a directory that contains information for multiple organizations or organizational units.

Do you want to allow Anonymous access to the directory? By default, you use the domain Configuration Settings document in the Domino Directory to control anonymous LDAP search access. By default, anonymous LDAP users have Read access to a specific list of attributes.
The Anonymous entry in the directory database ACL is set to No Access by default and controls anonymous access for all users other than LDAP users. If you use an extended ACL, the Anonymous entry in the database ACL and the extended ACL also control anonymous LDAP access. Typically you give the Anonymous entry no more than Reader access.

For additional information, see the chapters Setting Up the Domino Directory and Setting Up Extended ACLs.
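The questions in this section and the anonymous-access question under Planning the LDAP service describe one layered decision: the database ACL sets the general level, an extended ACL can only narrow it for parts of the name tree, and anonymous LDAP search is governed either by that pair (when an extended ACL is in use) or by the attribute list in the Configuration Settings document (when it is not). The block below is an added simulation of that layering, not Domino code and not how Domino evaluates its ACLs internally; the subjects, subtrees, levels and attribute list are constructed sample data, and the -Default- convention for the extended ACL fallback is an assumption made for the model.

```python
"""Simulation of the layered Domino Directory access control described above.

Added example, not Domino code: a model of how a database ACL, an optional
extended ACL and the anonymous LDAP attribute list combine. Subjects,
subtrees, levels and attribute names are constructed sample data.
"""

# Domino database ACL levels, lowest to highest.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


def _rank(level):
    return LEVELS.index(level)


# Constructed database ACL. Anonymous is No Access by default, as the text states.
DATABASE_ACL = {
    "Anonymous": "No Access",
    "-Default-": "Reader",
    "Dir Admin/Acme": "Editor",
    "HR App/Acme": "Reader",
}

# Constructed extended ACL: (subject, subtree) -> level. An extended ACL only
# refines the database ACL, so a level here can lower but never raise access.
EXTENDED_ACL = {
    ("-Default-", "OU=HR/O=Acme"): "No Access",
    ("HR App/Acme", "OU=HR/O=Acme"): "Editor",  # above its database level: no effect
}

# Constructed stand-in for the attribute list in the Configuration Settings
# document that governs anonymous LDAP search when no extended ACL is used.
ANONYMOUS_LDAP_ATTRIBUTES = {"cn", "mail", "sn", "givenname", "o", "ou"}


def _extended_level(subject, entry_dn):
    """Most specific extended-ACL entry that applies to subject for entry_dn, or None."""
    applicable = {}
    # Longer subtree names are more specific; process them last so they win.
    for (xsubject, subtree), level in sorted(EXTENDED_ACL.items(), key=lambda kv: len(kv[0][1])):
        if entry_dn.endswith(subtree):
            applicable[xsubject] = level
    if subject in applicable:
        return applicable[subject]
    return applicable.get("-Default-")  # assumed fallback for this model


def effective_access(subject, entry_dn, use_extended_acl=True):
    """Access level subject has to the directory entry entry_dn."""
    level = DATABASE_ACL.get(subject, DATABASE_ACL["-Default-"])
    if use_extended_acl:
        restriction = _extended_level(subject, entry_dn)
        if restriction is not None:
            # min() is what makes the extended ACL a refinement, never a grant.
            level = min(level, restriction, key=_rank)
    return level


def anonymous_ldap_can_read(attribute, entry_dn, use_extended_acl):
    """Whether an anonymous LDAP search may read attribute of entry_dn."""
    if use_extended_acl:
        # Database ACL Anonymous entry plus extended ACL decide.
        return _rank(effective_access("Anonymous", entry_dn, True)) >= _rank("Reader")
    # Otherwise the Configuration Settings attribute list decides.
    return attribute in ANONYMOUS_LDAP_ATTRIBUTES


if __name__ == "__main__":
    hr_entry = "CN=Pat Lee/OU=HR/O=Acme"
    print("Dir Admin on HR entry:", effective_access("Dir Admin/Acme", hr_entry))
    print("HR App on HR entry:   ", effective_access("HR App/Acme", hr_entry))
    print("anonymous mail, no xACL:", anonymous_ldap_can_read("mail", hr_entry, False))
    print("anonymous mail, xACL:   ", anonymous_ldap_can_read("mail", hr_entry, True))
```

Two consequences the model makes visible: switching an extended ACL on with the default Anonymous entry of No Access removes the attribute-level read that anonymous LDAP clients had under the Configuration Settings document, and an extended ACL entry above a subject's database ACL level changes nothing, so the database ACL remains the ceiling to review first.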

Planning new entries in the Domino Directory

The tools you can use to add entries to the Domino Directory are the Notes user registration program, migration tools that are integrated with the Notes user registration program, Domino directory synchronization tools, and third-party LDAP applications. You can also add an entry manually; for example, you typically add a group entry manually. You might also develop a custom Notes application to add entries.

Note In general an entry's distinguished name is determined by the first value listed in the FullName field. Domino Group and Server entries are the exceptions. The ListName field controls the distinguished name of a Domino Group and the ServerName field controls the distinguished name of a Domino server. If you add more than one value to a FullName, ListName, or ServerName field, keep the distinguished name as the first value.
Notes user registration program
The Notes user registration program, available through the Domino Administrator and Web Administrator clients, is the traditional method for adding user entries to the Domino Directory. The registration program registers users with hierarchical names, that is, names with multiple, distinguishing components provided by a certifier. The registration program can register users with Notes IDs, X.509 certificates, or passwords, and can register users to use Notes mail, an Internet mail protocol, or no mail.
Before you register Notes users you should decide on a naming scheme
for the users and create certifiers that reflect that scheme. You should
also use the Policies feature with a Registration policy settings document
to simplify the process of registration by filling in many of the
registration settings automatically.
For more information, see the chapters Setting Up and Managing Notes
Users and Using Policies.
Directory synchronization tools
If you create a new user or group account in Windows NT User Manager
for Domains or in Active Directory, Domino provides tools you can use
to simultaneously register the user or group in the Domino Directory.
For more information, see the chapter "Using Domino with Windows
Synchronization Tools".
Migration tools
The Notes user registration program provides migration tools that
convert third-party mail system users or third-party LDAP directory
users to Notes users. Be aware that if you migrate users from an LDAP
directory, the migration tools convert the entries from the LDAP directory
into Notes entries with new names based on a certifier specified in the
Notes user registration program.
For more information on migration tools, see the Upgrade Guide.

18-8 Administering the Domino System, Volume 1

Third-party LDAP applications
If you use the LDAP service, you can use an LDAP application to add
entries to the Domino Directory. Because Domino does not provide such
an LDAP application, your company must develop or obtain one to add
entries to the directory in this way. These are some of the issues to keep
in mind if you use an LDAP application to add entries to a Domino
Directory:
• You must set up the directory to allow LDAP write access.
• Enabling schema checking for the LDAP service is recommended so
  that the directory contents conform to the schema and are consistent.
• The distinguished names of entries must be 256 characters or less.
For additional information on using LDAP to add entries, see the chapter
"Setting Up the LDAP Service".
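The distinguished-name rules above (the first FullName, ListName or ServerName value names the entry; LDAP-added entries are limited to 256 characters; schema checking keeps the contents consistent) as an added Python example. This is not code from the Domino product or from this guide: the Form values, the schema fragment, the attribute names and the sample documents are constructed for illustration, and they show the checks an LDAP application can run before sending an add request to a directory that has schema checking enabled.

```python
# Added example (not from the Domino documentation or product): derive a Domino
# entry's distinguished name from its DN-controlling field, and run the
# pre-flight checks an LDAP application should make before adding an entry.
# The schema fragment, attribute names and sample documents are constructed.

# Which field supplies the distinguished name depends on the entry type:
# Group -> ListName, Server -> ServerName, everything else -> FullName.
DN_FIELD_BY_FORM = {"Group": "ListName", "Server": "ServerName"}
MAX_DN_LENGTH = 256  # limit the chapter states for entries added over LDAP

# Constructed minimal schema fragment: required attributes per object class,
# and the attribute names the checker treats as defined in the schema.
REQUIRED_ATTRS = {"dominoPerson": {"cn", "sn"}, "dominoGroup": {"cn"}}
KNOWN_ATTRS = {"objectClass", "cn", "sn", "givenName", "mail", "uid", "member"}


def distinguished_name(doc):
    """Return the entry's distinguished name: the first value of the DN field."""
    field = DN_FIELD_BY_FORM.get(doc.get("Form"), "FullName")
    values = doc.get(field) or []
    if not values:
        raise ValueError(f"{field} has no values; the entry has no distinguished name")
    return values[0]


def parse_dn(dn):
    """Split 'cn=Jane Doe,ou=Sales,o=Acme' into [('cn', 'Jane Doe'), ...]."""
    rdns = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def check_ldap_add(dn, attrs, schema_checking=True):
    """Return the problems found with an add request; an empty list means it passes."""
    problems = []
    if len(dn) > MAX_DN_LENGTH:
        problems.append(f"DN is {len(dn)} characters; the limit is {MAX_DN_LENGTH}")
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        problems.append(str(exc))
        rdns = []
    if rdns:
        # The leftmost RDN names the entry, so its value must be present as an attribute.
        rdn_attr, rdn_value = rdns[0]
        if rdn_value not in attrs.get(rdn_attr, []):
            problems.append(f"RDN value {rdn_value!r} is missing from attribute {rdn_attr!r}")
    if schema_checking:
        # Schema checking: every object class must be known and complete,
        # and every attribute must be one the schema defines.
        classes = attrs.get("objectClass", [])
        if not classes:
            problems.append("no objectClass given")
        for cls in classes:
            if cls not in REQUIRED_ATTRS:
                problems.append(f"unknown object class {cls!r}")
                continue
            for required in sorted(REQUIRED_ATTRS[cls] - set(attrs)):
                problems.append(f"{cls} requires attribute {required!r}")
        for attr in sorted(set(attrs) - KNOWN_ATTRS):
            problems.append(f"attribute {attr!r} is not defined in the schema")
    return problems


# Constructed sample documents and add request.
PERSON_DOC = {"Form": "Person",
              "FullName": ["CN=Jane Doe/OU=Sales/O=Acme", "Jane Doe", "jdoe"]}
GROUP_DOC = {"Form": "Group", "ListName": ["SalesTeam"], "FullName": ["unused"]}
ADD_REQUEST = ("cn=Jane Doe,ou=Sales,o=Acme",
               {"objectClass": ["dominoPerson"], "cn": ["Jane Doe"], "sn": ["Doe"],
                "mail": ["jdoe@acme.example"]})

if __name__ == "__main__":
    print(distinguished_name(PERSON_DOC))   # the first FullName value
    print(distinguished_name(GROUP_DOC))    # ListName wins for a Group
    print(check_ldap_add(*ADD_REQUEST))     # no problems for a complete entry
```

With schema checking turned off the checker still enforces the DN length and RDN consistency, which mirrors the text: write access and the 256-character limit always apply, while schema conformance is the optional safeguard the chapter recommends enabling.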

Planning the management of entries in the Domino Directory


You can use the Domino Administrator, the Web Administrator,
directory synchronization tools, and third-party LDAP applications to
manage entries in the Domino Directory.
Domino Administrator and Web Administrator
The People & Groups tab of the Domino Administrator and Web
Administrator clients provides several tools for managing Domino user
and group entries in the Domino Directory, including tools that:
• Rename and recertify users
• Edit user and group entries
• Find user and group entries
• Set policies for user and group entries
Many of these tools invoke the Administration Process to automate these
tasks.
For additional information, see the chapters "Setting Up the
Administration Process" and "Setting Up and Using Domino
Administration Tools".
Directory synchronization tools
If you modify or delete a Domino user or group, Domino provides tools
you can use to simultaneously carry out the modification or deletion on
the corresponding user or group in Windows NT User Manager for
Domains or in Active Directory.
For more information, see the chapter "Using Domino with Windows
Synchronization Tools".
Third-party LDAP applications
The LDAP service allows third-party LDAP applications to modify
directory entries. By default the LDAP service does not allow LDAP
write operations to a directory, so you must set up the directory to allow
them.

Planning directory services for Notes clients


There are a variety of directory services features available to Notes
clients. If there are Notes client settings that apply to groups of Notes
users, use policies with Setup or Desktop settings documents to set up
the desired settings on Notes clients automatically.
Personal Address Book
The Personal Address Book is a directory on the Notes client that stores
Contacts created by users (documents containing information about
people with whom the users come in contact or exchange mail) and
mailing lists created by users for sending mail to groups of people. The
Personal Address Book also stores a variety of documents related to
configuration of the Notes client.
For more information, see Lotus Notes 6 Help.
Condensed Directory Catalog
A condensed Directory Catalog, sometimes referred to as a Mobile
Directory Catalog when used on a Notes client, is an optional directory
that aggregates user and group entries from one or more Domino
Directories. A condensed Directory Catalog provides Notes users with a
small, local, organization-wide directory that they can use either off-line
or when connected to the local area network.
For more information, see the chapter "Setting Up Directory Catalogs".
Type-ahead addressing
Using type-ahead addressing, a Notes user enters a few letters in a mail
addressing field and Notes tries to match those letters to a name in a
directory. If Notes finds a match, it enters the completed name in the
addressing field automatically. If a Notes user has a local condensed
Directory Catalog configured, type-ahead addressing does not search a
directory on a server. However, pressing F9 to resolve a name searches
for the name in both local and server directories.

Administrators can use a setting in a Configuration Settings document to
disable type-ahead addressing on a server to reduce network traffic and
improve server performance.
For more information on disabling type-ahead addressing on a server,
see the chapter "Customizing the Domino Mail System".
Easy location of user and group entries
Notes users can use an addressing tool or a generic search tool to easily
find user and group entries in a directory. When searching a Personal
Address Book or a Domino Directory, these tools provide a
type-ahead-style mechanism to match letters entered by a user to a name
in a directory. Users can choose to view entries in a directory by name,
by Notes name hierarchy, by corporate hierarchy, and by alternate
names (if used).
To search all local Address Books or an LDAP directory accessed using
an LDAP Account document, users can use an LDAP-style search query
to locate entries. For example, users can search for all entries with the last
name Brown.
For additional information, see Lotus Notes 6 Help.
Access to server directories
The Notes client has automatic access to the Domino Directory in its
domain. If an administrator sets up directory assistance for a secondary
directory, or sets up a server-based directory catalog, Notes clients can
easily address mail to users and groups in those directories.
In addition, a Notes client can set up LDAP accounts to connect directly
to a remote LDAP directory.
For more information on LDAP accounts, see the earlier topic "Planning
LDAP accounts on Notes clients".

For more information, see the chapter "Setting Up the Domino
Directory".

Directory servers
Using the "Domino directory server" field on the Servers tab of a
Location document in the Personal Address Book, Notes clients can use
directory servers, rather than mail servers, for directory lookups.

Planning directory services in a multiple-directory environment


Domino provides directory catalogs and directory assistance to help
companies operate in environments with secondary directories. A
secondary directory is any server-based directory that is not a server's
primary Domino Directory. A secondary directory can be a Domino
Directory for a different Domino domain, a Domino Directory that you
create manually from the PUBNAMES.NTF template and that is
unaffiliated with a Domino domain, an Extended Directory Catalog, or a
remote LDAP directory.

Planning directory catalogs


A directory catalog is an optional directory database that can aggregate
entries from multiple Domino Directories into a single database. A
directory catalog provides enterprise-wide directory access via a single
database.
Directory catalogs are either client-based or server-based. Using a
client-based condensed Directory Catalog, often referred to as a Mobile
Directory Catalog, Notes users can access directory information for an
enterprise off-line, when not connected to the network. Servers use
server-based directory catalogs, either a condensed Directory Catalog or
an Extended Directory Catalog, to look up information originating from
a secondary Domino Directory.
Some of the questions to ask when planning directory catalogs are:
• Which documents and fields should be aggregated into a directory
  catalog? Which information you aggregate depends on the type and
  purpose of the directory catalog.
• If your company uses multiple Domino Directories, should you set
  up servers to use a directory catalog? The more Domino Directories a
  company uses, the more benefit there is to aggregating the
  directories in a directory catalog used by servers. An Extended
  Directory Catalog, rather than a condensed Directory Catalog, is
  recommended for servers.
• Do you want to use a server-based directory catalog for client
  authentication? If so, how you enable the use of the directory catalog
  for this purpose depends on the type of server-based directory
  catalog you use.
• If you plan to use a condensed Directory Catalog, how should the
  entries be sorted? You should sort a Mobile Directory Catalog
  according to how users typically enter names when addressing mail
  so that type-ahead addressing can find the names.
For additional information on planning directory catalogs, see the
chapter "Setting Up Directory Catalogs".

Planning directory assistance


Servers use directory assistance to look up information in a secondary
directory (a secondary Domino Directory, an Extended Directory
Catalog, or a remote LDAP directory). Directory assistance provides
these services:
• Client authentication using credentials in a secondary directory
• ACL group lookups for database authorization using one secondary
  directory
• Notes mail addressing using a secondary directory
• LDAP service searches of a secondary Domino Directory or
  Extended Directory Catalog
• LDAP service referrals to a remote LDAP directory
Some of the questions to ask when planning directory assistance include:
• Which services do you want to enable for each secondary directory?
• If you use a server-based directory catalog, how does it relate to
  directory assistance? The answer depends on the type of directory
  catalog you use. An Extended Directory Catalog has its own
  Directory Assistance document, and the source directories that are
  aggregated in the directory catalog should not also have separate
  Directory Assistance documents. However, it is beneficial to create
  Directory Assistance documents for the directories aggregated in a
  condensed Directory Catalog.
• Do you plan to use a secondary directory, Domino or LDAP, for
  client authentication? If so, you must specify in the Directory
  Assistance document for the directory the user names in the
  directory that are allowed to be authenticated (trusted for
  authentication). If clients use name-and-password security, configure
  in the Server document of the server to which the clients connect the
  types of name formats that clients can provide for authentication.
• Do you plan to use a secondary directory to look up groups listed in
  database ACLs to verify database access? You can enable only one
  secondary directory (Domino or LDAP) for this purpose.
• How many directory assistance databases should you use? You can
  create more than one and set groups of servers to use specific ones.
In addition, if you are setting up directory assistance for a remote LDAP
directory:
• Does the directory server require a search base? If so, enter the
  search base in the Directory Assistance document.
• Do you plan to use the LDAP directory for client authentication or
  for ACL group authorization? If so, for tighter security, in the
  Directory Assistance document, enable SSL and require the remote
  directory server to present an X.509 certificate.
• Is the remote LDAP directory Active Directory? If so, in the Directory
  Assistance document for the directory, select LDAP search filters that
  work specifically with Active Directory.
For additional information on planning directory assistance, see the
chapter "Setting Up Directory Assistance".

Comparison of directory catalogs and directory assistance


The following table compares the features that directory catalogs and
directory assistance support.

Feature | Mobile Directory Catalog | Condensed Directory Catalog on server | Directory assistance for secondary Domino Directory or Extended Directory Catalog | Directory assistance for remote LDAP directory
Notes client mail addressing | Yes | Yes | Yes | Yes
Notes client LDAP-style searches | Yes | Yes | Yes | No
Notes client directory browsing | Yes | Yes | Yes | No
Notes client type-ahead addressing | Yes | Yes (if no Mobile Directory Catalog) | Yes (if no Mobile Directory Catalog) | No
Notes client F9 address resolution | Yes | Yes | Yes | No
LDAP client search and write operations | Yes (search), No (write) | Yes | No | No
LDAP client referrals | No | No | No | Yes
Internet client authentication | No | Yes | Yes | Yes
Group authorization (enabled for one secondary directory only) | No | No | Yes | Yes

Directory search order


There are a variety of ways to configure directories in a multiple
directory environment. The order in which Notes and Domino search
directories depends on the nature of the search and the configuration of
the directory.
• Directory search order for Internet client authentication
• Directory search order for group names in database ACLs
• Directory search order for LDAP searches
• Directory search order for a name in a Notes address field

Directory search order for Internet client authentication
To authenticate an Internet client connecting to a Domino server, the
server searches directories for the user name and credentials in the
following order:
1. The server's primary Domino Directory.
2. A condensed Directory Catalog on the server.
3. All directories defined in the server's directory assistance database
   that:
   • Have a naming rule that is trusted for authentication and that
     matches the logon name of the Internet user
   • Have the directory assistance option "Make this domain available
     to: Notes clients and Internet Authentication/Authorization"
     enabled.
   If there is more than one directory with a trusted naming rule that
   matches the user name, the server searches the directory with the
   most specific matching rule first. If directories have identical trusted
   naming rules that match the Internet user name, search orders
   assigned to the directories determine the order in which the server
   searches them.

Directory search order for group names in database ACLs


When an Internet or Notes user attempts to access a database on a server
and the database ACL includes a group name, the server searches
directories in this order to locate the group and determine whether the
user is a member of it:
1. The server's primary Domino Directory.
2. One directory (LDAP or Notes) configured in the server's directory
   assistance database with the "Group Authorization" option selected.

Directory search order for LDAP searches


A server running the LDAP service searches directories in the following
order to process LDAP search requests:
1. A server's primary Domino Directory, unless the primary Domino
   Directory is configured in a directory assistance database used by the
   server and has the option "Make this domain available to: LDAP
   clients" deselected.
2. A condensed Directory Catalog on the server.
3. A Domino Directory or Extended Directory Catalog that is
   configured in a server's directory assistance with the option "Make
   this domain available to: LDAP clients" selected.
   If an LDAP user doesn't specify a search base, which is a
   distinguished name used to indicate the directory location at which
   to begin a search, the LDAP service searches the Domino Directories
   and/or Extended Directory Catalog according to the search orders
   assigned to the directories. The LDAP service searches directories
   with no assigned search orders alphabetically according to their
   specified domain names.
   If an LDAP user specifies a search base, only directories assigned
   naming rules that correspond to the search base are searched. If there
   is more than one directory assigned a naming rule that matches, the
   directory with the most specific matching rule is searched first. For
   example, if a user specifies the search base ou=Sales,o=Acme, the
   server first searches a directory with the rule /Sales/Acme, before
   searching a directory with the rule */Acme. If directories have
   identical naming rules that match the search base specified by the
   user, search orders assigned to these directories determine the order
   in which the directories are searched.
4. If the search is not successful in any Domino Directory or Extended
   Directory Catalog, the LDAP service refers clients to an LDAP
   directory enabled for LDAP clients in the directory assistance
   database.
   If an LDAP user doesn't specify a search base, the LDAP service does
   not return a referral.
   If an LDAP user specifies a search base, the server picks an LDAP
   directory enabled for LDAP users with a naming rule that matches
   the specified search base. If there is no such directory, the server
   doesn't return a referral. If there is more than one such directory, the
   server picks the one with the most specific matching rule before
   picking one with a less-specific rule. If directories have identical
   naming rules that match the search base specified by the user, search
   orders assigned to these directories determine the order in which the
   LDAP service picks them for referrals.

Directory search order for a name in a Notes address field


When a Notes user enters a user or group name in an address field of a
Notes memo, the Notes client and mail server search directories in the
following order to retrieve the address for the name. If a name is found
during any step, searches continue only if the "Recipient name lookup"
field in the Notes user's current Location document is set to
"Exhaustively check all address books".
1. The user's Personal Address Book.
2. Any local Mobile Directory Catalogs on the client.
3. The primary Domino Directory on the user's mail server or directory
   server.
   For searching to continue to a server, the "Mail file location" field in
   the active Location document must be set to "On server".
   Type-ahead searches never continue to a server if there is a local
   Mobile Directory Catalog.
4. A condensed Directory Catalog on the server.
5. Directories defined in the server's directory assistance database that
   have the option "Make this domain available to: Notes clients and
   Internet Authentication/Authorization" enabled.
   If the user enters a common name rather than a hierarchical one, the
   server searches all directories according to the search order specified
   for the directories.
   If the user enters a hierarchical name, only directories assigned
   naming rules that correspond to the hierarchical name the user
   entered are searched. If there is more than one directory assigned a
   naming rule that matches, the directory with the most specific
   matching rule is searched first. For example, if a user enters the name
   Phyllis Spera/Sales/Acme, the server first searches a directory with
   the rule /Sales/Acme, before searching a directory with the rule
   */Acme. If directories have identical naming rules that match the
   name entered by the user, search orders assigned to the directories
   determine the order in which the directories are searched.
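The rule-matching and ordering logic of this section and of the earlier "Directory search order for LDAP searches" section, as an added Python example that is not Domino code. It models a Directory Assistance document with the fields the text names (naming rules, an assigned search order, and the two "Make this domain available to" options) and ranks the matching directories the way the text describes: most specific rule first, then assigned search order, with directories that have no search order last, alphabetically by domain name. The Directory class, the rule representation (a rule written without a leading component, such as /Sales/Acme, is treated as */Sales/Acme) and the sample directories are assumptions made for this example, not Domino's actual rule syntax or internals.

```python
# Added example (not Domino code): how directory assistance naming rules decide
# which secondary directories are searched, in which order, for an LDAP search
# base such as ou=Sales,o=Acme and for a Notes name such as
# Phyllis Spera/Sales/Acme. The Directory class, its fields and the sample
# directories are constructed; Domino's own rule syntax and internals differ.


class Directory:
    """One Directory Assistance document, reduced to the fields this example uses."""

    def __init__(self, domain, kind, rules, search_order=None,
                 ldap_clients=True, notes_clients=True):
        self.domain = domain                # domain name (alphabetical fallback)
        self.kind = kind                    # "domino" (Domino Directory or Extended
                                            # Directory Catalog) or "ldap"
        self.rules = rules                  # naming rules, e.g. "*/Sales/Acme"
        self.search_order = search_order    # assigned search order, or None
        self.ldap_clients = ldap_clients    # "Make this domain available to: LDAP clients"
        self.notes_clients = notes_clients  # "... Notes clients and Internet Authentication/Authorization"


def hierarchical_components(name):
    """'Phyllis Spera/Sales/Acme' -> ['Acme', 'Sales', 'Phyllis Spera'] (organization first)."""
    return [p for p in reversed(name.split("/")) if p != ""]


def search_base_components(search_base):
    """LDAP DN 'ou=Sales,o=Acme' -> ['Acme', 'Sales'] (organization first)."""
    rdns = [r.strip() for r in search_base.split(",") if r.strip()]
    return [r.split("=", 1)[1].strip() for r in reversed(rdns)]


def rule_matches(rule, components):
    """A rule matches when each literal component equals the name's component at
    the same level; "*" matches anything, and a rule written as "/Sales/Acme"
    (no leading component) behaves like "*/Sales/Acme"."""
    for level, literal in enumerate(hierarchical_components(rule)):
        if literal == "*":
            continue
        if level >= len(components) or literal.lower() != components[level].lower():
            return False
    return True


def specificity(rule):
    """Number of literal (non-wildcard) components; higher is more specific."""
    return sum(1 for c in hierarchical_components(rule) if c != "*")


def ordered(directories, components):
    """Domain names of the directories whose rules match, most specific rule first,
    then assigned search order, with unassigned directories last in alphabetical
    domain order. components=None (no search base / common name) matches every directory."""
    ranked = []
    for d in directories:
        if components is None:
            scores = [0]
        else:
            scores = [specificity(r) for r in d.rules if rule_matches(r, components)]
        if not scores:
            continue
        key = (-max(scores), d.search_order is None, d.search_order or 0, d.domain.lower())
        ranked.append((key, d.domain))
    return [domain for _, domain in sorted(ranked)]


def ldap_search_order(directories, search_base=None):
    """Domino Directories / Extended Directory Catalogs the LDAP service searches, in order."""
    comps = search_base_components(search_base) if search_base else None
    return ordered([d for d in directories if d.kind == "domino" and d.ldap_clients], comps)


def ldap_referral(directories, search_base=None):
    """Remote LDAP directory the LDAP service refers the client to, or None."""
    if not search_base:
        return None  # no search base: the LDAP service returns no referral
    hits = ordered([d for d in directories if d.kind == "ldap" and d.ldap_clients],
                   search_base_components(search_base))
    return hits[0] if hits else None


def notes_address_search_order(directories, name):
    """Directories searched for a name typed in a Notes address field."""
    comps = hierarchical_components(name) if "/" in name else None
    return ordered([d for d in directories if d.notes_clients], comps)


# Constructed sample directory assistance configuration.
SAMPLE = [
    Directory("AcmeSales", "domino", ["/Sales/Acme"], search_order=2),
    Directory("AcmeAll", "domino", ["*/Acme"], search_order=1),
    Directory("AcmeEurope", "domino", ["*/Acme"]),          # no search order assigned
    Directory("PartnerLDAP", "ldap", ["*/Partner"]),
]

if __name__ == "__main__":
    print(ldap_search_order(SAMPLE, "ou=Sales,o=Acme"))
    print(ldap_referral(SAMPLE, "o=Partner"))
    print(notes_address_search_order(SAMPLE, "Phyllis Spera/Sales/Acme"))
```

The ranking key is the whole point: a wildcard rule such as */Acme matches the same names as /Sales/Acme, so a directory with the wildcard rule is only consulted after the more specific one, and a directory with no assigned search order never overtakes one that has one.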

Planning internationalized directory services


Domino and Notes provide the following features to support directory
services in non-English-speaking environments:
• Alternate names
• Corporate hierarchies
• LDAP Alternate Language Information documents
Alternate names
The alternate naming feature assigns a Notes user an alternate name
recognizable in the user's native language, in addition to a primary name
that is internationally recognizable. Alternate names let users display
and work with names in the Domino Directory in their native languages.
For additional information, see the chapter "Setting Up and Managing
Notes Users".
Corporate hierarchies
Companies can create corporate hierarchies to customize the way the
Domino Directory categorizes user entries. For example, companies
might create a corporate hierarchy that categorizes by management level.
You can assign one user to a maximum of four corporate hierarchies.
When Notes users address mail or use the search tool to find people, they
can choose to display the entries according to their corporate hierarchy
assignments, rather than simply by name or by Notes name hierarchy.
For additional information, see the chapter "Setting Up the Domino
Directory".
LDAP Alternate Language Information documents
If you use the LDAP service, you can optionally assign language
subattributes to an attribute to define an alternate language value for the
attribute.
For additional information, see the chapter "Setting Up the LDAP
Service".

Planning directory customization


You can add forms and views to the Domino Directory to accommodate
specific needs of your company. If you use the LDAP service, you can
also use the Domino LDAP Schema database (SCHEMA.NSF) to define
new object classes and attributes to be added to the directory.
Some of the questions to ask when planning directory customization are:
• To define a new type of entry in the directory, should you use the
  Schema database or create a form in the Domino Directory instead?
  If you don't use the LDAP service, you must create a form. If you use
  the LDAP service, you can use the Schema database to define object
  classes and attributes with some LDAP-specific characteristics that
  are not available when you create Domino Directory forms. However,
  only LDAP clients, not Notes and Web clients, can access entries
  defined only in the Schema database.
• If you use the LDAP service, are there attributes and object classes
  already defined in the Domino LDAP schema that serve your
  company's needs? The schema (the types of directory entries that
  are defined for the LDAP service by default) defines many object
  classes and attributes which you may be able to use rather than
  adding new ones.
• If your company doesn't use the LDAP service, should you create a
  form in such a way that it can represent an LDAP object class? It's
  good practice to create a form that can represent an LDAP object
  class, so that if in the future your company uses the LDAP service,
  the design requirements are in place.
For additional information, see the chapter "Managing the LDAP
Schema" and the appendix "Customizing the Domino Directory".


Directory services terms


central directory architecture
Directory architecture in a Domino domain in which some servers store
Configuration Directories and use primary Domino Directories on
remote servers for lookups.
condensed Directory Catalog
A directory catalog created from the DIRCAT5.NTF template that is
optimized for small size and used primarily on Notes clients.
Configuration Directory
A directory in a central directory architecture that contains only
documents related to Domino configuration.
directory server
A server whose purpose is providing directory services.
directory assistance
A feature used by servers to extend client authentication, name lookups,
and LDAP operations to secondary directories.
directory assistance database
A database created from the DA50.NTF template and used to configure
directory assistance.
directory catalog
An optional directory database that can aggregate entries from multiple
Domino Directories into a single database. There are two kinds of
directory catalogs: condensed Directory Catalogs and Extended
Directory Catalogs.
Directory Assistance document
Document created in a directory assistance database that describes a
secondary directory.
distributed directory architecture
Directory architecture in a Domino domain in which all servers use a
local primary Domino Directory.
Domino Directory
A directory created automatically from the PUBNAMES.NTF template
during first server setup that describes the users, servers, connections,
and access control information for a Domino domain, or a directory
created manually from the PUBNAMES.NTF template.
Domino domain
A network of clients and servers whose users, servers, connections, and
access control information is described in a Domino Directory.
Extended Directory Catalog
A directory catalog used by servers that, to facilitate quick name lookups,
retains the individual documents and the multiple, sorted views
available in the Domino Directory. You create an Extended Directory
Catalog from the PUBNAMES.NTF template. Servers use directory
assistance to locate an Extended Directory Catalog.
extended ACL
An optional directory access control feature available for a Domino
Directory and Extended Directory Catalog used to apply restrictions to
users' overall directory access.
LDAP schema
A set of rules that defines what can be stored as entries in an LDAP
directory. The Domino LDAP Schema database (SCHEMA.NSF), which
is created from the SCHEMA.NTF template, publishes the schema for a
domain.
LDAP service
The LDAP server task running on a server to process LDAP client
requests.
Lightweight Directory Access Protocol (LDAP)
A standard Internet protocol for accessing and managing directory
information. LDAP is a simpler version of the X.500 protocol that
supports TCP/IP.
Mobile Directory Catalog
Name for a condensed Directory Catalog set up on a Notes client.
Personal Address Book
A directory database on a Notes client created from the
PERNAMES.NTF template that contains the names and addresses of
users and groups added by Notes users.
primary Domino Directory
The Domino Directory that a server searches first and that describes the
Domino domain of the server.
remote LDAP directory
A directory on a remote LDAP server accessed via directory assistance.
remote primary Domino Directory
In a central directory architecture, a primary Domino Directory that a
server with a Configuration Directory uses remotely.
secondary directory
Any directory a server uses that is not its primary Domino Directory.
secondary Domino Directory
Any Domino Directory a server uses that is not its primary Domino
Directory.

18-22 Administering the Domino System, Volume 1

Chapter 19
Setting Up the Domino Directory
This chapter describes the Domino Directory and explains how to set up
the Domino Directory for a Domino domain.

The Domino Directory


The Domino Directory, which some previous releases referred to as the
Public Address Book or Name and Address Book, is a database that
Domino creates automatically on every server. The Domino Directory is a
directory of information about users, servers, and groups, as well as
custom entries you may add. Registering users and servers in a domain
automatically creates corresponding Person documents and Server
documents in the Domino Directory for the domain. These documents
contain detailed information about each user and server.
The Domino Directory is also a tool that administrators use to manage
the Domino system. For example, administrators create documents in the
Domino Directory to connect servers for replication or mail routing, to
schedule server tasks, and so on.
When a server runs the LDAP service, the Domino Directory is accessible
through the Lightweight Directory Access Protocol (LDAP).
Typically, a Domino Directory is associated with a Domino domain.
When you set up the first server in a Domino domain, Domino
automatically creates the Domino Directory database and gives it the file
name NAMES.NSF. When you add a new server to the domain, Domino
automatically creates a replica of the Domino Directory on the new server.

You can also create a Domino Directory manually from the
PUBNAMES.NTF template and use it as a secondary directory to store,
for example, entries for your Internet users.
To optimize its performance, the Domino Directory has these database
properties enabled by default:
• Document table bitmap optimization, to improve the performance of
  small view updates (for example, updates of the Connections view).
• Don't maintain unread marks, to improve database performance
  and reduce the size of the database.
For more information on database performance properties, see the
chapter "Improving Database Performance".

Setting up the Domino Directory for a domain


After you install and set up servers in a Domino domain, perform these
procedures to set up the Domino Directory for the domain.
1. (Optional) Set up a central directory architecture in the domain.
2. Control access to the Domino Directory.
3. (Optional) Categorize users in the domain by corporate hierarchy.
4. (Optional) Set up Notes clients to use a directory server in the domain.
5. (Optional) Customize the Directory Profile.
6. Schedule replication for the Domino Directory.

Using a central directory architecture in a Domino domain


A central directory architecture is an optional directory architecture you
can implement in a Domino domain. This architecture differs from the
traditional distributed directory architecture in which every server in a
domain has a full replica of the primary Domino Directory.
With a central directory architecture, some servers in the domain have
selective replicas of a primary Domino Directory. These replicas, which
are known as Configuration Directories, contain only those documents
that are used to configure servers in a Domino domain, such as Server,
Connection, and Configuration Settings documents. A server with a
Configuration Directory uses a remote primary Domino Directory on
another server to look up information about users and groups and other
information related to traditional directory services.

[Figure: a central directory architecture. Two Directory Servers each
hold a Primary Directory (Domino Configuration documents plus Users,
Groups, and Custom documents). The Mail Servers and Application
Servers hold Configuration Directories (Domino Configuration
documents only).]
A central directory architecture:
• Provides servers with Configuration Directories quick access to new
  information because the servers aren't required to wait for the
  information to replicate to them.
• Enables servers that store Configuration Directories to run on less
  powerful machines because they don't have to store and maintain
  the primary Domino Directory.
• Provides tighter administrative control over directory management
  because only a few directory replicas contain user and group
  information.
A server with a Configuration Directory connects to a remote server with
a primary Domino Directory to look up information in the following
documents that it doesn't store locally:
• Person
• Group
• Mail-in Database
• Resource
• Any custom documents you add
For example, to authenticate a user, a server with a Configuration
Directory looks for the user credentials in a Person document in a remote
primary Domino Directory on another server in the domain.
You can set up a Domino Directory as a Configuration Directory when
you set up an additional server in the domain. If a server is already set
up, you can use replication settings for the directory to change a primary
Domino Directory to a Configuration Directory or change a
Configuration Directory to a primary Domino Directory.
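How a server with a Configuration Directory answers lookups under this architecture, serving configuration documents locally and sending Person, Group and other lookups to a remote primary Domino Directory with failover between primaries, as an added Python example. It is not Domino's NAMELookup implementation or any code from this guide; the server names, documents, form names and the reachability flag are constructed for illustration.

```python
# Added example (not Domino's NAMELookup implementation): how a server holding a
# Configuration Directory answers lookups, serving configuration documents
# locally and sending everything else to a remote primary Domino Directory,
# with failover across the primaries. Servers, documents and the reachable flag
# are constructed for illustration.

# Document types a Configuration Directory keeps locally; every other form
# (Person, Group, Mail-in Database, Resource, custom documents) is looked up
# in a remote primary Domino Directory.
CONFIGURATION_FORMS = {"Server", "Connection", "Configuration"}


class DirectoryReplica:
    """A replica of the Domino Directory on one server."""

    def __init__(self, server, docs, configuration_only=False, reachable=True):
        self.server = server
        self.reachable = reachable
        # A Configuration Directory is a selective replica that holds only
        # configuration documents; a primary Domino Directory holds everything.
        self.docs = [d for d in docs
                     if not configuration_only or d["Form"] in CONFIGURATION_FORMS]

    def find(self, form, key):
        if not self.reachable:
            raise ConnectionError(f"{self.server} is unreachable")
        return next((d for d in self.docs if d["Form"] == form and d["Key"] == key), None)


class ConfigurationDirectoryServer:
    """A server with a Configuration Directory and an ordered list of remote primaries."""

    def __init__(self, local, remote_primaries):
        self.local = local
        self.remote_primaries = remote_primaries

    def lookup(self, form, key):
        """Return (document or None, name of the server that answered)."""
        if form in CONFIGURATION_FORMS:
            return self.local.find(form, key), self.local.server
        errors = []
        for primary in self.remote_primaries:   # try each remote primary in turn
            try:
                return primary.find(form, key), primary.server
            except ConnectionError as exc:
                errors.append(str(exc))
        raise ConnectionError("no remote primary Domino Directory reachable: "
                              + "; ".join(errors))


# Constructed sample directory contents.
DOCS = [
    {"Form": "Person", "Key": "Jane Doe/Acme", "Mail": "jdoe@acme.example"},
    {"Form": "Group", "Key": "SalesTeam", "Members": ["Jane Doe/Acme"]},
    {"Form": "Server", "Key": "Mail1/Acme"},
    {"Form": "Connection", "Key": "Mail1/Acme->Dir1/Acme"},
    {"Form": "Configuration", "Key": "*"},
]


def build_sample(first_primary_reachable=True):
    """A mail server with a Configuration Directory and two remote primaries."""
    primaries = [DirectoryReplica("Dir1/Acme", DOCS, reachable=first_primary_reachable),
                 DirectoryReplica("Dir2/Acme", DOCS)]
    config = DirectoryReplica("Mail1/Acme", DOCS, configuration_only=True)
    return ConfigurationDirectoryServer(config, primaries)


if __name__ == "__main__":
    server = build_sample(first_primary_reachable=False)
    print(server.lookup("Server", "Mail1/Acme"))        # answered locally
    print(server.lookup("Person", "Jane Doe/Acme"))     # answered by Dir2/Acme after failover
```

The failover loop is why the planning text asks for at least one additional server with a primary Domino Directory: with a single remote primary, every authentication on a Configuration Directory server fails as soon as that one server is unreachable.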
Setting Up the Domino Directory 19-3


Planning a central directory architecture for a domain


The central directory architecture is most useful for an enterprise
organization that has a domain with a large Domino Directory. Using a
central directory architecture requires network speeds that make remote
directory lookups feasible. In addition, servers that store primary Domino
Directories that function as remote primaries must have the capacity to
handle the additional workload generated by the remote lookups.
Only an application that does a NAMELookup or similar directory call
can use a Configuration Directory to do a lookup in a remote primary
Domino Directory.
Deciding which servers should use primary Domino Directories
The administration server for the Domino Directory must store a primary
Domino Directory. For failover, at least one other server in the domain
should store a primary Domino Directory. There may be additional
servers that require primary Domino Directories as well, depending on
network bandwidth and stability, server usage patterns and locations,
and so forth. You may want servers that use primary Domino Directories
that function as remote primaries to be within a cluster to provide
failover and workload balancing.
If there is a network congestion point in the domain, at least one server
on each side of the congestion point should have a primary Domino
Directory that functions as a remote primary.
Using a combined central and distributed directory architecture
You can use a hybrid directory architecture within one domain. For
example, suppose at a company's headquarters there are multiple servers
connected via fast network connections. There are also smaller remote
offices that have limited network bandwidth but are within the same
domain. Servers at corporate headquarters can use the central directory
model that includes a combination of primary Domino Directories and
Configuration Directories, while the remote satellite offices can continue
to use the distributed directory architecture in which each server stores a
primary Domino Directory.
Using a combined primary Domino Directory and Extended
Directory Catalog
Although not a typical configuration, you can integrate an Extended
Directory Catalog with a primary Domino Directory to collect users and
groups from the primary domain and secondary domains into one
directory database. A server that stores a Configuration Directory can
use this combination directory on a remote server as a remote primary
Domino Directory.

When you use this combination directory, all the users from the
aggregated secondary directories are automatically trusted for
authentication, and all the groups can be used in database ACLs for
database authorization.
For more information on integrating an Extended Directory Catalog with
a primary Domino Directory, see the chapter Setting Up Directory
Catalogs.

Managing Domino Directories in a central directory architecture

To manage a central directory architecture, in which there are a combination of Configuration Directories and primary Domino Directories in a domain, you can:

- Change the directory type of a Domino Directory
- Control how a server finds a remote primary Domino Directory to use
- Prevent the use of a Domino Directory replica as a remote primary
- Show the primary Domino Directories that servers with Configuration Directories can use

Changing the directory type of a Domino Directory


The first server set up in a domain is always set up with a primary
Domino Directory. When you set up an additional server in the domain,
you choose whether to set up the replica of the Domino Directory on the
server as a Configuration Directory or as a primary Domino Directory.
The default selection is a primary Domino Directory.
After server setup, you can change the directory type. After you change
directory type, the Administration Process generates a Store Directory
Type in Server Record request to change the value of the Directory Type
field on the Basics tab of the Server document.

Changing a primary Domino Directory to a Configuration Directory

Note Do not change the primary Domino Directory on the administration server to a Configuration Directory.

1. From the Domino Administrator, connect to the server that stores the replica of the Domino Directory you want to change.
2. Click the Files tab.
3. Select the Domino Directory, and then double-click.
4. Choose File - Replication - Settings, and change the replication settings for the directory as follows:
   a. Click Space Savers in the Replication Settings dialog box.
   b. Next to Include, select Configuration Documents only.
   c. Click OK.
5. Use the server command Replicate to replicate the Domino Directory that has the changed settings with a primary Domino Directory on another server. Do a push-pull replication.
6. Restart the server that stores the Domino Directory replica you changed.
Changing a Configuration Directory to a primary Domino Directory
1. From the Domino Administrator, connect to the server that stores the
replica of the Domino Directory you want to change.
2. Click the Files tab.
3. Select the Domino Directory, and then double-click.
4. Choose File - Replication - Settings, and change the replication
settings for the directory as follows:
a. Select Space Savers in the Replication Settings dialog box.
b. Next to Include, select All Fields.
c. Deselect Documents that meet a selection formula.
d. Click Yes when you see the following prompt:
Switching to Folders will clear the current selection formula. Are
you sure you want to do this?
e. Click OK.
5. Use the server command Replicate to replicate the Domino Directory
that has the changed settings with a primary Domino Directory on
another server. Do a push-pull replication.
6. Restart the server that stores the Domino Directory replica you
changed.


Controlling how a server finds a remote primary Domino Directory to use

To locate a remote primary Domino Directory, a server with a
Configuration Directory can use a default logic or can use a directory
replica specified through directory assistance.
The default logic to locate a remote primary Domino Directory

The Directory Servers view in a Domino Directory lists the replicas of the primary Domino Directories in the domain that are available for use as remote primary directories by servers with Configuration Directories. The view sorts these replicas alphabetically by their server names.

A server that stores a Configuration Directory uses the following logic to build a list in memory of the five best remote primary Domino Directory replicas to use. If the first replica in the list is unavailable, the server uses the next replica in the list, and so on.

1. Look in the replication history and find the remote primary directory replica with which the server most recently replicated. Then look for the replica with which it replicated prior to that, and so on.
2. If the list in memory does not yet include five replicas of a remote primary directory, look for a primary directory replica in the same Notes named network. If there is more than one such replica, order them alphabetically by their server names.
3. If the server has not yet located five replicas, refer to the Directory Servers view to order the remaining remote primary directory replicas alphabetically by their server names, until there are five primary directories in the list or until all the primary directories are listed.
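The following Python model of that three-step ranking is an added example, not Domino's own code. The server names, Notes named networks and replication history are constructed, and the model assumes that only replicas listed in the Directory Servers view (that is, primaries whose Server document allows use as a remote primary) are eligible at every step, so a replica whose option has been deselected is skipped even if it appears in the replication history.

```python
"""Model of the default logic a server with a Configuration Directory uses to rank
remote primary Domino Directory replicas. Added example, not Domino code; every
server name, named network and replication-history entry below is constructed."""

MAX_CANDIDATES = 5  # the server keeps the five best replicas in memory


def rank_remote_primaries(replication_history, own_network, directory_servers, networks):
    """Return up to five server names in the order the server would try them.

    replication_history: servers this server replicated the directory with,
                         most recent first (step 1)
    own_network:         the Notes named network of this server (step 2)
    directory_servers:   servers in the Directory Servers view, i.e. primaries whose
                         Server document allows use as a remote primary (steps 2 and 3)
    networks:            mapping of server name -> Notes named network
    Assumption: a replica that is not in the Directory Servers view is never used,
    even if it appears in the replication history.
    """
    eligible = set(directory_servers)
    ranked = []

    def consider(server):
        if server in eligible and server not in ranked and len(ranked) < MAX_CANDIDATES:
            ranked.append(server)

    # Step 1: replicas the server most recently replicated with, newest first.
    for server in replication_history:
        consider(server)
    # Step 2: remaining primaries in the same Notes named network, alphabetically.
    for server in sorted(s for s in eligible if networks.get(s) == own_network):
        consider(server)
    # Step 3: whatever is left in the Directory Servers view, alphabetically.
    for server in sorted(eligible):
        consider(server)
    return ranked


def choose_remote_primary(ranked, reachable):
    """Failover rule: use the first replica in the list that is available."""
    for server in ranked:
        if server in reachable:
            return server
    return None


# Constructed sample domain: Old/Acme has the "allow use as a remote primary"
# option deselected, so it is absent from the Directory Servers view.
NETWORKS = {
    "Hub1/Acme": "TCPIP-HQ", "Hub2/Acme": "TCPIP-HQ", "Mail1/Acme": "TCPIP-HQ",
    "App1/Acme": "TCPIP-HQ", "Old/Acme": "TCPIP-HQ",
    "Remote1/Acme": "TCPIP-Branch", "Remote2/Acme": "TCPIP-Branch",
}
DIRECTORY_SERVERS = ["App1/Acme", "Hub1/Acme", "Hub2/Acme", "Mail1/Acme",
                     "Remote1/Acme", "Remote2/Acme"]
REPLICATION_HISTORY = ["Hub2/Acme", "Hub1/Acme", "Old/Acme"]


def example():
    """Ranking computed for a Configuration Directory server in TCPIP-HQ."""
    return rank_remote_primaries(REPLICATION_HISTORY, "TCPIP-HQ", DIRECTORY_SERVERS, NETWORKS)


if __name__ == "__main__":
    order = example()
    print("try in order:", order)
    print("used when Hub2 is down:",
          choose_remote_primary(order, reachable={"Hub1/Acme", "Mail1/Acme"}))
```

Running the sample yields Hub2, Hub1 (from the replication history), then App1 and Mail1 (same named network, alphabetical), then Remote1 (first remaining entry in the view); Old/Acme never appears because it is not in the Directory Servers view, which is exactly the effect of deselecting the option described under "Preventing the use of a Domino Directory replica as a remote primary".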

Setting up directory assistance to locate a primary Domino Directory

You can use directory assistance rather than the default logic to control which remote primary Domino Directory replicas in a domain the servers with Configuration Directories use. For example, if servers with primary Domino Directories are in a cluster, you can use directory assistance to use cluster failover to locate the primary Domino Directory replicas.

To create a Directory Assistance document in a directory assistance database that servers with Configuration Directories use:

1. Make sure you have set up a directory assistance database on servers with configuration Domino Directories.
2. From the Domino Administrator, connect to a server that is set up to use the directory assistance database.
3. Click the Configuration tab.
4. Expand Directory and select Directory Assistance.
5. Click Add Directory Assistance.
6. On the Basics tab, do the following:
   a. Next to Domain Type, select Notes.
   b. Next to Domain Name, enter the domain of the servers that store the remote primary Domino Directories. This domain should be the same domain as that of the servers with configuration Domino Directories.
   c. Next to Search Order, select 1.
   d. Next to Group Authorization, select No. A server can always use groups in a primary Domino Directory replica to authorize database access, regardless of what you select for this option. Select No to reserve the use of the Group Authorization option for a secondary directory.
7. On the Replicas tab, do one of the following:
   - If the servers that store the primary Domino Directories are clustered, specify only one replica within the cluster. If that replica is unavailable, cluster failover takes effect automatically.
   - If the servers that store primary Domino Directories are not clustered, for failover specify at least two replicas of the primary Domino Directories to use.

Note A server always trusts the primary Domino Directory for client authentication, so it is not necessary to enable a trusted rule in the Directory Assistance document.
For more information on directory assistance, see the chapter Setting Up
Directory Assistance.

Preventing the use of a Domino Directory replica as a remote primary

Do the following to prevent servers with Configuration Directories from
using a specific replica of the Domino Directory as a remote primary.
You can prevent a replica from being used only when servers with
Configuration Directories use the default logic, and not directory
assistance, to locate a remote primary Domino Directory. You might
prevent the use of a specific replica to avoid the use of a server that has
limited connectivity or CPU capacity.


1. From the Domino Administrator, select the server that stores the
primary Domino Directory.
2. Select the Configuration tab, and select Server - Current Server
Document.
3. Click Edit Server.
4. On the Basics tab, in the Directory Information section, below the
Directory Type field, deselect Allow this directory to be used as a
remote primary directory for other servers.
5. Click Save & Close.

Showing the Domino Directory replicas that can function as remote primaries

The Directory Servers view in the Domino Directory lists the primary Domino Directories that are in the domain and that have the option Allow this directory to be used as a remote primary directory for other servers selected on the Basics tab of their Server documents. The view sorts the primary Domino Directory replicas by server name.

1. From the Domino Administrator, in the server pane on the left, select any server in the domain. If you don't see the server pane, click the servers icon.
2. Click the Files tab and open the Domino Directory.
3. Select the view Servers - Directory Servers.

Tip Use the Show Xdir command on a server that uses a Configuration Directory to show the remote primary Domino Directory replica the server last used.

Controlling access to the Domino Directory

Do the following to control access to the Domino Directory:

- Set the Domino Directory ACL to control overall access.
- Assign administrators to the roles in the Domino Directory ACL that correspond to their administrative tasks.
- (Optional) Use the Administrators field to control access to individual documents.
- (Optional) Use the extended ACL to set access at the form and field level.

For information on setting up an extended ACL, see the chapter Setting Up Extended ACLs.

Setting overall access levels in the Domino Directory ACL


The Domino Directory, like all Notes databases, has an access control list
(ACL) that controls the overall access that users and servers have. The
following table shows the default name entries in the Domino Directory
ACL and the default access settings for each entry.
Default name entry                               Access level                                                User type
-Default-                                        Author access without the Create documents privilege        Unspecified
                                                 or administration roles
Anonymous                                        No access                                                   Unspecified
LocalDomainAdmins                                Manager access with no administration roles                 Person group
LocalDomainServers                               Manager access with all administration roles except         Server group
                                                 PolicyCreator and PolicyModifier
OtherDomainServers                               Reader access                                               Server group
Server in the domain on which the directory      Manager access with all administration roles                Server
was created
Administrator specified during server setup      Manager access with all administration roles                Person

You might want to customize the database ACL. For example, to have
stricter control over database access, you might change the access for the
-Default- entry to No Access and explicitly add the names of groups of
users to the ACL that you want to allow access.
Note The default access for the -Default- entry allows users only to
change some of the fields in their Person documents.

Using administration roles in the Domino Directory ACL


The Domino Directory ACL includes Creator and Modifier roles that you
assign to administrators so they have the authority to create and edit
specific types of documents. By assigning one or more roles along with
general access levels, you can limit an administrators access to some
types of documents but allow greater access to other types of documents.
Roles are useful when groups of administrators have specialized
responsibilities. If all of the administrators in your organization have
identical administrative responsibilities, assign them to all roles.


The access defined in the ACL by a role never exceeds a general access
level. For example, even if you give the UserCreator role to an
administrator who has Reader access in the ACL, the administrator
cannot use the Create menu to create Person documents.
For more general information on roles in an ACL, see the chapter
Controlling User Access to Domino Databases.
Creator roles
Assign Creator roles to control who can create documents in the Domino Directory. To create documents in the Domino Directory, administrators must have:

- The Create documents privilege
- The Creator role that corresponds to the type of document being created

The following table describes the available Creator roles.

Role            Allows
GroupCreator    Administrators to create Group documents
NetCreator      Administrators to create all documents except Person, Group, Policy, and Server documents
PolicyCreator   Administrators to create Policy documents
ServerCreator   Administrators to create Server documents
UserCreator     Administrators to create Person documents

Caution Assigning Creator roles does not provide true security because
Domino sometimes ignores Creator roles when administrators add
documents to the directory programmatically. For example, an
administrator who does not have the UserCreator role can still use the
User Registration program to register a user.


Modifier roles
Rather than assigning Editor access which allows administrators to
modify all documents, assign administrators Author access along with
one or more Modifier roles to control the types of documents they can
edit. For example, assign the UserModifier role to administrators who are
responsible for managing users. Unlike Creator roles, Modifier roles are a
true security feature.

The following table describes the available Modifier roles.

Role             Allows
GroupModifier    Administrators to edit Group documents
NetModifier      Administrators to edit all documents except Person, Group, Policy, and Server documents
PolicyModifier   Administrators to edit Policy documents
ServerModifier   Administrators to edit Server documents
UserModifier     Administrators to edit Person documents

When using Modifier roles, keep in mind the following points:

- An administrator with Author access and a Modifier role cannot edit fields assigned the security property Must have at least Editor access to use.
- To delete a document, an administrator must have Author access, the Delete documents privilege, and the appropriate Modifier role.
- Modifier roles apply only to administrators who have Author access. Administrators who have Editor access or higher automatically can modify all documents.

Using the Administrators field to control access to individual documents in the Domino Directory

Most types of documents in the Domino Directory contain an Administration tab with an Administrators field on it. To allow an administrator who has Author access to the directory to modify a single document, enter the administrator's name in the Administrators field.
1. From the Domino Administrator open the server that stores the
Domino Directory you want to change.
2. Click the Files tab and open the Domino Directory.
3. Open any document and click Edit.
4. Click the Administration tab.
5. In the Administrators field, enter the names of individual
administrators or the name of a group of administrators who can edit
this document.
6. Click Save & Close.
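The following Python model pulls the rules from this section and the two before it (ACL access levels, the Create and Delete documents privileges, Creator and Modifier roles, the Administrators field and fields marked Must have at least Editor access to use) into functions you can check. It is an added example, not Domino's own access checker; the ACL entries, documents and the protected field name are constructed, and it assumes that for Editor access and above the Delete documents privilege alone permits deletion, which the text does not spell out.

```python
"""Model of the authorization rules for the Domino Directory described in this
section: ACL access level, the Create/Delete documents privileges, Creator and
Modifier roles, the Administrators field and Editor-only fields. Added example,
not Domino's own access checker; entries, documents and field names are constructed."""

from dataclasses import dataclass

# Notes ACL access levels, weakest to strongest.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Form -> (Creator role, Modifier role). Every other form (Connection, Domain,
# Certifier, ...) is governed by NetCreator / NetModifier.
FORM_ROLES = {
    "Person": ("UserCreator", "UserModifier"),
    "Group": ("GroupCreator", "GroupModifier"),
    "Server": ("ServerCreator", "ServerModifier"),
    "Policy": ("PolicyCreator", "PolicyModifier"),
}
NET_ROLES = ("NetCreator", "NetModifier")


@dataclass(frozen=True)
class AclEntry:
    name: str
    level: str
    create_docs: bool = True       # "Create documents" privilege
    delete_docs: bool = False      # "Delete documents" privilege
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Document:
    form: str
    administrators: tuple = ()                    # Administrators field (Administration tab)
    editor_only_fields: frozenset = frozenset()   # "Must have at least Editor access to use"


def at_least(entry, level):
    return LEVELS.index(entry.level) >= LEVELS.index(level)


def roles_for(form):
    return FORM_ROLES.get(form, NET_ROLES)


def can_create(entry, form):
    """Creating a document in the UI needs Author access or better, the Create
    documents privilege and the Creator role for that form. A role never raises
    the access level, so Reader + UserCreator still cannot create a Person.
    Caution: as the text warns, programmatic paths such as user registration may
    bypass Creator roles, so they are not a security boundary."""
    creator, _ = roles_for(form)
    return at_least(entry, "Author") and entry.create_docs and creator in entry.roles


def can_edit(entry, doc):
    """Editor and above edit everything. Author access edits a document only with
    the matching Modifier role or when named in its Administrators field."""
    if at_least(entry, "Editor"):
        return True
    if entry.level != "Author":
        return False
    _, modifier = roles_for(doc.form)
    return modifier in entry.roles or entry.name in doc.administrators


def can_edit_field(entry, doc, field_name):
    """An Author-level editor still cannot touch Editor-only fields."""
    if not can_edit(entry, doc):
        return False
    return at_least(entry, "Editor") or field_name not in doc.editor_only_fields


def can_delete(entry, doc):
    """Deletion needs the Delete documents privilege; with Author access it also
    needs the matching Modifier role (the Administrators field alone does not
    count here). Assumption: Editor access or better needs only the privilege."""
    if not entry.delete_docs:
        return False
    if at_least(entry, "Editor"):
        return True
    _, modifier = roles_for(doc.form)
    return entry.level == "Author" and modifier in entry.roles


# Constructed ACL entries and documents.
HELPDESK = AclEntry("Helpdesk/Acme", "Author", delete_docs=True, roles=frozenset({"UserModifier"}))
AUDITOR = AclEntry("Auditor/Acme", "Reader", roles=frozenset({"UserCreator"}))
NETADMIN = AclEntry("NetAdmin/Acme", "Author", roles=frozenset(NET_ROLES))
PERSON = Document("Person", editor_only_fields=frozenset({"ProtectedField"}))  # constructed field name
POLICY = Document("Policy", administrators=("Helpdesk/Acme",))
CONNECTION = Document("Connection")


if __name__ == "__main__":
    print("helpdesk may edit Person:", can_edit(HELPDESK, PERSON))
    print("helpdesk may edit ProtectedField:", can_edit_field(HELPDESK, PERSON, "ProtectedField"))
    print("helpdesk may edit Policy via Administrators field:", can_edit(HELPDESK, POLICY))
    print("auditor (Reader + UserCreator) may create Person:", can_create(AUDITOR, "Person"))
```

The sample shows the two practical points of this section: an Author-level helpdesk entry with UserModifier edits Person documents but not their Editor-only fields, and is granted a single Policy document through its Administrators field without the PolicyModifier role; a Reader with UserCreator gains nothing, because a role never exceeds the general access level.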


Corporate hierarchies
You can categorize a Person document in the Domino Directory by a
corporate hierarchy. When a Notes user clicks the Address button to
select the name in the Person document from a Domino Directory, or
uses the Find People search tool to find the name, the user can view the
name by the assigned Corporate Hierarchy.
You can categorize user names in any way you want in a corporate
hierarchy. For example, you might categorize users by company division:

    Marketing
        Kaplan, Judy
        Spera, Phyllis
    Research and development
        Burke, Kathy
        Murphy, Bob

You can assign a user to up to six subcategories below a top-level category. For example, the following corporate hierarchy sorts each user by one subcategory below a top-level company division category.

    Marketing
        Design
            Spera, Phyllis
        Planning
            Kaplan, Judy
    Research and development
        Hardware
            Burke, Kathy
        Software
            Murphy, Bob

You can assign a user to up to four corporate hierarchies. For example, in addition to categorizing a user by company division, you could also categorize the user by geographic location:

    Boston
        Spera, Phyllis

    Marketing
        Design
            Spera, Phyllis

Categorizing a user by corporate hierarchy

1. From the Domino Administrator, select the server that stores the Domino Directory to modify.
2. Click the People & Groups tab.
3. Select People, select the user's Person document, and click Edit Person.
4. Click the Work/Home tab.
5. Click the Corporate Hierarchy Information tab.
6. (Optional) If you want the user's name to appear in a specific order relative to other names categorized in the same way, in the Personal ranking field, enter a number to indicate the order in which the user's name should appear. A user name given a ranking of 1 is listed before a name with a ranking of 2, and so on. Leave the Personal ranking field blank to sort the user's name alphabetically by last name among other names without a ranking.
7. Below Hierarchy 1, enter categories in the Level fields by which to sort the user's name. Repeat this step to assign the user to up to three additional hierarchies.
8. Click Save & Close.

For example, to categorize the user Judy Kaplan this way, with no personal ranking:

    Marketing
        Planning
            Kaplan, Judy
    Philadelphia
        Kaplan, Judy

fill out the Corporate Hierarchy Information tab in her Person document by entering Marketing and Planning in the first two Level fields below Hierarchy 1, Philadelphia in the first Level field below Hierarchy 2, and leaving the Personal ranking field blank.

Setting up Notes clients to use a directory server

You can set up Notes clients to use a different server than their mail servers for mail addressing. Type-ahead addressing searches a directory server only when Notes users don't use Mobile Directory Catalogs. Directory servers aren't used for LDAP directory searches initiated by Notes users.

To use Desktop settings, Setup settings, or a User Setup Profile to automate the setup:

1. Create a Desktop settings, Setup settings, or User Setup Profile document in the Domino Directory. For information, see the chapter Using Policies.
2. Enter the name of the directory server in the Directory server field on the Basics tab of the document.
3. Click Save & Close.

Alternatively, a user can add the name of a directory server manually in the Domino directory server field, which is on the Servers tab of a Location document in the Personal Address Book.

For more information on Location documents, see Lotus Notes 6 Help.
Customizing the Directory Profile


Use the Directory Profile to specify miscellaneous settings for the
Domino Directory:
1. From the Domino Administrator, in the server pane on the left, select
the server that stores the replica of the Domino Directory you want
to modify. If you dont see the server pane, click the servers icon.
2. Click the Files tab.
3. Select the Domino Directory, and then double-click.
4. Choose Actions - Edit Directory Profile.
5. Complete any of these fields, and then click Save & Close.
Field: Domain defined by this Domino Directory
Enter: The name of the Domino domain for this directory. Domino completes this field automatically as part of first server setup.

Field: Condensed server directory catalog for domain
Enter: The file name for a condensed Directory Catalog used by servers in the domain. As an alternative to using this field, you can specify the file names for individual condensed Directory Catalogs in the Directory catalog database name on this server field in the Basics section of Server documents. Setting up a directory catalog is optional.

Field: Sort all new groups by default
Enter: Choose one:
- Yes to display the members of a new group in alphabetical order.
- No (default) to display members of a group in the order in which you add them. If you select No, you can still override this option and alphabetize members of a specific group.

Field: Use more secure Internet Passwords
Enter: Choose one:
- Yes (default) to use strong encryption for Internet passwords.
- No to use less secure encryption available with previous releases of Domino.
Leave this set to Yes unless servers running earlier releases of Domino must verify the same Internet passwords.

Field: Allow the creation of Alternate Language Information documents
Enter: Choose one:
- Yes (default) to allow you to create Alternate Language Information documents that enable LDAP clients to search for user information in an alternate language.
- No to prevent the creation of Alternate Language Information documents.

Field: List of administrators who are allowed to create Cross Domain Configuration documents in the Administration Process Requests database
Enter: The names of users who can create Cross Domain Configuration documents to allow the Administration Process to submit requests between Domino domains.

Scheduling replication of the Domino Directory


Create Connection documents to schedule replication of the Domino
Directory on all servers in the Domino domain. Since the Domino
Directory is central to a Domino system, it's important to replicate it
frequently. Although the replication schedule you select ultimately
depends on the configuration of the servers in the domain, in general,
replicate the Domino Directory at least every 30 minutes or, if the
directory is large and changes frequently, every 10 to 15 minutes.
Schedule the Administration Requests database (ADMIN4.NSF) to
replicate as frequently as you replicate the Domino Directory. The
Administration Process, which simplifies some administration tasks, uses
the Administration Requests database and the Domino Directory to do its
work. If the Domino Directory is large, create a Connection document to
schedule replication of only the Domino Directory and the
Administration Requests database.


For information on scheduling replication between servers, see the chapter Creating Replicas and Scheduling Replication. For information on the Administration Process, see the chapter Setting Up the Administration Process.

Chapter 20
Setting Up the LDAP Service
This chapter describes how to set up a Domino server to use the
Lightweight Directory Access Protocol (LDAP) service.

The LDAP service


LDAP, Lightweight Directory Access Protocol, is a standard Internet protocol for searching and managing entries in a directory, where an entry is one or more attributes associated with a distinguished name. A distinguished name (for example, cn=Phyllis Spera,ou=Sales,ou=East,o=Acme) is a name that identifies an entry within a directory tree. A directory can contain many types of entries, for example, entries for users, groups, devices, and application data.

Commercial Internet clients such as Netscape Mail, Microsoft Internet Explorer, and Notes clients with LDAP accounts use LDAP to look up directory information, for example during mail addressing. You can also develop LDAP applications to search and manage directory contents. Read about the ldapsearch utility provided with Domino and Notes to learn about LDAP search syntax.

For information on the ldapsearch utility, see the chapter Using the ldapsearch Utility.

Running the LDAP task on a server enables the LDAP service to process LDAP client requests.

LDAP service features

- Support for LDAP v3 and v2 clients
- Anonymous access, name-and-password authentication, Secure Sockets Layer (SSL) connections and X.509 certificate authentication, and the Simple Authentication and Security Layer (SASL) protocol
- LDAP operations extended beyond the primary Domino Directory to secondary Domino Directories and to directory catalogs
- LDAP referrals to remote LDAP directories

The LDAP service supports these features:

- Support for LDAP search, add, modify, modifyDN, compare, and delete operations
- Two methods for schema extension, and support for schema publishing and schema checking
- LDAP language tags to support LDAP searches in alternate languages
- Use of a third-party, LDAP-compliant server such as the Netscape Enterprise Server to authenticate users that have passwords or X.509 certificates stored in the Domino Directory on a Domino server running the LDAP service. For information on setting up a third-party server to use the Domino Directory for client authentication, see the documentation for the server.
- LDAP searches of document text in databases configured in a Domain Catalog

In addition to the LDAP service, Domino and Notes offer these LDAP features:

- Notes client support for LDAP. For more information, see Notes 6 Help.
- Command-line utility, ldapsearch, for searching LDAP directories
- Migration tools that use LDAP to import entries from another LDAP directory and register the entries in Domino
- LDAP C API Toolkit

How the LDAP service works


When the LDAP task is running on a server, the server can listen for and process LDAP client requests. By default, the LDAP task runs automatically on the administration server for the Domino Directory. The schema daemon spawned by the LDAP task on the administration server uses the Domino LDAP Schema database to propagate schema changes to any other servers in the domain that run the LDAP service. The LDAP task on the administration server for the Domino Directory also verifies the directory tree to ensure that the LDAP service complies with the standard LDAP requirement that each part of a distinguished name has an entry in the directory that represents the name part as an object class.
For information on the schema daemon, see the chapter Managing the
LDAP Schema. For more information on directory tree verification, see
the next topic.


In addition to using its primary Domino Directory for processing LDAP requests, the LDAP service can extend LDAP request processing to directory catalogs and secondary Domino Directories, and can refer LDAP clients to remote LDAP directories if processing is unsuccessful in any Domino Directory or directory catalog.

By default the LDAP task listens for LDAP client requests over TCP/IP port 389 and accepts both anonymous connections and connections that bind using name-and-password security. The LDAP service can also listen for requests over an SSL port, usually port 636. The LDAP service can accept requests over the SSL port from anonymous LDAP clients, and from LDAP clients authenticated using name-and-password security and/or X.509 certificates. A name-and-password (simple) bind over the non-SSL port sends the password across the network in the clear, so clients that authenticate that way should use the SSL port.

To search for an entry specified in an LDAP request, the LDAP service does either a view lookup or a full-text search, depending on the search filter specified in the request. View lookups are typically faster than full-text index searches.

Note The LDAP service always does a full-text search to locate information in a condensed Directory Catalog set up on the server.

When an LDAP search filter specifies a name or mail attribute, the LDAP service uses views to quickly locate entries. The PUBNAMES.NTF template design property for these hidden views has Universal with Unicode standard sorting selected for the sort order. Unicode provides a unique definition for every character an LDAP client can specify, regardless of the language configured on the client. Using Unicode sorting, the LDAP service can accurately process LDAP requests specified in different languages when using these views.

If an LDAP search filter searches for an attribute other than a name or mail attribute, the LDAP service searches the full-text index, if one exists. If no full-text index exists, the LDAP service uses a view, but the search will take longer than the full-text index search.


Note The first value in the FullName field defines the distinguished
name for any entry in the Domino Directory except a Domino Group or
Domino Server; the first value in the ListName field defines the
distinguished name for a Domino Group, and the first value in the
ServerName field defines the distinguished name for a Domino Server.

The LDAP service and directory tree verification


When the LDAP service starts on the server that is the administration
server for the primary Domino Directory, it displays these messages at
the server console:
LDAP server: "Started verifying Directory Tree on filename"
LDAP server: "Finished verifying Directory Tree on filename"

These messages indicate that the LDAP service is verifying that each part
of a Notes-style distinguished name in a document in the directory has a
separate document to define the name part. If the LDAP service detects
that a part of a name is missing such a corresponding document, it
creates one in a hidden view. Creating an additional document in this
way ensures that LDAP clients can always use subtree searches to find
the original document.
For example, if the distinguished name in a Person document is Phyllis
Spera/Boston/Acme, and there is no Domino Certifier document
registered for the organizational unit Boston, the LDAP service creates an
organizationalUnit document for Boston. Then, an LDAP user can use a
search filter that specifies a search base of ou=Boston,o=Acme with the
subtree scope to find the entry cn=Phyllis Spera,ou=Boston,o=Acme.
If the server running the LDAP service is the administration server for a
Domino Directory or Extended Directory Catalog, the LDAP service can
verify the directory tree. The LDAP service does not verify the directory
tree for a Configuration Directory or for a condensed Directory Catalog.
The LDAP service can create three types of documents, depending on
which part of a Notes distinguished name lacks a defining document:
country, organizationalUnit, and organization documents. The LDAP
service adds such a document when:

- A Notes user name is registered with a unique organizational unit
  that is not controlled by a certifier. In this case, the LDAP service
  creates an organizationalUnit document.
- A Notes user name is registered with a country part. In this case, the
  LDAP service creates a country document.
- An administrator creates a document manually that contains a
  Notes-style distinguished name with an organizational unit or
  organization that doesn't correspond to a Notes certifier document.
  In this case, the LDAP service creates an organizationalUnit or an
  organization document.

Directory tree verification applies only to the distinguished names of
documents that are added and visible through Notes, since entries added
through the LDAP protocol always have an object class defined for each
distinguished name part.

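The verification described above, modelled as an added example (not Domino's own code): Notes names are converted to LDAP DNs, the ancestors that lack a defining document are created as country, organization or organizationalUnit entries, and a subtree search rooted at a previously missing container then succeeds. The Directory class, its method names and all sample names are constructed for this example.

```python
"""Added example, not Domino code: a model of directory tree verification.
It converts Notes-style hierarchical names to LDAP DNs, finds name parts
that have no defining document, and synthesizes the country, organization
and organizationalUnit documents the LDAP service would add, so that
subtree searches rooted at those containers can succeed. All names and
the Directory class are constructed for this example."""
from __future__ import annotations
from dataclasses import dataclass, field

# LDAP attribute type of a name part -> object class of the document created
DOC_FOR_PART = {"c": "country", "o": "organization", "ou": "organizationalUnit"}


def notes_to_ldap_dn(notes_name: str) -> list[tuple[str, str]]:
    """'Phyllis Spera/Boston/Acme' -> [('cn','Phyllis Spera'),('ou','Boston'),('o','Acme')].
    A trailing 'C=XX' part becomes a c= RDN; the last plain part is the O,
    anything between CN and O is an OU (leaf first, as in an LDAP DN)."""
    parts = notes_name.split("/")
    country = parts.pop()[2:] if parts[-1].upper().startswith("C=") else None
    if len(parts) < 2:                      # flat name: no hierarchy to verify
        return [("cn", parts[0])]
    cn, *ous, o = parts
    rdns = [("cn", cn)] + [("ou", ou) for ou in ous] + [("o", o)]
    if country:
        rdns.append(("c", country))
    return rdns


def dn_string(rdns: list[tuple[str, str]]) -> str:
    return ",".join(f"{t}={v}" for t, v in rdns)


@dataclass
class Directory:
    """Stand-in for a Domino Directory: DN string -> object class.
    (Values containing ',' are not handled; constructed names avoid them.)"""
    entries: dict[str, str] = field(default_factory=dict)
    created_by_verification: list[tuple[str, str]] = field(default_factory=list)

    def add_person(self, notes_name: str) -> None:
        self.entries[dn_string(notes_to_ldap_dn(notes_name))] = "dominoPerson"

    def add_certifier(self, cert_name: str) -> None:
        """A Certifier document such as '/Acme' or '/Boston/Acme' defines
        the O (and any OU) name parts it certifies."""
        *ous, o = cert_name.strip("/").split("/")
        rdns = [("ou", ou) for ou in ous] + [("o", o)]
        self.entries[dn_string(rdns)] = DOC_FOR_PART[rdns[0][0]]

    def verify_dit(self) -> list[tuple[str, str]]:
        """Directory tree verification: every ancestor (ou=, o=, c=) of every
        entry must have its own document; create the missing ones."""
        for dn in list(self.entries):
            rdns = [tuple(rdn.split("=", 1)) for rdn in dn.split(",")]
            for i in range(1, len(rdns)):
                ancestor = dn_string(rdns[i:])
                if ancestor not in self.entries:
                    doc_class = DOC_FOR_PART[rdns[i][0]]
                    self.entries[ancestor] = doc_class
                    self.created_by_verification.append((ancestor, doc_class))
        return list(self.created_by_verification)

    def subtree_search(self, base: str, object_class: str | None = None):
        """Subtree-scope search. As with a real LDAP server, a base entry
        that does not exist yields no result (noSuchObject), returned as None."""
        if base not in self.entries:
            return None
        return sorted(dn for dn, cls in self.entries.items()
                      if (dn == base or dn.endswith("," + base))
                      and (object_class is None or cls == object_class))


def demo():
    """Only the organization Acme has a certifier; Boston and the country
    part GB have no defining documents until verification runs."""
    d = Directory()
    d.add_certifier("/Acme")
    d.add_person("Phyllis Spera/Boston/Acme")
    d.add_person("Pat Lee/Widgets/C=GB")
    before = d.subtree_search("ou=Boston,o=Acme")             # None: base missing
    created = d.verify_dit()
    after = d.subtree_search("ou=Boston,o=Acme", "dominoPerson")
    return before, created, after


if __name__ == "__main__":
    print(demo())
```
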
Running directory tree verification manually
You can run directory tree verification manually, for example if you've
added documents to a directory since you last started the LDAP service.
To run directory tree verification manually, enter this command from the
Domino Directory administration server:
Tell Ldap VerifyDIT

Finding the documents that directory tree verification creates
To find the documents created by directory tree verification, use an
LDAP client and specify the following search filter:
"creatorsname=servername"

where servername is the name of the Domino server that created the
documents. Specify the name in LDAP format, for example:
"creatorsname=cn=westserver,o=acme"

How the LDAP service forms a value for the mail attribute
To return a value for the mail attribute for a Person, Group, Mail-In
Database, or Resource document, the LDAP service searches for the
following:
1. A fully formed Internet address in one of these fields, in the order
indicated:
a. Internet Address (InternetAddress)
b. Short Name (ShortName). If the Internet Address Lookup
field on the Conversions tab of a Global Domain document is
disabled, the LDAP service doesn't look for a short name.
c. Forwarding address (MailAddress). Forwarding address is
the label for this field for Notes mail users, but the label is
different if another mail system is specified for a user.
2. Rules specified below the Internet address lookup field in the
SMTP Address Conversion section on the Conversions tab of a
Global Domain document. If your organization uses more than one
Global Domain document, you must select Yes in the Use as
default Global Domain field of the Global Domain document you
want to use.
3. A DNS domain name retrieved from the operating system of the
machine on which the LDAP service runs. The syntax is:
user's hierarchical name%notesdomain@hostname

For example, Randi Bowker/Marketing/East/Acme%Acme@acme.com
Note If an extended ACL denies an LDAP user access to the LDAP mail
attribute or the corresponding Domino InternetAddress field, the LDAP
service does not follow the above steps to derive an address for the entry
to return to the LDAP user.
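The precedence above, as an added example that is not Domino code: field names are the Domino Directory item names quoted in the text, while the conversion-rule callback, the sample documents and the reduced Global Domain settings are assumptions of this example.

```python
"""Added example, not Domino code: the precedence the LDAP service follows
to derive the LDAP mail attribute, as described above. Field names are the
Domino Directory item names quoted in the text (InternetAddress, ShortName,
MailAddress, FullName); the Global Domain document is reduced to the
'Internet Address Lookup' flag, a Notes domain name and an assumed
conversion-rule callback, since the SMTP Address Conversion rules
themselves are not shown on this page."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class GlobalDomain:
    internet_address_lookup: bool = True     # Conversions tab: Internet Address Lookup
    notes_domain: str = "Acme"               # Notes domain used in step 3
    # Assumed interface for the SMTP Address Conversion rules (step 2):
    # given the document, return an address or None.
    conversion_rule: Optional[Callable[[dict], Optional[str]]] = None


def is_internet_address(value: Optional[str]) -> bool:
    """A fully formed Internet address: non-empty local part and a dotted domain."""
    if not value or "@" not in value:
        return False
    local, _, domain = value.partition("@")
    return bool(local) and "." in domain


def derive_mail(doc: dict, gd: GlobalDomain, hostname: str,
                eacl_denies_mail: bool = False) -> Optional[str]:
    """Return the value of the LDAP mail attribute for doc, or None when an
    extended ACL denies the LDAP user access to mail / InternetAddress."""
    if eacl_denies_mail:
        return None
    # 1. A fully formed Internet address in, in order, InternetAddress,
    #    ShortName (only if Internet Address Lookup is enabled), MailAddress
    candidates = [doc.get("InternetAddress")]
    if gd.internet_address_lookup:
        candidates.append(doc.get("ShortName"))
    candidates.append(doc.get("MailAddress"))
    for value in candidates:
        if is_internet_address(value):
            return value
    # 2. The SMTP Address Conversion rules of the default Global Domain document
    if gd.conversion_rule is not None:
        converted = gd.conversion_rule(doc)
        if converted:
            return converted
    # 3. Fall back to  hierarchical name%notesdomain@hostname  using the DNS
    #    domain name of the machine running the LDAP service
    hierarchical_name = doc["FullName"][0]          # first FullName value = DN
    return f"{hierarchical_name}%{gd.notes_domain}@{hostname}"


# Constructed sample documents
RANDI = {"FullName": ["Randi Bowker/Marketing/East/Acme"], "ShortName": "rbowker"}
PHYLLIS = {"FullName": ["Phyllis Spera/Boston/Acme"],
           "InternetAddress": "phyllis.spera@acme.com", "ShortName": "pspera"}
PAT = {"FullName": ["Pat Lee/Widgets/C=GB"], "MailAddress": "pat.lee@widgets.example"}


def first_last_rule(doc: dict) -> Optional[str]:
    """Constructed stand-in for a conversion rule: 'First Last/.../O' -> first.last@acme.com"""
    cn = doc["FullName"][0].split("/")[0]
    parts = cn.lower().split()
    return ".".join(parts) + "@acme.com" if len(parts) == 2 else None


if __name__ == "__main__":
    gd = GlobalDomain(internet_address_lookup=False)
    print(derive_mail(RANDI, gd, "acme.com"))   # Randi Bowker/Marketing/East/Acme%Acme@acme.com
```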

The LDAP service and secondary directories

You can set up directory assistance on a server that runs the LDAP
service to:

- Process LDAP search requests using secondary Domino Directories
  and Extended Directory Catalogs. These directories can be either
  local or remote to the server running the LDAP service.
- Process LDAP write requests to secondary Domino Directories and
  Extended Directory Catalogs.
- Refer LDAP clients to remote LDAP directories when searches are
  unsuccessful in any Domino Directory or directory catalog.
- Use secondary Domino Directories, Extended Directory Catalogs,
  and/or remote LDAP directories to look up the authentication
  credentials of LDAP clients connecting to the LDAP service.
- Look up the members of groups used in the access control lists
  (ACLs) of the directories served by the LDAP service in one of the
  following directories, in addition to the primary Domino Directory:
  secondary Domino Directory, Extended Directory Catalog, or remote
  LDAP directory.
- Prevent the LDAP service from carrying out LDAP operations in the
  primary Domino Directory.

If a server that runs the LDAP service is set up to use a condensed
Directory Catalog, the LDAP service searches the directory catalog
automatically after searching the primary Domino Directory. Note that
an Extended Directory Catalog, rather than a condensed Directory
Catalog, is recommended for use on servers.
For more information, see the chapters "Setting Up Directory Assistance"
and "Setting Up Directory Catalogs."

Setting up the LDAP service

Before you set up the LDAP service, make sure you understand TCP/IP
concepts, including DNS host names and IP addressing.
Follow these steps to set up a server to run the LDAP service:
1. The LDAP task runs automatically on the administration server for
the primary Domino Directory. On other servers in the domain, run
the LDAP task manually.
2. If your organization uses more than one Global Domain document,
specify the one that the LDAP service uses to return Internet
addresses to LDAP clients. Open the Global Domain document. In
the Use as default Global Domain field, choose Yes.
3. (Optional) Customize the default LDAP service configuration. In
many cases, the LDAP service default settings are adequate.
4. To check whether you set up the LDAP service correctly, use an
LDAP search utility, such as the ldapsearch utility provided with Notes
and Domino, to issue a query to the LDAP service.
5. Set up LDAP clients to connect to the LDAP service.
If clients wish to connect to the LDAP service over the Internet,
connect the server that runs the LDAP service to an Internet service
provider (ISP), and register the server's DNS name and IP address
with the ISP.
For information on troubleshooting problems with the LDAP service, see
the chapter "Troubleshooting."
Note A server that runs the LDAP service on the Windows platform
should not use the system's name as the Domino server name.
For more information, see the chapter "Setting Up the Domino
Network."

Starting and stopping the LDAP service

The following table describes the ways to start and stop the LDAP
service.

To do this: Start the LDAP service automatically when you start Domino
Perform this task: Edit the ServerTasks setting in the NOTES.INI file to
include the LDAP task. Domino adds the LDAP task to the ServerTasks
setting automatically on the administration server for a domain Domino
Directory, or if you select the option Directory services (LDAP services)
during server setup.

To do this: Start the LDAP service manually
Perform this task: Enter Load LDAP at the console.

To do this: Stop and restart the LDAP service
Perform this task: Enter Restart Task LDAP at the console.

To do this: Stop the LDAP service
Perform this task: Enter Tell LDAP Quit at the console.

For information on the NOTES.INI file and on server commands, see the
appendices.

Preventing the LDAP service on the administration server for the
Domino Directory from processing LDAP client requests
You can prevent the administration server for the Domino Directory
from processing LDAP requests, and leave this processing to another
server or servers in the domain that run the LDAP service. Prevent the
administration server from processing LDAP requests, for example, if the
LDAP ports on the administration server conflict with the operating
system. When you disable the LDAP ports on the Domino Directory
administration server, the LDAP service on the server continues to run
the schema daemon and verify the directory tree for the domain, but
does not accept LDAP client requests.
To disable the LDAP ports:
1. Open the Server document of the Domino Directory administration
server.
2. Click Edit Server.
3. Click the Ports - Internet Ports - Directory tab.
4. In the SSL port status and TCP/IP port status fields, choose
Disabled.
5. Click Save & Close.
6. If necessary, wait for the change to replicate to the Domino Directory
administration server for the domain, then enter this command on
the Domino Directory administration server to put the changes into
effect:
Restart Task LDAP

The server console displays the message:
"LDAP Server: No ports enabled, listener not started but
control task running to maintain schema."

Disabling the LDAP service in a domain

If you do not want to run the LDAP service on any server in a domain,
you can stop the LDAP service from running on the administration
server for the Domino Directory. Do the following on the administration
server:
1. Add the NOTES.INI setting DisableLDAPOnAdmin=1.
2. Remove LDAP from the ServerTasks NOTES.INI setting.

Customizing the LDAP service configuration

The default LDAP service configuration works without modification, but
you can customize it to suit your needs. The following table describes the
LDAP service configuration settings. In addition to the settings in the
table, there are NOTES.INI settings you can use to configure the LDAP
service.
For more information, see the topic "NOTES.INI settings for the LDAP
service" later in the chapter.

Except where noted in the table, restarting the LDAP task or the Domino
server is unnecessary after changing a setting because the task checks for
setting changes automatically, by default at three-minute intervals. You
can use the NOTES.INI setting LDAPConfigUpdateInterval to change the
interval at which the LDAP service checks for changes to its settings.

Setting: Port and port security settings [1]
Description: Controls the ports LDAP clients can use to connect to the LDAP
service, and the authentication methods enabled for each port.
Default: TCP/IP port 389 enabled for name-and-password authentication and
for anonymous access. Changing requires restarting the LDAP task.
For more information: See the topic "Changing the LDAP service port and
port security configuration."

Setting: Automatically Full Text Index Domino Directory? [4]
Description: Controls whether the LDAP service creates and updates
full-text indexes on the Domino Directories it serves.
Default: does not create full-text indexes.
For more information: See the topic "Full-text indexing directories
served by the LDAP service."

Setting: Choose fields that anonymous users can query via LDAP [2, 3]
Description: If the port settings allow anonymous access, controls which
attributes anonymous LDAP users can search. Changing requires restarting
the server.
For more information: See the topic "Configuring anonymous LDAP search
access to a directory."

Setting: Allow LDAP users write access [3]
Description: Controls whether LDAP users can modify a directory.
Default: LDAP modifications not allowed. Changing requires restarting
the server.
For more information: See the topic "Using LDAP to modify a directory
served by the LDAP service."

Setting: Rules to follow when this directory... [4]
Description: Controls how the LDAP service responds when it encounters
more than one entry or naming rule that applies to an LDAP add, modify,
or compare operation.
Default: don't carry out the operation.
For more information: See the topic "Configuring how the LDAP service
responds to multiple name matches when processing write and compare
operations."

Setting: Timeout [4]
Description: Controls the maximum time allowed to process an LDAP search.
Default: no limit.
For more information: See the topic "Customizing search processing to
improve LDAP service performance."

Setting: Maximum number of entries returned [4]
Description: Controls the maximum number of entries that the LDAP service
can return in response to an LDAP search.
Default: no limit.
For more information: See the topic "Customizing search processing to
improve LDAP service performance."

Setting: Minimum characters for wildcard search [4]
Description: Controls the minimum number of characters users must place
before the first wildcard in a substring search filter.
Default: 1.
For more information: See the topic "Customizing search processing to
improve LDAP service performance."

Setting: Allow Alternate Language Information processing [4]
Description: Controls whether LDAP users can do alternate language
searches.
Default: not allowed.
For more information: See the topic "Enabling LDAP alternate language
searches."

Setting: Enforce schema? [4]
Description: Controls whether directory modifications through LDAP must
conform to the schema.
Default: schema enforced.
For more information: See the topic "Enabling or disabling
schema-checking."

Setting: DN Required on Bind? [4]
Description: Controls whether the LDAP service requires clients to log on
with distinguished names for name-and-password authentication.
Default: distinguished logon names not required.
For more information: See the topic "Requiring distinguished logon names
for LDAP name-and-password security."

Setting: Encode results in UTF8 for LDAP-v2 clients? [4]
Description: Controls whether the LDAP service returns results in UTF8 to
LDAP v2 clients.
Default: returns results in UTF8 to v2 clients.
For more information: See the topic "Configuring character encoding for
LDAP V2 clients."

Setting: Maximum number of referrals [4]
Description: Controls the maximum number of directory server referrals
the LDAP service can return to a client.
Default: 1.
For more information: See the topic "Configuring the number of referrals
the LDAP service can return."

Setting: Activity Logging truncation size [4]
Description: Controls the size of the information Activity Logging can
log for an LDAP Add or Modify operation.
Default: 4096 bytes.
For more information: See the topic "Limiting the amount of attribute
information logged for LDAP Add and LDAP Modify activity."

[1] Set in the Server document of each server that runs the LDAP service.
To configure authentication options for the ports enabled in a Server
document, you can instead use a Directory Site document. Using the site
document to configure authentication options is required in a hosted
organization environment.
[2] Alternatively, use the database ACL/extended ACL to specify
anonymous LDAP search access.
[3] Set in the domain Configuration Settings document of each Domino
Directory and Extended Directory Catalog the LDAP service serves. Each
directory can have different settings.
[4] Set in the domain Configuration Settings document of the primary
Domino Directory of the servers that run the LDAP service in a domain.
Setting applies to the LDAP service running on any server in the domain.
For information on the Activity Logging truncation size setting, see the
chapter "Setting Up Activity Logging." For information on the Enforce
schema? setting, see the chapter "Managing the LDAP Schema."

Changing the LDAP service port and port security configuration

By default, LDAP clients can connect to the LDAP service over TCP/IP
port 389, anonymously or using name-and-password authentication. By
default, LDAP clients cannot connect using SSL.
Note To authenticate using name-and-password security, some LDAP
clients, for example Netscape Mail, Microsoft Internet Explorer, and
Notes clients with LDAP accounts, first do an anonymous search to
retrieve the distinguished names used for the authentication, so that
users don't have to specify the distinguished names themselves. To
enable such clients to authenticate using names and passwords, you
must enable anonymous access, as well as name-and-password
authentication, for the LDAP service port the clients use to connect. You
must also allow anonymous read access to the attribute(s) the clients use
to search the directory anonymously to retrieve the distinguished names.
Attributes typically searched for are cn, uid, sn, givenname, or mail.
Follow these steps to change the LDAP service port and port security
configuration on a specific server that runs the LDAP service:
1. From the Domino Administrator, click the Configuration tab.
2. In the left pane, expand Server and open the Server document for the
server that runs the LDAP service.
3. Click Edit Server.
4. Click the Ports - Internet Ports - Directory tab.
Note If you are administering a hosted organization environment,
an asterisk (*) in the following tables indicates options you must
specify instead in an Internet Site document. In a non-hosted
organization environment, you can use the Internet Site document,
but you aren't required to.
For information on using Internet Site documents, see the chapter
"Installing and Setting Up Domino Servers."
5. To change the TCP/IP port configuration for the LDAP service,
complete these fields:

Field: TCP/IP port number
Enter: Choose 389 (default) to use the industry standard port for
LDAP connections over TCP/IP. You can specify a different port, but
389 works in most situations.

Field: TCP/IP port status
Enter: Choose one:
- Enabled (default) to allow LDAP clients to connect to the server
  without using SSL.
- Redirect to SSL to direct LDAP clients connecting without using SSL
  to use SSL instead. The LDAP service returns a message to LDAP
  clients indicating that they must connect over SSL.
- Disabled to prevent LDAP clients from connecting using the TCP/IP
  port.

Field: Enforce server access settings
Enter: Choose one:
- Yes to apply the Access server and Not access server settings set in
  the Server Access section on the Security tab of this Server document
  to authenticated LDAP clients connecting to the LDAP service over the
  TCP/IP port.
- No (default) to specify that the LDAP service ignore the Server
  Access settings.

Field: Authentication options: Anonymous*
Enter: If the TCP/IP port status field is set to Enabled, choose one:
- Yes (default) to allow LDAP clients to connect anonymously using the
  TCP/IP port.
- No to prevent LDAP clients from connecting anonymously using the
  TCP/IP port.

Field: Authentication options: Name & Password*
Enter: If the TCP/IP port status field is set to Enabled, choose one:
- Yes (default) to allow LDAP clients to use name-and-password
  authentication when connecting using the TCP/IP port.
- No to prevent LDAP clients from using name-and-password
  authentication when connecting using the TCP/IP port.

For more information on server access settings, see the chapter
"Controlling Access to Domino Servers." For more information on
the authentication options, see the chapter "Setting Up
Name-and-Password and Anonymous Access to Domino Servers."
6. To change the SSL port configuration for the LDAP service, complete
these fields:

Field: SSL port number
Enter: Choose 636 (default) to use the industry standard port for LDAP
connections over SSL. You can specify a different port, but 636 works
in most situations.

Field: SSL port status
Enter: Choose one:
- Enabled to allow LDAP clients to connect to the LDAP service over
  SSL.
- Disabled (default) to prevent LDAP client connections over SSL.

Field: Authentication options: Client certificate*
Enter: If SSL port status is set to Enabled, choose one:
- Yes to allow LDAP clients to use client certificate authentication
  when connecting.
- No (default) to prevent the LDAP service from using client
  certificate authentication.

Field: Authentication options: Name & password*
Enter: If the SSL port status field is set to Enabled, choose one:
- Yes to allow LDAP clients to use name-and-password authentication
  when connecting to the LDAP service over SSL.
- No (default) to prevent LDAP clients from using name-and-password
  authentication over SSL.

Field: Authentication options: Anonymous*
Enter: If the SSL port status field is set to Enabled, choose one:
- Yes (default) to allow LDAP clients to connect to the LDAP service
  anonymously over SSL.
- No to prevent anonymous SSL connections.

For more information on the authentication options, see the chapters
"Setting Up Clients for S/MIME and SSL" and "Setting Up
Name-and-Password and Anonymous Access to Domino Servers."
7. Click Save & Close.
8. If you made the changes on a different server than the one for which
you are configuring the LDAP service, replicate the changes to the
server that runs the LDAP service.
9. Enter the following command on the server that runs the LDAP
service to put the changes into effect:
Restart Task LDAP
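A defender's check over the fields in the two tables above, as an added example (not Domino code): it reads the port settings as a plain dictionary and flags combinations to review, such as name-and-password binds on the non-SSL port. The dictionary layout, the hardened variant and the finding texts are constructed for this example.

```python
"""Added example, not Domino code: a static review of the LDAP port and
port security fields from the two tables above, read from a plain
dictionary. Field names and option values are the ones in the tables; the
dictionary layout, the hardened variant and the finding texts are
constructed for this example."""
from __future__ import annotations

# Defaults stated in the tables (Ports - Internet Ports - Directory tab).
DEFAULT_PORTS = {
    "tcpip": {"port": 389, "status": "Enabled", "enforce_server_access": "No",
              "anonymous": "Yes", "name_and_password": "Yes"},
    "ssl": {"port": 636, "status": "Disabled", "client_certificate": "No",
            "name_and_password": "No", "anonymous": "Yes"},
}

# Constructed hardened variant: the plain port only redirects, SSL carries
# authentication, and server access lists apply to LDAP clients.
HARDENED_PORTS = {
    "tcpip": {"port": 389, "status": "Redirect to SSL", "enforce_server_access": "Yes",
              "anonymous": "No", "name_and_password": "No"},
    "ssl": {"port": 636, "status": "Enabled", "client_certificate": "Yes",
            "name_and_password": "Yes", "anonymous": "Yes"},
}

SEVERITY = {"high": 3, "medium": 2, "info": 1}


def audit_ldap_ports(cfg: dict) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs for one Server document's LDAP ports."""
    tcp, ssl = cfg["tcpip"], cfg["ssl"]
    out: list[tuple[str, str]] = []
    if tcp["status"] == "Enabled" and tcp["name_and_password"] == "Yes":
        out.append(("high", f"name-and-password binds are accepted on TCP/IP port "
                    f"{tcp['port']} without SSL, so credentials cross the network "
                    "unprotected; use 'Redirect to SSL' or set Name & Password to No."))
    if tcp["status"] == "Redirect to SSL" and ssl["status"] != "Enabled":
        out.append(("high", "TCP/IP port redirects clients to SSL but the SSL port "
                    "is Disabled, so no LDAP client can connect."))
    if (ssl["status"] == "Enabled" and ssl["name_and_password"] == "No"
            and ssl["client_certificate"] == "No"):
        out.append(("medium", f"SSL port {ssl['port']} is enabled with no "
                    "authentication method; only anonymous access is possible over SSL."))
    if tcp["status"] == "Enabled" and tcp["enforce_server_access"] == "No":
        out.append(("medium", "Enforce server access settings is No: the Access server "
                    "and Not access server lists on the Security tab are ignored for "
                    "authenticated LDAP clients on the TCP/IP port."))
    for label, port in (("TCP/IP", tcp), ("SSL", ssl)):
        if port["status"] != "Enabled":
            continue
        if port["anonymous"] == "Yes":
            out.append(("info", f"{label} port allows anonymous access; confirm the "
                        "'Choose fields that anonymous users can query via LDAP' setting "
                        "or the extended ACL limits what anonymous users can search."))
        elif port["name_and_password"] == "Yes":
            out.append(("info", f"{label} port has name-and-password without anonymous "
                        "access; clients that first search anonymously for their DN "
                        "(Netscape Mail, Internet Explorer, Notes LDAP accounts) cannot "
                        "authenticate on this port."))
    if tcp["status"] == "Disabled" and ssl["status"] == "Disabled":
        out.append(("info", "No LDAP ports enabled: the LDAP task only maintains the "
                    "schema and verifies the directory tree."))
    return out


def highest_severity(findings: list[tuple[str, str]]) -> int:
    """3 = high, 2 = medium, 1 = info, 0 = nothing to report."""
    return max((SEVERITY[s] for s, _ in findings), default=0)


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_PORTS), ("hardened", HARDENED_PORTS)):
        print(name)
        for severity, text in audit_ldap_ports(cfg):
            print(f"  [{severity}] {text}")
```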

Full-text indexing directories served by the LDAP service

The LDAP service uses hidden views in a Domino Directory or
Extended Directory Catalog to search for entries when LDAP users
specify names or mail addresses in search filters. When LDAP users
specify other attributes as search criteria, the LDAP service searches the
full-text index, if one is created. If your LDAP users search on attributes
other than names or mail addresses, create a full-text index for the
directories the LDAP service serves to improve the speed of these types
of searches.
Note The LDAP service always searches the full-text index to find
information in a condensed Directory Catalog set up on the server.
You can configure the LDAP service so that the Indexer creates full-text
indexes automatically on the Domino Directories the LDAP service
serves. To enable or disable automatic creation of full-text indexes on
the Domino Directories and Extended Directory Catalogs the LDAP
service serves:
1. From the Domino Administrator, open the server that runs the LDAP
service, or a server in the same domain as the one that runs the
LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select
Settings.
4. Do one of the following:
- If you see the prompt "Unable to locate a Server Configuration
  document for this domain. Would you like to create one now?" click
  Yes, then click the LDAP tab on the document.
- If you do not see the prompt, click Edit LDAP Settings.
5. Next to "Automatically Full Text Index Domino Directory?" choose
one:
- Yes to enable the LDAP service to create and update full-text
  indexes automatically.
- No (default) to prevent the LDAP service from creating and
  updating full-text indexes automatically.
6. Click Save & Close.
7. If you selected No to disable this feature, you must manually delete
any full-text indexes you want to remove.

Configuring anonymous LDAP search access to a directory

If the TCP/IP and/or SSL port configuration for the LDAP service allows
anonymous LDAP access, use one of these tools to specify which
information anonymous LDAP users can search in a Domino Directory
or an Extended Directory Catalog served by the LDAP service:

- Domain Configuration Settings document
- Database ACL/extended ACL

You specify anonymous search access separately for each directory the
LDAP service serves.
Note Always use the directory database ACL, optionally with an
extended ACL, to control directory access for authenticated LDAP users,
and to prevent anonymous LDAP users from modifying the directory.
Domain Configuration Settings document
The "Choose fields that anonymous users can query via LDAP" setting
on the LDAP tab of a domain Configuration Settings document in a
Domino Directory or Extended Directory Catalog is the default method
used to determine search access for anonymous LDAP users. The LDAP
service uses the default settings in this document as the default
anonymous search access, even if you do not create the document.
You can modify the "Choose fields that anonymous users can query via
LDAP" setting to customize search access for anonymous LDAP users.
Database ACL/Extended ACL
You can use the database ACL along with an extended ACL to define
anonymous LDAP search access to a directory, rather than use the
domain Configuration Settings document.
For information on extended ACLs, see the chapter "Setting Up
Extended ACLs."
Choosing which method to use
The database ACL/extended ACL is a more flexible method of
controlling anonymous LDAP search access than the domain
Configuration Settings document. For example, when you use the
domain Configuration Settings document to allow or deny access to an
attribute, the access applies to all entries that contain the attribute.
However, when you use the database ACL/extended ACL, you can deny
access to an attribute contained in entries at a particular branch of the
directory tree, but allow access to the same attribute contained in entries
located at other branches. Or you can deny access to the attribute in a
particular type of entry throughout the directory, but allow access to it in
another type of directory entry.
However, there are implications to using extended access that don't apply
to the use of the domain Configuration Settings document. For example,
after you enable extended access, you can make directory changes only on
a directory replica located on a Lotus Domino 6 server, and not on a
server from a previous release of Domino. The database ACL/extended
ACL method also causes database security to be enforced for Notes
namelookups, such as type-ahead lookups. If the domain Configuration
Settings document method is adequate for your needs, it may make sense
to use it instead.

Anonymous LDAP search access and upgrades from previous
releases
If you upgrade a server from a previous release to Lotus Domino 6, the
LDAP service uses the LDAP anonymous access configuration from the
previous release. If you create or edit the domain Configuration Settings
document after updating the directory with the Lotus Domino 6
PUBNAMES.NTF design, the list of attributes allowed for anonymous
access includes the following attributes not listed in previous releases:

Attribute          Attribute               Attribute          Attribute
altServer          ditContentRules         namingContexts     subschemasubentry
attributeTypes     extendedAttributeInfo   o                  supportedControl
cn                 extendedClassInfo       objectClass        supportedExtension
createTimestamp    ldapSyntaxes            objectClasses      supportedLDAPVersion
creatorsName       modifiersName           ou                 supportedSASLMechanisms
dc                 modifyTimestamp         st                 vendorname
                                           street             vendorversion

These attributes were not listed in previous releases because you
could not prevent anonymous LDAP access to them in previous
releases; anonymous LDAP users always had search access to these
attributes. In Lotus Domino 6, you can deny anonymous LDAP search
access to the attributes above, although they are allowed for anonymous
search access by default to be consistent with the anonymous search
behavior of previous releases.

Using the domain Configuration Settings document to customize
anonymous LDAP search access to a directory
To use the domain Configuration Settings document to customize
anonymous LDAP search access to a specific Domino Directory or
Extended Directory Catalog served by the LDAP service, first open the
document, then configure anonymous search access.

Step 1: Open the domain Configuration Settings document in the
directory
To open the domain Configuration Settings document for the primary
Domino Directory:
1. From the Domino Administrator, open a server within the domain
that runs the LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select Settings.
4. Do one of the following:
- If you see the prompt "Unable to locate a Server Configuration
  document for this domain. Would you like to create one now?" click
  Yes, then click the LDAP tab on the document.
- If you do not see the prompt, click Edit LDAP Settings.
To open the domain Configuration Settings document for a secondary
Domino Directory or an Extended Directory Catalog:
To open the domain Configuration Settings document in a Domino
Directory that is not the directory for a domain, or to open the document
in an Extended Directory Catalog:
1. From the Domino Administrator, open the directory.
2. Select the Servers - Configurations view.
3. If you do not see a domain Configuration Settings document in the
view, a document named * - [All Servers], skip to step 4. If you do
see this document, do the following:
a. Open the document
b. Click the LDAP tab.
c. Click Edit Server Configuration.
4. If you do not see a domain Configuration Settings document in the
view, create one by doing the following:
a. Click Add Configuration.
b. On the Basics tab select Yes next to Use these settings as the
default settings for all servers.
c. Click the LDAP tab.

Step 2: Customize anonymous LDAP search access to the directory

After you have opened the domain Configuration Settings document for the
directory, follow these steps to customize anonymous LDAP search access:
1. Next to "Choose fields that anonymous users can query via LDAP"
select "Select Attribute Types" to open the LDAP Attribute Type
Selection dialog box.
The Queriable Attribute Types box at the right of the dialog box
shows the attributes anonymous LDAP users can access.
2. To add an attribute to the Queriable Attribute Types box to allow
anonymous LDAP users to access the attribute:
a. In the Object Classes box, select an object class that contains the
attribute.
b. Click Display Attributes to display in the Selectable Attribute
Types box all the attributes defined for the selected object class(es).
c. Select the attribute in the Selectable Attribute Types box that
you want to allow anonymous LDAP users to access, and click
Add to add the attribute to the Queriable Attribute Types box.
You can select more than one attribute.
Or, to add all the attributes listed in the Selectable Attribute
Types box, click Add All.
When you allow anonymous access to an attribute, the access applies
to all object classes for which that attribute is defined.
3. To remove an attribute from the Queriable Attribute Types box to
prevent anonymous LDAP users from accessing the attribute, select
the attribute and click Remove. Or, to remove all attributes, click
Remove All.
Tip To revert the Queriable Attribute Types box to the attributes
the LDAP service allows for anonymous LDAP access by default,
click Use Default Values.
4. Click OK to close the LDAP Attribute Type Selection dialog box.
5. Click Save & Close to save the changes in the Configuration Settings
document.
6. Do the following for each server in the domain that runs the LDAP
service:
a. If you made the changes to a Domino Directory replica on a
different server, replicate the changes to the server.
b. Enter the following command on the server to put the changes
into effect:
Restart Server

Converting the default anonymous access settings to database ACL
and extended ACL settings
As soon as you select the advanced ACL option Enable Extended
Access for a directory served by the LDAP service, the Choose fields
that anonymous users can query via LDAP setting stops controlling
anonymous LDAP search access and is no longer visible in the domain
Configuration Settings document.
To convert the default anonymous search access settings set in the
domain Configuration Settings document to database ACL and extended
ACL settings for a Domino Directory or Extended Directory Catalog, do
the following:
1. Make sure you have read thoroughly the documentation on
Extended ACLs.
For more information, see the chapter "Setting Up Extended ACLs."
2. Open the directory and select Enable Extended Access in the
Advanced tab of the database ACL.
3. On the Basics tab of the ACL, give the Anonymous entry Reader
access.
4. Click Extended Access and set the access as follows:
5. Select / (root) as the target.
6. Add Anonymous as a subject at / (root).
7. Leave This container and all descendants selected as the scope.
8. For the default privileges, click Allow Browse and click Deny Create,
Delete, Read, and Write.
9. Click Form and Field Access.
10. Next to Schema, select Domino.
11. In the Forms box, select Person.
12. With the Person form still selected, select each of the following fields
in the Fields box, and for each field click Allow Read:
AltFullName
Certificate
FirstName
InternetAddress
LastName
Location
MailAddress
MailDomain
O
OfficeCity
OfficeCountry
OfficeState
OU
PublicKey
ShortName
Street
Type
UserCertificate
20-20 Administering the Domino System, Volume 1
13. In the Forms box, select Group.
14. With the Group form still selected, select each of the following fields
in the Fields box, and for each field click Allow Read:
InternetAddress
MailDomain
Members
Type
15. Next to Schema, select LDAP.
16. In the Object Classes box, select dominoPerson.
17. With the dominoPerson object class still selected, in the Attributes
box select cn and click Allow Read.
18. Click OK twice, and when you see the prompt Save changes before
exiting? click Yes.

Note If you disable Enable Extended Access in a directory ACL, the
default settings in the Choose fields that anonymous users can query via
LDAP setting in the domain Configuration Settings document resume
control of anonymous LDAP search access for the directory.

Using LDAP to modify a directory served by the LDAP service


By default, the LDAP service does not allow LDAP clients to modify the
directories the LDAP service serves. However, you can enable LDAP
write access for any of the following directories to allow LDAP users
with the required database access to modify the directories:
- Primary Domino Directory of the LDAP service
- Secondary Domino Directory or Extended Directory Catalog the
LDAP service serves

You control LDAP write access separately for each directory. For
example, you could enable write access for the primary Domino
Directory, and leave write access disabled for an Extended Directory
Catalog.
Note You cannot enable LDAP write access to a condensed Directory
Catalog served by the LDAP service.
Keep the following points in mind if you enable LDAP write access for a
directory:
1. Domino does not provide a tool for doing LDAP write operations;
you must develop or obtain one.
2. If you allow LDAP write access, use the directory database ACL, and
optionally, extended ACL, to control the directory changes that
LDAP users can make.
3. Enable schema checking for the LDAP service to require that
directory changes made via LDAP conform to the directory schema.
By default, schema checking is disabled; if you allow LDAP write
operations, enabling it is recommended to maintain consistent
directory contents.
4. The Administration Process server task doesn't respond to LDAP
write operations. For example, if an LDAP user deletes a Person
document, the Administration Process can't delete the associated
user name from database ACLs.
5. The LDAP service can carry out an LDAP write operation in a
secondary Domino Directory or Extended Directory Catalog only if
that directory is stored locally on the server that runs the LDAP
service. If the LDAP service receives a write operation request for a
Domino Directory on a remote server, it sends an LDAP referral to
the client. The LDAP service refers the client to the administration
server for the directory. If there is no administration server specified,
it refers the client to the remote server that stores the directory. The
client must then follow the referral itself.

Note If you enable LDAP write access to a secondary Domino
Directory, do not use a condensed Directory Catalog that aggregates
that directory on a server that runs the LDAP service.
6. The distinguished names of directory entries are limited to 256
characters. Distinguished names do not have to conform to the
standard Notes naming model of organizational unit (ou),
organization (o), and country (c). For example, distinguished names
such as these are acceptable:
dn: cn=Jay Walker + uid=123456,u=Sales,o=Widget Inc.,c=GB
dn: foo=Bar, o=Acme
dn: cn=L. Eagle,o=Sue\, Grabbit and Runn,c=GB
Names such as these are recommended primarily for entries that are
accessed through LDAP only, since Notes users may find them
confusing.
7. Prior to doing batch adds of 100 or more directory entries, you can
use the NOTES.INI setting LDAPBatchAdds to process the additions
more quickly. Disable the setting when the batch adds are complete.
8. You can't modify the value of an entry's structural object class
attribute.
Enabling or disabling LDAP write access to a directory served by
the LDAP service
By default, the LDAP service does not allow LDAP clients to modify the
directories the LDAP service serves. If you enable directory changes to be
made via LDAP, the directory database ACL and, optionally, an
extended ACL, control the extent to which authenticated and anonymous
LDAP users can modify directory entries. For example, an LDAP user
with Editor database ACL access can modify all entries, whereas an
LDAP user with only Author database ACL access and the UserModifier
role can modify only Person entries and not other entries.

To enable or disable LDAP write access to the primary Domino Directory
of the LDAP service, or to a secondary Domino Directory or Extended
Directory Catalog the LDAP service serves:
1. From the Domino Administrator, open the directory for which you
want to enable write access.
2. Select the Servers - Configurations view.

3. If you do not see a domain Configuration Settings document in the
view, a document named * - [All Servers], skip to step 4. If you see
this document, do the following:
a. Open the document
b. Click the LDAP tab.
c. Click Edit Server Configuration.
4. If you do not see a domain Configuration Settings document in the
view, create one by doing the following:
a. Click Add Configuration.
b. On the Basics tab select Yes next to Use these settings as the
default settings for all servers.
c. Click the LDAP tab.
Tip If you are enabling write access for the primary Domino
Directory in the domain, a shortcut for steps 2-4 is: from the Domino
Administrator open the server that stores the directory; click the
Configuration tab; in the left pane expand Directory, then LDAP, and
then select Settings; click Edit LDAP Settings.
5. Next to Allow LDAP users write access choose one:
Yes to allow directory changes via LDAP.
No (default) to prevent directory changes via LDAP.
6. Click Save & Close.
7. For each server in the domain that runs the LDAP service, do the
following:
a. If you made the changes to a Domino Directory replica on a
different server, replicate the changes to the server.
b. Enter the following command on the server to put the changes
into effect:
Restart Server

8. If you enabled LDAP write access, set up the database ACL, and
optionally extended ACL, to specify the directory contents that
LDAP users can modify.
For more information, see the chapters Setting Up the Domino
Directory and Setting Up Extended ACLs.
9. Configure how the LDAP service responds when it finds more than
one occurrence of a name specified in an LDAP write operation.

Configuring how the LDAP service responds to multiple name
matches when processing write and compare operations
The LDAP service uses its Rules to follow when this directory is the
primary directory and there are multiple matches on the distinguished
name being compared/modified setting to determine how to respond
in either of these situations:

- It receives an LDAP modify, modify DN, delete, or compare request
and finds more than one entry, within one directory or across
directories, with a distinguished name that matches the one specified
in the request.
- It receives an LDAP add request and finds more than one Domino
Directory enabled for LDAP clients in its directory assistance
database with a directory assistance naming rule that most
specifically matches the distinguished name specified in the request.
Note that if there is no Domino Directory enabled for LDAP clients in
directory assistance with a rule that matches the distinguished name
specified in an add operation, the LDAP service adds the entry to its
primary Domino Directory. If there is only one Domino Directory
enabled for LDAP clients in directory assistance with a rule that
matches the distinguished name specified in an add operation, the
LDAP service adds the entry to that directory.

For more information on the LDAP service and directory assistance, see
the chapter Setting Up Directory Assistance.
To specify the Rules to follow when this directory is the primary
directory and there are multiple matches on the distinguished name
being compared/modified for all servers in the domain that run the
LDAP service:
1. From the Domino Administrator, open the server that runs the LDAP
service, or a server in the same domain as the one that runs the
LDAP service.
2. Click the Configuration tab.

3. In the left pane, expand Directory, then LDAP, and then select
Settings.
4. Do one of the following:
If you see the prompt Unable to locate a Server Configuration
document for this domain. Would you like to create one now? click
Yes, then click the LDAP tab on the document.
If you do not see the prompt, click Edit LDAP Settings.

5. In the Rules to follow when this directory is the primary directory
and there are multiple matches on the distinguished name being
compared/modified field, choose one to specify how the LDAP
service responds in the two situations described above:

Rules to follow... setting    Results
Don't modify any (default)    Prevents the operation from occurring. The LDAP
                              service returns an error, and you can investigate
                              the duplicate names/naming rules.
Modify first match            Carries out the LDAP modify, delete, or compare
                              operation on the first entry encountered in a
                              directory enabled for LDAP write operations that
                              matches the distinguished name specified in the
                              operation. Carries out the LDAP add operation in
                              the Domino Directory configured in the directory
                              assistance database that is enabled for LDAP
                              write operations and has the most specific
                              matching rule and the lowest search order.
Modify all matches            Carries out the LDAP modify, delete, or compare
                              operation on all the entries encountered that
                              match the distinguished name specified in the
                              operation. Carries out the LDAP add operation in
                              all the Domino Directories configured in the
                              directory assistance database with a matching
                              rule that most specifically matches the
                              distinguished name specified in the add
                              operation, and that are enabled for LDAP write
                              operations.

6. Click Save & Close.


Examples of the "Rules to follow..." setting and LDAP add
operations
Assume the LDAP service uses directory assistance to serve secondary
Domino Directories in Domains B, C, and D, in addition to its primary
Domino Directory. These secondary directories are stored locally on the
server running the LDAP service and are configured in the directory
assistance database as follows:
Domain      Naming rule            Search order
Domain B    */*/*/*/*/*
Domain C    */*/*/*/*/*
Domain D    */*/*/DomainD/Acme*

Note If a directory is stored on a remote server, the LDAP service can
send an LDAP referral to the client but cannot process the add operation
remotely itself.
For more information, see the chapter Setting Up Directory Assistance.
The following table provides examples of how the LDAP service
processes add operations as a result of the above directory assistance
configuration and different selections for the Rules to follow when this
directory is the primary directory and there are multiple matches on the
distinguished name being compared/modified LDAP service setting.
Name of entry being added          Rules to      Directory or    Explanation
                                   follow...     directories to
                                   setting       which entry
                                                 added
cn=Kate Power,ou=DomainD,o=Acme    N/A           Domain D        Domain D directory is the only
                                                                 directory with a rule that most
                                                                 specifically matches a name
                                                                 added
cn=John Ashby,ou=DomainC,o=Acme    Modify        Domain B        Rules for Domain B and C both
                                   first match                   match the name being added;
                                                                 entry added to Domain B
                                                                 because it has lower search
                                                                 order than Domain C.
cn=John Ashby,ou=DomainC,o=Acme    Don't         None            Rules for Domain B and C both
                                   modify any                    match the name being added;
                                                                 entry not added.
cn=John Ashby,ou=DomainC,o=Acme    Modify all    Domains B       Rules for Domain B and C both
                                   matches       & C             match the name being added;
                                                                 entry added to both
                                                                 directories.
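
The following Python example is added here and is not part of the Domino documentation. It parses distinguished names of the forms listed under point 6 of the previous section (escaped commas, multi-valued RDNs), enforces the 256-character limit stated there, and simulates how the Rules to follow... setting routes an add request under the example directory assistance configuration above. The naming rules are modelled as dictionaries of required name components rather than in Domino's slash notation, and the search-order numbers are assumed, since the page states only that Domain B's is lower than Domain C's.

```python
# Added example, not Domino's own code. Naming rules are modelled as a dict
# of required name components (absent key = "*"); Domino's slash notation
# shown in the table above is not parsed here. Search-order numbers are an
# assumption: the page only says Domain B's is lower than Domain C's.

DN_MAX_LEN = 256  # limit on distinguished names stated in point 6


def parse_dn(dn):
    """Split a DN into RDNs; each RDN is a list of (attr, value) pairs.

    Handles backslash-escaped separators (o=Sue\\, Grabbit and Runn) and
    multi-valued RDNs joined with '+' (cn=Jay Walker + uid=123456).
    Raises ValueError for an empty or over-long name.
    """
    if not dn or len(dn) > DN_MAX_LEN:
        raise ValueError("DN missing or longer than %d characters" % DN_MAX_LEN)
    rdns, rdn, attr, buf, i = [], [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char is taken literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and attr is None:
            attr = "".join(buf).strip().lower()
            buf = []
        elif ch in ",+":
            if attr is None:
                raise ValueError("RDN without '=' in %r" % dn)
            rdn.append((attr, "".join(buf).strip()))
            attr, buf = None, []
            if ch == ",":                    # ',' ends the RDN, '+' continues it
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError("RDN without '=' in %r" % dn)
    rdn.append((attr, "".join(buf).strip()))
    rdns.append(rdn)
    return rdns


def name_components(dn):
    """Return the hierarchy above the leaf RDN as {'ou1': .., 'o': .., 'c': ..}.

    ou1 is the organizational unit directly below the organization, ou2 the
    one below that, and so on (Domino's OrgUnit1..OrgUnit4 numbering).
    """
    comps, ous = {}, []
    for rdn in parse_dn(dn)[1:]:             # skip the leaf (cn=...) RDN
        for attr, value in rdn:
            if attr == "ou":
                ous.append(value)
            elif attr in ("o", "c"):
                comps[attr] = value
    for level, value in enumerate(reversed(ous), start=1):
        comps["ou%d" % level] = value       # ous was leaf-first; reverse it
    return comps


# Constructed configuration mirroring the page's example: B and C match
# any name, D requires ou1=DomainD and o=Acme (the most specific rule).
DIRECTORIES = [
    {"domain": "Domain B", "search_order": 1, "rule": {}, "ldap_write": True},
    {"domain": "Domain C", "search_order": 2, "rule": {}, "ldap_write": True},
    {"domain": "Domain D", "search_order": 3,
     "rule": {"ou1": "DomainD", "o": "Acme"}, "ldap_write": True},
]


def rule_matches(rule, comps):
    return all(comps.get(k, "").lower() == v.lower() for k, v in rule.items())


def route_add(dn, directories, rules_to_follow):
    """Return the domains an LDAP add for `dn` is carried out in.

    rules_to_follow is "Don't modify any", "Modify first match" or
    "Modify all matches". An empty list means the service refuses the add.
    """
    comps = name_components(dn)
    matches = [d for d in directories
               if d["ldap_write"] and rule_matches(d["rule"], comps)]
    if not matches:                          # no rule matches: primary directory
        return ["primary"]
    best = max(len(d["rule"]) for d in matches)   # most required components
    matches = sorted((d for d in matches if len(d["rule"]) == best),
                     key=lambda d: d["search_order"])
    if len(matches) == 1 or rules_to_follow == "Modify all matches":
        return [d["domain"] for d in matches]
    if rules_to_follow == "Modify first match":
        return [matches[0]["domain"]]
    return []                                # "Don't modify any"
```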

Customizing search processing to improve LDAP service
performance
To improve the performance of the LDAP service, you can choose
options to customize how the service processes searches. These settings
apply to all servers in a domain that run the LDAP service.
Timeout and Maximum number of entries returned
By default, the LDAP service takes as long as necessary to process searches,
and returns all entries it finds that match the search criteria. If LDAP
service performance is slow, consider using the Timeout and
Maximum number of entries returned fields on the LDAP tab of a
domain Configuration Settings document to set limits on the length of
searches and the number of entries returned. If the LDAP client that
sends a request also specifies limits, whichever setting is lower takes
precedence.
Minimum characters for wildcard search
Specify the minimum number of characters that users must place before
the first wildcard in a search filter when the wildcard is combined with a
substring. The default is 1 character. If you increase this value, users
must provide more specific substring search filters, and as a result, the
LDAP service searches fewer entries and processes the searches more
quickly. If LDAP service performance is slow, consider increasing the
minimum characters required for wildcard searches to 2.
If a filter begins with a wildcard followed by a substring, the LDAP
service removes the initial wildcard (unless Minimum characters for
wildcard search is set to 0), then uses what remains as the search filter.
For example, if the option is set to 2 and a user specifies the filter sn=*br*,
the LDAP service uses the filter br* to process the search. However, if a
user specifies the filter *b*, the LDAP service rejects the search request
because after the first wildcard is removed, b*, which is the remaining
search filter, contains only one character before the (now) first wildcard.
Note The Minimum characters for wildcard search option doesn't
apply to search filters that use only a wildcard as a value; for example, a
search filter such as sn=* is always allowed. Because this kind of filter
searches only for the presence of an attribute, not for an attribute value, it
does not have the search performance implications associated with
wildcards in substring searches. To control the number of entries
returned as the result of a presence search filter, use the Maximum
number of entries returned option to set a maximum number of entries
that the LDAP service can return.
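The following Python code is an added example, not part of the Domino documentation: it applies the Minimum characters for wildcard search rule described above to a single attribute=value assertion, and to every assertion in a simple filter, reproducing the sn=*br* and *b* outcomes from the text together with the presence-filter and minimum-0 cases. The function names are mine.

```python
import re

# Added example (not Domino's code): models the "Minimum characters for
# wildcard search" rule. Returns the filter value the service would use,
# or raises ValueError when the request would be rejected.


def apply_wildcard_minimum(assertion, minimum_chars=1):
    """Return the (attr, value) the LDAP service uses for one assertion.

    - A pure presence filter (sn=*) is always allowed and left untouched.
    - A value with no wildcard is not affected by the setting.
    - A leading '*' is stripped unless minimum_chars is 0.
    - After stripping, at least minimum_chars characters must precede the
      first remaining '*', otherwise the search is rejected.
    """
    if "=" not in assertion:
        raise ValueError("not an attribute=value assertion: %r" % assertion)
    attr, value = assertion.split("=", 1)
    if value == "*":                       # presence filter: attribute exists
        return attr, value
    if "*" not in value:                   # plain equality: setting does not apply
        return attr, value
    if value.startswith("*") and minimum_chars > 0:
        value = value[1:]                  # sn=*br* becomes sn=br*
    prefix_len = value.find("*")
    if prefix_len == -1:
        prefix_len = len(value)
    if prefix_len < minimum_chars:
        raise ValueError("rejected: %d character(s) before the first wildcard, "
                         "%d required" % (prefix_len, minimum_chars))
    return attr, value


# Matches (attr=value) assertions whose value contains no parentheses,
# which is enough for filters such as (&(sn=*br*)(givenName=Jo*)).
_ASSERTION = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")


def rewrite_filter(search_filter, minimum_chars=1):
    """Apply the rule to every assertion in a filter string.

    Raises ValueError if any assertion would be rejected, mirroring the
    service rejecting the whole search request.
    """
    def fix(match):
        attr, value = apply_wildcard_minimum(
            match.group(1) + "=" + match.group(2), minimum_chars)
        return "(%s=%s)" % (attr, value)
    return _ASSERTION.sub(fix, search_filter)
```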

Specifying settings to improve LDAP service search performance:
1. From the Domino Administrator, open a server that runs the LDAP
service, or open a server in the same domain as one that runs the
LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select
Settings.
4. Do one of the following:
If you see the prompt Unable to locate a Server Configuration
document for this domain. Would you like to create one now? click
Yes, then click the LDAP tab on the document.
If you do not see the prompt, click Edit LDAP Settings.
5. Change settings in any of these fields:

Field                                   Enter
Timeout                                 The maximum time, in seconds, allowed for
                                        LDAP client searches; default is 0. For
                                        example, specify 60.
Maximum number of entries returned      The maximum number of directory entries the
                                        LDAP service returns to LDAP clients as
                                        search results; default is 0, meaning that
                                        there is no limit. For example, specify 100.
Minimum characters for wildcard search  The minimum number of characters that must
                                        precede the first wildcard in a search filter
                                        when the wildcard is combined with a
                                        substring; default is 1.

6. Click Save & Close.

Enabling LDAP alternate language searches

RFC 2596 defines language tags that you can append to an attribute to
define an alternate language value for the attribute. For example,
givenName;lang-fr=Etienne defines Etienne as a French value for the
givenName attribute. The LDAP service supports language tags.
Many LDAP clients do not support language tags in search queries. Such
LDAP clients can specify, for example, givenName=Etienne to find an
entry with givenName;lang-fr=Etienne defined.
To enable LDAP alternate language searches, configure the LDAP service
to allow them, and add the language tags to entries. Use an Alternative
Language Information document in the Domino Directory to add
language tags to a Person document. Use LDAP add and modify
operations to add language tags to any other type of entry.

Configuring the LDAP service to allow LDAP alternate language
searches
Follow these steps to allow all servers in a domain that run the LDAP
service to process LDAP alternate language searches:
1. In the Directory Profile, enable support for LDAP alternate language
searches:
a. From the Domino Administrator, open the primary Domino
Directory of the server that runs the LDAP service.
b. Choose Actions - Edit Directory Profile.
c. In the Allow the creation of Alternate Language Information
documents field, choose Yes.
d. Click Save & Close.
2. In the domain Configuration Settings document, enable support for
LDAP alternate language searches:
a. From the Domino Administrator, open the server that runs the
LDAP service, or open a server in the same domain as the one
that runs the LDAP service.
b. Click the Configuration tab.
c. In the left pane, expand Directory, then LDAP, and then select
Settings.
d. Do one of the following:
If you see the prompt Unable to locate a Server Configuration
document for this domain. Would you like to create one now?
click Yes, then click the LDAP tab on the document.
If you do not see the prompt, click Edit LDAP Settings.
e. In the Allow Alternate Language Information processing field,
choose Yes.
f. Click Save & Close.
Using an Alternative Language Information document to define
language subattributes for a Person document
To add LDAP language tags for a specific language to a Person
document (dominoPerson entry), create an Alternative Language
Information document that is associated with the Person document. The
Alternative Language Information document contains a subset of the
fields in the Person document, for which you assign values in the
alternate language. You can create multiple Alternative Language
Information documents for one Person document. You can create
Alternative Language Information documents in any Domino Directory
that the LDAP service serves.

To add LDAP language tags for a specific language to a Domino Person
document:
1. From the Domino Administrator, open the Domino Directory that
contains the Person document.
2. Click the People & Groups tab.
3. Select People, and open the Person document to which you want to
add the language tags.
4. Choose Actions - Add Alternate Language Information.
5. Click the Basics tab, and do the following:
a. In the Language field, select the language to use.
b. Enter values in the selected language for any of the other fields in
the Basics tab.
Note The User name (FullName) field is inherited from the Person
document. LDAP uses this as the distinguished name that identifies
the person, and you can't create an alternate language version of it.
6. Click the Work/Home tab, and enter values in the selected language
for any of the fields in the Work, Home, and Corporate Hierarchy
tabs.
For information on Corporate Hierarchies, see the chapter Setting
Up the Domino Directory.
7. Click Save & Close.
Viewing Alternative Language Information documents
To view the Alternative Language Information documents associated
with Person documents:
1. From the Domino Administrator, click the Files tab, and open the
Domino Directory.
2. Expand the People view, and select the Alternate Languages view.

Requiring distinguished logon names for LDAP name-and-password
security

To conform to RFCs 2251 through 2254, you can use the LDAP service
option DN Required on Bind? to require that an LDAP client that binds
using name-and-password security to any LDAP service running in the
domain use their fully qualified LDAP distinguished name as their
LDAP client logon name. In a Person document in the Domino Directory,
the distinguished name is the first value in the FullName field, labeled
User Name. By default, the LDAP service doesn't require an LDAP client
to use the distinguished name as a logon name.
If you don't require distinguished names as logon names for
name-and-password security, the Internet authentication field on the
Security tab of a Server document for a server that runs the LDAP service
controls which client logon names are allowed for name-and-password
security.
For more information on name-and-password security, see the chapter
Setting Up Name-and-Password and Anonymous Access to Domino
Servers.
To enable or disable the requirement that LDAP users use their
distinguished names as logon names when using name-and-password
security when binding to the LDAP service:
1. From the Domino Administrator, open a server that runs the LDAP
service, or a server in the same domain as a server that runs the
LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select
Settings.
4. Do one of the following:
If you see the prompt Unable to locate a Server Configuration
document for this domain. Would you like to create one now?
click Yes, then click the LDAP tab on the document that is created.
If you do not see this prompt, click Edit LDAP Settings.
5. Next to DN Required on Bind? choose one:
Yes to require distinguished names as LDAP client logon names
for name-and-password security.
No (default) to not require distinguished names for client logon
names.
6. Click Save & Close.

Configuring character encoding for LDAP V2 clients

By default, the LDAP service uses UTF-8 character encoding when
returning results with international characters to LDAP V2 clients.
Although the LDAP V2 RFC does not support the use of UTF-8, the
default behavior ensures that LDAP V2 clients such as EudoraPro 4.1
and Netscape Communicator versions prior to 4.73, which use UTF-8,
can work well with the LDAP service.
To support LDAP V2 clients that don't use UTF-8, you can change the
default encoding to prevent the LDAP service from using UTF-8
character encoding for V2 clients. If you prevent the use of UTF-8
character encoding for LDAP V2 clients, then the LDAP service may
sometimes be unable to return results containing international characters
to V2 clients that use UTF-8.
Note The LDAP service always uses UTF-8 character encoding when
returning results with international characters to LDAP V3 clients, for
example, Microsoft Outlook Express clients and Notes clients.
To enable or disable the use of UTF-8 character encoding for LDAP V2
clients for the LDAP service running on any server in a domain:
1. From the Domino Administrator, open the server that runs the LDAP
service, or a server in the same domain as the one that runs the
LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select
Settings.
4. Do one of the following:
If you see the prompt Unable to locate a Server Configuration
document for this domain. Would you like to create one now?
click Yes, then click the LDAP tab on the document that is created.
If you do not see this prompt, click Edit LDAP Settings.
5. Choose one:
Yes (default) to use UTF-8 character encoding for LDAP V2
clients.
No to prevent the use of UTF-8 character encoding for LDAP V2
clients.
6. Click Save & Close.

Configuring the number of referrals the LDAP service can return

When the LDAP service can't find information for which an LDAP client
is searching, it can return a referral to the client, which is a URL to
another directory server that might hold the information the client is
requesting. The LDAP service uses directory assistance to return
referrals.
For more information on LDAP service referrals, see the chapter Setting
Up Directory Assistance.
By default, the LDAP service can return one referral to a client. To
configure the number of referrals the LDAP service running on any
server in a domain can return to LDAP clients:
1. From the Domino Administrator, open the server that runs the LDAP
service, or a server in the same domain as the one that runs the
LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select
Settings.
4. Do one of the following:
If you see the prompt Unable to locate a Server Configuration
document for this domain. Would you like to create one now?
click Yes, then click the LDAP tab on the document that is created.
If you do not see this prompt, click Edit LDAP Settings.
5. Next to Maximum number of referrals specify the maximum
number of referrals the LDAP service can return to a client.
6. Click Save & Close.

Setting up clients to use the LDAP service

You can set up both non-Notes clients and Notes clients to use the LDAP
service running on a specific server.
Setting up non-Notes clients to use the LDAP service
To set up Internet clients to connect to the LDAP service, specify the
following on the clients:

- Host name of a Domino server running the LDAP service, for
example, ldap.acme.com
- Port to use for the connection, for example 389 for TCP/IP, or 636 for
SSL.
- (Optional) Client authentication: SSL or name-and-password security
- Search base, which applies only to any secondary Domino Directories
the LDAP service serves using directory assistance

For more information, see the documentation provided with the client.
Setting up Notes clients to use the LDAP service
To set up Notes clients to connect to the LDAP service running on a
particular Domino server, create LDAP accounts for the LDAP service in
the Notes clients' Personal Address Books. Use Setup policy settings
and/or Desktop policy settings documents to automate setup of the
LDAP accounts. If you do not automate setup of the accounts, you or the
users must create the accounts manually.
For more information on accounts, see Notes 6 Help.
Note User Setup Profiles used in Lotus Domino Release 5 for automated
LDAP account setup continue to work in Lotus Domino 6.
To use a Setup policy settings document and/or Desktop policy settings
document to automate setup of LDAP accounts for the LDAP service on
Notes clients:
1. Make sure you understand policies and how to set them up.
For information, see the chapter Using Policies.
2. If you haven't already done so, create a Desktop policy settings
document or a Setup policy settings document to use to automate
setup of the LDAP accounts.
3. Open the Desktop policy settings document or Setup policy settings
document you want to use to automate setup of the LDAP account.
4. Click the Accounts tab, then complete the following fields:

Field                                  Enter
Inherit Default Accounts Settings      Select to inherit default account settings
from Parent                            from parent.
Enforce Default Accounts Settings      Select to enforce default account settings
in Children                            in children.
Account Names                          A descriptive name for the LDAP service
                                       account; users see this name in the list of
                                       directories the client can search. If you
                                       specify more than one account, for example,
                                       an account for another Internet service,
                                       separate account names with commas (,).
Server Addresses                       The host name of the server running the
                                       LDAP service, for example, ldap.acme.com.
Protocols                              LDAP
Use SSL Connection                     Yes to use SSL; otherwise, No.

5. Click Save & Close.

LDAP client authentication

To authenticate LDAP clients, the LDAP service can look up the clients'
distinguished names and passwords/certificates in any of the following
directories:
- Primary Domino Directory
- Extended Directory Catalog
- Condensed Directory Catalog on server (passwords only recommended)
- Secondary Domino Directory
- Remote LDAP directory

The primary Domino Directory of the server running the LDAP service is
trusted for client authentication automatically. You must explicitly trust
other directories for client authentication.
For additional information, see the chapters Setting Up Directory
Catalogs, Setting Up Directory Assistance, Setting Up
Name-and-Password and Anonymous Access to Domino Servers, and
Setting Up Clients for S/MIME and SSL.

Using LDAP to search a Domain index

If the LDAP service is running on a server that stores a Domain Index,
you can develop an LDAP application to search the Domain Index for all
documents that contain a specific text string and then return specific
attributes of these documents. Use this search query format:
"(&(ObjectClass=Document)(Object=*xxx*))" attributes

where:
xxx represents the text string to search for
attributes are any of these attributes to retrieve:
- cn
- url
- doctitle
- docauthor
- docsummary
- dbheading
- dbcategories
- dbtitle

For example, the following query searches for all documents that contain
the text HR policies and then returns the cn, url, doctitle, docauthor,
and dbtitle values for those documents:
"(&(ObjectClass=Document)(Object=*HR policies*))" cn url
doctitle docauthor dbtitle

You can use operators with the Object attribute search filter. For
example, to find all documents that contain both the text HR policies
and the text 1999 and then return the same set of attributes as the
example above, use this query:
"(&(ObjectClass=Document)(&(Object=*HR
policies*)(Object=*1999*)))" cn url doctitle docauthor
dbtitle

To search the text of a database, you must have at least Reader access in
the ACL of the source database.
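The following Python helper is an added example, not Domino's code: it builds the Domain Index query string shown above from search terms and attribute names, escaping each term as RFC 2254 requires so that text taken from a user cannot add filter components of its own. The query format and attribute names are the page's; the function names are mine.

```python
# Added example (not from the Domino documentation). Builds the
# "(&(ObjectClass=Document)(Object=*xxx*))" attributes query for a Domain
# Index search. The caller supplies only the text terms; the '*' wildcards
# are added here, and reserved characters inside the terms are escaped.

KNOWN_ATTRIBUTES = ("cn", "url", "doctitle", "docauthor", "docsummary",
                    "dbheading", "dbcategories", "dbtitle")


def escape_filter_value(text):
    """Escape the characters RFC 2254 reserves inside a filter value."""
    out = []
    for ch in text:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a', ')' -> '\29'
        else:
            out.append(ch)
    return "".join(out)


def build_domain_index_query(terms, attributes):
    """Return (search_filter, attribute_list) for a Domain Index text search.

    terms: one or more strings; a document must contain all of them, which
    is expressed as an AND of Object=*term* assertions as in the text.
    attributes: names from KNOWN_ATTRIBUTES to return for each document.
    """
    if not terms:
        raise ValueError("at least one search term is required")
    bad = [a for a in attributes if a not in KNOWN_ATTRIBUTES]
    if bad:
        raise ValueError("unknown Domain Index attribute(s): %s" % ", ".join(bad))
    clauses = ["(Object=*%s*)" % escape_filter_value(t) for t in terms]
    if len(clauses) == 1:
        text_filter = clauses[0]
    else:
        text_filter = "(&%s)" % "".join(clauses)   # nested AND, as in the doc
    search_filter = "(&(ObjectClass=Document)%s)" % text_filter
    return search_filter, list(attributes)


def format_query(terms, attributes):
    """Render the query in the quoted form the documentation shows."""
    search_filter, attrs = build_domain_index_query(terms, attributes)
    return '"%s" %s' % (search_filter, " ".join(attrs))
```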

Monitoring the LDAP service

Use these methods to monitor the LDAP service:
- Show the current LDAP service configuration settings
- Show statistics related to LDAP service port activity

Showing the current LDAP service configuration settings

To show the current status of:
- The settings for the LDAP service that are controlled through the
domain Configuration Settings document.
- The LDAP service port settings in the Internet Ports section of the
Server document.
- LDAP Activity Logging
enter this server command on a server that runs the LDAP service:
Tell Ldap Showconfig
To show the status of the above settings as well as the status of the LDAP
service settings controlled through the NOTES.INI file, enter this server
command:
Tell Ldap showconfig debug


Showing statistics related to LDAP service port activity

You can see statistics about LDAP service port activity related
specifically to LDAP operations, and also network statistics related to
general network activity over the LDAP service ports. You can use the
Show Stat command to see statistics.
Note Each statistic listed in the following tables begins with the prefix
LDAP., but the tables omit the prefix. For example, the statistic
LDAP.Total LDAP Connections is shown as Total LDAP Connections.
Statistics related to LDAP operations
The following statistics relate to connections made using LDAP. Statistics
calculation begins at LDAP service startup.
Statistic: Description
Total LDAP Connections: Number of LDAP connections
Simple LDAP Connections: Number of LDAP connections using name-and-password authentication
Anonymous LDAP Connections: Number of anonymous LDAP connections
Strong Authentication Connections: Number of LDAP connections using X.509 client certificate authentication
Failed LDAP Connections: Number of LDAP connections that failed
Total LDAP Searches: Number of LDAP search requests processed
Longest LDAP Search time: Longest amount of time taken to successfully complete an LDAP search request that has been received so far. This statistic does not include LDAP searches that fail with any error.
Average LDAP Search time: Average amount of time taken to process LDAP search requests received so far. The value includes time taken to process search requests that fail, and so on occasion it may exceed the Longest LDAP Search time value.
Longest LDAP Search request: Longest amount of time to receive an LDAP search request
Total LDAP Modifies: Number of LDAP modify requests processed
Total LDAP Compares: Number of LDAP compare requests processed
Total LDAP Adds: Number of LDAP add requests processed
Total LDAP Deletes: Number of LDAP delete requests processed
Total LDAP ModifyDNs: Number of modifyDN requests processed
20-38 Administering the Domino System, Volume 1

Total LDAP Extended Operations: Number of requests to extend the schema processed
Total LDAP Abandons: Number of abandon requests processed
Total LDAP Searches for Subschema: Number of requests to search the subschema processed
Total LDAP Searches for Root DSE: Number of requests to search the root DSE processed
Total LDAP Referrals returned: Number of referrals to remote LDAP directories returned
Total LDAP Searches on Domain Catalog: Number of requests to search the Domain Catalog processed
Total LDAP Search Entries Returned: Number of entries returned from search requests
Total LDAP Search time: Total time spent processing LDAP searches
Server.Running: Shows whether the LDAP service is running

Statistics for network activity on the LDAP service ports


The following statistics relate to network activity over the LDAP service
ports since Domino server startup. These statistics can reflect network
activity that does not involve the LDAP protocol, for example activity
resulting from telnet requests.
Statistic: Description
Sessions.Inbound.Accept.Queue: Number of new connections waiting to be serviced by threadpool
Sessions.Inbound.Active: Number of currently running inbound TCP/SSL connections
Sessions.Inbound.Active.SSL: Number of currently running inbound SSL connections
Sessions.Inbound.BytesReceived: Number of bytes received by all inbound TCP/SSL connections
Sessions.Inbound.BytesSent: Number of bytes sent by all inbound TCP/SSL connections
Sessions.Inbound.Peak: Maximum number of concurrent inbound TCP/SSL connections
Sessions.Inbound.Peak.SSL: Peak number of concurrent inbound SSL connections
Sessions.Inbound.Total: Number of all TCP/SSL inbound connections since server started
Sessions.Inbound.Total.SSL: Number of all SSL inbound connections since server started
Sessions.Inbound.Total.SSL.Bad_Handshake: Total number of failed inbound SSL handshakes since server started
Sessions.Outbound.Active: Number of currently running outbound TCP/SSL connections
Sessions.Outbound.Active.SSL: Number of currently running outbound SSL connections
Sessions.Outbound.BytesReceived: Number of bytes received by all outbound TCP/SSL connections
Sessions.Outbound.BytesSent: Number of bytes sent by all outbound TCP/SSL connections
Sessions.Outbound.Peak: Maximum number of concurrent outbound TCP/SSL connections
Sessions.Outbound.Peak.SSL: Maximum number of concurrent outbound SSL connections
Sessions.Outbound.Total: Number of all TCP outbound connections since server started
Sessions.Outbound.Total.SSL: Number of all SSL outbound connections since server started
Sessions.Outbound.Total.SSL.Bad_Handshake: Total number of failed outbound SSL handshakes since server started
Sessions.Threads.Busy: Total number of running threads servicing network IO requests
Sessions.Threads.Idle: Total number of idle threads waiting to service network IO requests
Sessions.Threads.InThreadPool: Current number of threads in threadpool
Sessions.Threads.Peak: Peak number of threads in threadpool
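Because these counters accumulate from LDAP service startup, the useful monitoring signal is the change between two polls. As an added example (not code from the Domino documentation), here is a parser for Show Stat output and a comparison of two snapshots that flags a burst of failed connections or failed SSL handshakes and recognises a counter reset after a restart; the statistic names are the ones in the tables above, while the "LDAP.Name = Value" line layout and all sample values are constructed and should be checked against real console output.

```python
"""Parse 'Show Stat LDAP' output and raise findings from two consecutive
snapshots of the cumulative counters listed above.

Added example; not code from the Domino documentation. The statistic
names come from the tables above. The 'LDAP.Name = Value' line layout and
every value below are constructed for illustration."""
import re

_STAT_LINE = re.compile(r"^\s*(?P<name>LDAP\.[^=]+?)\s*=\s*(?P<value>-?\d+)\s*$")

# Constructed sample of two polls a few minutes apart.
SNAPSHOT_1 = """\
LDAP.Total LDAP Connections = 1540
LDAP.Simple LDAP Connections = 1200
LDAP.Anonymous LDAP Connections = 328
LDAP.Strong Authentication Connections = 12
LDAP.Failed LDAP Connections = 9
LDAP.Sessions.Inbound.Total.SSL.Bad_Handshake = 1
LDAP.Server.Running = 1
"""
SNAPSHOT_2 = """\
LDAP.Total LDAP Connections = 1610
LDAP.Simple LDAP Connections = 1262
LDAP.Anonymous LDAP Connections = 336
LDAP.Strong Authentication Connections = 12
LDAP.Failed LDAP Connections = 51
LDAP.Sessions.Inbound.Total.SSL.Bad_Handshake = 1
LDAP.Server.Running = 1
"""


def parse_show_stat(text: str) -> dict:
    """Map each numeric LDAP.* statistic (prefix stripped) to its value.

    Lines that do not match (headers, text-valued statistics) are skipped."""
    stats = {}
    for line in text.splitlines():
        m = _STAT_LINE.match(line)
        if m:
            stats[m.group("name")[len("LDAP."):]] = int(m.group("value"))
    return stats


def ldap_findings(prev: dict, cur: dict, *, max_failed: int = 20,
                  max_failed_ratio: float = 0.2, max_bad_handshakes: int = 5) -> list:
    """Compare two polls of the cumulative counters and return alert strings.

    Counters run from LDAP service startup, so the quantity of interest is
    the change between polls, not the absolute value."""
    findings = []
    if cur.get("Server.Running", 1) == 0:
        findings.append("critical: LDAP service is not running")
        return findings
    # A counter that went backwards means the service restarted and the
    # counters reset: measure from zero instead of producing negative deltas.
    if cur.get("Total LDAP Connections", 0) < prev.get("Total LDAP Connections", 0):
        findings.append("info: counters reset, LDAP service restarted since last poll")
        prev = {}

    def delta(name: str) -> int:
        return cur.get(name, 0) - prev.get(name, 0)

    failed, total = delta("Failed LDAP Connections"), delta("Total LDAP Connections")
    if failed > max_failed:
        findings.append(f"warning: {failed} failed LDAP connections since last poll")
    if total > 0 and failed / total > max_failed_ratio:
        findings.append(f"warning: {failed / total:.0%} of new connections failed")
    bad = delta("Sessions.Inbound.Total.SSL.Bad_Handshake")
    if bad > max_bad_handshakes:
        findings.append(f"warning: {bad} failed inbound SSL handshakes since last poll")
    return findings


if __name__ == "__main__":
    for finding in ldap_findings(parse_show_stat(SNAPSHOT_1), parse_show_stat(SNAPSHOT_2)):
        print(finding)
```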


NOTES.INI settings for the LDAP service


The following table contains the NOTES.INI settings that pertain
specifically to the LDAP service.
For more information on these settings, see the NOTES.INI File
appendix.
Note If you use the Set Configuration command to specify a setting, the
LDAP service detects the change automatically within three minutes, by
default.
Setting: Description
DisableLDAPOnAdmin: Disables the LDAP service for a domain
LDAPBatchAdds: To speed processing of batch LDAP adds to the Domino Directory, specifies that the LDAP service immediately updates only the ($LDAPRDNHier) view to reflect the changes
LDAPConfigUpdateInterval: Specifies how often the LDAP service checks for and puts into effect changes to its configuration settings
LDAPGroupMembership: Controls how the LDAP service responds to searches of Domino Mail only groups and to searches of groups without a GroupType attribute value
LDAPNotesPort: Specifies the name of the Notes network for TCP/IP used by the LDAP service on a partitioned server or by the LDAP service on a single server that uses more than one Notes port for TCP/IP
LDAPPre55Outlook: When the LDAP service receives a search query that specifies country (c=xx) as a search base, specifies that it convert the search base to root () to accommodate pre 5.5 Microsoft Outlook Express client behavior
Schema_Daemon_Breaktime: Specifies how often (in seconds) the schema daemon checks the status of the LDAP task to see if it should shut down
Schema_Daemon_Idletime: Specifies how long (in minutes) the schema daemon spawned by the LDAP service remains idle after it finishes its tasks
Schema_Daemon_Reloadtime: Specifies how often (in hours) the schema daemon spawned by the LDAP service on the Domino Directory administration server loads schema changes made using Domino Directory forms into memory
Schema_Daemon_Resynctime: Specifies how often (in hours) the schema daemon spawned by the LDAP service on the Domino Directory administration server updates the Domino LDAP Schema database when its in-memory schema differs from the schema published in the Schema database

RFCs supported by the LDAP service


The Domino LDAP service supports the RFCs described in the following
table.
RFC: Description
2079: Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers
2222: Simple Authentication & Security Layer (SASL)
2251: Lightweight Directory Access Protocol (v3)
2252: Lightweight Directory Access Protocol (v3) Attribute Syntax Definitions
2253: Lightweight Directory Access Protocol (v3) UTF-8 String Representation of Distinguished Names
2254: The String Representation of LDAP Search Filters
2255: The LDAP URL Format
2256: A Summary of the X.500 (96) User Schema for use with LDAPv3
2596: Use of Language Codes in LDAP
2798: Definition of the inetOrgPerson LDAP Object Class


Chapter 21
Managing the LDAP Schema
This chapter defines the term LDAP schema and provides information
about the Domino LDAP schema and how to extend it.

LDAP schema
A directory entry contains information about a particular entity, for
example, a person or a group, and is associated with a distinguished
name. An LDAP schema is a set of rules that define what can be stored as
entries in an LDAP directory. Each LDAP directory has a default schema,
which organizations can customize, or extend, by adding elements to it.
The elements of a schema are attributes, syntaxes, and object classes.
LDAP directory servers provide the ability to enforce the schema to
ensure that directory changes made using LDAP operations conform to it.

Attributes
An attribute defines a piece of information that directory entries contain.
For example, some common attributes for entries related to people are cn
(common name), telephoneNumber, and userPassword.
An attribute is either mandatory or optional for a particular type of
entry. When an attribute is mandatory and directory administrators use
schema-checking to enforce the schema, administrators must provide a
value for the attribute when they add or modify the entries using LDAP
operations. An attribute can be defined to allow multiple values.
Multiple types of directory entries can use the same attribute.

Object classes
An object class defines a set of attributes for a type of directory entry.
Two or more object classes in an object class hierarchy define the
attributes for a type of entry. An object class inherits attributes from all
object classes above it in the hierarchy and then adds attributes of its
own; for example:
Object class 1: adds attribute A
Object class 2: inherits A; adds B, C, D
Object class 3: inherits A, B, C, D; adds E, F
There are three types of object classes: abstract, structural, and auxiliary.

Abstract object classes


An abstract object class defines an attribute or set of attributes that all
object classes in an object class structure inherit. Every object class
structure must have an abstract object class as the top-level object class.
A default LDAP schema typically uses the abstract object class top. top
includes only one attribute, objectClass, which defines an object class for
each entry in the directory.
Structural object classes
A structural object class defines a type of entry in an LDAP directory.
Examples of standard LDAP structural object classes are person,
organizationalPerson, and inetOrgPerson. An object class structure must
include at least one structural object class.
Auxiliary object classes
An auxiliary object class adds attributes to another object class, usually a
structural object class. An auxiliary object class is useful for defining a set
of attributes used by multiple object classes. An auxiliary object class
usually inherits from the abstract object class top. Object classes can't
inherit attributes from an auxiliary object class. Instead, you must add an
auxiliary object class to each object class that uses it.

Syntaxes
A syntax defines the data format in which an attribute value is stored.
Directory String, Integer, and JPEG are examples of standard LDAP
syntaxes.

The Domino LDAP schema


The default Domino LDAP schema includes:
• Domino-specific schema elements defined by the default forms in the Domino Directory
• All LDAP-standard schema elements defined in RFCs 2252, 2256, 2798, 2247, and 2739. The LDAP service uses the file LSCHEMA.LDIF to build these elements in the default schema.

You can extend the schema to add custom schema elements that your
organization needs.
To see detailed information about the Domino LDAP schema, open the
Domino LDAP Schema database (SCHEMA.NSF) on any server that runs
the LDAP service.


For information relating to upgrading the LDAP schema, see the Upgrade
Guide.

How an LDAP object class relates to a Domino form


An LDAP object class is similar to a form in the Domino Directory, in
that each defines a set of information for a directory entry. A
Domino-specific object class, whose name usually begins with domino,
always maps to a form in the Domino Directory. For example, the object
class dominoPerson maps to the form Person, and the object class
dominoGroup maps to the form Group.
An object class that is not specific to Domino, for example a standard
LDAP object class defined in the LSCHEMA.LDIF file, maps to a
form only if you create such a form. For example, the object class
residentialPerson is part of the default Domino LDAP schema, but it has
no corresponding form in the Domino Directory. Therefore, by default
you can use only LDAP operations to add, search, and modify
residentialPerson entries. To give Notes and Web users access to these
entries, you must create a corresponding form following a specific
procedure. If you create a corresponding form, residentialPerson entries
are created as documents that are visible to Notes and Web users.
For instructions on creating a form in the Domino Directory that
corresponds to an object class, see the appendix Customizing the
Domino Directory.
Domino forms that are not defined as object classes in the default
Domino LDAP schema
The following forms in the Domino Directory are not defined as object
classes in the schema because their designs do not include a field that
defines a distinguished name:
• CrossCertificate
• Location
• Server\Configuration Settings
• Server\Connection
• Server\Holiday
• Server\Domain
• Server\User Setup Profile


How an LDAP attribute relates to a Domino field


An LDAP attribute is similar to a field in the Domino Directory in that
each defines a piece of information about a directory entry. An LDAP
attribute defined for a Domino-specific object class always maps to a
field in a form in the Domino Directory. The name of the attribute and
the name of the field may not be identical. This difference occurs when a
preexisting field in Domino has a purpose similar to an LDAP-standard
attribute. For example, the LDAP attribute uid maps to the Domino field
ShortName.
By default, an attribute that is not Domino-specific does not map to a
visible field in the Domino Directory.
LDAP-standard attributes on Domino forms
If a Domino object class inherits from an LDAP-standard object class, the
fields that represent the inherited attributes may be hidden in the
Domino Directory document. For example, the dominoPerson object class
inherits the attribute employeeNumber from the LDAP-standard object
class inetOrgPerson. However, the field employee number is only
apparent when you select a Person document, choose Edit - Properties,
and select the second tab in the Document properties box to see a listing
of all the fields. You can add the field to the $PersonInheritableSchema
subform to make the field visible.

How an LDAP syntax relates to a field type


There are some syntaxes in the default Domino LDAP schema that map
to Domino field types. For example, the LDAP syntax Integer maps to the
field type Number. To see whether a syntax maps to a Domino field, find
the document for the syntax in the Schema database (SCHEMA.NSF),
and compare the LDAP name field to the Notes mapping field.

Object class hierarchy for dominoPerson object class


The dominoPerson object class, which maps to the Person form in the
Domino Directory, is part of this object class hierarchy:
top
  person
    organizationalPerson
      inetOrgPerson
        dominoPerson


Object class hierarchy for dominoGroup object class


The dominoGroup object class, which maps to the Group form in the
Domino Directory, is part of this object class hierarchy:
top
  groupOfNames
    dominoGroup
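The inheritance rules under "Object classes" above (attributes flow down the hierarchy, an auxiliary class cannot be inherited from and must be attached to each class that uses it, schema checking rejects an entry missing a mandatory attribute) can be modelled directly. The following is an added example, not code from the Domino documentation: it resolves the effective attributes of dominoPerson through the hierarchy just shown and checks an entry against them. The MUST/MAY lists for person, organizationalPerson and inetOrgPerson follow RFCs 2256 and 2798 in abbreviated form; dominoPerson's own attributes are not listed on this page, so it is declared here without any (an assumption), and the badgeInfo auxiliary class is invented for the demonstration.

```python
"""Resolve an object class's attributes through its hierarchy and check an
entry against them, following the object class rules described above.

Added example; not code from the Domino documentation. Attribute lists
are abbreviated; dominoPerson's own attributes are an assumption (none)."""
from dataclasses import dataclass, field
from typing import Optional

ABSTRACT, STRUCTURAL, AUXILIARY = "abstract", "structural", "auxiliary"


@dataclass
class ObjectClass:
    name: str
    kind: str
    superior: Optional[str] = None          # class inherited from; None only for top
    must: frozenset = frozenset()           # mandatory attributes this class adds
    may: frozenset = frozenset()            # optional attributes this class adds
    auxiliaries: set = field(default_factory=set)  # auxiliary classes attached


class Schema:
    def __init__(self) -> None:
        self.classes = {}

    def add_class(self, oc: ObjectClass) -> None:
        if oc.superior is None:
            # Every hierarchy starts from an abstract class such as top.
            if oc.kind != ABSTRACT:
                raise ValueError(f"{oc.name}: only an abstract class may be top-level")
        elif self.classes[oc.superior].kind == AUXILIARY:
            # Attributes of an auxiliary class cannot be inherited; the
            # auxiliary class must be attached to each class that uses it.
            raise ValueError(f"{oc.name} cannot inherit from auxiliary {oc.superior}")
        self.classes[oc.name] = oc

    def attach_auxiliary(self, structural: str, auxiliary: str) -> None:
        if self.classes[auxiliary].kind != AUXILIARY:
            raise ValueError(f"{auxiliary} is not an auxiliary class")
        self.classes[structural].auxiliaries.add(auxiliary)

    def chain(self, name: str) -> list:
        """Class names from the top-level class down to `name`."""
        out = []
        while name is not None:
            out.append(name)
            name = self.classes[name].superior
        return out[::-1]

    def effective(self, name: str):
        """(mandatory, optional) attribute sets for entries of class `name`:
        attributes inherited from every class above it, its own, and those
        of any auxiliary class attached anywhere along the chain."""
        must, may = set(), set()
        for cls in self.chain(name):
            contributors = [cls]
            for aux in self.classes[cls].auxiliaries:
                contributors += self.chain(aux)
            for c in contributors:
                must |= self.classes[c].must
                may |= self.classes[c].may
        return must, may

    def check_entry(self, object_class: str, entry: dict) -> list:
        """Schema checking as enforced on an LDAP add or modify: every
        mandatory attribute present, no attribute outside MUST and MAY."""
        must, may = self.effective(object_class)
        present = set(entry)
        problems = [f"missing mandatory attribute {a}" for a in sorted(must - present)]
        problems += [f"attribute {a} not allowed by {object_class}"
                     for a in sorted(present - must - may)]
        return problems


def domino_person_schema() -> Schema:
    """The dominoPerson hierarchy shown above, with abbreviated attribute lists."""
    s = Schema()
    s.add_class(ObjectClass("top", ABSTRACT, None, must=frozenset({"objectClass"})))
    s.add_class(ObjectClass("person", STRUCTURAL, "top", must=frozenset({"cn", "sn"}),
                            may=frozenset({"userPassword", "telephoneNumber", "description"})))
    s.add_class(ObjectClass("organizationalPerson", STRUCTURAL, "person",
                            may=frozenset({"title", "ou", "postalAddress"})))
    s.add_class(ObjectClass("inetOrgPerson", STRUCTURAL, "organizationalPerson",
                            may=frozenset({"employeeNumber", "mail", "uid"})))
    # dominoPerson's own attributes are not listed on this page (assumption: none).
    s.add_class(ObjectClass("dominoPerson", STRUCTURAL, "inetOrgPerson"))
    return s


if __name__ == "__main__":
    s = domino_person_schema()
    entry = {"objectClass": ["dominoPerson"], "cn": "Ann Example", "employeeNumber": "1"}
    print(s.check_entry("dominoPerson", entry))          # sn is mandatory via person
    # Attributes shared by several structural classes go in an auxiliary class
    # (badgeInfo is invented here) that is attached, not inherited.
    s.add_class(ObjectClass("badgeInfo", AUXILIARY, "top", may=frozenset({"badgeNumber"})))
    s.attach_auxiliary("dominoPerson", "badgeInfo")
    print(s.effective("dominoPerson"))
```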

The schema daemon


When the LDAP service runs on a server, it spawns a schema daemon
that runs at regular intervals. The schema daemon running on the
administration server for the Domino Directory implements schema
changes and propagates the changes to other (subordinate) servers in the
domain that run the LDAP service. The schema daemon running on each
subordinate server updates its LDAP service with the schema changes
propagated from the administration server. The Domino LDAP Schema
database (SCHEMA.NSF) is the vehicle for propagating the schema
changes.
The schema daemon ensures that each LDAP service running in the
domain uses a schema that is up-to-date and consistent across servers.
The schema daemon runs when the LDAP service first starts, and then
after that at 15-minute intervals by default.
For information on NOTES.INI settings that are available to control the
schema daemon, see the topic NOTES.INI settings related to the schema
daemon later in this chapter.
The LDAP service runs by default on the administration server for the
Domino Directory. The schema daemon spawned by the LDAP service
on the administration server does the following to maintain the schema
for the domain:

1. Creates the Domino LDAP Schema database (SCHEMA.NSF) from the
SCHEMA.NTF template (the first time the schema daemon runs in this
release, and subsequently if the Schema database is ever deleted).
Note Be sure the administration server for the Domino Directory is the
first server in the domain you upgrade to Lotus Domino 6 so that it is
the server that first creates the Schema database.

2. Builds the schema for the domain into memory by loading information
from the following files:
• LDAP-standard schema elements from the local LSCHEMA.LDIF file; these elements do not change.
• Forms and fields from the primary Domino Directory, which supply the Domino-specific schema elements, and optionally, extended schema elements added as forms and fields. For performance reasons, this step is done only once every 24 hours by default. You can use the NOTES.INI setting Schema_Daemon_Reloadtime to change the default interval.
• Schema elements from the Extended Documents view of its local Domino LDAP Schema database.
Note If the schema daemon finds the same schema element defined in
more than one of these files, it uses this order of precedence to
determine which definition to use: 1) LSCHEMA.LDIF, 2) Domino
Directory, 3) Schema database.
3. The first time it runs, publishes the schema in memory to disk in the
All Schema Documents view of the Schema database. Subsequently,
it compares its in-memory schema to the on-disk schema published
in the Schema database, and if the two schemas are different, the
daemon updates the All Schema Documents view of the Schema
database with the more recent in-memory schema. For performance
reasons, this step is done only once every 24 hours by default. You
can use the NOTES.INI setting Schema_Daemon_Resynctime to
change the default interval.
4. Replicates its local Schema database with replicas on subordinate
servers that run the LDAP service if the contents of the two replicas
are different. This replication occurs without the use of Connection
documents immediately after step 3 is complete. If a subordinate
server does not yet have a local replica of the Schema database, the
schema daemon on the administration server creates one on the
subordinate server.
The schema daemon on each subordinate server in the domain that runs
the LDAP service does the following:
1. Replicates information from the replica of the Schema database on
the administration server for the Domino Directory to its local
Schema database if the two replicas are different.
If the subordinate server doesn't yet have a local replica of the
Schema database and the administration server is running, it pulls a
replica from the administration server. If the administration server is
unavailable, the subordinate server uses a local LSCHEMA.LDIF file
and Domino Directory forms to determine the schema until the
administration server is available.
2. The first time it runs, loads the schema published on disk in the All
Schema Documents view of its local Schema database into memory.
Subsequently, it compares its in-memory schema to the on-disk
schema published in its local Schema database. If the two are
different, updates its in-memory schema with the more recent
schema published in the local Schema database.
Tip Use the server command Tell LDAP ReloadSchema to manually
initiate the steps described above.
[Figure: how the schema is loaded and propagated. On the administration
server for the Domino Directory, the LDAP service loads the schema from
the LDAP-standard elements (LSCHEMA.LDIF), the Domino-specific and
extended elements (NAMES.NSF), and the extended elements (SCHEMA.NSF).
SCHEMA.NSF replicates to each subordinate server, where the LDAP service
loads the schema from its local replica.]

Domino LDAP Schema database

Administrators use the Schema database to learn about the schema and
to extend the schema. Administrators can access the Schema database
from a Lotus Notes Release 5, Lotus Notes 6, or Web browser client, and
can use the Schema database to extend the schema from a Lotus Notes 6
or Web browser client.
SCHEMA.NSF replaces the Domino Release 5 SCHEMA50.NSF database.
For more upgrade information, see the Upgrade Guide.

The schema daemon spawned by the LDAP service running on the


administration server for the Domino Directory creates the Domino
LDAP Schema database (SCHEMA.NSF). Subordinate servers within the
domain that run the LDAP service automatically get a replica of this
database. The Schema database is the vehicle used to propagate schema
changes to all the servers in the domain that run the LDAP service.

Views in the Schema database


The Domino LDAP Schema database (SCHEMA.NSF) includes these views:
• All Schema Documents
• Extended Documents
• Pending Documents
• Draft Documents
Each of these views includes sub-views for object classes, attributes, and
syntaxes.
All Schema Documents view
The All Schema Documents view contains a document for each element
defined in the schema. It also contains documents for draft schema
elements awaiting administrator approval and pending schema elements
awaiting processing by the schema daemon on the administration server
for the Domino Directory.
Extended Documents view
The Extended Documents view shows a document for each extended
object class, attribute, and syntax added using the Schema database and
incorporated into the schema by the schema daemon running on the
administration server for the Domino Directory.
The Extended Documents view does not show schema extensions made
by adding forms and fields to the Domino Directory. Only the All
Schema Documents view shows new schema elements defined by new
Domino Directory forms and fields.
Pending Documents view
The Pending Documents view shows a document for each object class,
attribute, and syntax that an administrator has added using the Schema
database and approved that is awaiting processing by the schema
daemon on the administration server for the Domino Directory.
In the All Schema Documents view, a green check mark icon indicates a
pending schema element.
Draft Documents view
The Draft Documents view shows a document for each new object class,
attribute, and syntax that an administrator has added using the Schema
database, but has not yet approved.
In the All Schema Documents view, an hourglass icon indicates a draft
schema element.

Using the Schema database to view the schema


The Domino LDAP Schema database (SCHEMA.NSF) contains
information about each attribute, syntax, and object class defined in the
schema. You can also retrieve the entire schema by doing an LDAP
search of the schema entry; however, the Schema database provides
schema information in an easy-to-read format.
Viewing information about an attribute defined in the schema
1. Open the Schema database (SCHEMA.NSF) on any server in the
domain that runs the LDAP service.
2. Select the All Schema Documents - LDAP Attribute Types view.
3. Open a document to view information about a specific attribute. Any
document without an icon next to it in the view is an attribute
defined in the schema.
For information about the fields in Attribute documents, see the topic
Using the Schema database to add an attribute to the schema later in
this chapter.
Viewing information about an object class defined in the schema
1. Open the Schema database (SCHEMA.NSF) on any server in the
domain that runs the LDAP service.
2. Select the All Schema Documents - LDAP Object Classes view.
3. Open a document to view information about a specific object class.
Any document without an icon next to it in the view is an object class
defined in the schema.
Tip To determine which object classes use a particular attribute, do a
full text search for the attribute from the All Schema Documents - LDAP
Object Classes view.
For information about the fields in Object Class documents, see the topic
Using the Schema database to add an object class to the schema later in
this chapter.

Viewing information about a syntax defined in the schema
1. Open the Schema database (SCHEMA.NSF) on any server in the
domain that runs the LDAP service.
2. Select the All Schema Documents - LDAP Syntaxes view.
3. Open a document to view information about a specific syntax. Any
document without an icon next to it in the view is a syntax defined in
the schema.
For information about the fields in Syntax documents, see the topic Using
the Schema database to add a syntax to the schema later in this chapter.

Methods for extending the schema


Extending the schema refers to adding elements to the schema, usually
object classes and attributes. The default schema comes with many object
classes and attributes that are ready to be used for entries. Before you
extend the schema, see if there are existing elements in the default
schema that you might use instead of extending the schema. For
example, if you need an additional attribute for the dominoPerson object
class, evaluate if you can use an attribute already defined for
dominoPerson.
If the default schema does not contain the attributes you need, add
custom elements.
There are two methods available for extending the schema: using the
Domino LDAP Schema database (SCHEMA.NSF) or using the Domino
Directory to add forms and fields.
Note Modifying the file LSCHEMA.LDIF that is provided with Domino
is not supported as a method for extending the schema. This file is used
to define the LDAP-standard object classes in the default Domino LDAP
schema.

Schema database
You can use the Domino LDAP Schema database (SCHEMA.NSF) to
extend the schema. The Schema database:
• Provides an easy-to-use interface for extending the schema
• Has built-in error checking that ensures valid schema elements
• Supports the creation of draft schema elements, which you can consider and modify before approving them as part of the schema
• Simplifies the creation of object class hierarchies
• Allows you to assign object identifiers (OIDs) associated with your organization to the elements you add
• Allows you to define LDAP characteristics for attributes, such as matching rules, and to define any standard LDAP syntax for an attribute.

An object class that you add to the schema using the Schema database
does not map to a form in the Domino Directory. Therefore, to add
entries defined by these schema elements to the directory, administrators
must use LDAP operations, and the entries are accessible only via LDAP,
and are not visible to Notes and Web users.


Domino Directory
You can extend the schema by adding forms, subforms, and fields to the
Domino Directory. This method allows Notes and Web users to create
and view entries that use the new schema elements as documents, while
also enabling LDAP user access to the entries. This method is more time
consuming than using the Schema database, and must be done carefully
to avoid mistakes in schema definition.
For information on using the Domino Directory to extend the schema, see
the appendix Customizing the Domino Directory.

Guidelines for extending the schema


Regardless of the method you use to extend the schema, follow these
guidelines:
1. See if there is an object class, attribute, or syntax defined in the
default schema you can use rather than adding a new one.
2. Don't define multiple attributes to store the same type of
information. Instead add one attribute, and define the attribute in an
auxiliary object class that multiple structural object classes use.
3. Don't edit existing schema elements. For example, don't remove
attributes from, or add attributes to, an existing object class. You can
delete a custom object class that is no longer needed as long as you
are sure no one is using it.
4. When possible, create object classes that define attributes as optional
rather than mandatory, so the schema is flexible.
5. After you extend the schema, configure LDAP access to the new
schema elements. For example, if you want anonymous LDAP users
to access a new attribute, make sure you enable the attribute for
anonymous access.
For more information on controlling LDAP access, see the chapter
Setting Up the LDAP Service.


Extending an existing object class


How you add attributes to an object class in the default schema depends
on whether or not the attributes should apply to another object class as
well. If the attributes apply to only one object class, add the attributes to
a new structural object class and have the new object class inherit from
the object class you want to extend. For example, to extend object class A
which is part of the default schema, add attributes to a new structural
object class, B, and define object class B to inherit from A.

If the attributes will apply to more than one structural object class, add
them to a new auxiliary object class and then add the auxiliary object
class to each structural object class that will use the attributes.
For example, suppose you want to add the same attributes to object
classes A and B, both part of the default schema. Add the attributes to a
new auxiliary object class C, then add C to A and B.
Note To add a new type of entry to the directory, typically you create a
new structural object class that inherits from top.
Registering an object identifier (OID) for your organization
When you use the Domino LDAP Schema database to add a new element
to the schema, you must specify an OID for the element. To do this, your
organization should have a registered OID prefix which is used as the
root of all the OIDs you assign to your schema elements. An OID is a
unique series of numbers assigned to a schema element. For example, in
the Domino schema, the dominoPerson object class has the following
OID assignment:
2.16.840.1.113678.2.2.2.1.1.
A registered OID prefix begins with one of the following numbers:
• 0 if assigned by the International Telecommunication Union (ITU)
• 1 if assigned by the International Organization for Standardization (ISO)
• 2 if assigned jointly by the ITU and ISO.
This number is then followed by a series of numbers that uniquely
identify an organization.
When you create a schema element, assign it the OID prefix registered
for your organization, followed by an additional number that uniquely
identifies the element within the schema.
For more information on OIDs or to request a prefix for your
organization, go to the IANA (Internet Assigned Numbers Authority)
Web site: http://www.iana.org.
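The OID rules just described, together with the guideline not to edit existing elements, can be checked before a draft element is approved. The following is an added example, not code from the Domino documentation: it validates a proposed element's LDAP name and OID against an organization prefix and the elements already in the schema, and allocates the next free arc under the prefix. The prefix 1.3.6.1.4.1.99999 is a placeholder rather than a registered arc, and the only pre-existing OID used is the dominoPerson OID quoted above; the name rule (letters, digits and hyphens, no spaces) is this chapter's requirement for attribute names applied to all elements.

```python
"""Validate the LDAP name and OID of a schema element before it is added
through the Schema database, and allocate OIDs under the organization's
registered prefix.

Added example; not code from the Domino documentation. ORG_PREFIX is a
placeholder, not a registered arc."""
import re

# An OID is dotted decimal; the first arc is 0 (ITU), 1 (ISO) or 2 (joint ITU/ISO).
_OID = re.compile(r"^[012](\.(0|[1-9][0-9]*))+$")
# LDAP name: ASCII letters, digits and hyphens, no spaces.
_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

ORG_PREFIX = "1.3.6.1.4.1.99999"   # placeholder for your registered prefix
EXISTING = {                       # element name -> OID already in the schema
    "dominoPerson": "2.16.840.1.113678.2.2.2.1.1",  # quoted above
}


def validate_element(name: str, oid: str, existing: dict = EXISTING,
                     org_prefix: str = ORG_PREFIX) -> list:
    """Return the problems that would make this element unacceptable."""
    problems = []
    if not _NAME.match(name):
        problems.append("name must contain only ASCII letters, digits and hyphens")
    if name in existing:
        problems.append("name already defined; existing schema elements must not be edited")
    if not _OID.match(oid):
        problems.append("OID must be dotted decimal beginning with 0, 1 or 2")
    elif not oid.startswith(org_prefix + "."):
        # The element's OID is the registered prefix plus at least one more arc.
        problems.append("OID is not under the organization's registered prefix")
    if oid in existing.values():
        problems.append("OID already assigned to another schema element")
    return problems


def next_oid(org_prefix: str = ORG_PREFIX, existing: dict = EXISTING) -> str:
    """Lowest unused arc directly under the prefix, e.g. prefix.3 when
    prefix.1 and prefix.2.5 are already taken."""
    used = set()
    for oid in existing.values():
        if oid.startswith(org_prefix + "."):
            used.add(int(oid[len(org_prefix) + 1:].split(".")[0]))
    arc = 1
    while arc in used:
        arc += 1
    return f"{org_prefix}.{arc}"


if __name__ == "__main__":
    print(validate_element("badgeNumber", next_oid()))      # []
    print(validate_element("badge number", "2.16.840.1.113678.2.2.2.1.1"))
```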


Extending the schema using the Schema database


You can use the Domino LDAP Schema database to extend the schema by:
• Adding attributes to the schema
• Adding object classes to the schema
• Adding syntaxes to the schema

When you use the Schema database to create a new schema element, you
first create a draft document for the element. You approve the draft
document when you are ready, and the document then moves from the
Draft Documents view to the Pending Documents view, where it awaits
processing by the Schema daemon on the administration server for the
Domino Directory. The Schema daemon on the administration server
incorporates the changes into the schema and publishes them in the
Schema database. The Schema database then replicates to subordinate
servers in the domain that run the LDAP service.
To use the Schema database to extend the schema, you must use one of
the following clients:
• Lotus Notes 6
• Lotus Domino Administrator 6
• Netscape Navigator with Java applets and Java scripts enabled
• Microsoft Internet Explorer with Java applets and Java scripts enabled

Using the Schema database to add an attribute to the schema

You can use the Domino LDAP Schema database (SCHEMA.NSF) to add
an attribute to the schema:
1. Make sure you have Manager access to the Schema database.
2. Open the Schema database (SCHEMA.NSF) on any server in the
domain that runs the LDAP service.
3. Select the All Schema Documents view, then click New Document - Add Attribute Type.
4. Complete these fields on the Basics tab:

   LDAP name
      Enter a name for the attribute. The name can contain only ASCII
      characters and hyphens. Do not include a space in the name.
   OID
      Enter the object identifier.
   Syntax name
      Select a syntax defined in the schema for the new attribute, then
      click OK. The Syntax type field automatically displays the OID for
      the selected syntax.
   Description
      (Optional) Enter a description for the attribute.
   Equality match
      (Optional) Select a matching rule to apply when the equality
      operator is used to search for this attribute.
   Ordering match
      (Optional) Select a matching rule to apply when an ordering
      operator is used to search for this attribute.
   Substrings match
      (Optional) Select a matching rule to apply when a substring
      operator is used to search for this attribute.
   Single valued
      Choose one:
      Yes to allow more than one value for the attribute (default)
      No to allow only one value
   Collective
      Choose one:
      Yes to allow the values for this attribute to be shared
      No to prevent values from being shared (default)
   No user modification
      Choose one:
      Yes to prevent users from modifying the values
      No to allow users to modify values (default)

   For more information, see RFCs 2252 and 2256.
5. Click Save & Close. A draft document for the new attribute appears
in the Draft Documents - Draft Attribute Types view.
6. Complete the procedure "Approving draft schema documents in the
Schema database."

Using the Schema database to add an object class to the schema

You can use the Domino LDAP Schema database (SCHEMA.NSF) to add
an object class to the schema:
1. Make sure you have Manager access to the Schema database.
2. Open the Schema database on any server in the domain that runs the
LDAP service.
3. Select the All Schema Documents view, then click New Document - Add Object Class.
4. Complete these fields on the Basics tab:

   LDAP name
      Enter a name for the object class.
   OID
      Enter the object identifier.
   Object Class Type
      Select the type of object class.
   Superior Object Class
      (Optional) Select the object class that is immediately superior to
      this one in the object class structure.
   Auxiliary Object Classes
      (Optional) If this is a structural object class, select each
      auxiliary object class to use with this object class.
   Description
      (Optional) Enter a description for the object class.
   Mandatory attributes
      Select the attributes that are required to have values. You can't
      remove mandatory attributes displayed that are inherited from a
      superior object class.
   Optional Attributes
      Select any attributes that may, but are not required to, have
      values. You can't remove optional attributes displayed that are
      inherited from a superior object class.

5. Click Save & Close. A draft document for the new object class
appears in the Draft Documents - Draft Object Classes view.
6. Complete the procedure "Approving draft schema documents in the
Schema database."

Using the Schema database to add a syntax to the schema

You can use the Domino LDAP Schema database (SCHEMA.NSF) to add
a syntax to the schema:
1. Make sure you have Manager access to the Schema database.
2. Open the Schema database on any server in the domain that runs the
LDAP service.
3. Select the All Schema Documents view, then click New Document - Add Syntax.
4. Complete these fields on the Basics tab:

   LDAP name
      Enter a name for the syntax type.
   OID
      Enter the object identifier.

   For more information on syntaxes, see RFC 2252.
5. Click Save & Close.
6. Complete the procedure "Approving draft schema documents in the
Schema database."

Approving draft schema elements in the Schema database


When you use the Domino LDAP Schema database (SCHEMA.NSF) to
add a schema element, the Draft Documents and All Schema Documents
views display a draft document for the element. Follow these steps to
approve draft schema elements to move them to the Pending Documents
view, so the schema daemon on the administration server for the Domino
Directory can incorporate them into the schema:
1. Make sure you have Manager access to the Schema database.
2. Open the Schema database on any server in the domain that runs the
LDAP service.
3. Look at the Draft Documents views to see a draft document for each
schema element added but not yet approved.
4. Review the draft documents, and make any final changes.
5. When you are ready to approve the changes, do one of the following:
   - To approve only selected draft documents, select a specific Draft
     Documents view, select the draft documents you are ready to
     approve, and click Approve - Approve Selected Drafts.
   - To approve all draft documents, select any Draft Documents view,
     and click Approve - Approve All Drafts.
The documents you approve move to the Pending Documents views. If
you used a replica of the Schema database on a subordinate server to
approve the schema documents, the documents in the Pending
Documents views must replicate to the administration server for the
Domino Directory. When the schema daemon next runs on the
administration server it verifies the elements in the Pending Documents
views and then publishes them in the Schema database. The updated
Schema database then replicates to subordinate servers in the domain
that run the LDAP service.

Checking the status of approved schema elements in the Schema database

Every 15 minutes (by default) the schema daemon on the administration
server for the Domino Directory looks for approved schema changes in
the Pending Documents views of the Domino LDAP Schema database.
To check the status of pending schema changes in the Schema database:
1. Open the Schema database (SCHEMA.NSF) on the administration
server for the Domino Directory.
2. Open the Extended Documents view; any documents here represent
schema elements that have been incorporated into the schema.
3. Open the Pending Documents view; any documents here represent
schema elements the schema daemon has not yet incorporated into
the schema.
Tip Use the Tell LDAP Reloadschema server command on the
administration server for the Domino Directory to manually initiate
processing of the schema changes in the Pending Documents view rather
than wait for the schema daemon to run on schedule.

Deleting schema elements from the Schema database

If you use the Domino LDAP Schema database (SCHEMA.NSF) to add
an element to the schema, you can delete that element if it is no longer
needed. After you delete an element, entries already in the directory with
values for the deleted element remain, but LDAP add and modify
operations can no longer specify the deleted element if schema-checking
is enabled.
Note that deleting an object class does not delete the attributes defined
for the object class. If you want to delete the attributes, you must do so
separately.
To delete an attribute, object class, or syntax shown in the Extended
Documents, Draft Documents, or Pending Documents view of the
Schema database:
1. Make sure you have Manager access in the database ACL with the
Delete documents privilege.
2. Open the Schema database on the administration server for the
Domino Directory.
3. Open the Extended Documents, Draft Documents, or Pending
Documents view that contains the schema element to be deleted.
4. Delete the schema element.
5. If you deleted a document from the Extended Documents view, on
the administration server for the Domino Directory restart the LDAP
task, so the schema daemon loads the schema changes into memory:
Restart Task LDAP
6. If you deleted a document from the Extended Documents view and
the LDAP service also runs on a subordinate server in the domain,
after the Schema database changes replicate to the subordinate
server, restart the LDAP task on the subordinate server:
Restart Task LDAP

Schema-checking

When schema-checking is enabled the LDAP service carries out LDAP
add and modify operations only if the operations conform to the schema.
Schema-checking is enabled by default, and it's best to keep this default
behavior if you allow write access to a directory, so you have better
control over the contents of the directory. When schema-checking is
enabled the LDAP service does the following to check that LDAP add
and modify operations comply with the schema:

- Verifies that each object class specified in an LDAP add operation is
  defined in the schema.
- Verifies that attributes specified in LDAP add and modify operations
  are associated with valid object classes for the entry.
- Verifies that during an LDAP add operation all mandatory
  attributes required by the object classes for the entry are provided.

If any of these checks fail, the LDAP service aborts the operation and
returns the message "Object Class Violation."
Schema-checking is done only for LDAP add and modify operations and
not when Notes and Web users add and change documents in a Domino
Directory.
Note Whether or not you enforce schema-checking, the LDAP service
requires that each directory tree component specified in a distinguished
name during an add or modify DN operation corresponds to an entry in
the directory. For example, to add an entry with the distinguished name
uid=JDoe, o=Acme, there must be an entry in the directory for
o=Acme.
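The three checks above and the note's requirement that each tree component of a DN already exist, applied to add and modify requests as an added example that is not part of this guide or of the Domino LDAP service. The object classes in SCHEMA, the entries and the DNs are constructed toy data, not the Domino schema.

```python
"""Schema-checking of LDAP add and modify requests, modelled on the three
checks listed above.  Added example, not Domino code; toy schema below."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

@dataclass(frozen=True)
class ObjectClass:
    name: str
    superior: Optional[str]               # immediately superior object class
    must: FrozenSet[str]                  # mandatory attributes
    may: FrozenSet[str] = frozenset()     # optional attributes

# Constructed toy schema keyed by lowercase class name (not the Domino schema).
SCHEMA: Dict[str, ObjectClass] = {
    "top": ObjectClass("top", None, frozenset({"objectclass"})),
    "person": ObjectClass("person", "top", frozenset({"cn", "sn"}),
                          frozenset({"telephonenumber", "description"})),
    "organization": ObjectClass("organization", "top", frozenset({"o"}),
                                frozenset({"description"})),
}

class ObjectClassViolation(Exception):
    """Raised where the LDAP service would return 'Object Class Violation'."""

def allowed_attributes(object_classes: List[str]) -> Tuple[Set[str], Set[str]]:
    """(mandatory, allowed) attribute names for the classes and their
    superiors.  Check 1: every class named must be defined in the schema."""
    must: Set[str] = set()
    may: Set[str] = set()
    for name in object_classes:
        seen: Set[str] = set()
        current: Optional[str] = name
        while current is not None and current.lower() not in seen:
            key = current.lower()
            if key not in SCHEMA:
                raise ObjectClassViolation(f"object class {current!r} not in schema")
            seen.add(key)
            must |= SCHEMA[key].must
            may |= SCHEMA[key].may
            current = SCHEMA[key].superior
    return must, must | may

def check_add(entry: Dict[str, List[str]]) -> bool:
    """Validate an add operation; attribute names are case-insensitive."""
    attrs = {k.lower(): v for k, v in entry.items()}
    classes = attrs.get("objectclass", [])
    if not classes:
        raise ObjectClassViolation("add operation names no object class")
    mandatory, allowed = allowed_attributes(classes)
    unknown = set(attrs) - allowed                    # check 2
    if unknown:
        raise ObjectClassViolation(f"{sorted(unknown)} not valid for {classes}")
    missing = mandatory - set(attrs)                  # check 3 (add only)
    if missing:
        raise ObjectClassViolation(f"mandatory {sorted(missing)} missing")
    return True

def check_modify(existing: Dict[str, List[str]], added: Dict[str, List[str]]) -> bool:
    """Validate attributes a modify operation adds, against the object classes
    already on the entry (checks 1 and 2; check 3 applies only to add)."""
    current = {k.lower(): v for k, v in existing.items()}
    _, allowed = allowed_attributes(current.get("objectclass", []))
    unknown = {a.lower() for a in added} - allowed
    if unknown:
        raise ObjectClassViolation(f"{sorted(unknown)} not valid for the entry")
    return True

def result_of_add(entry: Dict[str, List[str]]) -> str:
    """'OK', or the message the LDAP service returns when a check fails."""
    try:
        check_add(entry)
        return "OK"
    except ObjectClassViolation:
        return "Object Class Violation"

def result_of_modify(existing: Dict[str, List[str]], added: Dict[str, List[str]]) -> str:
    try:
        check_modify(existing, added)
        return "OK"
    except ObjectClassViolation:
        return "Object Class Violation"

def _normalize_dn(dn: str) -> List[str]:
    # Naive split on commas; escaped commas inside RDN values are not handled.
    return [part.strip().lower() for part in dn.split(",")]

def ancestors_exist(dn: str, existing_dns: List[str]) -> bool:
    """The note above: each tree component named in the DN of an add or
    modify DN operation must correspond to an existing entry."""
    known = {",".join(_normalize_dn(d)) for d in existing_dns}
    parts = _normalize_dn(dn)
    return all(",".join(parts[i:]) in known for i in range(1, len(parts)))
```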


Schema-checking and directory assistance


The schema defined for the domain of the server running the LDAP
service is the basis for schema-checking. If the LDAP service uses
directory assistance to serve a secondary Domino directory or Extended
Directory Catalog for which LDAP write operations are enabled, the
LDAP service uses the schema defined for its own domain to determine
whether or not to allow write operations in the directory served through
directory assistance.

Enabling or disabling schema-checking


To disable or enable schema-checking for all the servers in the domain
that run the LDAP service:
1. From the Domino Administrator, open a server that runs the LDAP
service, or a server in the same domain as one that runs the LDAP
service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select
Settings.
4. Do one of the following:
   - If you see the prompt "Unable to locate a Server Configuration
     document for this domain. Would you like to create one now?" click
     Yes, then click the LDAP tab on the document.
   - If you do not see the prompt, click Edit LDAP Settings.
5. In the Enforce schema? field, choose one:
   - Yes, to enable schema-checking (default)
   - No, to prevent schema-checking
6. Click Save & Close.

Searching the root DSE and schema entry

The LDAP service supports schema-publishing, which means the
directory includes a schema entry that you can use to retrieve the
directory schema. Use the ldapsearch utility provided with Notes and
Domino or use another LDAP V3-compliant LDAP search tool to search
the root directory server entry (DSE) to determine the name of this
schema entry and to retrieve other information about the Domino LDAP
directory, for example, to retrieve the LDAP versions, extensions, and
controls supported.
For information on using the ldapsearch utility to search an LDAP
directory, see the chapter "Using the ldapsearch Utility."
When you search the root DSE or the schema entry you can specify
whether to return values for operational attributes. An operational
attribute is an attribute that is used for directory administration.

Searching the root DSE

To search the root DSE, use one of the following ldapsearch commands:
- To return the values of all attributes, specify one of the following:
  ldapsearch -h hostname -b "" -s base "(objectclass=*)"
  ldapsearch -h hostname -b "" -s base "(objectclass=*)" * +
- To return only the values of non-operational attributes, specify:
  ldapsearch -h hostname -b "" -s base "(objectclass=*)" *
- To return only the values of operational attributes, specify:
  ldapsearch -h hostname -b "" -s base "(objectclass=*)" +

Searching the schema entry

To search the schema entry to retrieve the directory schema, use one of
the following ldapsearch commands:
- To return only the values of non-operational attributes, specify:
  ldapsearch -h hostname -b "cn=schema" -s base "(objectclass=subschema)" *
- To return only the values of operational attributes, specify:
  ldapsearch -h hostname -b "cn=schema" -s base "(objectclass=subschema)" +
- To return the values of all attributes, specify:
  ldapsearch -h hostname -b "cn=schema" -s base "(objectclass=subschema)" * +

The easiest way to see the schema is to open the All Schema Documents
view in the Domino LDAP Schema database (SCHEMA.NSF).

NOTES.INI settings related to the schema daemon

The following table contains the NOTES.INI settings that pertain to the
schema daemon.
For more information on these settings, see the NOTES.INI File
appendix.

   DisableLDAPOnAdmin
      Disables the LDAP service for a domain
   Schema_Daemon_Breaktime
      Specifies how often (in seconds) the schema daemon checks the
      status of the LDAP task to see if it should shut down
   Schema_Daemon_Idletime
      Specifies how long (in minutes) the schema daemon remains idle
      after it finishes its tasks
   Schema_Daemon_Reloadtime
      Specifies how often (in hours) the schema daemon on the
      administration server for the Domino Directory loads into memory
      schema changes made using Domino Directory forms
   Schema_Daemon_Resynctime
      Specifies how often (in hours) the schema daemon on the
      administration server for the Domino Directory updates the Domino
      LDAP Schema database when its in-memory schema differs from the
      schema published in the Schema database

Chapter 22
Using the ldapsearch Utility
This chapter describes how to use the ldapsearch utility to search an
LDAP directory.

Using the ldapsearch utility to search LDAP directories

Domino and Notes provide a command-line search utility,
LDAPSEARCH.EXE, that you use to search entries in any LDAP
directory. ldapsearch connects to a directory server and returns results
that match search criteria you specify.
ldapsearch is available on Domino server and Notes client platforms.
Note To use this tool, the NOTES.INI file must be included in your
system's path statement.
To use ldapsearch, enter the following command from the Domino or
Notes program directory:
ldapsearch parameters searchfilter attributes

Where:
- parameters are case-sensitive command-line parameters.
- searchfilter is a required search filter that specifies the attributes for
  which to search.
- attributes are the attributes to return. Separate attributes with spaces.
  If you don't specify one or more attributes to return, ldapsearch
  returns all attributes from entries that match the search filter.

Note If you have a local condensed Directory Catalog that is encrypted,
to run ldapsearch from the Notes program directory, you must specify
the password associated with the Notes ID used to do the encryption.
You do not have to use ldapsearch from a machine that runs the Domino
LDAP service.

Table of ldapsearch parameters

The following table describes the case-sensitive parameters you can use
with ldapsearch.

   -?
      Print help on using ldapsearch.
   -a deref
      Specify alias de-referencing. Enter never, always, search, or find.
      Never is the default if you don't use this parameter.
   -A
      Retrieve only attribute names, not the values for the attributes.
   -b base dn
      Specify a distinguished name to use as the starting point for
      beginning the search. Use quotation marks to specify the value,
      for example: "ou=West,o=Acme,c=US"
      You must use this parameter if the server you're searching
      requires you to specify a search base. Otherwise, it is optional.
      Optionally use -s along with -b to determine the scope of the
      search. Without -s, -b searches the entry specified as the starting
      point and all descendants of the entry.
   -B
      Allow printing of non-ASCII values.
   -D bind dn
      Specify a distinguished name that the server uses to authenticate
      you. The name must correspond to an entry in the directory and
      must have the necessary access to search the directory.
      Specify the name in quotation marks, for example:
      "cn=Directory Manager,o=Acme,c=US"
      If you don't use this parameter, the connection to the server
      occurs anonymously. You must use -D if the server doesn't allow
      anonymous connections.
      Along with -D, you must use the -w parameter to specify a
      password associated with the distinguished name.
   -f file
      Specify a file that contains search filters to use, for example, -f
      filters. Place each search filter on a separate line. ldapsearch
      performs one search for each line. Optionally specify a filter
      pattern. For example, specify -f filters cn=%s and enter a
      common name value on each line in the file.
   -F sep
      Print sep rather than equal sign (=) between attribute names and
      values. Use this parameter, for example, if a tool that reads the
      ldapsearch output expects a different separator.
   -h host name
      Specify the host name of the server to which you're connecting,
      for example, -h server.acme.com.
   -l timelimit
      Specify a time limit (in seconds) for the search to complete. If you
      do not specify this parameter or if you specify a limit of 0,
      searches can take an unlimited amount of time. ldapsearch never
      waits longer than a search time limit set on the server, however.
   -L
      Specify that the output is in LDIF format. LDIF format uses a
      colon (:) as the attribute delineator rather than an equal sign (=).
      LDIF is useful for adding or modifying many directory entries at
      once. For example, you can import the contents of the output into
      an LDAP-compliant directory.
   -M
      Manage referral objects as normal entries so that ldapsearch
      returns attributes for the referral entries themselves, rather than
      for the entries referred to.
   -n
      Show how a search would be performed, but do not actually
      perform the search.
   -p port
      Specify the port that the server uses. If you don't use this
      parameter, ldapsearch uses port 389.
   -R
      Do not automatically follow search references returned by the
      server. Note that a Netscape Directory server uses the term
      "referrals" for search references.
   -s scope
      Specify the scope of the search when you use the -b parameter:
      - base to search only the entry specified with the -b parameter
      - onelevel to search only the immediate children of the entry
        specified with the -b parameter but not the entry itself
      - subtree to search the entry specified with the -b parameter
        and all of its descendants. This is the default behavior when
        you use -b without -s.
      The order in which you specify -b and -s is unimportant.
   -S attribute
      Sort the results by a specified attribute.
   -z sizelimit
      Specify the maximum number of entries to return. If you don't
      specify this parameter or if you specify a limit of 0, an unlimited
      number of entries are returned. ldapsearch never returns more
      entries than the server allows, however.
   -u
      Specify that ldapsearch return distinguished names in a
      user-friendly format.
   -v
      Specify that ldapsearch run in verbose mode.
   -w password
      Specify the password associated with a distinguished name used
      with the -D parameter.
   -x
      Use with -S to specify that the LDAP server sorts the results
      before returning them. If you use -S without -x, ldapsearch sorts
      the results.

Using search filters with ldapsearch

You must use a search filter to specify the attributes for which to search.
The syntax for a search filter is:
"<attribute> <operator> <value>"

For example, this search filter finds all entries containing Smith as the
value for the sn (surname) attribute:
"sn=Smith"

You can specify any attribute stored in a directory in a search filter. The
following are common attributes used to search for entries about people:
- cn: a person's common name
- sn: a person's last name
- telephonenumber: a person's telephone number
- l: a person's geographic location

You can specify search filters on the ldapsearch command line, or you
can specify them in a file and use the ldapsearch parameter -f to refer to
the file. If you use a file, specify each search filter on a separate line.
Note You can include language tags in a search filter if the LDAP
directory, such as the Domino Directory, supports them. For example:
"givenName;lang-fr=Etienne"

Multiple search filters with boolean operators

You can use multiple search filters and boolean operators. Use this
syntax:
"(operator(filter)(filter))"

For example, use this search filter to find entries with the surname
Browning and the location Dallas:
"(&(sn=Browning)(l=Dallas))"

You can nest boolean operators. For example, use this search filter to find
entries with the surname caneel or givenname alfred in the mail domain
MDN:
"(&(maildomain=MDN)(|(sn=caneel)(givenname=alfred)))"

Table of operators used in ldapsearch search filters

The following table describes the operators you can use in a search filter.

   =
      Find entries that contain an attribute with a value equal to a
      specified value.
      Example: cn=John Browning
   = <string>*<string>
      Find entries that contain an attribute with a value equal to a
      specified substring.
      Examples: cn=John*
                cn=J*Brown
   >=
      Find entries that contain an attribute with a value that is
      numerically or alphabetically greater than or equal to a
      specified value.
      Example: cn>=D
   <=
      Find entries that contain an attribute with a value that is
      numerically or alphabetically less than or equal to a specified
      value.
      Example: roomNumber<=300
   =*
      Find entries that contain a value for a specified attribute,
      regardless of the attribute value.
      Example: sn=*
   ~=
      Find entries that contain an attribute with a value approximately
      equal to a specified value.
      Example: sn~=Brning could return sn=Browning
   &
      Find entries that meet the criteria specified in all search filters.
      Example: (&(cn=John Browning)(l=Dallas))
   |
      Find entries that meet the criteria specified in at least one
      specified search filter.
      Example: (|(cn=John Browning)(l=Dallas))
   !
      Find entries that do not meet the criteria specified in any search
      filter.
      Example: (!(cn=John Browning)(l=Dallas))
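The filter syntax from "Using search filters with ldapsearch" and the operators in the table above, as an added example that is not from this guide or from Domino's ldapsearch: a small parser and evaluator run against a constructed sample directory (ENTRIES). It assumes case-insensitive value matching, treats ~= as a difflib similarity of at least 0.8 (the page does not define Domino's approximate rule), and takes ! as the table describes it (the entry meets none of the listed filters), whereas RFC 2254 allows exactly one filter under !.

```python
"""ldapsearch-style filter evaluation over in-memory entries.  Added example,
not Domino code; covers = substring >= <= =* ~= & | ! and language tags."""
import difflib
import re
from typing import Any, Dict, List, Tuple

Node = Tuple[Any, ...]  # ("and"|"or"|"not", [subs]) or ("item", attr, op, value)
_ITEM_RE = re.compile(r"^([A-Za-z0-9.;-]+)(>=|<=|~=|=)(.*)$", re.S)  # allows ;lang-xx

def parse_filter(text: str) -> Node:
    """Parse a filter written with or without the enclosing parentheses."""
    s = text.strip()
    if not s:
        raise ValueError("empty filter")
    pos, node = _parse(s, 0)
    if pos != len(s):
        raise ValueError(f"trailing characters in filter: {s[pos:]!r}")
    return node

def _parse(s: str, i: int) -> Tuple[int, Node]:
    if s[i] != "(":                       # bare form such as sn=Smith
        return len(s), _parse_item(s[i:])
    j = i + 1
    if j < len(s) and s[j] in "&|!":      # boolean operator with sub-filters
        kind = {"&": "and", "|": "or", "!": "not"}[s[j]]
        j += 1
        subs: List[Node] = []
        while j < len(s) and s[j] == "(":
            j, sub = _parse(s, j)
            subs.append(sub)
        if j >= len(s) or s[j] != ")" or not subs:
            raise ValueError(f"malformed boolean filter at offset {i}")
        return j + 1, (kind, subs)
    k = s.index(")", j)                   # simple item; ValueError if unclosed
    return k + 1, _parse_item(s[j:k])

def _parse_item(text: str) -> Node:
    m = _ITEM_RE.match(text)
    if not m:
        raise ValueError(f"bad filter item: {text!r}")
    attr, op, value = m.group(1).lower(), m.group(2), m.group(3)
    if op == "=" and value == "*":
        op = "present"                    # sn=*  : attribute has any value
    elif op == "=" and "*" in value:
        op = "substring"                  # cn=J*Brown
    return ("item", attr, op, value)

def _substring(actual: str, pattern: str) -> bool:
    parts = pattern.split("*")
    head, tail, mids = parts[0], parts[-1], parts[1:-1]
    if len(actual) < len(head) + len(tail) or not (
            actual.startswith(head) and actual.endswith(tail)):
        return False
    pos, end = len(head), len(actual) - len(tail)
    for mid in mids:                      # middle fragments must appear in order
        idx = actual.find(mid, pos, end)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return True

def _compare(op: str, actual: str, wanted: str) -> bool:
    a, w = actual.lower(), wanted.lower()   # assumption: case-insensitive matching
    if op == "=":
        return a == w
    if op == "substring":
        return _substring(a, w)
    if op == "~=":                          # assumption; the page gives no rule for ~=
        return difflib.SequenceMatcher(None, a, w).ratio() >= 0.8
    try:                                    # >= and <=: numeric when both sides parse
        return float(a) >= float(w) if op == ">=" else float(a) <= float(w)
    except ValueError:
        return a >= w if op == ">=" else a <= w

def matches(node: Node, entry: Dict[str, Any]) -> bool:
    """Entry keys are lowercase attribute names; 'dn' is a string, the rest lists."""
    kind = node[0]
    if kind == "and":
        return all(matches(n, entry) for n in node[1])
    if kind == "or":
        return any(matches(n, entry) for n in node[1])
    if kind == "not":                       # per the table: meets none of the filters
        return not any(matches(n, entry) for n in node[1])
    _, attr, op, value = node
    raw = entry.get(attr, [])
    values = [raw] if isinstance(raw, str) else [str(v) for v in raw]
    return bool(values) if op == "present" else any(_compare(op, v, value) for v in values)

def search(entries: List[Dict[str, Any]], filter_text: str) -> List[str]:
    node = parse_filter(filter_text)      # DNs of matching entries, in directory order
    return [e["dn"] for e in entries if matches(node, e)]

# Constructed sample directory (not real data).
ENTRIES = [
    {"dn": "cn=John Browning,ou=West,o=Acme,c=US", "cn": ["John Browning"],
     "sn": ["Browning"], "l": ["Dallas"], "roomnumber": ["250"]},
    {"dn": "cn=Mike Caneel,ou=West,o=Acme,c=US", "cn": ["Mike Caneel"], "sn": ["Caneel"],
     "l": ["Boston"], "maildomain": ["MDN"], "roomnumber": ["410"]},
    {"dn": "cn=Alfred Smith,ou=East,o=Acme,c=US", "cn": ["Alfred Smith"], "sn": ["Smith"],
     "givenname": ["Alfred"], "givenname;lang-fr": ["Alfred"], "l": ["Dallas"],
     "maildomain": ["MDN"], "roomnumber": ["300"]},
]
```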

Using ldapsearch to return operational attributes

You can use the plus sign (+) with ldapsearch to return all the
operational attributes for entries. Operational attributes are attributes
used for directory administration, and a directory server only returns
them if you request them.
For example, to return all operational attributes for entries with the
common name John Brown, specify:
ldapsearch -h host "cn=John Brown" +

You can use the + syntax only with the directory servers that support the
syntax, such as the Domino LDAP service.
To return a specific operational attribute only, specify the attribute.

Examples of using ldapsearch

The following table provides examples of using the ldapsearch utility.

   Search: All entries on host ldap.acme.com using port 389, and return
   all attributes and values
   Command: ldapsearch -h ldap.acme.com objectClass=*

   Search: Same as above, but return only attribute names
   Command: ldapsearch -A -h ld
   ap.acme.com objectClass=*

   Search: All entries on host ldap.acme.com using port 389, return all
   attributes, and de-reference any aliases found
   Command: ldapsearch -a always -h ldap.acme.com objectClass=*

   Search: All entries on host ldap.acme.com using port 389, and return
   attributes=mail, cn, sn, givenname
   Command: ldapsearch -h ldap.acme.com objectClass=* mail cn sn givenname

   Search: (cn=Mike*) under base ou=West,o=Acme,c=US on host
   ldap.acme.com using port 389, and return all attributes and values
   Command: ldapsearch -b ou=West,o=Acme,c=US -h ldap.acme.com (cn=Mike*)

   Search: One level on host ldap.acme.com using port 389, and return all
   attributes and values
   Command: ldapsearch -s onelevel -h ldap.acme.com objectClass=*

   Search: Same as above, but limit scope to base
   Command: ldapsearch -s base -h ldap.acme.com objectClass=*

   Search: All entries on host ldap.acme.com using port 389; return all
   attributes and values; do not exceed the time limit of five seconds
   Command: ldapsearch -l 5 -h ldap.acme.com objectClass=*

   Search: All entries on host ldap.acme.com using port 389; return all
   attributes and values; do not exceed the size limit of five
   Command: ldapsearch -z 5 -h ldap.acme.com objectClass=*

   Search: All entries on host ldap.acme.com using port 389, binding as
   user cn=John Doe,o=Acme with a password of password, and return
   all attributes and values in LDIF format
   Command: ldapsearch -h ldap.acme.com -D cn=john doe,o=acme -w password -L objectClass=*

   Search: Search the host ldap.acme.com using port 389. All attributes
   that anonymous users are allowed to see are returned for the entry
   cn=John Doe,o=Acme
   Command: ldapsearch -h ldap.acme.com -s base -b cn=john doe,o=acme objectClass=*

   Search: All entries on a different host, bluepages.ibm.com, which is
   configured to listen for LDAP requests on port 391
   Command: ldapsearch -h bluepages.ibm.com -p 391 objectClass=*

   Search: Search bluepages.ibm.com on port 391. Doing a subtree search
   (default) starting in the organization o=ibm for any object type of
   Person who also has an attribute that matches any one of the
   attributes found in the OR filter. There is a timeout value of 300
   seconds and the maximum number of entries to return is set to 1000.
   Only the DN (default) and CN will be returned. (This is a common
   filter for Web applications.)
   Command: ldapsearch -h bluepages.ibm.com -p 391 -b o=ibm -l 300 -z 1000 (&(objectclass=Person)(|(cn=jerry seinfeld*)(givenname=jerry seinfeld*)(sn=jerry seinfeld*)(mail=jerry seinfeld*))) cn

   Search: Search bluepages.ibm.com on port 391 starting at the base entry
   cn=HR Group,ou=Asia,o=IBM with a time limit of 300 seconds and
   asking for all the members of this entry. (Another common filter in
   Web applications to determine group membership.)
   Command: ldapsearch -h bluepages.ibm.com -p 391 -b cn=HR Group,ou=Asia,o=IBM -s base -l 300 (objectclass=*) member

Chapter 23
Setting Up Directory Assistance
This chapter describes directory assistance and how to set up and
monitor directory assistance in your organization.

Directory assistance
Directory assistance is a feature a server can use to look up information
in a directory other than a local primary Domino Directory
(NAMES.NSF). You can configure directory assistance to use a particular
directory for any of these services:
- Client authentication
- Group lookups for database authorization
- Notes mail addressing
- LDAP service searches or referrals

You can set up directory assistance for a remote LDAP directory or a
Domino directory. A remote LDAP directory can be any remote
LDAP-compliant directory, either one on a foreign LDAP directory
server or one on a Domino server that runs the LDAP service.
A Domino directory is a directory created from the PUBNAMES.NTF
template and accessed via NAMELookup calls. Servers can use directory
assistance to do lookups in either local or remote replicas of a Domino
directory. A Domino directory configured for directory assistance can be
a secondary Domino Directory, an Extended Directory Catalog, or a
primary Domino Directory.
- A secondary Domino Directory is any Domino Directory that is not a
  server's primary Domino Directory. A secondary Domino Directory can
  be a directory associated with another Domino domain. A secondary
  Domino Directory can also be a Domino Directory created manually
  from the PUBNAMES.NTF template that is not associated with a Domino
  domain, used, for example, to store and track Web user information.
- An Extended Directory Catalog contains documents aggregated from
  multiple secondary Domino Directories. A server must use directory
  assistance to look up information in an Extended Directory Catalog,
  unless you integrate the Extended Directory Catalog directly into the
  primary Domino Directory.
  For more information, see the topic "Directory assistance for an Extended
  Directory Catalog" later in this chapter.
The primary Domino Directory is the directory a server searches first that
describes the Domino domain of the server. You can set up directory
assistance for a primary Domino Directory, usually to specify which
replicas of primary Domino Directories that servers with Configuration
Directories can use.
For more information, see the topic "Directory assistance for the primary
Domino Directory" later in this chapter.
For information on upgrading directory assistance from Domino Release
4.6 to Domino 6, see the Upgrade Guide.

How directory assistance works

To configure directory assistance, you create a directory assistance
database from the template DA50.NTF, and replicate it to the servers that
will use it. A server must have a local replica of a directory assistance
database to use directory assistance. Then you add the database file
name to the Directory Assistance database name field in the Domino
Directory Server documents of these servers.
You create a Directory Assistance document in the directory assistance
database to describe a particular directory and how it will be used, and
to define how to connect to the directory and to find alternate replicas for
failover. To set up directory assistance for a Domino Directory or an
Extended Directory Catalog, you select Notes in the Domain type
field in the Directory Assistance document. To set up directory assistance
for a remote LDAP directory, you select LDAP in the Domain type
field. You use one Directory Assistance document to configure all the
services for a directory and its replicas.
Each server process that provides directory services and detects a local
directory assistance database configuration loads directory information
configured in the directory assistance database into an internal memory
table. During server startup and thereafter at five-minute intervals each
server process checks for changes to the directory assistance database
configuration and, if it finds any, reloads its internal memory table to
reflect the changes.
To look up names in a Domino Directory or an Extended Directory
Catalog, a server uses NAMELookup calls. To look up names in a remote
LDAP directory, a server uses a gateway feature that translates
NAMELookup calls to LDAP operations, and then translates LDAP
operations back to NAMELookup calls; a Domino server doesn't have
to run the LDAP service to use a remote LDAP directory for directory
services.

Directory assistance services

Before you set up directory assistance, read about the services directory
assistance can provide:

• Client authentication

• Group lookups for database authorization

• Notes mail addressing

• LDAP service searches and referrals

Directory assistance and client authentication

To authenticate a user who is accessing a database on a Domino server
via any of the supported Internet protocols, Web (HTTP), IMAP, POP3,
or LDAP, a server can look up the user's credentials in a directory that
is configured in its directory assistance database. Servers can use X.509
certificate security or name-and-password security for the authentication.

To allow a server to use a directory that is configured in a directory
assistance database for Internet client authentication, do the following in
the Directory Assistance document for the directory:

• On the Basics tab, next to "Make this domain available to", select
"Notes clients and Internet Authentication/Authorization".

• On the Naming Contexts (Rules) tab, enable at least one rule that
corresponds to the distinguished names of the users in the directory
to be authenticated, and next to "Trusted for Credentials", select "Yes".

For example, if your organization registers Web users in a foreign LDAP
directory, when a Web user attempts to access a database on a Domino
Web server, the server can connect to the remote foreign LDAP directory
server to look up the user name and password to do the authentication.

[Figure: A Web client sends an authentication request to a Domino Web
server. The server consults its directory assistance database, whose
document for ldap.acme.com is available for Notes clients and Internet
Authentication/Authorization and has a rule that is "Trusted for
Credentials", and looks up the credentials in the entry for the Web client
in the LDAP directory on ldap.acme.com.]

Note A server can always use a Domino directory in the directory
assistance database for client authentication if the directory is assigned
the same domain as the server's domain, regardless of what selections
you make in these two fields.
For more information on creating rules that are trusted for credentials,
see the topic "Trusted naming rules" later in the chapter.
For information on specifying a domain name for a directory in a
Directory Assistance document, see the topic "Directory assistance and
domain names" later in the chapter.
Note You use an Internet Site document or the Ports - Internet Ports tab
of the Server document to control the types of client authentication an
Internet protocol server allows.
Names accepted for name-and-password authentication
If a server uses name-and-password security to authenticate Internet
clients, you select the types of names that the server can accept from
clients. On the Security - Internet Access tab of the Server document in
the primary Domino Directory, select "More name variations with lower
security" or "Fewer name variations with higher security" (the default).
The selection applies to name-and-password authentication using any
directory, including the primary Domino Directory.
Though a server can accept a name other than a distinguished name from
a client to search for a user's entry in a directory, it is always the user's
distinguished name in the directory entry that the server compares to
trusted rules in the Directory Assistance document to determine whether
to authenticate the client. For example, suppose a user is registered in a
directory with the distinguished name cn=alice browning,o=Acme, but
the user configures the name alice browning on the client. During
authentication, the server searches for an entry that contains the name
alice browning. When it finds the entry, it can only authenticate the client
if cn=alice browning,o=acme matches a trusted naming rule for the
directory.
A user's distinguished name is also used as the basis for access control in
Domino, so you should use users' distinguished names in database
ACLs, in groups used in database ACLs, in access lists in Server
documents, and in Web server File Protection documents.
For more information on name-and-password security, see the chapter
"Setting Up Name-and-Password and Anonymous Access to Domino
Servers."
Encountering duplicate names during client authentication
If a server finds more than one directory entry containing the name
presented by the client that corresponds to a valid distinguished name
for authentication, within one directory or across directories, the server
authenticates the client using the entry with the valid password or X.509
certificate. If more than one such entry has a valid password or X.509
certificate and the same distinguished name, the server authenticates the
user using the first password or X.509 certificate it finds.
Consistent client names and passwords across protocols
If Domino servers authenticate a client over more than one Internet
protocol, for ease of directory administration, create one directory entry
for the client with one name and password that applies to all the
protocols. Then set up the client to use the same name and password for
all protocols.
For example, if a client connects to Domino over HTTP for Web browsing
and over LDAP for directory services, create one directory entry for the
client with a name and password, and set up the client to use the name
and password for both types of connections.

Features available for client authentication using a remote LDAP
directory
The following features are available specifically for client authentication
using a remote LDAP directory:

• Configurable search filters to control the search filter used to look up
names in the remote LDAP directory

• LDAP-to-Domino name mapping to enable users to authenticate
using Notes distinguished names rather than LDAP distinguished
names.

For more information, see the topics "Configuring search filters in a
Directory Assistance document for a remote LDAP directory" and
"Using Notes distinguished names in a remote LDAP directory" later in
the chapter.
Notes client authentication
By default, when a server authenticates a Notes client it does not use
information in Domino Directory Person documents. However, if you
enable the option "Compare Notes public keys against those stored in
Directory" on the Basics tab of the server's Server document, the server
authenticates a Notes user only if the public key presented by the Notes
client matches the public key in the user's Person document.
If a Notes user who connects to a server to authenticate is registered in a
secondary Domino Directory rather than the server's primary Domino
Directory, and the "Compare Notes public keys against those stored in
Directory" option is enabled for the server to which the user connects,
you must select the option "Make this domain available to: Notes clients
and Internet Authentication/Authorization" on a Directory Assistance
document to allow the server to do the public key comparison. This
Directory Assistance document can be for:

• The secondary Domino Directory in which the Notes user is
registered

• An Extended Directory Catalog that aggregates the secondary
Domino Directory in which the Notes user is registered.

Directory assistance and group lookups for database authorization

When a database access control list (ACL) includes a group located in a
server's primary Domino Directory, the server can automatically look up
the members of that group when authorizing a user's database access.
You can store groups used for database authorization in one directory in
addition to the primary Domino Directory. This one additional directory
can be a secondary Domino Directory, an Extended Directory Catalog, or
a remote LDAP directory. Note that if the primary Domino Directory and
the one additional directory both contain a group used for database
authorization with the same name, a server uses the group in the
primary Domino Directory.
To use one additional directory for group authorization, do the following
in the Directory Assistance document for the directory:

• On the Basics tab, next to "Make this domain available to", select
"Notes clients and Internet Authentication/Authorization".

• On the Basics tab, next to "Group Authorization", choose "Yes".

The following figure illustrates looking up groups used for database
authorization in a remote secondary Domino Directory.

[Figure: A Web client used by Allen Kenny/AcmeWeb opens a Notes
database on a Web server; the database ACL includes a group called "Web
Users". The Web server consults its directory assistance database, whose
document for the secondary Domino Directory is available to Notes clients
and Internet Authentication/Authorization and has "Group Authorization"
enabled, and looks up the group members in the secondary Domino
Directory on a directory server, where the "Web Users" group lists Allen
Kenny/AcmeWeb as a member. The secondary Domino Directory could also
be on the Web server.]

Tip Enabling Group Authorization for an Extended Directory Catalog
effectively enables you to store groups used for database authorization in
multiple secondary Domino Directories, as long as you aggregate the
directories into the directory catalog.
A server verifies a client's access to a database after the client
authentication process is complete. You can use different directories for
client authentication and group authorization. For example, you can use
a remote LDAP directory for client authentication, and an Extended
Directory Catalog to look up groups during database authorization.
Note When you enable Group Authorization for a remote LDAP
directory, you can select a custom search filter for servers to use for
searching the groups.
For more information, see the topic "Configuring search filters in a
Directory Assistance document for a remote LDAP directory" later in the
chapter.

Nesting groups used for database authorization

When authorizing database access, a server can search a group that is
nested in a group listed in a database ACL, and search a group nested in
the nested group, and so on, as long as all of the groups are located in the
same directory.
If you enable Group Authorization for a secondary Domino Directory
or an Extended Directory Catalog, a server always searches nested
groups in the directory. If you enable Group Authorization for a
remote LDAP directory, use the "Nested group expansion" option to
control whether a server searches nested groups. Choose "Yes" (the
default) to search nested groups, or "No" to prevent nested group searches.
If there are many nested groups, selecting "No" can improve search
performance.
The restrictions on the location for groups used for database
authorization do not apply to groups used for other purposes. For
example, the Router can search groups in any directory configured for
directory assistance, and can search nested groups even when the nested
groups are located in different directories than their parents.

Directory assistance and Notes mail addressing

You can set up directory assistance on Notes users' mail servers or
directory servers to enable the users to address mail easily to users in a
directory that is not the Domino Directory for their Domino domain. To
enable a directory to be used for Notes mail addressing, on the Basics tab
of the Directory Assistance document for the directory, next to "Make
this domain available to", select "Notes clients and Internet
Authentication/Authorization".
Notes mail addressing using a Domino Directory or Extended
Directory Catalog
To enable Notes users to address mail easily to Notes users registered in
a secondary Domino Directory or to users that have entries aggregated
into an Extended Directory Catalog, you can set up directory assistance
for the directory on the users' mail servers or directory servers. Then, a
Notes user can:

• Use the Select Addresses dialog to browse and select names from
the directory, if the "Mail file location" field in the active Location
document is set to "On server".

• Enter a name of a user or group from the directory and have
type-ahead use directory assistance to find a matching name if the
"Recipient name type-ahead" field in the user's active Location
document is set to "Local then server".

• Press F9 to resolve the address of a user name from the directory; if
the Notes user doesn't resolve the address, either the Notes client
uses directory assistance to resolve the address when the user sends
the mail or, if the client doesn't resolve the address, the Router uses
directory assistance to resolve the address.

The Router also uses directory assistance when routing mail.
For more information on Location documents, see Notes 6 Help.
Note that if a Notes user uses a local Mobile Directory Catalog that
aggregates secondary Domino Directories, name and address lookups of
users in a secondary Domino Directory can occur locally on the client
without the use of directory assistance. Note that type-ahead addressing
never extends to a server on a Notes client set up to use a Mobile
Directory Catalog.
Note A server can always use a Domino directory in the directory
assistance database for Notes mail addressing if the domain specified for
the directory is the same domain as the primary domain for the server;
this is true regardless of whether you select "Make this domain available
to: Notes clients and Internet Authentication/Authorization".
Notes mail addressing using a remote LDAP directory
To enable Notes users to address mail easily to users registered in a
remote LDAP directory, you can set up directory assistance for the
directory on the users' mail servers or directory servers. Then, a Notes
user can press F9 to resolve an address for a name from the LDAP
directory entered in an addressing field of a Notes message. If the user
doesn't resolve the address, either the Notes client uses directory
assistance to resolve the address when the user sends the mail or, if the
client doesn't resolve the address, the Router uses directory assistance to
resolve the address. A Notes client doesn't use type-ahead addressing to
find names in a remote LDAP directory, and Notes users can't use the
Select Addresses dialog box to browse and select names from a remote
LDAP directory.
LDAP accounts compared to directory assistance for Notes mail
addressing using a remote LDAP directory
A Notes client can use an LDAP account in the Personal Address Book to
connect directly to a remote LDAP directory server, without using
directory assistance. Using an LDAP account, a Notes user can search for
addresses in a remote LDAP directory using LDAP-style search queries.
Configure directory assistance to use a remote LDAP directory for Notes
mail addressing, rather than using LDAP accounts, if there are users with
Notes Release 4 clients, since these clients don't support LDAP accounts.
You might also use directory assistance rather than LDAP accounts to
avoid having to maintain the LDAP accounts, for example, if the remote
LDAP directory configuration changes in some way.
For more information on creating accounts in the Personal Address Book,
see Notes 6 Help.
Choosing a preferred mail format for Notes mail addressing using a
remote LDAP directory
If you set up directory assistance so that Notes users can address mail to
users in a remote LDAP directory, use the "Preferred mail format"
option on the LDAP tab of the Directory Assistance document for the
LDAP directory to select the format of the mail address for Notes clients
to use:

• Keep the default selection, "Internet Mail Address", to use the
Internet mail format, for example, jdoe@acme.com, which is the
format used in previous Notes/Domino releases.

• Select "Notes Mail Address" to use Notes-style addressing, for
example, John Doe/Acme@Acme.

If you select "Notes Mail Address", user entries in the remote LDAP
directory must have values for the mailDomain attribute. Typically the
"Notes Mail Address" option is used only in some cases if the remote
LDAP directory is a Domino Directory.

Directory assistance for the LDAP service

If a Domino server runs the LDAP service, you can:

• Set up directory assistance for a Domino Directory or Extended
Directory Catalog so that the LDAP service uses the directory to
process LDAP client operations.

• Set up directory assistance for a remote LDAP directory so that the
LDAP service can refer LDAP clients to the directory when a search
is unsuccessful in any Domino Directory or Extended Directory
Catalog.

Processing LDAP operations using a secondary Domino Directory
or Extended Directory Catalog
The LDAP service can use a secondary Domino Directory or an Extended
Directory Catalog to process LDAP client requests if there is a Directory
Assistance document for the directory in a directory assistance database
that the LDAP service uses, and "LDAP Clients" is selected in the "Make
this domain available to" field on the Basics tab of the document. To
prevent the LDAP service from using a Domino Directory or Extended
Directory Catalog when processing LDAP client requests, do not select
"LDAP Clients" in the Directory Assistance document for the directory.
Naming rules configured for the directories affect which of the
directories the LDAP service uses.
You control LDAP client access separately for each directory that the
LDAP service uses. For example, you can allow anonymous LDAP users
to access specific attributes in one directory, but not in another.
If the Domino Directory or Extended Directory Catalog is remote, the
remote server does not have to run the LDAP service. To process an
LDAP search request using a remote directory, the directory ACL on the
remote server must give the server running the LDAP service Reader
access through a Server group or Server user type entry if either of
the following is true:

• The search request comes from an authenticated LDAP client

• Extended access is enabled on the directory.

Servers typically have this required access through the default access of
the LocalDomainServers and OtherDomainServers groups in the
directory ACL.
The LDAP service does not process write operations to a remote Domino
Directory or Extended Directory Catalog. Instead, it returns the client an
LDAP referral to the administration server for the directory, or if there is
no administration server, the server that stores the remote replica
specified in the directory assistance database. This referral occurs
regardless of whether the remote server runs the LDAP service.
For more information on how naming rules for Domino Directories and
Extended Directory Catalogs configured in the directory assistance
database affect the LDAP service, see the topic "Naming rules and the
LDAP service" later in the chapter. For information on controlling LDAP
access to a directory, see the chapter "Setting Up the LDAP Service."
Note You can also use directory assistance to prevent the LDAP service
from searching its primary Domino Directory.
For more information, see the topic "Using directory assistance to
prevent the LDAP service from searching the primary Domino
Directory" later in the chapter.

LDAP service referrals to a remote LDAP directory

If the LDAP service can't find information for which an LDAP client is
searching in the primary Domino Directory, a condensed Directory
Catalog, or a Domino Directory or Extended Directory Catalog
configured in a directory assistance database, it can refer the client to a
remote LDAP directory. In the Directory Assistance document for the
remote LDAP directory, on the Basics tab, next to "Make this domain
available to", select "LDAP Clients". To prevent the LDAP service from
referring clients to the directory, do not select "LDAP Clients".
To return a referral, the Domino LDAP service uses information in the
Directory Assistance document for the remote LDAP directory. The
referral is compliant with LDAP v3 and includes:

• The URL hostname for the LDAP directory server

• The base distinguished name configured for the directory in the
Directory Assistance document.

• The port the LDAP directory server uses

Note that when returning a referral, the Domino server running the
LDAP service never connects to the remote LDAP directory server.
Some LDAP clients can accept more than one referral so that if the host
name specified in one referral is unavailable, the client can attempt to use
another. By default, for a given search, the LDAP service can refer an
LDAP client to only one remote LDAP directory host name. If there are
LDAP clients that use the LDAP service that can accept more than one
referral, you can use the LDAP service configuration setting "Maximum
number of referrals" to increase the number of referrals that the LDAP
service can return.
For information on how naming rules affect which host names the LDAP
service refers to clients, see the topic "Naming rules and the LDAP
service" later in the chapter.

Directory assistance concepts

Before you set up directory assistance, read about these directory
assistance concepts:

• Naming contexts (rules)

• Domain names

• Directory failover

• Directory assistance for an Extended Directory Catalog

• Directory assistance in conjunction with a condensed Directory
Catalog

• Directory assistance for the primary Domino Directory

• Number of directory assistance databases

Directory assistance and naming rules


When you configure directory assistance for a directory, you define at
least one naming rule that corresponds to the names of users in the
directory. Naming rules are based on the X.500 distinguished name
model. This model uses a directory tree name hierarchy of country (c),
organization (o), and organizational unit (ou) to divide names into parts
that together represent unique locations in the directory tree. This is also
the naming model Domino and Notes have traditionally used.

Each directory assistance naming rule includes six parts, with each part
containing one of the following:

• The name of a specific directory tree branch, for example, the
organization Acme or the organizational unit Sales.

• An asterisk (*) to represent all branches at a specific level in the
directory tree name hierarchy

• A null character (nothing or a single space) to exclude all branches at
a specific level in the directory tree name hierarchy

It's common to assign an all-asterisk rule to a directory (*/ */ */ */ */ *)
to represent all names in a directory. However, if directories
configured in directory assistance use discrete name hierarchies, then it's
useful to define rules for the directories that correspond to the hierarchies,
so servers can target a specific directory when searching for specific
names.
For example, assume Directory A and Directory B are both configured in
a directory assistance database. Names in Directory A fall under o=acme,
c=us, so you specify the rule */ */ */ */ acme/us for it, and the names
in Directory B fall under o=acme,c=fr, so you specify the rule */ */ */ */
acme/fr for it. To find the name cn=jack brown,o=acme,c=fr, a server
searches only Directory B, and not Directory A, and to find the name
cn=joan brown,o=acme,c=us, a server searches only Directory A and not
Directory B.
This type of targeted directory search can occur when:

• A server looks for a hierarchical name in a Notes message address
field to resolve the address

• A server running the LDAP service processes an LDAP client search
operation that specifies a search base.

• A server running the LDAP service processes an LDAP client add,
delete, modify, or compare operation.

• A server looks for a hierarchical logon name an Internet client passes
when logging on to the server to initiate authentication.

For more information on how naming rules affect the LDAP service, see
the topic "Naming rules and the LDAP service" later in the chapter.
To find a flat name, a name without distinguishing parts, or to process an
LDAP search request that doesn't specify a search base, a server ignores
naming rules and searches directories according to the search orders
specified for the directories in the Directory Assistance documents.

Note Some LDAP directories do not use the country (c), organization
(o), and organizational unit (ou) naming model. If you set up directory
assistance for an LDAP directory such as this, use an all-asterisk naming
rule for the directory.

Trusted naming rules

When an Internet client passes a logon name to a server to initiate
authentication, the server looks for the name in a directory configured in
the directory assistance database only if the directory has at least one
configured naming rule that is "Trusted for Credentials", known as a
trusted rule. If the client logon name is hierarchical, the server looks for
the name only in directories with a trusted rule that matches the client
logon name, in addition to the primary Domino Directory. If the client
logon name is flat, for example John Smith, then the server looks for the
name in all directories with a trusted rule.
When a server finds the client logon name in a user entry in a directory,
the server compares the distinguished name assigned to the user entry to
the trusted rule(s) defined for the directory. The server only
authenticates the client if the distinguished name matches a trusted rule.
If you use a remote LDAP directory for client authentication and add
Notes distinguished names to the directory, the Notes distinguished
names, not the original LDAP distinguished names, must match a trusted
rule for the directory.
For more information on using Notes names in a remote LDAP directory,
see the topic "Using Notes distinguished names in a remote LDAP
directory" later in the chapter.

Examples of naming rules


The following table provides examples of naming rules, illustrating how
each rule includes or excludes names such as:

• Marilyn Jenkins/Omega

• Alan Jones/Sales/East/Acme/US

• Randi Bowker/Marketing/East/Acme/US

• Cheryl Lordan/IS/West/Acme/US

• Derek Malone/Accounting/West/Acme/US

• Deborah Jones/West/Acme/US

• Karen Lessing/West/Acme/DE

Rule: */*/*/*/*/*
Includes: All names in the directory
Excludes: No names

Rule: / / */ */Acme/*
Includes: Alan Jones/Sales/East/Acme/US; Randi Bowker/Marketing/East/Acme/US;
Cheryl Lordan/IS/West/Acme/US; Derek Malone/Accounting/West/Acme/US;
Deborah Jones/West/Acme/US; Karen Lessing/West/Acme/DE
Excludes: Marilyn Jenkins/Omega

Rule: / / */West/Acme/*
Includes: Cheryl Lordan/IS/West/Acme/US; Derek Malone/Accounting/West/Acme/US;
Deborah Jones/West/Acme/US; Karen Lessing/West/Acme/DE
Excludes: Marilyn Jenkins/Omega; Alan Jones/Sales/East/Acme/US;
Randi Bowker/Marketing/East/Acme/US

Rule: / / /West/Acme/*
Includes: Deborah Jones/West/Acme/US; Karen Lessing/West/Acme/DE
Excludes: Marilyn Jenkins/Omega; Alan Jones/Sales/East/Acme/US;
Randi Bowker/Marketing/East/Acme/US; Cheryl Lordan/IS/West/Acme/US;
Derek Malone/Accounting/West/Acme/US

Rule: / / */West/Acme/DE
Includes: Karen Lessing/West/Acme/DE
Excludes: Marilyn Jenkins/Omega; Alan Jones/Sales/East/Acme/US;
Randi Bowker/Marketing/East/Acme/US; Cheryl Lordan/IS/West/Acme/US;
Derek Malone/Accounting/West/Acme/US; Deborah Jones/West/Acme/US

Rule: / /IS/West/Acme/*
Includes: Cheryl Lordan/IS/West/Acme/US
Excludes: Marilyn Jenkins/Omega; Alan Jones/Sales/East/Acme/US;
Randi Bowker/Marketing/East/Acme/US; Derek Malone/Accounting/West/Acme/US;
Deborah Jones/West/Acme/US; Karen Lessing/West/Acme/DE

How naming rules relate to directory search orders

To look up a name that corresponds to a naming rule defined in more
than one Directory Assistance document, or to look up a flat name that
doesn't have distinguishing parts, directory assistance uses the
configured search orders for the directories to decide which directory to
use, or which directory to use first.
For example, if the Directory Assistance documents for directory A and
directory B are assigned search orders of 2 and 1, respectively, and both
documents contain only an all-asterisk rule, then directory assistance
searches directory B before directory A.
The Directory Assistance view in the directory assistance database sorts
Directory Assistance documents by their specified search order.
If you don't specify a search order, or if you assign the same search order
to two directories, directory assistance searches the directories in
alphabetical order, according to the value specified in the "Domain
name" field of the Directory Assistance document.
For more information on how Notes and Domino search multiple
directories, see the chapter "Planning Directory Services."

Naming rules and the LDAP service

Naming rules affect how the LDAP service processes LDAP search
operations and LDAP write and compare operations. Naming rules also
define naming contexts for the LDAP service.
For information on directory assistance and the processing of LDAP
service write and compare operations, see the chapter "Setting Up the
LDAP Service." For more information on how the LDAP service uses
directory assistance, see the topic "Directory assistance for the LDAP
service" earlier in the chapter.
How naming rules affect LDAP search operations
An LDAP client can specify a search base when searching a directory. A
search base limits the scope of a search by specifying a point in the
directory tree at which to begin. You use naming rules to define a search
base for a directory. If an LDAP client specifies a search base, the LDAP
service searches a Domino Directory or Extended Directory Catalog
configured in directory assistance only if the directory has a naming
rule that matches the search base. For example, if an LDAP client
specifies the search base ou=sales,o=acme, the LDAP service searches
only Notes directories that have rules such as:
*/ */ */ */ */ *
*/ */ */ */ acme/ *
*/ */ */ sales/ acme/ *
but not Notes directories with rules such as:
*/ */ */ mktg/ acme/ *
*/ */ */ */ org2/ *
*/ */ */ */ acme/ us
Note You can't define a search base for the primary Domino Directory.
If the LDAP service can't find the information for which an LDAP client
is searching in its primary Domino Directory, a condensed Directory
Catalog, or a Domino Directory or Extended Directory Catalog
configured in a directory assistance database, it can refer the client to a
remote LDAP directory.
By default, the LDAP service can refer a client to one LDAP directory
only. If the client specifies a search base, the LDAP service refers the
client only to an LDAP directory that is enabled for LDAP clients and has
a naming rule that matches the search base. If there is more than one
such directory, the LDAP service refers the client to the one with the
lowest search order.
If the client doesn't specify a search base, the LDAP service refers the
client to an LDAP directory that is enabled for LDAP clients, and if there
is more than one, it refers the client to the one assigned the lowest search
order.
If there is more than one host name specified in the Directory Assistance
document for the LDAP directory that the LDAP service picks for a
referral, the LDAP service refers the client to the first host name listed.
If you increase the number of referrals the LDAP service can return to a
client, the LDAP service follows the logic described above to pick the
first directory referral. If there is more than one host name specified in
the Directory Assistance document for this directory, the LDAP service
uses the additional host name(s) as the additional referral(s), up to the
maximum number of referrals the LDAP service configuration allows. If
there is no additional host name specified for the first directory picked
for referrals, then the LDAP service can refer the client to an LDAP
directory with a different Directory Assistance document.
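The six-part rule matching used for the naming-rule table and for LDAP search bases, and the search-order and referral selection described above, as an added Python example that is not part of this manual or of Domino. It assumes that an asterisk matches any value including an absent level, that a blank level requires that level to be absent, that literals compare case-insensitively, that a trailing two-letter component of an abbreviated Notes name is its country, and that unspecified search orders sort last; the Directory Assistance document values and host names in the usage are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of Domino directory assistance naming rules (not product code).
# Assumptions: a rule reads OU4/OU3/OU2/OU1/O/C; "*" matches any value including an
# absent level; a blank level requires that level to be absent; literals compare
# case-insensitively; a trailing two-letter component of a Notes name is the country.


def parse_rule(rule: str) -> list:
    """Split a rule such as '/ / */West/Acme/*' into its six stripped parts."""
    parts = [p.strip() for p in rule.split("/")]
    if len(parts) != 6:
        raise ValueError(f"a naming rule has six parts: {rule!r}")
    return parts


def _levels(ous: list, org: Optional[str], country: Optional[str]) -> list:
    """Order OU1..OU4 (OU1 nearest the O), O and C as OU4/OU3/OU2/OU1/O/C."""
    ou = (ous + [None] * 4)[:4]          # only four organizational-unit levels exist
    return [ou[3], ou[2], ou[1], ou[0], org, country]


def parse_notes_name(name: str) -> list:
    """Map an abbreviated Notes name (CN/OU.../O[/C]) onto the six rule levels."""
    parts = [p.strip() for p in name.split("/")][1:]   # drop the common name
    country = None
    if len(parts) > 1 and len(parts[-1]) == 2 and parts[-1].isalpha():
        country = parts.pop()                           # assumption: 2 letters = country
    org = parts.pop() if parts else None
    return _levels(list(reversed(parts)), org, country)


def parse_ldap_base(base: str) -> list:
    """Map an LDAP search base such as 'ou=sales,o=acme' onto the six rule levels."""
    found = {"c": None, "o": None, "ou": []}
    for rdn in reversed([r for r in base.split(",") if r.strip()]):  # root first
        attr, _, value = rdn.partition("=")
        attr = attr.strip().lower()
        if attr == "ou":
            found["ou"].append(value.strip())
        elif attr in ("o", "c"):
            found[attr] = value.strip()
    return _levels(found["ou"], found["o"], found["c"])


def rule_matches(rule: str, levels: list) -> bool:
    """True if every part of the rule accepts the corresponding level of the name."""
    for pattern, value in zip(parse_rule(rule), levels):
        if pattern == "*":
            continue
        if pattern == "":
            if value is not None:
                return False
        elif value is None or pattern.lower() != value.lower():
            return False
    return True


@dataclass
class DirectoryAssistanceDoc:
    """The fields of a Directory Assistance document that this example needs."""
    domain: str
    rules: list
    search_order: Optional[int] = None
    ldap_clients: bool = False
    hostnames: list = field(default_factory=list)

    def matches(self, levels: Optional[list]) -> bool:
        # levels=None is a flat name or a search without a base: rules are ignored
        return levels is None or any(rule_matches(r, levels) for r in self.rules)


def ordered(docs: list) -> list:
    """Lowest search order first; ties (and, by assumption, unspecified orders,
    which sort last) fall back to alphabetical order of the Domain name."""
    return sorted(docs, key=lambda d: (d.search_order is None,
                                       d.search_order or 0, d.domain.lower()))


def directories_to_search(levels: Optional[list], docs: list) -> list:
    """Domains searched for a name, in the order directory assistance tries them."""
    return [d.domain for d in ordered(docs) if d.matches(levels)]


def pick_referrals(search_base: str, docs: list, max_referrals: int = 1) -> list:
    """Referral host names for a failed LDAP search: the first eligible directory's
    host names in listed order, then further eligible directories, up to the maximum."""
    levels = parse_ldap_base(search_base) if search_base else None
    hosts = []
    for doc in ordered(docs):
        if not doc.ldap_clients or not doc.matches(levels):
            continue
        for host in doc.hostnames:
            if len(hosts) == max_referrals:
                return hosts
            hosts.append(host)
    return hosts


# Names from the page's table of naming-rule examples.
TABLE_NAMES = [
    "Marilyn Jenkins/Omega", "Alan Jones/Sales/East/Acme/US",
    "Randi Bowker/Marketing/East/Acme/US", "Cheryl Lordan/IS/West/Acme/US",
    "Derek Malone/Accounting/West/Acme/US", "Deborah Jones/West/Acme/US",
    "Karen Lessing/West/Acme/DE",
]


def names_included(rule: str) -> list:
    """The table names the rule includes; the other TABLE_NAMES are excluded."""
    return [n for n in TABLE_NAMES if rule_matches(rule, parse_notes_name(n))]
```

Calling names_included with each rule from the table reproduces its Includes column; pick_referrals with a constructed list of DirectoryAssistanceDoc values shows which host names a client would be referred to as the "Maximum number of referrals" setting grows.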
Naming rules as LDAP naming contexts
Some LDAP client applications, for example the IBM WebSphere
Application Server, can discover naming contexts configured for an
LDAP directory server by searching the directory server's root directory
server entry (DSE). When an LDAP user doesn't specify a search base,
these applications can use the naming contexts configured on the server
to construct one to apply to the LDAP client searches.
The LDAP service uses naming rules configured in the directory
assistance database to define naming contexts in its root DSE.

Directory assistance and domain names


23-18 Administering the Domino System, Volume 1

When you configure directory assistance for a directory you must
configure a domain name for the directory that is unique within the
directory assistance database. You use the Domain name field on the
Basics tab of a Directory Assistance document to configure a directory's
domain name.
• If the directory is a remote LDAP directory, make up a unique domain
name for the directory that is not the name of any Domino domain.
• If the directory is the Domino Directory for a Domino domain (that is,
Domino server setup created it), specify the name of the directory's
Domino domain.
• If you created the directory manually from the PUBNAMES.NTF
template, and so it is not associated with a Domino domain (for
example, the directory is an Extended Directory Catalog, or a Domino
Directory used to track Web user information), do one of the following
to specify a domain name for the directory:
  • If you want servers with Configuration Directories to use the
  directory as their remote primary Domino Directory, specify the
  Domino domain of the servers with the Configuration Directories.
  • If servers won't use the directory as a remote primary Domino
  Directory, make up a unique domain name for the directory.

Note If the domain name you specify for a Domino Directory or
Extended Directory Catalog is the same as the domain of the servers that
use the directory assistance database, the servers can use the directory
automatically for client authentication, group lookups for database
authorization, and Notes mail addressing, regardless of whether you
select Make this domain available to: Notes clients and Internet
Authentication/Authorization. In addition, servers search a directory in
the same domain first, regardless of the search order specified for the
directory.

Directory assistance and failover for a directory


When you set up directory assistance for a directory, you can configure
failover for the directory.
• Failover for a Domino Directory or Extended Directory Catalog
• Failover for a remote LDAP directory

Directory assistance and failover for a Domino Directory or
Extended Directory Catalog
When you set up directory assistance for a Domino Directory or
Extended Directory Catalog, on the Replicas tab of the Directory
Assistance document you specify the replicas of the directory for
directory assistance to use. When you specify replicas in a Directory
Assistance document for a Domino Directory or Extended Directory
Catalog:

• Configure directory failover, so that if one replica is unavailable,
directory assistance has at least one alternate replica it can try to use.
Directory assistance can use one of two methods to fail over to an
alternate replica of a Domino Directory or Extended Directory
Catalog: directory assistance failover, the failover method also
available in previous releases, or cluster failover, a failover capability
new in this release in the context of directory assistance.
• Make sure servers that use the directory assistance database have
fast network access to the directory replicas you specify. Fast
network access to replicas is particularly important if servers use a
directory to look up groups for database authorization.
• Make sure servers that do remote lookups to a replica have access to
the server that stores the replica, and have at least Reader access in
the directory access control list (ACL).
• If a directory is used for Notes mail addressing, make sure the Notes
users that use the feature have at least Reader access in the directory
ACL, so they can browse the directory. If Extended Access is enabled
for a directory, then the users must also have at least Reader access
to use typeahead or F9 address resolution.

The directory assistance failover method


Servers can use the directory assistance failover method, rather than the
cluster failover method, to find an available replica of a Domino
Directory or Extended Directory Catalog. To use the directory assistance
failover method, on the Replicas tab of the Directory Assistance
document for the directory, specify up to five replicas of the directory
that are potentially available for use.
When a server starts up, directory assistance searches for an available
replica among the replicas you have specified. If directory assistance
cannot find an available replica during server startup, in five minutes it
attempts to locate an available replica again, continuing this attempt at
five-minute intervals until successful.


Once directory assistance finds an available replica at server startup, it
continues to use the replica unless the replica becomes unavailable, at
which point failover occurs and directory assistance looks for an
alternate replica. When a replica is unavailable for any reason, directory
assistance continues to use the alternate replica, even after the previously
unavailable replica becomes available.
Directory assistance finds that a replica is unavailable if it attempts to
access the replica during server startup, or during normal server
operation when it processes a client lookup request. A directory replica is
unavailable to directory assistance if:

• The server that stores the replica is unavailable, for example, the
server is down or there is a network connectivity problem.
• A view in the replica required for directory lookups is locked
because the server that stores the replica is rebuilding the view.
• A replica no longer exists because it has been deleted.
Note Directory assistance on servers running Domino Release 5.0.9
or earlier does not fail over when locked out of a view. To have this
failover capability in a mixed Lotus Domino 6/Lotus Domino Release 5
environment, upgrade Domino Release 5 servers to at least Lotus
Domino Release 5.0.10.
At server startup and during failover, directory assistance looks for an
available replica from the list of replicas specified in the Directory
Assistance document as follows:
1. Looks for a local replica.
2. Looks for a replica within the same Notes named network; if there is
more than one, looks in the order in which the Directory Assistance
document lists them.
3. Looks for a replica within the same Domino Domain; if there is more
than one, looks in the order in which the Directory Assistance
document lists them.
4. Looks for a replica it hasn't looked for yet.
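The four-step replica search and the stick-with-the-alternate behaviour described above, as an added Python example (not Domino code): it orders the replicas listed on the Replicas tab into the tiers the text gives, picks the first one an availability check accepts, and keeps using it until it fails. The server, named-network and domain names and the availability check are constructed for the example; the real checks (server down, view locked, replica deleted) are collapsed into one callback.

```python
"""Replica selection and failover order for a Domino Directory or Extended
Directory Catalog, following the four-step search the text describes.
Added example (not Domino code); server/network names are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Replica:
    """One row on the Replicas tab of a Directory Assistance document."""
    server: str            # server that stores the replica, e.g. "Mail1/Acme"
    named_network: str     # Notes named network that server belongs to
    domain: str            # Domino domain that server belongs to


@dataclass(frozen=True)
class LocalServer:
    name: str
    named_network: str
    domain: str


def candidate_order(local: LocalServer, replicas: List[Replica]) -> List[Replica]:
    """Order replicas the way directory assistance tries them: a local
    replica first, then replicas in the same Notes named network, then the
    same Domino domain, then everything else. Python's sort is stable, so
    within a tier the Directory Assistance document's listing order is kept."""
    def tier(r: Replica) -> int:
        if r.server == local.name:
            return 0
        if r.named_network == local.named_network:
            return 1
        if r.domain == local.domain:
            return 2
        return 3
    return sorted(replicas, key=tier)


class ReplicaFailover:
    """Tracks which replica directory assistance is currently using."""
    MAX_REPLICAS = 5               # the Replicas tab accepts up to five
    RETRY_INTERVAL_SECONDS = 300   # retry cadence when nothing is available at startup

    def __init__(self, local: LocalServer, replicas: List[Replica],
                 is_available: Callable[[Replica], bool]) -> None:
        if len(replicas) > self.MAX_REPLICAS:
            raise ValueError("specify at most five replicas")
        self.order = candidate_order(local, replicas)
        self.is_available = is_available   # stands in for the server/view/deletion checks
        self.current: Optional[Replica] = None

    def locate(self) -> Optional[Replica]:
        """First available replica in preference order, or None (in which
        case the real service retries every five minutes)."""
        for replica in self.order:
            if self.is_available(replica):
                self.current = replica
                return replica
        self.current = None
        return None

    def replica_for_lookup(self) -> Optional[Replica]:
        """Keep using the current replica until it fails; only then fail
        over. A replica that recovers is not switched back to automatically."""
        if self.current is not None and self.is_available(self.current):
            return self.current
        return self.locate()


# Constructed sample topology (not from the manual).
LOCAL = LocalServer("Hub/Acme", "TCPIP-Boston", "Acme")
REPLICAS = [
    Replica("Mail2/Acme", "TCPIP-NewYork", "Acme"),
    Replica("Hub/Acme", "TCPIP-Boston", "Acme"),
    Replica("Catalog/Org2", "TCPIP-Chicago", "Org2"),
    Replica("Mail1/Acme", "TCPIP-Boston", "Acme"),
]

if __name__ == "__main__":
    down = {"Hub/Acme"}                      # local replica's server is down at startup
    da = ReplicaFailover(LOCAL, REPLICAS, lambda r: r.server not in down)
    print([r.server for r in da.order])      # ['Hub/Acme', 'Mail1/Acme', 'Mail2/Acme', 'Catalog/Org2']
    print(da.locate().server)                # Mail1/Acme
    down.clear()                             # Hub comes back ...
    print(da.replica_for_lookup().server)    # ... but Mail1/Acme stays in use
    down.add("Mail1/Acme")
    print(da.replica_for_lookup().server)    # Hub/Acme
```

The availability callback closes over a mutable set so the demonstration can flip servers up and down between lookups; in the second step the local replica has recovered, yet the alternate stays in use until it in turn fails.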


The cluster failover method for directory assistance


If replicas of a Domino Directory or Extended Directory Catalog
configured in the directory assistance database are on servers that are
members of a cluster, you can set up directory assistance to use cluster
failover and workload balancing instead of the directory assistance
failover method. To use cluster failover and workload balancing, in the
Replicas tab of the Directory Assistance document for the directory
specify only one of the directory replicas that is within the cluster. Be
sure to specify only one replica; if you specify more than one, directory
assistance ignores cluster failover, and instead uses the directory
assistance failover method described above to find an available replica.
Cluster failover is particularly useful in environments with centralized
directory services. For example, you can configure cluster failover in a
Directory Assistance document for a remote primary Domino Directory,
so that servers with Configuration Directories use cluster failover to find
an available replica of the remote primary directory.

Directory assistance and failover for a remote LDAP directory


To provide failover in the event that a remote LDAP directory configured
in directory assistance is unavailable, on the LDAP tab of the Directory
Assistance document for the remote LDAP directory, enter more than
one host name in the Hostname field. Separate hostnames with commas.
If the first LDAP directory server specified is unavailable, a Domino
server attempts to use the next one listed, and so on.
The configuration selections made in the Directory Assistance document
apply to each host name specified in the Hostname field except for the
value specified in the Port field. You can specify a port for a host name
that is different from the port specified in the Port field by adding a colon
(:) followed by a port number after the host name. For example, you can
enter the following in the Hostname field:
ldap1.acme.com:390, ldap2.acme.com:391
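Parsing the Hostname field, as an added Python example (not Domino code): it splits the comma-separated list, lets a trailing :port override the Port field for that host only, and then tries the hosts in listed order the way the failover description above says. The settings dictionary keys and the connectivity check are constructed for the example, not Domino's own field names.

```python
"""Hostname-field parsing and host-order failover for a remote LDAP
directory in directory assistance. Added example, not Domino code; the
settings dictionary and the connectivity check are constructed."""
from typing import Callable, Dict, List, Optional, Tuple

Target = Tuple[str, int]


def parse_hostname_field(field: str, default_port: int) -> List[Target]:
    """Split a comma-separated Hostname field. A 'host:port' entry overrides
    the Port field for that host only; other entries use the default port.
    Bracketed IPv6 literals are not handled (simplification)."""
    targets: List[Target] = []
    for entry in field.split(","):
        entry = entry.strip()
        if not entry:
            continue                                   # tolerate trailing commas
        host, sep, port_text = entry.rpartition(":")
        if sep and port_text.isdigit():
            port = int(port_text)
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range in {entry!r}")
            targets.append((host.strip(), port))
        else:
            targets.append((entry, default_port))
    return targets


def effective_settings(doc_settings: Dict[str, object],
                       hostname_field: str) -> List[Dict[str, object]]:
    """The other LDAP-tab selections apply to every host; only the port
    can differ per host. doc_settings must contain 'port'."""
    default_port = int(doc_settings["port"])  # type: ignore[arg-type]
    result: List[Dict[str, object]] = []
    for host, port in parse_hostname_field(hostname_field, default_port):
        settings = dict(doc_settings)          # copy, so hosts do not share state
        settings["hostname"] = host
        settings["port"] = port
        result.append(settings)
    return result


def first_reachable(targets: List[Target],
                    try_connect: Callable[[str, int], bool]) -> Optional[Target]:
    """Directory assistance failover for a remote LDAP directory: use the
    first host; if it is unavailable, move to the next one listed."""
    for host, port in targets:
        if try_connect(host, port):
            return (host, port)
    return None


# Constructed document settings (key names are illustrative, not the exact
# Domino labels) and a constructed Hostname field value.
DOC_SETTINGS: Dict[str, object] = {"port": 389, "timeout_seconds": 60, "ssl": False}
HOSTNAME_FIELD = "ldap1.acme.com:390, ldap2.acme.com:391, ldap3.acme.com"

if __name__ == "__main__":
    for s in effective_settings(DOC_SETTINGS, HOSTNAME_FIELD):
        print(s)
    # Fake connectivity: only the second and third hosts answer.
    reachable = {("ldap2.acme.com", 391), ("ldap3.acme.com", 389)}
    targets = parse_hostname_field(HOSTNAME_FIELD, 389)
    print(first_reachable(targets, lambda h, p: (h, p) in reachable))   # ('ldap2.acme.com', 391)
```

The third host in the constructed field carries no port suffix, so it inherits the Port field value (389 here), while the first two keep their per-host overrides; every other setting is copied unchanged to each host.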

Directory assistance for an Extended Directory Catalog


Unless you integrate an Extended Directory Catalog directly into a
server's primary Domino Directory, a server uses directory assistance to
look up information in an Extended Directory Catalog.
When you create a Directory Assistance document for an Extended
Directory Catalog, the following selections are the important ones to
consider:
1. On the Basics tab, next to Domain type, select Notes.
2. On the Basics tab, next to Domain name, make up a unique domain
name. Or, if the Extended Directory Catalog functions as a remote
primary Domino Directory used by servers with Configuration
Directories, specify the domain of the servers with the Configuration
Directories.
3. If there are other Directory Assistance documents in the database, on
the Basics tab, next to Search order, typically you should specify a
search order of 1.

4. On the Basics tab, next to Group Authorization, select Yes if you
want servers to use groups aggregated in the Extended Directory
Catalog for authorizing database access. You can choose this option
for only one directory in the directory assistance database. Choose
the option for an Extended Directory Catalog if you want servers to
be able to use groups from any of the aggregated directories for
database authorization.
5. To trust all the directories aggregated in the Extended Directory
Catalog for Internet client authentication, on the Naming contexts
(Rules) tab, include a rule that is Trusted for Credentials. If you
want to trust some Domino Directories for client authentication, but
not others, you can create one Extended Directory Catalog that
aggregates the trusted directories and a second that aggregates
untrusted directories. Then create a separate Directory Assistance
document for each Extended Directory Catalog, and enable Trusted
for Credentials only in the document for the directory catalog you
want servers to trust for authentication.
6. On the Replicas tab, be sure to configure failover for the Extended
Directory Catalog.
For information on all the fields in a Directory Assistance document for a
Domino Directory or Extended Directory Catalog, see the topic Creating
a Directory Assistance document for a Domino Directory or Extended
Directory Catalog later in the chapter.
Note When servers use an Extended Directory Catalog, to optimize
lookup performance, remove any Directory Assistance documents that
exist for the directories aggregated in the directory catalog. For example,
if you aggregate Directory A into an Extended Directory Catalog, if there
is a Directory Assistance document for Directory A, remove the
document.
For more information on Extended Directory Catalogs, see the chapter
Setting Up Directory Catalogs.


Directory assistance in conjunction with a condensed Directory
Catalog
Condensed Directory Catalogs are optimized for small size and client
use. Although a server can use a condensed Directory Catalog, under
most circumstances it's best for a server instead to use an Extended
Directory Catalog.
For information on the advantages to servers using an Extended
Directory Catalog rather than a condensed Directory Catalog, see the
chapter Setting Up Directory Catalogs.
If you do set up servers to use a condensed Directory Catalog, you may
also want to set up directory assistance for the individual Domino
Directories aggregated into the directory catalog, so that:
• A server can use directory assistance to look up information not
aggregated in the condensed Directory Catalog.
• A server can trust a particular aggregated directory, but not all
aggregated directories, for client authentication.
Note Do not create a Directory Assistance document for a condensed
Directory Catalog itself, only for the directories aggregated into the
directory catalog.
Using directory assistance to look up information not aggregated
into a condensed Directory Catalog
While you always aggregate fields containing mail addressing
information into a condensed Directory Catalog to support the common
task of looking up users' mail addresses, typically you would not
aggregate fields containing information such as the following, because
this would make the directory catalog too large:
• X.509 certificates used for client authentication
• Information LDAP clients only occasionally search for
• Notes users' public keys used to send encrypted mail

Instead, set up directory assistance for a Domino Directory aggregated
into the directory catalog, so servers can use directory assistance to look
up the missing information directly in the Domino Directory. Each entry
in a condensed Directory Catalog includes the replica ID of the Domino
Directory from which the entry was derived and the UNID for the entry,
a unique ID associated with a replicated document. In the cases where
the condensed Directory Catalog doesn't aggregate a field being
searched for, a server uses this directory catalog information and
information available through directory assistance to quickly access the
complete entry in the Domino Directory. Searching a Domino Directory
by keying off entries in a condensed Directory Catalog is faster than
using directory assistance alone to locate and search the Domino
Directory.
If you aggregate a Domino Directory into a condensed Directory Catalog,
and you don't also set up directory assistance for the directory itself, a
server can't use the directory to look up information omitted from the
Directory Catalog.
If you set up directory assistance for a Domino Directory but do not
aggregate the directory into a condensed Directory Catalog, a server can
use directory assistance to search the Domino Directory after searching
the directory catalog.
Note If a Domino Directory is aggregated into a condensed Directory
Catalog, but a particular entry from the directory is not aggregated (for
example, a selection formula excludes the entry), servers cannot use
directory assistance to look up the missing entry directly in the Domino
Directory.
Using directory assistance to trust one or some directories aggregated
into a condensed Directory Catalog for client authentication
To indicate that a server should trust for client authentication all
directories aggregated into a condensed Directory Catalog, select the
option Trust the server based condensed directory catalog for
authentication with internet protocols on the Basics tab of the server's
Server document in the Domino Directory. In this case, directory
assistance is not required to indicate trust.
However, to tell a server to trust for client authentication only one or
some directories aggregated in a condensed Directory Catalog, create a
Directory Assistance document in a directory assistance database for
each of the aggregated Domino Directories to be trusted. In the Directory
Assistance document for each such directory, do the following:
• On the Basics tab, next to Make this domain available to, select
Notes clients and Internet Authentication/Authorization.
• On the Naming Contexts (Rules) tab enable at least one rule that
corresponds to the names to be authenticated, and select Trusted for
Credentials for the rule.
• On the Replicas tab include the replica of the Domino Directory
that the Dircat task uses to aggregate the directory into the
condensed Directory Catalog. Note that you do not include the
replica of the directory catalog.


Note You are not required to store user passwords, and you shouldn't
store X.509 certificates, in a condensed Directory Catalog. Instead you
can set up directory assistance for the secondary Domino Directories that
are aggregated to enable servers to find the passwords/X.509 certificates.

Directory assistance for the primary Domino Directory


A server with a local replica of its primary Domino Directory searches
the directory automatically without the use of directory assistance. You
can configure directory assistance for the primary Domino Directory of
servers that use a directory assistance database to:
• Tell servers with Configuration Directories that use the directory
assistance database how to locate a remote replica of the primary
Domino Directory.
• Prevent the LDAP service from searching the primary Domino
Directory.
If multiple domains use replicas of one directory assistance database, you
might also create a Directory Assistance document for the primary
Domino Directory so that servers in other domains that use the directory
assistance database can do lookups in the directory.
Note You cannot prevent a server from using its primary Domino
Directory for Notes mail addressing, client authentication, or group
lookups for database authorization. A server can always use a primary
Domino Directory for these purposes, regardless of the options you select
for the directory in the Directory Assistance document.

Using directory assistance to control which remote replicas of a
primary Domino Directory servers with Configuration Directories
can use
A Configuration Directory is a small, selective replica of a domain
Domino Directory that contains only Domino configuration information.
A server with a Configuration Directory looks up information related to
directory services, such as information in user and group documents, in a
full replica of the domain primary Domino Directory on a remote server.
You can create a Directory Assistance document for the primary Domino
Directory in a directory assistance database used by servers with
Configuration Directories. Do this to specify which replicas of a remote
primary Domino Directory the servers potentially can use. This step isn't
required: if you do not use directory assistance, a server with a
Configuration Directory uses default, built-in logic to find a remote
replica of a primary Domino Directory to use.

For more information on Configuration Directories and on the default
logic used to find a remote primary Domino Directory, see the chapter
Setting Up the Domino Directory.
If you set up directory assistance to control which remote replicas of the
primary Domino Directory servers with Configuration Directories can
use, the key options to select in the Directory Assistance document are
the following ones.
On the Basics tab:
• Next to Domain Type select Notes.
• Next to Domain Name enter the domain of the servers with the
Configuration Directories.
• Next to Group Authorization select No. A server can use groups
located in a primary Domino Directory replica to authorize database
access even when you select No because a primary Domino
Directory is always trusted for this purpose. Since you can select Yes
for only one directory in the directory assistance database, select No
to reserve the use of Group Authorization for another directory in
the directory assistance database.
For more information on the Group Authorization feature, see the
topic Directory assistance and group lookups for database
authorization earlier in this chapter.
On the Replicas tab, make sure to configure failover for the directory.
For more information, see the topic Directory assistance and failover for
a Domino Directory or Extended Directory Catalog later in this chapter.
For complete information on all the configuration fields in a Directory
Assistance document for a Domino Directory or Extended Directory
Catalog, see the topic Creating a Directory Assistance document for a
Domino Directory or Extended Directory Catalog later in this chapter.

Using directory assistance to prevent the LDAP service from
searching the primary Domino Directory
You can set up directory assistance for the primary Domino Directory to
prevent a server that runs the LDAP service from using the primary
Domino Directory when processing LDAP requests. For example, you
might want the LDAP service to use a secondary Domino Directory, but
not the primary Domino Directory.
The primary Domino Directory from which you exclude LDAP searches
can be local, or can be remote if the server running the LDAP service has
a Configuration Directory.
If you set up directory assistance to prevent LDAP searches of the
primary Domino Directory, the key options to select in the Directory
Assistance document are the following ones.
For complete information on all the configuration fields in a Directory
Assistance document for a Domino Directory, see the topic Creating a
Directory Assistance document for a Domino Directory or Extended
Directory Catalog later in the chapter.
On the Basics tab:
1. Next to Domain Type select Notes.
2. Next to Domain Name enter the domain of the servers that run the
LDAP service.
3. Next to Make this domain available to deselect LDAP Clients.
4. Next to Group Authorization select No to reserve the use of
Group Authorization for another directory in the directory
assistance database.
For more information on the Group Authorization feature, see the
topic Directory assistance and group lookups for database
authorization earlier in this chapter.
On the Replicas tab, do one of the following:
• If all the servers that use the directory assistance database are within
one domain and use a local primary Domino Directory, you have to
specify only one replica. Directory assistance requires the replica
specification to load properly, but the servers always do lookups in
their local primary Domino Directory replicas, regardless of the
replica you specify. An easy method is to specify an asterisk (*) in
the Server Name field, and a file name in the Domino Directory
File Name field, for example, NAMES.NSF.
• If the server running the LDAP service has a Configuration
Directory, complete the Replicas tab to indicate which replicas of the
remote primary Domino Directories to use.
For more information on specifying replicas, see the topic Directory
assistance and failover for a Domino Directory or Extended Directory
Catalog earlier in the chapter.


Number of directory assistance databases


Before you set up directory assistance, plan how many directory
assistance databases to use. You can create and configure one directory
assistance database that all or most servers use. Or you can create more
than one directory assistance database, with groups of servers (for
example, servers within a domain) each using specific ones. All the
servers that use a particular directory assistance database must use a
directory configured in the database for the same services. If groups of
servers require the use of different directories or services, create a
separate directory assistance database for each group of servers to use.
For example, suppose all servers use an Extended Directory Catalog, but
one group of servers also uses a remote LDAP directory for client
authentication. You would set up a separate directory assistance
database for that group of servers that contains Directory Assistance
documents for both the directory catalog and the LDAP directory. For
the other servers, create a directory assistance database configured for
the directory catalog only.

Setting up directory assistance


To set up directory assistance in a Domino domain, complete these
procedures.
1. Create and replicate a directory assistance database.
2. Set up servers to use the directory assistance database.
3. Create a Directory Assistance document for each Domino Directory
or Extended Directory Catalog for which you want to provide
directory assistance.
4. Create a Directory Assistance document for each remote LDAP
directory for which you want to provide directory assistance.


For information on troubleshooting problems with directory assistance,
see the chapter Troubleshooting.

Creating and replicating a directory assistance database


Create a directory assistance database on one server, and then create a
replica of the database on each server in the domain that will use it for
directory assistance. A server can use one directory assistance database
only.
1. From the Domino Administrator, create the database:
a. Choose File - Database - New to open the New Database dialog
box.
b. Enter the name of the server on which to create the database.
c. Enter a title for the database (for example, Directory
Assistance). You can enter any title.
d. Enter a file name for the database (for example, DA.NSF). You
can enter any file name with the extension .NSF.
e. Click Show advanced templates.
f. Click Template Server and select a server that stores the
Directory Assistance template (DA50.NTF).
g. Select the Directory Assistance template (DA50.NTF) from the
list of templates.
h. Keep Inherit future design changes selected.
i. Click OK.
2. Create a replica of the directory assistance database on each server
that will use it.
Tip Using the same file name and path for the replicas on each
server makes it easy to use the Administration Process to add the file
name and path to Server documents.
For more information on replication, see the chapter Creating
Replicas and Scheduling Replication.
3. Create Connection documents to schedule replication of the database
to all the servers that will use it.
4. Continue to the procedure Setting up servers to use a directory
assistance database.

Setting up servers to use a directory assistance database


After you create a directory assistance database and replicate it to
servers, set up the servers to use the database. To set up a server to use a
directory assistance database, add the file name of the server's replica of
the database to the Directory assistance database name field of the
server's Server document in the primary Domino Directory.

Use the Administration Process to automate adding a directory
assistance database file name to multiple Server documents; the
Administration Process creates a Set Directory Assistance Field request
to add the file name. Or enter the file name of the directory assistance
database in Server documents manually.
Using the Administration Process to add the directory assistance
database file name to multiple Server documents
To use the Administration Process to add a directory assistance database
file name to multiple Server documents:
1. Make sure that you:
• Created and replicated the directory assistance database
• Have either Author access and the ServerModifier role, or Editor
access in the ACL of the Domino Directory to which you will add
the file names.
• Have set up the Administration Process
2. From the Domino Administrator, click the Configuration tab.
3. Next to Use Directory on, select the administration server for the
Domino Directory.
4. In the left pane, expand Server - All Server Documents.
5. Select the Server documents for all servers that use the same file
name for the directory assistance database. A check mark appears
next to each document.
6. Choose Actions - Set Directory Assistance Information.
7. Enter the file name that you gave to the directory assistance database
on these servers (for example, DA.NSF). If the directory assistance
database is in a subdirectory under the data directory, include the
path relative to the data directory (for example,
DIRECTORIES\DA.NSF).
8. Click OK.

9. When you see the dialog box stating Request has been submitted,
click OK again.
10. Use the command tell adminp process interval to force processing
of the Set Directory Assistance Field request, or wait until the
Administration Process processes the request when it next processes
interval requests.
For more information, see the appendix Server Commands.
11. Replicate the modified Domino Directory to the servers that will use
the directory assistance database.
12. Restart the servers so they detect the directory assistance database
file names in their Server documents.
13. Continue to one or both of these procedures:
• Creating a Directory Assistance document for a Domino directory
• Creating a Directory Assistance document for a remote LDAP
directory
Entering the directory assistance database file name to a Server
document manually
1. Make sure that you:
• Created and replicated the directory assistance database
• Have either Author access and the ServerModifier role, or Editor
access in the ACL of the Domino Directory to which you will add
the file names.
2. From the Domino Administrator, click the Configuration tab.
3. Next to Use Directory on, select the server whose Domino
Directory you want to modify.
4. In the left pane, choose Server - All Server Documents.
5. Select a specific Server document, and then click Edit Server.
6. In the Directory Assistance database name field in the Directory
Info section on the Basics tab, enter the file name that you gave to
the replica of the directory assistance database on this server (for
example, DA.NSF). If the directory assistance database is in a
subdirectory under the data directory, include the path relative to
the data directory (for example, DIRECTORIES\DA.NSF).
7. Click Save & Close.
8. If the Domino Directory you changed is not the replica of the server
whose directory assistance database file name you specified,
replicate the updated Domino Directory to the server.
9. Restart the server so it detects the directory assistance database file
name now in its Server document.
10. Continue to one or both of these procedures:
• Creating a Directory Assistance document for a Domino directory
• Creating a Directory Assistance document for a remote LDAP
directory


Creating a Directory Assistance document for a Domino Directory or
Extended Directory Catalog
To set up directory assistance for a Domino Directory or an Extended
Directory Catalog, create a Directory Assistance document for the
directory in the directory assistance database as follows:
Note Do not create a Directory Assistance document for a condensed
Directory Catalog.
1. Make sure you have read about directory assistance services and
concepts.
2. Make sure that you have created and replicated a directory
assistance database and have set up servers to use it.
3. From the Domino Administrator, choose File - Open Server, and
select a server that you have set up to use the directory assistance
database.
4. Click the Configuration tab.
5. In the left pane, expand Directory - Directory Assistance. If you see
Server Error: File does not exist, the server you selected in step 3 is
not set up to use the directory assistance database.
6. Click Add Directory Assistance.
7. On the Basics tab, complete these fields:

Domain type: Choose Notes.

Domain name: The name of the Domino domain associated with the directory. If the directory isn't associated with a Domino domain because you created it manually rather than through server setup, make up a unique domain name for it. For more information, see the topic Directory assistance and domain names.

Company name: (Optional) The name of the company associated with this directory. Multiple Directory Assistance documents can use the same company name.

Search order: (Optional) A number affecting the order in which servers search this directory relative to other directories configured in the directory assistance database. For more information, see the topic How naming rules relate to directory search orders.

Setting Up Directory Assistance 23-33

Directory Services

Make this domain available to: Choose one or both:
- Notes Clients and Internet Authentication/Authorization
- LDAP Clients
Choose Notes Clients and Internet Authentication/Authorization to use the directory for Notes mail addressing, Internet client authentication, or to look up the members of groups for database authorization. By default, the option is enabled. To prevent servers from using the directory for these services, do not choose this option.
If the domain specified in the Domain name field is the same Domino domain (the primary domain) of the servers that use directory assistance, the servers use the directory for these three services automatically, even if you do not choose this option.
Choose LDAP Clients to enable the LDAP service running on servers to search the directory when processing LDAP requests. By default, the option is enabled. To prevent the LDAP service from searching the directory, do not choose this option.
For more information, see the topic Directory assistance services.

Group Authorization: Choose one:
- Yes to search the members of groups in the directory when authorizing database access. You must also select Make this domain available to: Notes Clients and Internet Authentication/Authorization.
- No (default) to prevent searching the members of groups in the directory when authorizing database access.
You do not have to enable a rule that is Trusted for Credentials.
Enable this option in only one Directory Assistance document, Notes or LDAP, in the directory assistance database.
If the domain specified in the Domain name field is the same Domino domain (the primary domain) of the servers that use directory assistance, the servers use the directory to look up groups for database authorization automatically, even if you choose No for this option.
For more information, see the topic Directory assistance and group lookups for database authorization.

Enabled: Choose Yes to enable directory assistance for this directory.

8. Click the Naming Contexts (Rules) tab, and for each rule you want to
define, complete the following fields. By default, an all-asterisk rule
is enabled with Trusted for Credentials set to No.
N.C. #: A naming context (rule) that describes names in the directory. For more information, see the topic Directory assistance and naming rules.

Enabled: Choose one:
- Yes to enable a rule
- No to disable a rule

Trusted for Credentials: Choose one:
- Yes to allow servers to use credentials in this directory to authenticate Internet clients whose distinguished names in the directory correspond to the rule.
- No (default) to prevent servers from using this directory to authenticate Internet clients whose distinguished names correspond to the rule.
For more information, see the topic Trusted naming rules.
If the domain specified in the Domain name field on the Basics tab is the same Domino domain (the primary domain) of the servers that use directory assistance, the servers trust all user names in the directory for client authentication, even if you do not choose this option.

9. Click the Replicas tab. Use either the Database links field or the
Replica# fields to specify replicas of the directory for servers to
use. If you make any entry in a Replica# field, then directory
assistance ignores all entries in the Database links field.
To set up directory assistance to use cluster failover to locate an
available replica of the directory, specify only one replica of the
directory within the cluster.
For more information on failover, see the topic Directory assistance
and failover for a Domino Directory or Extended Directory Catalog.


Database links: For each replica you want to specify:
- Open the replica of the directory, and choose Edit - Copy As Link - Database Link.
- Select the Database links field, and choose Edit - Paste.
Using database links may delay server startup. When you restart a server that uses directory assistance, server tasks retrieve database information from the remote servers to which the links refer. Use database links only if the servers to which the links refer are consistently available.

Replica#: The server name and file name of a replica of the directory, for example:
Server Name: Mail1/West/Acme
Domino Directory File Name: EASTNAMES.NSF
Select Enabled next to each replica you specify.

10. Click Save & Close.


Shortcut for specifying local replicas of a Domino Directory or
Extended Directory Catalog in a Directory Assistance document
You can enter an asterisk (*) in the Server Name field on the Replicas tab
of a Directory Assistance document for a Domino Directory or Extended
Directory Catalog to indicate that directory assistance should first look
on its local server for a replica of the directory. This feature is useful in
an environment where multiple servers use directory assistance to search
local replicas of a directory with the same file name. Use an asterisk to
represent all the servers that have local replicas of the directory with the
same file name, rather than specifying each server individually in its own
Server Name field.
For example, if servers A, B, C, and D each store local replicas of the
directory ACMEWEST.NSF configured for directory assistance, use an
asterisk to specify only one Server Name/Directory Filename entry in the
Directory Assistance document for ACMEWEST.NSF:
Server Name    Directory Filename
*              ACMEWEST.NSF


If you do not enter an asterisk, you must make these four Server
Name/Directory Filename entries:
Server Name    Directory Filename
Server A       ACMEWEST.NSF
Server B       ACMEWEST.NSF
Server C       ACMEWEST.NSF
Server D       ACMEWEST.NSF

If some servers use directory assistance but don't have local replicas of
the directory, add at least one explicit Server Name/Directory Filename
entry in the Directory Assistance document for these servers to use. If
you use the directory assistance failover method, specify at least one
explicit Server Name/Directory Filename entry for servers with local
replicas to use as an alternate in the event the replica is unavailable.
Note: Do not use * in the Server Name field in a Directory Assistance
database that Lotus Domino Release 4 servers use. Instead, create a
separate Directory Assistance database that uses explicit server names
for Release 4 servers to use.

Creating a Directory Assistance document for a remote LDAP directory
To set up directory assistance for a remote LDAP directory, create a
Directory Assistance document for the directory in a directory assistance
database as follows. Make sure you have read about directory assistance
services and concepts.
1. Make sure you have created and replicated a directory assistance
database, and have set up servers to use it.
2. If you are using the remote LDAP directory for any purpose other
than LDAP service referrals, use the TCP/IP ping utility to test that
the Domino servers that will use the LDAP directory can connect to
the remote LDAP directory server.
3. From the Domino Administrator, choose File - Open Server, select a
server that you have set up to use the directory assistance database,
and click OK.
4. Click the Configuration tab.
5. In the left pane, expand Directory - Directory Assistance. If you see
Server Error: File does not exist, the server you selected in step 3 is
not set up to use the directory assistance database.
6. Click Add Directory Assistance.
7. On the Basics tab, complete these fields:
Domain type: Choose LDAP.

Domain name: A domain name of your choice that is different from the domain name specified for any other Directory Assistance document, Notes or LDAP, in the directory assistance database. For more information, see the topic Directory assistance and domain names.

Company name: (Optional) The name of the company associated with this directory. Multiple Directory Assistance documents can use the same company name.

Search order: (Optional) A number affecting the order in which servers search or refer LDAP clients to this directory relative to other directories configured in the directory assistance database. For more information, see the topic How naming rules relate to directory search orders.

Make this domain available to: Choose one or both:
- Notes clients and Internet Authentication/Authorization to use this LDAP directory for Notes mail addressing, Internet client authentication, or to look up the members of groups for database authorization.
- LDAP Clients to enable a server running the LDAP service to refer LDAP clients to this LDAP directory.
For more information, see the topic Directory assistance services.

Group Authorization: Choose one:
- Yes to search the members of groups in this LDAP directory when authorizing database access.
- No (default) to prevent searching the members of groups in the directory when authorizing database access.
Choose Yes for only one directory, Notes or LDAP, configured in the directory assistance database.
You do not have to enable a rule that is Trusted for Credentials.
If you select Yes, in the Nested group expansion field that appears choose one:
- Yes (default) to search nested groups, that is, groups that are members of groups listed in database ACLs.
- No to search only the members of groups listed in database ACLs, and not the members of groups nested within those groups.
For more information on group authorization, see the topic Directory assistance and group lookups for database authorization.

Enabled: Choose Yes to enable directory assistance for this LDAP directory.

8. On the Naming Contexts (Rules) tab, for each rule you want to define
for the directory, complete the following fields. By default, an
all-asterisk rule is enabled with Trusted for Credentials set to No.
N.C. #: Enter a naming context (rule) that describes the user names in the LDAP directory. For more information, see the topic Directory assistance and naming rules.

Enabled: Choose one:
- Yes to enable a rule
- No (default) to disable a rule

Trusted for Credentials: Choose one:
- Yes to allow servers to use credentials in the LDAP directory to authenticate Internet clients whose distinguished names in the directory correspond to the rule.
- No (default) to prevent servers from using this directory to authenticate Internet clients whose distinguished names in the directory correspond to the rule.
For more information, see the topic Trusted naming rules.

9. On the LDAP tab, complete these fields:


Hostname: The host name for the remote LDAP directory server, for example, ldap.acme.com. A Domino server uses this host name to connect to the remote LDAP directory server, or to refer LDAP clients to the LDAP directory.
Enter an additional host name or host names so that a Domino server can use an alternate LDAP directory server if the directory server represented by the first host name specified is unavailable. Separate host names with commas.
If you specify more than one directory server and each listens on a different port, specify the ports after the host names. For example:
ldap1.acme.com:390, ldap2.acme.com:391
For more information, see the topic Directory assistance and failover for a remote LDAP directory.

Optional Authentication Credential: (Optional) Below Optional Authentication Credential enter a user name and a password for a Domino server to present when it connects to the remote LDAP directory server. The LDAP directory server uses the name and password to authenticate the Domino server. If you don't specify a name and password, a Domino server attempts to connect anonymously.
For more information, see the topic Specifying a name and password for Domino servers in a Directory Assistance document for a remote LDAP directory.

Base DN for search: A search base, if the LDAP directory server requires one. For example:
o=Ace Industry
o=Ace Industry,c=US

Channel encryption: Choose one:
- SSL (the default) to use SSL when a Domino server connects to the remote LDAP directory server
- None to prevent SSL from being used.
Keep SSL selected in the Channel encryption field if you use the remote LDAP directory for client authentication or to look up the members of groups for database authorization.
If you choose SSL, make selections in these associated fields:
- Accept expired SSL certificates
- SSL protocol version
- Verify server name with remote server's certificate
For more information, see the next topic Configuring SSL in a Directory Assistance document for a remote LDAP directory.

Port: The port number Domino servers use to connect to the remote LDAP directory server.
- If you choose SSL in the Channel encryption field, the default port is 636.
- If you choose None in the Channel encryption field, the default port is 389.
If the LDAP directory server doesn't use one of these default ports, enter a different port number manually.

Timeout: The maximum number of seconds allowed for a search of the remote LDAP directory; default is 60 seconds. If the remote LDAP directory server also has a timeout setting, the lower setting takes precedence.

Maximum number of entries returned: The maximum number of entries the LDAP directory server can return for a name for which a Domino server searches. If the LDAP directory server also has a maximum setting, the lower setting takes precedence. If the LDAP directory server times out, it returns the number of names found up to that point. Default is 100.

Dereference alias on search: Choose one to control the extent to which alias dereferencing occurs during searches of the remote LDAP directory:
- Never
- Only for subordinate entries
- Only for search base entries
- Always (default)
If aliases aren't used in the LDAP directory, selecting Never can improve search performance.
For more information, see the topic Configuring alias dereferencing in a Directory Assistance document for a remote LDAP directory.

Preferred mail format: To specify the format of addresses from the directory to be used in Notes mail, choose one:
- Notes Mail Address
- Internet Mail Address (default)
For more information, see the earlier topic Notes mail addressing using a remote LDAP directory.

Attribute to be used as Notes Distinguished Name: (Optional) If a Domino server uses the remote LDAP directory for client authentication or for database authorization, optionally map users' LDAP directory distinguished names to corresponding Notes distinguished names. For information, see the topic Using Notes distinguished names in a remote LDAP directory.

Type of search filter to use: Choose one to control which LDAP search filters are used to search the directory:
- Standard LDAP (default)
- Active Directory
- Custom
Standard LDAP works in most situations.
For more information, see the topic Configuring search filters in a Directory Assistance document for a remote LDAP directory.

10. Click Save & Close.


11. If you changed the Group Authorization field:
a. Wait for the change to replicate to all the servers that use the
directory assistance database, or force the replication.
b. Use the Restart Server console command to stop and restart each
server that uses directory assistance for group authorization, so
each server detects the change.

Configuring SSL in a Directory Assistance document for a remote LDAP directory
If a Domino server uses a remote LDAP directory to look up credentials
during Internet client authentication, or to look up the members of
groups during database authorization, specify that the server use SSL to
connect to the LDAP directory server. Specify SSL so there are secure
communications between the Domino server and the LDAP server, and
so that the Domino server can use an X.509 certificate to verify the
remote LDAP directory server's identity.
To use SSL, select SSL in the Channel encryption field on the LDAP tab
of the Directory Assistance document for the remote LDAP directory.
When you select SSL, you must also make selections for three associated
fields:
- Accept expired SSL certificates
- SSL protocol version
- Verify server name with remote server's certificate

"Accept expired SSL certificates"


In the Accept expired SSL certificates field choose one:
- Yes (the default) to accept a certificate from the LDAP directory server, even if the certificate has expired.
- No to reject an expired certificate, which provides tighter security.

"SSL protocol version"


In the SSL protocol version field, select the version number of the SSL
protocol to use, as follows:

V2.0 only: Allows only SSL 2.0 connections.

V3.0 handshake: Attempts an SSL 3.0 connection. If the connection fails and the requestor detects SSL 2.0, attempts to use SSL 2.0 to connect.

V3.0 only: Allows only SSL 3.0 connections.

V3.0 with V2.0 handshake: Attempts an SSL 3.0 connection, but starts with an SSL 2.0 handshake, which displays relevant error messages. Makes an SSL 3.0 connection if possible. Choose V3.0 and V2.0 handshake to receive V2.0 error messages that may occur during a connection attempt. These error messages can provide information about compatibility problems found during the connection.

Negotiated: Allows SSL to determine the protocol version and handshake.

Verify server name with remote server's certificate
In the Verify server name with remote server's certificate field, choose
one:
- Enabled (the default)
- Disabled
Choose Enabled to require that the subject line of the remote server's
certificate include the LDAP directory server host name. For this option
to work properly, the subject line in the remote server's certificate must
include its DNS host name. Keep the option enabled if you are sure that
the X.509 certificate of the remote LDAP directory server contains the
remote server's host name in the appropriate format.
The Domino CA and some other CAs provide a dialog box into which
users enter the subject line when requesting a certificate. For example,
the Domino CA prompts each user to enter the remote server's
information, such as the common name, organizational unit name,
organization name, state (or province), and country name. The Domino
CA places this information in the subject line and adds the appropriate
prefix (cn=, ou=, o=, and so on) to each field. If you used a Domino CA to
create the remote server's certificate, enter the remote server's host name
in the common name field when using the Verify server name with
remote server's certificate option. For example, the Domino CA allows
users to enter the following valid subject lines (mailserver.acme.com is
the server's DNS host name):
cn=mailserver.acme.com, ou=sales, ou=marketing, o=acme, st=mass, c=us
cn=mailserver, ou=sales - mailserver.acme.com o=acme, st=mass, c=us
To ensure that users enter the DNS host name properly, recommend that
they enter it as the common name (cn=) when they request a certificate
from the Domino CA. Other CAs may have different dialog boxes for
entering the subject line; users must follow these dialog boxes to enter
the remote server's DNS host name.
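An added example, not Domino's TLS implementation, that models the Verify server name check as the text describes it: the subject line of the remote server's certificate must include the LDAP server's DNS host name, and both Domino CA subject lines shown above are valid. The model therefore accepts the host name as the cn= value or as a separate word anywhere else in the subject line, and it shows what the Disabled setting gives up. The subject-line parser is a constructed simplification and does not handle every RFC 2253 escape.

```python
"""Model of the Verify server name with remote server's certificate
option.  Added illustration, not Domino code."""
import re


def parse_subject(subject_line):
    """Split 'cn=a, ou=b, o=c' into [(attribute, value), ...].

    The split happens only at commas followed by an 'attr=' token, so a
    value that itself contains a comma is kept whole.
    """
    pairs = []
    for part in re.split(r",\s*(?=[A-Za-z]+=)", subject_line.strip()):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def subject_includes_host(subject_line, hostname):
    """True if the certificate subject names the expected DNS host name.

    Comparison is case-insensitive, as DNS names are.  Only a whole token
    counts, so 'mailserver.acme.com.example' does not match
    'mailserver.acme.com'.
    """
    host = hostname.lower()
    for attr, value in parse_subject(subject_line):
        if attr == "cn" and value.lower() == host:
            return True                 # recommended form: cn=<DNS host name>
        if host in value.lower().split():
            return True                 # host name placed elsewhere in the subject
    return False


def accept_remote_server(subject_line, hostname, verify_server_name="Enabled"):
    """Decide whether a connection to hostname may proceed.

    With the option Disabled the subject is never consulted, which is what
    the setting gives up: any certificate the TLS layer otherwise accepts
    passes, including one issued to a different host.
    """
    if verify_server_name != "Enabled":
        return True
    return subject_includes_host(subject_line, hostname)


if __name__ == "__main__":
    # Constructed subject lines: the two from the text and one that lacks
    # the DNS host name.
    host = "mailserver.acme.com"
    for subject in (
        "cn=mailserver.acme.com, ou=sales, ou=marketing, o=acme, st=mass, c=us",
        "cn=mailserver, ou=sales - mailserver.acme.com o=acme, st=mass, c=us",
        "cn=mailserver, ou=sales, o=acme, st=mass, c=us",
    ):
        print(accept_remote_server(subject, host), subject)
```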
Specifying a name and password for Domino servers in a Directory
Assistance document for a remote LDAP directory
In the Optional Authentication Credential section on the LDAP tab of a
Directory Assistance document for a remote LDAP directory you can
enter a distinguished user name and a password. If a Domino server
connects to the remote LDAP directory server, it presents the name and
password so the remote LDAP directory server can authenticate the
Domino server.


If you don't specify a name and password, a Domino server attempts to
connect to a remote LDAP directory server anonymously. You must
specify a name and password if the remote LDAP directory server does
not allow anonymous access.
Enter a distinguished name in the Username field, and a password in the
Password field. The name and password must correspond to a valid
name and password in the remote LDAP directory. Enter the
distinguished name in LDAP format, for example cn=domino
server,o=acme.
The Username and Password fields are encryptable fields. Do the
following to encrypt the fields to limit which Domino administrators and
servers can read their contents:
1. Create a secret encryption key.
2. Use the secret encryption key to encrypt the Directory Assistance
document.
3. Distribute and merge the encryption key only into the ID files of
administrators and Domino servers who should read the user name
and password.
Only administrators and servers with the secret encryption key can read
the user name and password. Any Domino server that connects to the
remote LDAP directory server or that replicates changes to the directory
assistance database requires the encryption key.
For information on creating and using secret encryption keys, see the
book Application Development with Domino Designer.


Configuring search filters in a Directory Assistance document for a remote LDAP directory
If servers use directory assistance to search a remote LDAP directory, you
can use the field Type of search filter to use in the Directory Assistance
document for the directory to control which LDAP search filters are used
to search the directory. The following choices are available.
Standard LDAP (Default): Uses standard LDAP search filters that work with most LDAP directory servers, including Domino, IBM Directory Server, Netscape/iPlanet Directory Server.

Active Directory: Uses predefined search filters that work with Active Directory servers. Select this option if the remote LDAP directory is Active Directory.

Custom: Use to define your own search filters.

Note: The Active Directory search filter option replaces the Release 5
NOTES.INI setting WebAuth_AD_Group, which allowed for searches of
Active Directory groups.
Defining custom search filters
You might need to define custom search filters if searches are not
returning results or are returning results for the wrong entries. This
situation can occur if the remote LDAP directory server uses a
non-standard schema.
Selecting Custom in the Type of search filter to use field displays the
following three fields used to define the custom search filters.
Mail Filter: If directory assistance is set up so that Notes users can look up mail addresses in the directory, specify a search filter to use to look up the names in the directory. Leave the field blank to use the following default search filter:
(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))

Authentication Filter: Specify a search filter to use to search for the names of users when using the remote LDAP directory for client authentication. Leave the field blank to use the following default search filter:
(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))

Authorization Filter: Specify a search filter to use to look up the members of groups for Notes database authorization. Leave the field blank to use the following default search filter:
(|(&(objectclass=groupOfUniqueNames)(UniqueMember=%*))(&(objectclass=groupOfNames)(Member=%*)))

To define custom search filters, you should be familiar with valid search
filter syntax described in RFCs 2251 and 2254.
Syntax for custom LDAP search filters
To define a custom search filter, insert parameters into standard LDAP
search filters to represent a part of the names being searched for.
%a  First name: the set of characters from the first character to the first space or punctuation. In Alex M Davidson, the first name is Alex.
%z  Last name: the set of characters from the last space or punctuation to the last character. In Alex M Davidson, the last name is Davidson.
%*  Whole name: the entire name. In Alex M Davidson, the whole name is Alex M Davidson.
%l  Local part: the local part of an RFC 822 mail address. In amd@acme.com, the local part is amd.
%d  Domain part: the domain part of an RFC 822 mail address. In amd@acme.com, the domain part is acme.com.

Examples of custom LDAP search filters

Name searched for    Search filter formula in Directory Assistance document    Search filter used to search for the name
Alex M Davidson      (|(gn=%a)(sn=%z)(cn=%*)(mail=%l))    (|(gn=Alex)(sn=Davidson)(cn=Alex M Davidson)(mail=))
amd                  (EmpID=%*)             (EmpID=amd)
amd                  (EmpID=%z)             (EmpID=)
amd                  (mail=%*@acme.com)     (mail=amd@acme.com)
amd                  (mail=%*@*)            (mail=amd@*)
amd@acme.com         (mail=*@%d)            (mail=*@acme.com)
amd@acme.com         (mail=%*)              (mail=amd@acme.com)
amd@acme.com         (uid=%l)               (uid=amd)
blue                 (color=%*)             (color=blue)
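The parameter substitution described in the two tables above, as an added example that is not Domino code. It implements the name-part definitions and reproduces every row of the examples table, including the default Mail Filter. Two details are assumptions because the page does not state them: a name with no space or punctuation has an empty first and last name (consistent with (EmpID=%z) giving (EmpID=) for amd), and the local and domain parts are taken from the first @ in the name. Escaping of the substituted values is a hardening measure added here that the page does not describe: RFC 2254 requires *, (, ), \ and NUL inside a value to be escaped, so a looked-up name cannot alter the structure of the filter it is inserted into.

```python
"""Expand %a, %z, %*, %l and %d in a custom LDAP search filter.
Added illustration, not Domino code."""
import re
import string

# Characters that end a first name or begin a last name.
SEPARATORS = set(string.whitespace + string.punctuation)

# Default filters quoted on the page.
DEFAULT_MAIL_FILTER = "(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))"
DEFAULT_AUTHORIZATION_FILTER = (
    "(|(&(objectclass=groupOfUniqueNames)(UniqueMember=%*))"
    "(&(objectclass=groupOfNames)(Member=%*)))"
)

# RFC 2254 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def name_parts(name):
    """Map each parameter to the part of `name` it stands for."""
    seps = [i for i, ch in enumerate(name) if ch in SEPARATORS]
    if seps:
        first = name[:seps[0]]          # up to the first space or punctuation
        last = name[seps[-1] + 1:]      # after the last space or punctuation
    else:
        first = last = ""               # assumption: single-token name
    local, at, domain = name.partition("@")
    if not at:
        local = domain = ""             # not an RFC 822 address
    return {"%a": first, "%z": last, "%*": name, "%l": local, "%d": domain}


def expand_filter(template, name):
    """Substitute the escaped name parts into the filter template.

    Literal characters in the template, such as the '*' in (mail=%*@*),
    are left untouched; only the substituted values are escaped.
    """
    parts = name_parts(name)
    return re.sub(r"%[az*ld]",
                  lambda m: escape_filter_value(parts[m.group(0)]), template)


if __name__ == "__main__":
    # Rows from the examples table, plus a constructed name containing
    # filter metacharacters to show the escaping at work.
    for name, template in (
        ("Alex M Davidson", "(|(gn=%a)(sn=%z)(cn=%*)(mail=%l))"),
        ("amd", "(EmpID=%z)"),
        ("amd@acme.com", "(uid=%l)"),
        ("Alex M Davidson", DEFAULT_MAIL_FILTER),
        ("amd)(objectclass=*", "(uid=%*)"),
    ):
        print(name, "->", expand_filter(template, name))
```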

Configuring alias dereferencing in a Directory Assistance document for a remote LDAP directory
An alias entry in an LDAP directory is an entry that points to another
entry. Searching the entry an alias entry points to is known as
dereferencing an alias. Dereferencing aliases can cause poor search
performance for some LDAP directories. Select one of the following
options in the Dereference alias on search field in a Directory Assistance
document for an LDAP directory to control the extent to which alias
dereferencing occurs when searching the remote LDAP directory.
Never: Never dereference alias entries. If there are no alias entries in the LDAP directory that require dereferencing, choose this option to improve search performance.

Only for subordinate entries: Dereference alias entries subordinate to a specified search base, but do not dereference an alias search base entry.

Only for search base entries: Dereference an alias entry for a specified search base, but do not dereference alias entries subordinate to the search base.

Always: Always dereference aliases. This selection is the default, and the Release 5 behavior.

Example of alias dereferencing
Suppose an LDAP directory has these entries:
o=Acme1
o=Acme2 (alias entry that points to o=Acme1)
cn=John Doe, o=Acme1
cn=John Doe, o=Acme2 (alias entry that points to cn=John Doe, o=Acme1)


The following table describes which of these entries are returned for a
subtree search of o=Acme2 (o=Acme2 and subordinate entries) for each
Dereference alias on search option.

Option                          Entries returned
Never                           o=Acme2
                                cn=John Doe, o=Acme2
Only for subordinate entries    o=Acme2
                                cn=John Doe, o=Acme1
Only for search base entries    o=Acme1
                                cn=John Doe, o=Acme2
Always                          o=Acme1
                                cn=John Doe, o=Acme1
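The four options, as an added example that is not Domino or LDAP server code. DIRECTORY is the constructed directory from the example above; an alias entry maps to the entry it points to and a real entry maps to None. The model lists the search base and its immediate subordinates under the name given as the base, and dereferences each one independently according to the option, which reproduces the table of entries returned. It is a simplification for illustrating the options, not a general LDAP search, and it also refuses an alias loop, a defensive check the page does not mention.

```python
"""Model of the Dereference alias on search options.
Added illustration, not Domino code."""

# Constructed from the example: value is the alias target, or None for a
# real entry.
DIRECTORY = {
    "o=Acme1": None,
    "o=Acme2": "o=Acme1",
    "cn=John Doe, o=Acme1": None,
    "cn=John Doe, o=Acme2": "cn=John Doe, o=Acme1",
}

NEVER = "Never"
SUBORDINATE = "Only for subordinate entries"
SEARCH_BASE = "Only for search base entries"
ALWAYS = "Always"
OPTIONS = (NEVER, SUBORDINATE, SEARCH_BASE, ALWAYS)


def dereference(directory, dn):
    """Follow alias links until a non-alias entry is reached."""
    seen = set()
    while directory.get(dn) is not None:
        if dn in seen:
            raise ValueError("alias loop at " + dn)   # defensive check
        seen.add(dn)
        dn = directory[dn]
    return dn


def subtree_search(directory, base, option=ALWAYS):
    """Return the entries a subtree search of `base` yields.

    The base is dereferenced only for SEARCH_BASE and ALWAYS; the entries
    immediately subordinate to the base name are dereferenced only for
    SUBORDINATE and ALWAYS.
    """
    if option not in OPTIONS:
        raise ValueError("unknown option: " + option)
    if base not in directory:
        raise KeyError(base)
    deref_base = option in (SEARCH_BASE, ALWAYS)
    deref_subs = option in (SUBORDINATE, ALWAYS)
    results = [dereference(directory, base) if deref_base else base]
    for dn in directory:
        if dn != base and dn.endswith(", " + base):
            results.append(dereference(directory, dn) if deref_subs else dn)
    return results


if __name__ == "__main__":
    for option in OPTIONS:
        print(option, "->", subtree_search(DIRECTORY, "o=Acme2", option))
```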

Using Notes distinguished names in a remote LDAP directory
You can set up directory assistance for a remote LDAP directory so that a
Domino server:
- Uses a Notes distinguished name rather than an LDAP distinguished name for Internet client authentication
- Accepts the Notes distinguished name in database ACLs, and in groups used in database ACLs, for database access authorization.
This feature allows organizations that migrate users from a Domino
Directory to a remote LDAP directory to continue to use the original
Notes distinguished names for users. This feature is also useful as a way
to hide complex LDAP distinguished names from users.
To set up this feature, you add an attribute for storing Notes name values
to the user entries in the LDAP directory, and then add the Notes
distinguished names as values for the attributes. Then you specify the
attribute you use for the Notes names in a Directory Assistance
document for the LDAP directory.


Once you have set up this feature, clients can authenticate using either
their Notes distinguished names or their original LDAP distinguished
names. Database ACLs, Server document access control fields, access
control groups, and Web server File Protection documents can use only
the Notes distinguished names.

To set up the use of Notes distinguished names:
1. Add the Notes distinguished names to the LDAP directory:
a. In the remote LDAP directory, choose an attribute for storing the
values of the Notes names in the LDAP directory user entries.
The syntax for the attribute must be DN. You can create a new
attribute, or use an existing one already defined in the schema.
b. Add Notes names as values for the selected attribute to the
remote LDAP directory user entries.
Domino doesn't provide a tool to add the names; use a tool
that is available to you.
Use the LDAP format for the Notes name value. For example,
use cn=John Doe,o=Acme and not John Doe/Acme or cn=John
Doe/o=Acme.
You can use any distinguished name value, although a
distinguished name with multiple parts is recommended
because it provides better security.
2. Set up directory assistance to use the Notes distinguished names:
a. If you haven't created a Directory Assistance document for the
LDAP directory, create one.
b. On the LDAP tab of the Directory Assistance document, in the
Attribute to be used as Notes distinguished name field, add
the name of the attribute used in the LDAP directory to store the
Notes names.
c. On the Naming contexts (rules) tab of the Directory Assistance
document, make sure there are rules that are Trusted for
Credentials that match the Notes distinguished names and the
LDAP distinguished names. If you do not use an all-asterisk
trusted rule and the Notes and LDAP names use different name
hierarchies, configure a trusted rule to represent each hierarchy.
d. Save the Directory Assistance document.
3. Add the Notes distinguished names as necessary to database ACLs,
Server document access control fields, access control groups, and
Web server File Protection documents. Use the Notes format for the
name, for example John Doe/Acme or cn=John Doe/o=Acme and
not the LDAP format cn=John Doe,o=Acme.
Note: If you enable this feature and some user entries in the LDAP
directory do not have a value for the Notes distinguished name attribute,
then the users must specify their LDAP distinguished names to
authenticate, and Domino database ACLs and other access control lists
must use the LDAP distinguished names.

Example of using Notes distinguished names in a remote LDAP directory
Acme corporation uses the LDAP distinguished name
uid=675894,ou=boston,o=airius.com for a particular user in a remote
LDAP directory. For the same user Acme uses the name Jack
Johnson/Boston/Acme in Notes database ACLs and in groups used in
database ACLs. The Domino server uses directory assistance to look up
user credentials for client authentication in the remote LDAP directory.
An Acme administrator does the following to configure the use of the
Notes distinguished name for client authentication and for database
access control:
1. In the remote LDAP directory, the administrator adds an attribute
called notesname to the user entry for uid=675894,ou=boston,o=airius,
and gives the attribute the value cn=Jack
Johnson,ou=Boston,o=Acme.
2. On the LDAP tab of the Directory Assistance document for the LDAP
directory, the administrator adds the attribute notesname to the field
Attribute to be used as Notes distinguished name.
3. On the Naming contexts (rules) tab of the Directory Assistance
document, the administrator specifies an all-asterisk trusted rule.
The user can then use any of the following names as the client logon
name for authentication:
cn=Jack Johnson/ou=Boston/o=Acme
cn=Jack Johnson,ou=Boston,o=Acme
Jack Johnson/Boston/Acme
uid=675894,ou=boston,o=airius
675894
The Notes name Jack Johnson/Boston/Acme is used in database ACLs
and groups.
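As an added illustration (constructed here, not Domino's own code), the following Python models how each of the logon names listed above resolves to the one remote LDAP entry, and which name form is then compared against ACL entries, including the case from the Note above of a user whose entry has no notesname value. The second entry (uid 113355), the matching of a bare logon name by uid, and the simplified name parsing are assumptions of this example.

```python
"""Constructed illustration, not Domino's own code: how the logon names in
the Acme example resolve to one remote LDAP entry, and which name form is
then compared against database ACL entries."""
from typing import Dict, List, Optional, Tuple

Component = Tuple[str, str]  # (attribute type, value), e.g. ("ou", "Boston")

# Constructed sample entries standing in for the remote LDAP directory.
LDAP_ENTRIES: List[Dict[str, str]] = [
    {"dn": "uid=675894,ou=boston,o=airius", "uid": "675894",
     "notesname": "cn=Jack Johnson,ou=Boston,o=Acme"},
    # Entry without the notesname attribute (assumed): this user must log on
    # with the LDAP DN, and ACLs must list the LDAP DN.
    {"dn": "uid=113355,ou=boston,o=airius", "uid": "113355"},
]


def is_ldap_format(name: str) -> bool:
    """LDAP format separates typed components with commas; Notes uses slashes."""
    return "," in name and "/" not in name


def parse_name(name: str) -> List[Component]:
    """Split a name into typed components.

    Handles LDAP format (cn=A,ou=B,o=C), Notes canonical format
    (cn=A/ou=B/o=C), Notes abbreviated format (A/B/C) and a bare flat name.
    Escaped separators and the country component are not handled; that is a
    simplification of this example.
    """
    if "/" in name:
        parts = name.split("/")
    elif "," in name:
        parts = name.split(",")
    else:
        parts = [name]
    parts = [p.strip() for p in parts]
    if all("=" in p for p in parts):
        comps = []
        for p in parts:
            typ, val = p.split("=", 1)
            comps.append((typ.strip().lower(), val.strip()))
        return comps
    if len(parts) == 1:
        # Flat name such as "675894": modeled here as a uid lookup (assumption).
        return [("uid", parts[0])]
    # Abbreviated Notes format: first part is cn, last is o, the rest are ou.
    types = ["cn"] + ["ou"] * (len(parts) - 2) + ["o"]
    return list(zip(types, parts))


def _normalized(name: str) -> List[Component]:
    return [(t, v.lower()) for t, v in parse_name(name)]


def same_name(a: str, b: str) -> bool:
    """Name comparison is case-insensitive on types and values."""
    return _normalized(a) == _normalized(b)


def to_abbreviated(name: str) -> str:
    """cn=Jack Johnson,ou=Boston,o=Acme -> Jack Johnson/Boston/Acme"""
    return "/".join(v for _, v in parse_name(name))


def find_entry(logon_name: str) -> Optional[Dict[str, str]]:
    """Locate the entry a logon name refers to: by LDAP DN, by the Notes name
    stored in notesname, or by bare uid."""
    comps = parse_name(logon_name)
    for entry in LDAP_ENTRIES:
        if same_name(logon_name, entry["dn"]):
            return entry
        if "notesname" in entry and same_name(logon_name, entry["notesname"]):
            return entry
        if comps == [("uid", entry["uid"])]:
            return entry
    return None


def acl_name(logon_name: str) -> Optional[str]:
    """Name form compared against ACL entries for this logon: the Notes name
    from notesname when present, otherwise the LDAP DN."""
    entry = find_entry(logon_name)
    if entry is None:
        return None
    if "notesname" in entry:
        return to_abbreviated(entry["notesname"])
    return entry["dn"]


def acl_allows(logon_name: str, acl_entries: List[str]) -> bool:
    """True if an ACL entry names the resolved user. With a notesname the ACL
    entry must be in Notes format (abbreviated or canonical); the same name
    written in LDAP format does not match. Without a notesname, the LDAP DN
    itself must be listed."""
    entry = find_entry(logon_name)
    if entry is None:
        return False
    if "notesname" in entry:
        return any(not is_ldap_format(e) and same_name(e, entry["notesname"])
                   for e in acl_entries)
    return any(is_ldap_format(e) and same_name(e, entry["dn"])
               for e in acl_entries)
```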


Directory Services

Directory assistance examples
Example of directory assistance for one secondary Domino Directory
Example of directory assistance for an Extended Directory Catalog
Example of directory assistance for an Extended Directory Catalog and a remote LDAP directory

Example of directory assistance for one secondary Domino Directory
Company X uses two domains, Domain A and Domain B. Each domain
creates its own directory assistance database that has a Directory
Assistance document for the other domain's Domino Directory, so that
users from each domain can address mail easily to users in the other
domain, and so servers in each domain can search groups in the other
domain's directory when authorizing database access. If servers in both
domains instead used replicas of one directory assistance database that
included documents for both directories, they could enable only one of
the domain directories for group authorization.
Network connections between domains are slow, so the company creates
replicas of the Domain B directory on two Domain A servers for servers
in Domain A to use, and creates replicas of the Domain A directory on
two Domain B servers for servers in Domain B to use.
The following table shows the settings for the Domain B Directory
Assistance document in the directory assistance database that servers in
Domain A use. Domain B uses a similar document for the Domain A
directory in its directory assistance database.
Basics tab
Domain type: Notes
Domain name: Domain B
Company name: Company A
Search order: None
Make this domain available to: Selected for Notes Clients & Internet
Authentication/Authorization and LDAP Clients. Comment: Enables Domain A
servers to use the Domain B directory for all directory assistance
services.
Group Authorization: Yes. Comment: Allows Domain A servers to look up
groups in the Domain B directory when authorizing database access.
Enabled: Yes

Naming contexts (rules) tab
N.C.1: */ */ */ */ */ *; Enabled - Yes; Trusted for Credentials - Yes.
Comment: Enables Domain A servers to search all names in the directory.
Trusted for Credentials is selected to allow servers to authenticate all
Internet users registered in the directory.

Replicas tab
Replica1: Server Name: Server1/DomainA; Directory Filename:
DOMANAMES.NSF. Comment: More than one replica of the Domain A directory
is specified, indicating that the directory assistance method of failover
is used to find an available replica.
Replica2: Server Name: Server2/DomainA; Directory Filename:
DOMANAMES.NSF. Comment: Same comments as above.

Example of directory assistance for an Extended Directory Catalog

Company Y uses three domains, Domain A, Domain B, and Domain C.
Rather than setting up directory assistance to search each domain
Domino Directory individually, the company builds an Extended
Directory Catalog that aggregates all three domain directories. Using this
approach, Notes users can use one directory to browse for names
registered in any domain directory, servers can use one directory to look
up names from any domain, for example, when routing mail, and servers
can look up the members of groups aggregated from any of the three
directories when authorizing database access.
Administrators from each domain want local control of the directory
assistance database, so each domain creates and uses its own directory
assistance database.
The company creates replicas of the Extended Directory Catalog on two
servers in Domain A that are members of a cluster. Network connections
between domains are fast, so servers in Domains B and C use the replicas
of the directory catalog on the Domain A servers.
The following table shows the settings for the Directory Assistance
document for the Extended Directory Catalog that is in each domain's
directory assistance database.
Basics tab
Domain type: Notes
Domain name: EDC. Comment: Made-up name that does not correspond to an
actual domain name.
Company name: Company Y
Search order: None
Make this domain available to: Notes Clients & Internet
Authentication/Authorization; LDAP Clients. Comment: Allows servers to
use the Extended Directory Catalog for all directory assistance services.
Group Authorization: Yes. Comment: Allows servers to look up groups in
the Extended Directory Catalog when authorizing database access.
Enabled: Yes

Naming contexts (rules) tab
N.C.1: */ */ */ */ */ *; Enabled - Yes; Trusted for Credentials - Yes.
Comment: Allows servers to search all names in the Extended Directory
Catalog. Trusted for Credentials is selected to allow servers to
authenticate all Internet users with Person documents that are
aggregated in the directory catalog.

Replicas tab
Replica1: Server Name: Server1/DomainA; Directory Filename: EDC.NSF.
Comment: Server1/DomainA is a member of a cluster. Only one replica of
the Extended Directory Catalog in the cluster is specified so that
cluster failover is used to find an available replica.


Example of directory assistance for an Extended Directory Catalog and a remote LDAP directory
Company Z uses three domains, Domain A, Domain B, and Domain C.
The company builds an Extended Directory Catalog that aggregates all
three domain Domino Directories. Network connections between
domains are slow, so Company Z replicates the Extended Directory
Catalog to strategic servers in each domain. In Domain A, the directory
catalog is replicated to two servers that are members of a cluster.
Domino servers in Domain A register Internet users in a remote Active
Directory server which they use to authenticate the users. Domain A
creates its own directory assistance database because only Domain A
servers use the remote Active Directory.
The following tables show the settings in the Directory Assistance
documents for the Extended Directory Catalog and for the remote Active
Directory server in the directory assistance database that Domain A
servers use.
Directory Assistance document for the Extended Directory Catalog

Basics tab
Domain type: Notes
Domain name: EDC. Comment: Made-up name that does not correspond to an
actual domain name in Domino.
Company name: Company Z
Search order: (not shown). Comment: Causes Domain A servers to search
the Extended Directory Catalog before the remote Active Directory.
Make this domain available to: Notes Clients & Internet
Authentication/Authorization; LDAP Clients
Group Authorization: Yes. Comment: Allows servers to use groups from any
of the directories aggregated into the directory catalog for database
authorization.
Enabled: Yes

Naming contexts (rules) tab
N.C.1: */ */ */ */ */ *; Enabled - Yes; Trusted for Credentials - No.
Comment: Allows servers to search all entries in the directory. Trusted
for Credentials is set to No to prevent the Extended Directory Catalog
from being used for Internet client authentication, and to allow only the
remote Active Directory to be used for this purpose.

Replicas tab
Replica1: Server Name: Server1/DomainA; Directory Filename: EDC.NSF.
Comment: Server1/DomainA is a member of a cluster. Only one replica of
the Extended Directory Catalog in the cluster is specified so that
cluster failover is used to find an available replica.


Directory Assistance document for the remote LDAP Directory

Basics tab
Domain type: LDAP
Domain name: ActiveDir. Comment: Made-up name that does not correspond
to an actual domain name in Domino.
Company name: Company Z
Search order: (not shown). Comment: Causes Domain A servers to search
the remote Active Directory after the Extended Directory Catalog.
Make this domain available to: Notes Clients & Internet
Authentication/Authorization. Comment: Domain A does not want its LDAP
service to refer LDAP clients to the Active Directory, so it does not
select the LDAP Clients option.
Group Authorization: No. Comment: Since Domain A servers look up groups
used for database authorization in the Extended Directory Catalog, they
cannot use the remote Active Directory for this purpose too. All groups
used for database authorization are stored in the Domain A primary
Domino Directory and in the domain directories that are aggregated into
the Extended Directory Catalog.
Enabled: Yes

Naming contexts (rules) tab
N.C.1: */ */ */ */ */ *; Enabled - Yes; Trusted for Credentials - Yes.
Comment: The distinguished names of the users registered in the Active
Directory do not correspond to the Notes naming convention of
organizational unit (ou), organization (o), and country (c), so Company Z
must use an all-asterisk rule to represent the distinguished names of
these users. Trusted for Credentials is enabled for the naming context
(rule) so that Domain A can use the user entries in Active Directory for
Internet client authentication.

LDAP tab
Hostname: ldap1.companyz.com, ldap2.companyz.com. Comment: To provide
failover, two Active Directory servers are specified, each with replicas
of the directory and with the same LDAP configurations.
Optional Authentication Credential: Username: cn=john doe,
cn=recipients, dc=east, dc=acme, dc=com; Password: adminspass
Base DN for search: cn=recipients, dc=east, dc=acme, dc=com
Channel encryption: Yes. Comment: Since Domain A servers use the Active
Directory for client authentication, Company Z selects Channel Encryption
so that Domino servers can use a Secure Sockets Layer (SSL) certificate
to verify the Active Directory server's identity.
Port: 636. Comment: Necessary for SSL connections.
Accept expired SSL certificates: Yes
SSL protocol version: Negotiated
Verify server name with remote server's certificate: Yes
Timeout: 60
Maximum number of entries returned: 100
Dereference alias on search: Never. Comment: The Active Directory server
does not use alias dereferencing, so Company Z selects Never to improve
search performance.
Preferred mail format: Internet Mail Address
Attribute to be used as Notes Distinguished Name: notesname. Comment:
Company Z uses Notes-style distinguished names, rather than the original
LDAP names of the users in the Active Directory, for client
authentication and in Notes database ACLs. The specified attribute,
notesname, is defined in Active Directory as the attribute to store the
Notes name. Company Z uses its own tool to add Notes-style distinguished
names as values for the notesname attribute in user entries.
Type of search filter to use: Active Directory. Comment: Ensures that
the Domain A servers use LDAP search filters that are customized for
Active Directory searches.
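As an added model (constructed here, not Domino's implementation), this Python shows how the two Directory Assistance documents above decide which directory may authenticate an Internet client: the Extended Directory Catalog rule is enabled but not Trusted for Credentials, so only the Active Directory rule can supply credentials, and a dc= style DN is covered only by an all-asterisk rule, as the table comment explains. The six-slot rule matching (OrgUnit4 through OrgUnit1, Organization, Country), the search order values 1 and 2, and the sample names are assumptions.

```python
"""Constructed model, not Domino's implementation, of how the Directory
Assistance documents in the Company Z example select the directory used for
name searches and for Internet client authentication."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# A naming rule is modeled as six components, OrgUnit4/OrgUnit3/OrgUnit2/
# OrgUnit1/Organization/Country; "*" matches anything, including an empty
# slot (assumption of this model).
ALL_ASTERISK = ["*"] * 6


@dataclass
class Rule:
    pattern: List[str]
    enabled: bool = True
    trusted_for_credentials: bool = False


@dataclass
class DirectoryAssistanceDoc:
    domain_name: str
    search_order: int
    enabled: bool = True
    rules: List[Rule] = field(default_factory=list)


def components(name: str) -> List[Tuple[str, str]]:
    """Split 'cn=A,ou=B,o=C' or 'cn=A/ou=B/o=C' into (type, value) pairs.
    Only typed names are handled (an assumption of this model)."""
    sep = "/" if "/" in name else ","
    out = []
    for part in name.split(sep):
        typ, _, val = part.strip().partition("=")
        out.append((typ.strip().lower(), val.strip()))
    return out


def rule_matches(rule: Rule, name: str) -> bool:
    """Does this enabled rule represent the name's hierarchy?"""
    if not rule.enabled:
        return False
    if rule.pattern == ALL_ASTERISK:
        return True  # the all-asterisk rule represents every name
    hierarchy = [(t, v) for t, v in components(name) if t != "cn"]
    if any(t not in ("ou", "o", "c") for t, _ in hierarchy):
        # e.g. the dc= parts of an Active Directory DN: not a Notes-style
        # hierarchy, so no rule other than all-asterisk can represent it.
        return False
    ous = [v for t, v in hierarchy if t == "ou"]
    orgs = [v for t, v in hierarchy if t == "o"]
    countries = [v for t, v in hierarchy if t == "c"]
    if len(ous) > 4 or len(orgs) > 1 or len(countries) > 1:
        return False
    # Right-align the name into the six slots; the OU nearest the
    # organization is OrgUnit1.
    slots = ([""] * (4 - len(ous)) + ous
             + [orgs[0] if orgs else ""] + [countries[0] if countries else ""])
    return all(p == "*" or p.lower() == s.lower()
               for p, s in zip(rule.pattern, slots))


def search_directories(docs: List[DirectoryAssistanceDoc], name: str) -> List[str]:
    """Directories, in search order, that an enabled rule allows to be
    searched for the name (Trusted for Credentials is not required)."""
    return [d.domain_name for d in sorted(docs, key=lambda d: d.search_order)
            if d.enabled and any(rule_matches(r, name) for r in d.rules)]


def authentication_directory(docs: List[DirectoryAssistanceDoc],
                             name: str) -> Optional[str]:
    """First directory, in search order, whose matching rule is both enabled
    and Trusted for Credentials; None means no secondary directory may be
    used to authenticate the name."""
    for d in sorted(docs, key=lambda d: d.search_order):
        if d.enabled and any(r.trusted_for_credentials and rule_matches(r, name)
                             for r in d.rules):
            return d.domain_name
    return None


# The Company Z directory assistance database used by Domain A servers
# (search order values 1 and 2 assumed from the "before"/"after" comments).
COMPANY_Z = [
    DirectoryAssistanceDoc("EDC", 1, rules=[Rule(ALL_ASTERISK, True, False)]),
    DirectoryAssistanceDoc("ActiveDir", 2, rules=[Rule(ALL_ASTERISK, True, True)]),
]
```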


Monitoring directory assistance

To monitor directory assistance:
Use the Show Xdir command to display information about all the
directories a server uses for directory services.
View these directory assistance statistics, which a server begins
calculating at startup:
Statistic: Database.DAReloadCount. Description: Number of times directory
assistance reloaded because of changes to the directory assistance
database.
Statistic: Database.DARefreshServerInfoCount. Description: Number of times
directory assistance refreshed because of changes to Server documents in
the Domino Directory.
Statistic: Database.DAFailoverCount. Description: Number of times directory
assistance failed over to an available replica.


Chapter 24
Setting Up Directory Catalogs
This chapter describes how to set up and manage directory catalogs.

Directory catalogs
A directory catalog is an optional directory database that typically
contains information aggregated from multiple Domino Directories.
Clients and servers can use a directory catalog to look up mail addresses
and other information about the people, groups, mail-in databases, and
resources throughout an organization, regardless of the number of
Domino domains and Domino Directories the organization uses. A
directory catalog includes the type of information that is important for
directory services, and excludes other types of information that are part
of a Domino Directory, for example Domino configuration information,
such as information in Connection documents.
You use a directory catalog in conjunction with, rather than instead of,
the primary Domino Directory and the Personal Address Book. A server
searches its primary Domino Directory, and a Notes client searches its
Personal Address Book, before searching a directory catalog.
There are two types of directory catalogs: condensed Directory Catalogs
and Extended Directory Catalogs. Condensed Directory Catalogs use a
unique design based on the DIRCAT5.NTF template that enables them to
be extremely small. Condensed Directory Catalogs are designed for use
on Notes clients. A condensed Directory Catalog on a Notes client is also
known as a Mobile Directory Catalog.

Servers can use a directory catalog for mail addressing, for processing
LDAP service operations, to look up client authentication credentials,
and to look up the members of groups in database ACLs when
authorizing users' database access.

Extended Directory Catalogs use the same design as the Domino
Directory, which is based on the PUBNAMES.NTF template. They are larger
than condensed Directory Catalogs, but are the recommended directory
catalog for server use because they allow faster and more flexible
directory lookups.

Condensed Directory Catalogs

You create a condensed Directory Catalog from the Directory Catalog
template (DIRCAT5.NTF). Condensed Directory Catalogs are designed
to be small enough to fit on Notes clients. For example, several Domino
directories that together contain more than 350,000 users and total 3GB in
size, when aggregated in a condensed Directory Catalog, are likely to be
only about 50MB. In general, each user and group entry is slightly more
than 100 bytes. Condensed Directory Catalogs are designed primarily for
use on Notes clients.
To achieve its small size, a condensed Directory Catalog uses a unique
design that combines multiple documents from the Domino Directories
into single documents in the directory catalog, and that limits the number
of sorted views available for lookups.
Aggregate documents
One reason a condensed Directory Catalog is small is it combines many
entries from the source Domino Directories into single aggregate
documents. A single Directory Catalog aggregate document can contain
up to 250 source directory entries, although on average the maximum is
about 200. This means that a condensed Directory Catalog needs to use
only about 1000 aggregate documents to store information from 200,000
documents in the source Domino Directories.
Limited number of views
A condensed Directory Catalog is also small because it contains only a
few, small views. By contrast a Domino Directory and an Extended
Directory Catalog have multiple, typically large views.
$Users view: This is the one view used in a condensed Directory
Catalog for name lookups. When you configure the directory catalog
you choose how to sort this view, either by distinguished name, by
last name, or by alternate name. To find names that don't correspond
to the selected sort order, a full-text search is done of the directory
catalog rather than a view lookup.
You shouldn't open the aggregate documents in the $Users view
manually; these documents are not intended for viewing, and it can
take a considerable amount of time to format them for that purpose.
$Unid view: This view contains information needed by the Dircat
task to replicate the source directory entries into the directory
catalog. The $Unid view isn't created on replicas of the directory
catalog, which further reduces the directory catalog size.
$PeopleGroupsFlat view: This view displays directory names when
Notes users click the Address button to browse directories.
Configuration view: This view shows the Configuration document
that contains the directory catalog configuration settings.
Users view: This is a view that users can open and programs can
access to see the names included in the directory catalog. This view is
not stored on disk but is instead built as needed.
Design changes
In general, you should not change the database design of a condensed
Directory Catalog. One exception is changing the name of the Users
view; you can change the name of this view, as long as you keep the
original view name, Users, as an alias.
Application access
Notes applications can use these methods to access a condensed
Directory Catalog programmatically:
NAMELookup calls to the $Users view
NAMEGetAddressBooks calls, if you use the NOTES.INI setting
Name_Include_Ed=1.
NIFFindByKey, NIFReadEntries, and NIFOpenNote calls.* You can't
use NSFNoteOpen to open notes passed back from NIFReadEntries;
you must call NIFOpenNote instead.
LotusScript methods*
@NameLookup function
*Can access the Users view but not the $Users view.
In addition, LDAP applications can search a condensed Directory
Catalog used by a server that runs the LDAP service.

Benefits of condensed Directory Catalogs on clients (Mobile Directory Catalogs)

Condensed Directory Catalogs on Notes clients, also called Mobile
Directory Catalogs, are useful to organizations that use one or multiple
Domino Directories. Although Notes users' mail or directory servers can
do lookups in Domino Directories on behalf of Notes users, using
condensed Directory Catalogs on Notes clients instead offers these
benefits:

Notes users have access to one local, corporate-wide directory, even
when their clients are disconnected from the network.

When they address mail, users can press F9 to verify quickly the
address of anyone in the organization.

Users can flag mail for encryption when using clients that are
disconnected from the network. The clients look up the public key
and encrypt the mail when the users connect to the network and
send the mail.

Groups are included in a directory catalog by default, so users can
send mail to groups. However, to minimize the size of the directory
catalog, the members of the groups are not included by default, so
users' mail servers or directory servers must be able to look up the
members of the groups.

Type-ahead name resolution is instantaneous because type-ahead
searches the local directory catalog. Type-ahead searches never
extend to a server when there is a directory catalog configured
locally on the client.

Users can use the detailed search feature available for Local Address
Books to search the directory catalog. For example, if a user wants to
send mail to someone by the name of Robin at the Los Angeles
location but doesn't remember Robin's last name, the user can search
for First name "Robin" and Location "Los Angeles" to retrieve the
name from the directory catalog.

Users can use the Mail Address dialog box to open and scroll
through the names in the directory catalog.

Using Soundex, users can enter phonetic spellings to search for
names they don't know how to spell.

Network traffic is reduced because name resolution occurs locally on
the client, rather than on a server.

Directory catalogs on servers compared to directory assistance for individual Domino Directories
A server can do lookups directly in a secondary Domino Directory using
directory assistance, or can do lookups in a directory catalog that
aggregates information from the secondary Domino Directory. There are
several advantages to servers doing lookups in a directory catalog, rather
than in individual Domino Directories:

A server can look up information more quickly by searching one
directory database rather than multiple databases; the more
secondary directories you aggregate in a directory catalog, the
greater this advantage.

If there are multiple Person documents with the same name in one
directory or across directories, you can remove the duplicates from
the directory catalog. The Dircat task then aggregates the first Person
document with the name that is encountered, which avoids name
ambiguity problems, for example, the Router failing to deliver mail
because it finds more than one occurrence of a name.

A directory catalog excludes most or all Domino administration
information that is part of a Domino Directory that is not of interest
to users. You can also filter out other information in a Domino
Directory from a directory catalog. For example, an administrator
can exclude specific fields, or use a selection formula to exclude
documents that don't match specified criteria.

Notes users without local condensed Directory Catalogs can browse
one directory, rather than multiple, individual secondary Domino
Directories.

The advantage to doing lookups in individual secondary Domino
Directories is that there is no need to build, maintain, and replicate a
directory catalog. Instead you create and replicate only a small directory
assistance database.
Setting up servers to use directory catalogs is useful for organizations
that use multiple Domino Directories, for example, organizations with
multiple Domino domains.

Extended Directory Catalogs

Although you can set up servers to use a condensed Directory Catalog,
there are several advantages to using an Extended Directory Catalog
instead.
You can set up servers to use an Extended Directory Catalog. You create
an Extended Directory Catalog from the PUBNAMES.NTF template, the
same template used to create the Domino Directory. An Extended
Directory Catalog combines advantages of a Domino Directory and a
condensed Directory Catalog. It aggregates entries from multiple
Domino directories into a single directory database as does the
condensed Directory Catalog, but it retains the individual documents
and the multiple, sorted views available in the Domino Directory to
facilitate quick name lookups.
Multiple views
The Extended Directory Catalog uses the same design as the Domino
Directory, so it includes multiple views that sort names in different ways.
Regardless of the format of a name, there's a view in the Extended
Directory Catalog that a server can use to quickly find the name. A
condensed Directory Catalog has one view used for lookups, which you
choose how to sort when you configure it. To look up a name in a
condensed Directory Catalog that doesn't correspond to the selected sort
order, the server uses the full-text index to search for the name, which
takes longer than a view search.
Using an Extended Directory Catalog on servers that route mail is a
particular advantage, because a mail server can use views to quickly find
an address regardless of the address format. When a mail server uses a
condensed Directory Catalog, mail routing can back up if the Router uses
the full-text index to look up addresses, for example, some Internet
addresses, that dont correspond to the selected sort order.
When a Notes user with a condensed Directory Catalog on the client
sends mail to a group, if the client's directory catalog doesn't contain the
members of the group, there can be a delay while a server does a full-text
search of a condensed Directory Catalog to look up the members. Delays
when sending mail to groups are not an issue if mail servers use
Extended Directory Catalogs.
Ease of application access
Applications can access information in an Extended Directory Catalog as
easily as they can in a Domino Directory. Application access to a
condensed Directory Catalog however is restricted by the nature of the
aggregate documents and the number of views.
Multiple-view, enterprise directory
Users can open an Extended Directory Catalog and see an enterprise-wide
directory with multiple views that sort by entry type. In a condensed
Directory Catalog, there is only one view to display the different types of
entries.
Groups for database authorization
Servers can use groups in only one directory configured in a directory
assistance database, in addition to the primary Domino Directory for
authorizing database access. Using an Extended Directory Catalog for
this purpose, effectively allows servers to use groups in any secondary
Domino Directory aggregated in the directory catalog for database access
control.
Remote lookups
Servers use Directory Assistance to locate an Extended Directory
Catalog, so you need to replicate the Extended Directory Catalog only to
two or a few strategic servers to which the Directory Assistance database
then points. You can configure failover so that if one replica of the
directory catalog is unavailable, servers can use an alternate.
Each server that uses a condensed Directory Catalog requires a local
replica of the directory catalog, which makes its smaller size less of an
advantage overall.
Administrator control over rebuilds
Rebuilding a directory catalog removes all of the existing aggregated
information, and then re-aggregates the information from the source
Domino Directories. Since this process is time consuming, the Dircat task
only rebuilds an Extended Directory Catalog when an administrator
indicates. Changing almost any field in the configuration document for a
condensed Directory Catalog, by contrast, triggers the Dircat task to
rebuild the directory catalog automatically.
Extended ACL and LDAP access control settings
You can use an extended ACL to refine the overall database access to an
Extended Directory Catalog. For example, you can deny access to
sensitive fields, to entire documents associated with a particular part of a
name hierarchy, and so forth. An extended ACL on an Extended
Directory Catalog is independent of any Extended ACLs set on the
individual source Domino Directories.
You can also create a Configuration Settings document in an Extended
Directory Catalog and use access control settings on the LDAP tab of the
document to control anonymous LDAP search access to the directory
catalog.
These access control features are not available for a condensed Directory
Catalog.
Native documents
You can add documents manually to an Extended Directory Catalog, in
addition to aggregating documents through Dircat task processing. These
native documents that originate in the database are not affected by
Dircat task processing. You cannot add native documents to a condensed
Directory Catalog.

Full-text index advantages
An Extended Directory Catalog has multiple, sorted views, so in general
no full-text index is required for lookups, which helps minimize disk
space usage. A full-text index is required, however, if you want the
LDAP service to use an Extended Directory Catalog to process searches
that use search filters based on something other than names or mail
addresses. A full-text index is always required for a condensed Directory
Catalog.
If you choose to create a full-text index on an Extended Directory
Catalog, users can do full-text searches of it from the Notes client. Users
can't do full-text searches of a condensed Directory Catalog from the
Notes client.
One server using more than one
A server can use more than one Extended Directory Catalog, for example
one that aggregates directories that are trusted for Internet client
authentication, and another that aggregates directories that are not
trusted for client authentication.
A server can use one condensed Directory Catalog only.
Integration into a primary Domino Directory
Because an Extended Directory Catalog uses the same design as a
Domino Directory, you can build an Extended Directory Catalog directly
into the primary Domino Directory for a domain, so that one directory
contains the information for an entire enterprise.
Server documents
You can aggregate Server documents into an Extended Directory
Catalog, but not a condensed Directory Catalog.

Overview of directory catalog setup

To set up a directory catalog, you first create a directory catalog
database. You use the PUBNAMES.NTF template to create an Extended
Directory Catalog and the DIRCAT5.NTF template to create a condensed
Directory Catalog. In the directory catalog database you create a
configuration document in which you indicate which Domino Directories
(known as the source Domino Directories) to aggregate, which
information from them to aggregate, and other options.
For information on creating and completing a directory catalog
configuration document, see the next topic "Planning directory catalogs"
as well as the topics "Setting up a condensed Directory Catalog" and
"Setting up an Extended Directory Catalog" later in the chapter.
After you complete the configuration document, you run the Directory
Cataloger task (Dircat task) to build the directory catalog. A server that
runs the Dircat task is referred to as a Dircat server, and typically there is
one Dircat server dedicated to aggregating directory catalogs. The Dircat
task replicates information from the Domino Directories indicated in the
configuration document, and then combines (aggregates) the entries
into the directory catalog. After the directory catalog is built, you then
continue to run the Dircat task at regular intervals to keep the
information in the directory catalog current with the information in the
source Domino Directories. The Dircat task can build and maintain
multiple directory catalogs.
After the Dircat task has built a directory catalog, you set up clients
and/or servers to use the directory catalog. You can automate setting up
a condensed Directory Catalog on clients by using a Setup policy settings
document or a Desktop policy settings document. This process replicates
the directory catalog to the client, and adds the directory catalog file
name to the Local address books field in the User Preferences dialog for
mail.
To set up a server to use an Extended Directory Catalog, you set up the
server to use a directory assistance database, and then create a Directory
Assistance document in the database for the Extended Directory Catalog.
To set up a server to use a condensed Directory Catalog, you specify the
file name of the directory catalog in either the server's Server document,
or in the Domino Directory Profile.

Planning directory catalogs

When planning directory catalogs, consider the following issues:
• Directory catalogs and client authentication
• Directory catalogs and Notes mail encryption
• Picking the server(s) to run the Dircat task
• Specifying the Domino Directories for the Dircat task to aggregate
• Controlling which information is aggregated in a directory catalog
• Planning issues specific to Extended Directory Catalogs
• Planning issues specific to condensed Directory Catalogs
• Full-text indexing directory catalogs
• Multiple directory catalogs

Directory catalogs and client authentication


When an Internet client logs on to a server to authenticate, the server can
look up the client name in the directory catalog to find the client
credentials for authentication.

Setting Up Directory Catalogs 24-9

Directory Services

Using an Extended Directory Catalog for client authentication


To allow a server to use an Extended Directory Catalog to look up client
names for authentication, in the Directory Assistance document for the
Extended Directory Catalog, enable a rule that is trusted for credentials.
In addition, if you don't aggregate all fields from documents as
recommended, you must make sure to aggregate the fields required for
the authentication. For example, to use name-and-password security,
aggregate the HTTPPassword field from Person documents. Or to use
X.509 certificate security, aggregate the userCertificate field.
If you want servers to use some secondary Domino Directories for
Internet client authentication but not others, you can create one Extended
Directory Catalog that aggregates the Domino Directories to use for
authentication, and another that aggregates the other Domino
Directories. Then create a Directory Assistance document for each
Extended Directory Catalog, and enable a rule that is trusted for
credentials only in the one that aggregates the directories to be used for
authentication.
Using a condensed Directory Catalog for client authentication
To enable a server to look up authentication credentials for any user
name aggregated in a condensed Directory Catalog, select the option
"Trust the server based condensed directory catalog for authentication
with internet protocols" on the Basics tab of the server's Server document
in the Domino Directory.
To allow a server to look up credentials for user names from only one or
some of the source Domino Directories aggregated into a condensed
Directory Catalog, do not select the above option. Instead, create a
directory assistance database on the server. In the database, create a
Directory Assistance document for each aggregated Domino Directory
you want to use for authentication. In each Directory Assistance
document, enable a rule that is trusted for credentials.
If you use name-and-password security for Internet client authentication,
you can store the passwords in the condensed Directory Catalog. To do
this, aggregate the HTTPPassword field from Person documents. In this
case, a server looks up the passwords in the directory catalog, and
doesn't require directory assistance to look them up in the source
Domino Directories.
If you use X.509 certificates for client authentication, storing the
certificates in a condensed Directory Catalog isn't recommended due to
their size. Instead, set up directory assistance to look up the certificates
directly in the source Domino Directories. Similarly, servers can use
directory assistance to look up passwords in the source Domino
Directories, rather than aggregating the passwords into the directory
catalog, as a way to keep the condensed Directory Catalog small.
When you don't store passwords and X.509 certificates in a directory
catalog, using the directory catalog and directory assistance in
conjunction is quicker than using directory assistance alone, because only
one database, the directory catalog, needs to be used to find a name.
For more information on using directory assistance in conjunction with a
directory catalog for client authentication, see the chapter "Setting Up
Directory Assistance."
Directory catalogs and Notes client authentication
By default, when a Notes client logs on to a server, the server does not
look up information in Domino Directory Person documents during the
client authentication process. However, if the option "Compare Notes
public keys against those stored in Directory" is enabled in the server's
Server document, then the server must be able to look up public key
information in Person documents to authenticate Notes clients. If there
are Notes users who use a server with this option enabled who are not
registered in the server's primary Domino Directory, the server can use a
directory catalog that it trusts for credentials to look up names to do the
public key comparison.

Scenarios for using directory catalogs for client authentication

The following table describes various ways to configure directory
catalogs on servers to support client authentication, depending on the
type of directory catalog you are using and the extent to which you want
servers to trust the aggregated Domino Directories for authentication.
The scenarios assume the following:
• S1, S2, S3, and S4 are the names of the servers in a domain
• A, B, C, and D are the names of the Domino Directories for each of
  the organization's four domains.
• Each name in A, B, C, and D is part of one of the following
  namespaces: west/acme, east/acme, north/acme, south/acme.
  Namespaces overlap across A, B, C, and D.
• DA = Directory Assistance
• EDC = Extended Directory Catalog
• CDC = Condensed Directory Catalog on server

Authentication goal: S1, S2, S3, S4 trust all names in A, B, C, D for
authentication.
  How to accomplish with Extended Directory Catalog(s): Aggregate A, B,
  C, and D into one EDC. Create one DA database used by all servers.
  Create one DA document for the EDC with the */*/*/*/*/* naming rule
  enabled and trusted for credentials.
  How to accomplish with condensed Directory Catalog(s): Aggregate A, B,
  C, and D into one CDC used by all servers. In the Server documents for
  each server, enable the option "Trust the server based condensed
  directory catalog for authentication with internet protocols."

Authentication goal: S1, S2, S3, S4 trust no names in A, B, C, D for
authentication.
  How to accomplish with Extended Directory Catalog(s): Same as above
  except do not enable a rule that is trusted for credentials in the DA
  document for the EDC.
  How to accomplish with condensed Directory Catalog(s): Same as above
  except do not enable "Trust the server based condensed directory
  catalog for authentication with internet protocols" in the Server
  documents.

Authentication goal: S1, S2, S3, S4 trust all names in A and B for
authentication, but no names in C and D.
  How to accomplish with Extended Directory Catalog(s): Aggregate A and
  B into EDC1, and aggregate C and D into EDC2. Create one DA database
  used by all servers. Create a DA document for EDC1 with the
  */*/*/*/*/* naming rule enabled and trusted for credentials. Create a
  DA document for EDC2 with the */*/*/*/*/* naming rule enabled but
  not trusted for credentials.
  How to accomplish with condensed Directory Catalog(s): Aggregate A, B,
  C, and D into one CDC used by all servers. Do not enable the option
  "Trust the server based condensed directory catalog for authentication
  with internet protocols" in the Server documents. Create one DA
  database used by all the servers. Create separate DA documents for A,
  B, C, and D. In the DA documents for A and B, enable the rule
  */*/*/*/*/* and trust the rule for credentials. In the DA documents for
  C and D, do not trust any rule for credentials.

Authentication goal: S1, S2, S3, S4 trust only names ending in west/acme
or east/acme, regardless of which Domino Directory contains the name.
  How to accomplish with Extended Directory Catalog(s): Aggregate A, B,
  C, and D into one EDC. Create one DA database used by all servers and
  create one DA document for the EDC. In the DA document, create the
  rule */*/*/west/acme/* and the rule */*/*/east/acme/* and enable
  trusted for credentials for both rules. Do not trust any other naming
  rule for credentials.
  How to accomplish with condensed Directory Catalog(s): Aggregate A, B,
  C, and D into one CDC used by all servers. Do not enable the option
  "Trust the server based condensed directory catalog for authentication
  with internet protocols" in the Server documents. Create one DA
  database used by all the servers. Create separate DA documents for A,
  B, C, and D. In each DA document, create the rule */*/*/west/acme/*
  and the rule */*/*/east/acme/* and enable trusted for credentials for
  both rules. Do not trust any other naming rule in any of the DA
  documents for credentials.

Authentication goal: S1 & S2 trust and use only names in A and B.
S3 & S4 trust and use only names in C and D.
  How to accomplish with Extended Directory Catalog(s): Aggregate A and
  B into EDC1. Create a DA database, DA1, and in it create a DA
  document for EDC1 with the */*/*/*/*/* naming rule enabled and
  trusted for credentials. Set up S1 and S2 to use DA1. Aggregate C and
  D into EDC2. Create another DA database, DA2, and in it create a DA
  document for EDC2 with the */*/*/*/*/* naming rule enabled and
  trusted for credentials. Set up S3 and S4 to use DA2.
  How to accomplish with condensed Directory Catalog(s): Aggregate A and
  B into CDC1 and set up S1 and S2 to use CDC1. Enable the option
  "Trust the server based condensed directory catalog for authentication
  with internet protocols" in the S1 and S2 Server documents. Aggregate
  C and D into CDC2 and set up S3 and S4 to use CDC2. Enable the option
  "Trust the server based condensed directory catalog for authentication
  with internet protocols" in the S3 and S4 Server documents.

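As an added example that is not part of the Domino documentation, the following Python models the fourth scenario above: a directory assistance lookup that trusts only names matching the rules */*/*/west/acme/* and */*/*/east/acme/*, while a catch-all rule allows lookups without trust. It assumes that a rule's six components are OU4/OU3/OU2/OU1/O/C, that names are given in Notes canonical form (CN=.../OU=.../O=.../C=...), that matching is case-insensitive, and that a name is trusted when any matching rule in its DA document is trusted; the DA documents and registered names are constructed.

```python
"""Model of Directory Assistance naming rules and the "trusted for credentials"
decision (added example, not Domino code; see the assumptions in the lead-in)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumption: the six slash-separated components of a DA naming rule are
# OU4/OU3/OU2/OU1/O/C, so */*/*/west/acme/* means OU1=west, O=acme, anything else.
RULE_SLOTS = ("OU4", "OU3", "OU2", "OU1", "O", "C")


@dataclass
class NamingRule:
    pattern: str    # e.g. "*/*/*/west/acme/*" (an enabled rule)
    trusted: bool   # the rule's "trusted for credentials" setting


@dataclass
class DADocument:
    directory: str                                   # aggregated Domino Directory it covers
    rules: List[NamingRule]
    members: Set[str] = field(default_factory=set)   # constructed: names registered there


def parse_canonical(name: str) -> dict:
    """Split CN=Bob/OU=sales/OU=west/O=acme into rule slots; OU1 is the OU nearest O."""
    slots = {slot: "" for slot in RULE_SLOTS}
    ous = []
    for part in name.split("/"):
        key, _, value = part.partition("=")
        key, value = key.strip().upper(), value.strip().lower()
        if key == "OU":
            ous.append(value)
        elif key in ("O", "C"):
            slots[key] = value
        elif key != "CN":
            raise ValueError(f"unexpected name component {part!r}")
    if len(ous) > 4:
        raise ValueError("a Notes name has at most four OU components")
    for level, ou in enumerate(reversed(ous), start=1):
        slots[f"OU{level}"] = ou
    return slots


def rule_matches(pattern: str, name: str) -> bool:
    """True if every rule component is * or equals the name's component
    (case-insensitive). A component missing from the name matches only *."""
    parts = pattern.split("/")
    if len(parts) != len(RULE_SLOTS):
        raise ValueError(f"a naming rule needs six components: {pattern!r}")
    slots = parse_canonical(name)
    return all(want == "*" or want.lower() == slots[slot]
               for slot, want in zip(RULE_SLOTS, parts))


def lookup(da_docs: List[DADocument], name: str) -> Tuple[Optional[str], bool]:
    """Return (directory the name was found in, trusted_for_credentials).

    A directory is searched only if one of its enabled rules matches the name.
    Assumption: the name is trusted when any matching rule is trusted. A name found
    only through untrusted rules can be looked up (e.g. for mail addressing) but must
    not have its HTTPPassword or userCertificate used for authentication."""
    for doc in da_docs:
        matching = [r for r in doc.rules if rule_matches(r.pattern, name)]
        if matching and name.lower() in {m.lower() for m in doc.members}:
            return doc.directory, any(r.trusted for r in matching)
    return None, False


def scenario_four() -> List[DADocument]:
    """Constructed DA database for the table's fourth goal: each of A, B, C, D gets
    the two trusted rules plus the catch-all rule enabled but NOT trusted."""
    rules = [NamingRule("*/*/*/west/acme/*", True),
             NamingRule("*/*/*/east/acme/*", True),
             NamingRule("*/*/*/*/*/*", False)]
    return [
        DADocument("A", list(rules), {"CN=Jane Doe/OU=west/O=acme",
                                      "CN=Ravi/OU=north/O=acme"}),
        DADocument("B", list(rules), {"CN=Bob/OU=sales/OU=west/O=acme"}),
        DADocument("C", list(rules), {"CN=Lee/OU=east/O=acme"}),
        DADocument("D", list(rules), {"CN=Eve/OU=south/O=acme"}),
    ]


if __name__ == "__main__":
    for who in ("CN=Jane Doe/OU=west/O=acme", "CN=Ravi/OU=north/O=acme",
                "CN=Nobody/OU=west/O=acme"):
        print(who, "->", lookup(scenario_four(), who))
```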

Directory catalogs and Notes mail encryption


When Notes users send encrypted mail to users registered in secondary
Domino Directories, servers can use an Extended Directory Catalog to
look up the public keys of the recipients to encrypt the mail. Even off-line
Notes users with condensed Directory Catalogs can flag mail for
encryption; then when they reconnect to the network to send the mail,
the clients look up the public keys in the Extended Directory Catalog.
Storing public keys in a condensed Directory Catalog isn't recommended
because it greatly increases its size. Instead, set up directory assistance
for the aggregated Domino Directories so servers can look up the public
keys in them.
Servers do not have to trust a directory catalog or a Domino Directory for
credentials to use the directory to look up public keys for mail
encryption.

Picking the server(s) to run the Dircat task

The Dircat task (Directory Cataloger) is the server task that initially
aggregates information from source Domino Directories into a directory
catalog, and then continues to run at scheduled intervals to update the
directory catalog to reflect changes to the source Domino Directories, or
to the directory catalog configuration. The Dircat task aggregates both
condensed Directory Catalogs and Extended Directory Catalogs.
A server that runs the Dircat task (a Dircat server) should:
• Have enough disk space to store local replicas of the source Domino
  Directories that are aggregated, if you choose to store the directories
  locally on the server, rather than have the server access them over
  the network.
• Have enough disk space to store the resulting aggregated directory
  catalog(s) and full-text indexes. Only condensed Directory Catalogs
  have full-text indexes by default.
• Be able to replicate the directory catalog(s) it aggregates to any
  servers and clients that will use them.
Typically it's best to run the Dircat task to build and maintain a directory
catalog on a server in one domain, and then replicate the directory
catalog to servers throughout an organization that need to use the
directory catalog. Using this approach, rather than having each domain
build and maintain its own version of the directory catalog, is beneficial
because only one server then does the CPU-intensive Dircat processing of
the directory catalog. Aggregate the primary Domino Directory of the
domain in which you build the directory catalog so that servers in other
domains can use the directory catalog to look up information from the
directory.
The Dircat task on one server can process more than one directory
catalog. The Dircat task is single-threaded so it processes directory
catalogs sequentially rather than simultaneously. Because Dircat is a
CPU-intensive task, it's often beneficial to dedicate one server solely to
Dircat processing.

Allowing only one server to aggregate a directory catalog

You can run the Dircat task on more than one server, with each server
aggregating separate directory catalogs. Dircat tasks running on separate
servers should never aggregate the same directory catalog, however,
because doing so causes replication conflicts in the directory catalog.
When you configure a directory catalog, choose the option "Restrict
aggregation to server" in the configuration document for the directory
catalog to specify the name of the one server that can aggregate that
directory catalog. If you complete this field, when someone tries to run
the Dircat task against a replica of the directory catalog on a server not
specified in the configuration document, the server aborts the Dircat task
and returns the message "Aggregation of this catalog can only be done
by servername."

Specifying the Domino Directories for the Dircat task to aggregate

The "Directories to include" field in a directory catalog configuration
document is the field you use to indicate which source Domino
Directories the Dircat task aggregates. The Dircat task runs on the
replicas of the directories specified in the order in which you list them in
the "Directories to include" field. Use commas to separate source
directory file names.

If you enable the option "Remove duplicate users," if a user's
distinguished name is found in more than one Person document, the
Dircat task aggregates information from only the first Person document
with the name the Dircat task encounters, according to the order in
which the source directories are listed in the "Directories to include"
field.
As the following table shows, you can store a source Domino Directory
locally on a Dircat server, or on a remote server that the Dircat server
accesses over the network. It's best to store the source directory replicas
locally for high availability and quick access. If you store replicas of the
source directories locally, make sure to keep them up-to-date by
regularly replicating with the replicas on the remote servers.
If a Dircat server accesses the source Domino Directories over the
network, it must have certifiers in common with the servers that store the
remote directories, or must be cross-certified with those servers.
Location of source Domino Directory | Enter
Locally | The file name, for example, EASTNAMES.NSF
Locally in a linked directory | The file name, preceded by the linked directory, for example, DIRECTORIES\EASTNAMES.NSF
Over the network on a mapped drive | The file name and path, for example, U:\DIRSERVER\NAMES.NSF
Over the network through Domino | The file name in this syntax:
  portname!!!servername!!filename
  where:
  portname is the name you gave to the port
  servername is the hierarchical name of the server that stores the directory
  filename is the file name for the directory on the server
  For example: TCPIP!!!DIRSERV/EAST/ACME!!NAMES.NSF
  If you don't care which port is used, omit the port, for example:
  DIRSERV/EAST/ACME!!NAMES.NSF
  Note The server running the Dircat task must have a certifier in common
  with the remote server, or be cross-certified with that server.
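As an added example (not Domino's own code), the following Python parses and classifies entries of the "Directories to include" field using the four syntaxes in the table above, and lists the remote servers named in network entries. It checks syntax only: the certifier-in-common or cross-certification requirement for those servers has to be verified separately. The field values in the comments are constructed.

```python
"""Parser for entries in the "Directories to include" field of a directory
catalog configuration document (added example, not Domino code). It only
classifies the syntax shown in the table above; it cannot check that the
Dircat server shares a certifier with, or is cross-certified with, the
remote server named in a network entry."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SourceDirectory:
    kind: str                     # "local", "linked", "mapped" or "network"
    filename: str                 # file name (with path for linked/mapped entries)
    server: Optional[str] = None  # hierarchical server name, network entries only
    port: Optional[str] = None    # Notes port name; None means any port may be used


_MAPPED_DRIVE = re.compile(r"^[A-Za-z]:\\")


def parse_entry(entry: str) -> SourceDirectory:
    """Classify one comma-separated entry; raises ValueError on malformed syntax."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry in Directories to include")
    if "!!" in entry:
        # Over the network through Domino: [portname!!!]servername!!filename
        port = None
        if "!!!" in entry:
            port, _, entry = entry.partition("!!!")
            if not port:
                raise ValueError("port name before '!!!' is empty")
        server, sep, filename = entry.partition("!!")
        if not sep or not server or not filename or "!" in server or "!" in filename:
            raise ValueError(f"network entry must be [port!!!]server!!filename: {entry!r}")
        return SourceDirectory("network", filename, server=server, port=port)
    if _MAPPED_DRIVE.match(entry):
        return SourceDirectory("mapped", entry)      # e.g. U:\DIRSERVER\NAMES.NSF
    if "\\" in entry or "/" in entry:
        return SourceDirectory("linked", entry)      # e.g. DIRECTORIES\EASTNAMES.NSF
    return SourceDirectory("local", entry)           # e.g. EASTNAMES.NSF


def is_valid_entry(entry: str) -> bool:
    """True if parse_entry accepts the entry."""
    try:
        parse_entry(entry)
    except ValueError:
        return False
    return True


def parse_directories_to_include(value: str) -> List[SourceDirectory]:
    """Parse the whole field, preserving order: the Dircat task processes the
    directories in the order listed, which also decides which Person document
    wins when "Remove duplicate users" is enabled."""
    return [parse_entry(e) for e in value.split(",") if e.strip()]


def remote_servers(value: str) -> List[str]:
    """Servers the Dircat server must be able to authenticate with (common
    certifier or cross-certification) for the network entries in the field."""
    return sorted({d.server for d in parse_directories_to_include(value)
                   if d.kind == "network"})


if __name__ == "__main__":
    # Constructed field value mixing a local replica and two network sources.
    sample = "EASTNAMES.NSF, TCPIP!!!DIRSERV/EAST/ACME!!NAMES.NSF, DIRSERV/WEST/ACME!!NAMES.NSF"
    for src in parse_directories_to_include(sample):
        print(src)
    print("needs certifier/cross-cert with:", remote_servers(sample))
```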

Controlling which information is aggregated into a directory catalog

Read these topics to learn about controlling which information the Dircat
task aggregates into a directory catalog:
• Types of documents the Dircat task can aggregate
• Removing duplicate user entries
• Choosing the types of groups to aggregate
• Using a selection formula
• Choosing the fields to aggregate


Types of documents the Dircat task can aggregate

The Dircat task can aggregate information only from the following
Domino Directory documents:
Document type | Aggregated by default? | Option(s) in configuration document that affect aggregation of the document
Person | Yes | Additional fields to include; Remove duplicate users; Selection Formula
Group | Yes (Mail and Multi-purpose types only, by default) | Additional fields to include; Group types; Selection Formula
Mail-in Database | Yes | Additional fields to include; Include Mail-in Databases; Selection Formula
Resource* | Yes | Additional fields to include; Selection Formula
Server (Extended Directory Catalog only) | No | Additional fields to include; Include Servers; Selection Formula
Custom documents you've added to a Domino Directory | No | Additional fields to include; Selection Formula
*Users can't use a condensed Directory Catalog to reserve resources, only to
view them.
Note The Dircat task does not aggregate documents that contain
Readers lists by default. Use the NOTES.INI setting
Dircat_Include_Readerslist_Notes to aggregate documents that contain
Readers lists.


Removing duplicate user entries from a directory catalog

If there are multiple Person documents with the same distinguished
name in the source Domino Directories that are aggregated into a
directory catalog, the "Remove duplicate users" field in a directory
catalog configuration document controls whether to aggregate
information from all of the Person documents, or just the first one the
Dircat task encounters. Choose one:
• Yes (default) to aggregate information from only the first Person
  document encountered by the Dircat task, according to the order in
  which you list the directories in the "Directories to include" field in
  the directory catalog configuration document.
• No to aggregate information from multiple Person documents with
  the same name.

If there are occurrences of more than one Person document with the
same distinguished name, and the multiple documents really represent
one user, keep "Remove duplicate users" selected so that:
• Notes users aren't required to choose between duplicate entries in
  the Ambiguous Name dialog box when they resolve the mail
  address for the name.
• The Router doesn't encounter duplicate names that prevent it from
  delivering mail.
The "Remove duplicate users" field does not apply to Group documents.
To distinguish between different groups with the same name in multiple
directories, the Dircat task uses the "Domain defined by this Domino
Directory" field in the Directory Profile of the source Domino Directories
to append the domain to all group names.
Removing duplicate user entries from an Extended Directory
Catalog to improve Dircat performance
You can reduce the time it takes the Dircat task to run on an Extended
Directory Catalog by selecting "No" for "Remove duplicate users" to retain
all entries with duplicate names. Doing so keeps the Dircat task from
building a particular view required for the removal of entries with
duplicate names. Retaining entries with duplicate names does not result
in a similar performance gain for a condensed Directory Catalog.
Deleting Person documents from the source Domino Directories
when "Remove duplicate users" is selected
If you choose the "Remove duplicate users" option, and later remove a
Person document from a source Domino Directory that is the one
aggregated into the directory catalog, the Dircat task removes the
corresponding user entry from the directory catalog the next time it runs,
so the name is no longer found in the directory catalog.
To cause the Dircat task to add the user entry back into the directory
catalog, make a minor change to a remaining Person document in one of
the source Domino Directories for the user. The next time Dircat runs, it
then aggregates information from the remaining Person document into
the directory catalog. You can also correct the problem by clicking the
"Clear History" button in the directory catalog configuration document,
although this approach isn't recommended because it causes a rebuild of
the entire directory catalog.
For example, if Source Directory A and Source Directory B both contain a
Person document with the name Phyllis Spera/Acme, if "Remove
duplicate users" is enabled and Directory A is listed first in the
"Directories to include" field, when the Dircat task runs, it includes only
the entry from Directory A. If someone then removes the Person
document from Directory A, the name Phyllis Spera/Acme is removed
from the directory catalog the next time Dircat runs. To add the name
back, make a small change to the remaining Person document in
Directory B, so the Dircat task adds the name back to the directory
catalog the next time it runs.
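To make the behaviour above concrete, here is an added Python model (not Dircat's code) of incremental aggregation with "Remove duplicate users": the task revisits only documents that changed since its last run, which is why the surviving document in Directory B is not picked up again until it is modified or the history is cleared. The two directories and the Phyllis Spera/Acme Person documents are constructed; the version counter stands in for a document's last-modified stamp.

```python
"""Model of incremental Dircat aggregation with "Remove duplicate users"
(added example, not Dircat's code). It reproduces the documented behaviour:
only documents changed since the last run are revisited, so when the
first-listed directory's Person document is deleted, the duplicate in a
later directory is not re-aggregated until it is modified or the history is
cleared. Directories and Person documents below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class PersonDoc:
    name: str         # distinguished name, e.g. "Phyllis Spera/Acme"
    version: int = 1  # constructed stand-in for the document's last-modified stamp


class DircatModel:
    def __init__(self, directories: List[Tuple[str, Dict[str, PersonDoc]]],
                 remove_duplicates: bool = True):
        # directories are (name, {distinguished name: PersonDoc}) in the order
        # listed in the "Directories to include" field
        self.directories = directories
        self.remove_duplicates = remove_duplicates
        self.catalog: Dict[str, List[Tuple[str, int]]] = {}  # name -> [(dir, version)]
        self.history: Dict[Tuple[str, str], int] = {}        # (dir, name) -> version seen

    def clear_history(self) -> None:
        """The "Clear History" button: forget everything and rebuild on the next run."""
        self.catalog.clear()
        self.history.clear()

    def run(self) -> Dict[str, List[str]]:
        """One Dircat run; returns {name: [source directories now in the catalog]}."""
        for dirname, docs in self.directories:
            # Deleted documents: drop the catalog entry that came from this directory.
            for hist_dir, name in [k for k in self.history if k[0] == dirname]:
                if name not in docs:
                    del self.history[(hist_dir, name)]
                    remaining = [e for e in self.catalog.get(name, []) if e[0] != dirname]
                    if remaining:
                        self.catalog[name] = remaining
                    else:
                        self.catalog.pop(name, None)
            # New or modified documents only: unchanged ones are not revisited.
            for name, doc in docs.items():
                if self.history.get((dirname, name)) == doc.version:
                    continue
                self.history[(dirname, name)] = doc.version
                entries = [e for e in self.catalog.get(name, []) if e[0] != dirname]
                if self.remove_duplicates and entries:
                    # an earlier-encountered document already supplies this name
                    self.catalog[name] = entries
                    continue
                entries.append((dirname, doc.version))
                self.catalog[name] = entries
        return {name: [d for d, _ in entries] for name, entries in self.catalog.items()}


def phyllis_scenario(remove_duplicates: bool = True):
    """Constructed: Directory A and Directory B both hold a Person document for
    Phyllis Spera/Acme, with A listed first."""
    a = {"Phyllis Spera/Acme": PersonDoc("Phyllis Spera/Acme")}
    b = {"Phyllis Spera/Acme": PersonDoc("Phyllis Spera/Acme")}
    return DircatModel([("A", a), ("B", b)], remove_duplicates), a, b


if __name__ == "__main__":
    dircat, dir_a, dir_b = phyllis_scenario()
    print("initial run:", dircat.run())             # only A's entry is aggregated
    del dir_a["Phyllis Spera/Acme"]
    print("after deleting from A:", dircat.run())   # name vanishes although B has it
    dir_b["Phyllis Spera/Acme"].version += 1         # the "minor change" the page suggests
    print("after touching B's document:", dircat.run())
```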

Choosing the types of groups to aggregate in a directory catalog

The "Group types" directory catalog configuration option controls which
types of groups the Dircat task aggregates. Choose one of the following:
• Mail and Multi-purpose (default) to aggregate only these two
  types of groups from all of the directories listed in the "Directories to
  include" field.
• Mail Only to aggregate only Mail only groups from all of the
  directories listed in the "Directories to include" field.
• All to aggregate all types of groups from all the directories listed in
  the "Directories to include" field.
• All in first directory only to aggregate all types of groups, but only
  those from the first directory listed in the "Directories to include"
  field.
• None to exclude all groups.
If your organization uses a Notes application to look up the members of
"Access Control List only," "Servers only," or "Deny List Only" groups
in an Extended Directory Catalog or a condensed Directory Catalog used
by servers, choose "All" or "All in first directory only" to add these types
of groups to the directory catalog.


If the directory catalog you are configuring is an Extended Directory
Catalog servers use to look up groups to authorize users' database
access, and these groups in the source Domino Directories are defined as
"ACL only" groups, choose "All" or "All in first directory only" to
ensure the groups are aggregated.
LocalDomainServers and OtherDomainServers groups
The Dircat task doesn't aggregate the LocalDomainServers and
OtherDomainServers groups into a directory catalog because the servers
listed in these groups can't be used for mail addressing, and because
excluding them improves performance of the Dircat task.
All groups aggregated as Multi-purpose groups, by default
By default, all groups aggregated into a directory catalog are assigned
the type "Multi-purpose." For example, by default, a "Mail only" group
in a Domino Directory becomes a "Multi-purpose" group in the directory
catalog. To keep the correct group type definition for groups in a
directory catalog, add the GroupType field to the directory catalog
configuration.
For more information, see "Choosing which fields to aggregate in a
directory catalog."

Using a selection formula in a directory catalog configuration
document

Use the "Selection Formula" field in a directory catalog configuration
document to aggregate only documents defined by a selection formula.
For example, to aggregate only Person documents with a value of
Atlanta in the Location field, aggregate all Group documents, and
exclude all other documents, use the following selection formula:
SELECT (Form = "Person" & Location = "Atlanta") | (Form = "Group")
Or to aggregate only Person documents for people assigned to a specific
mail server, use a selection formula such as:
SELECT (Form = "Person" & MailServer = "MailServer1")
The "Selection Formula" field replaces the replication setting "Receive
only a subset of the documents - Documents that meet a selection
formula" used in other databases. Keep in mind that a selection formula
applies to all the aggregated directories, so the formula should be valid
for all of them. Note that you can't use a selection formula to aggregate
documents that are never aggregated into a directory catalog. For
example, you can't use a selection formula to aggregate Server
Configuration documents or Server Connection documents.

For more information on selection formulas, see Domino Designer 6
Help.
How a selection formula interacts with the Group types option
The "Group types" field in a directory catalog configuration document
controls the types of groups that the Dircat task aggregates into a
directory catalog. If you use a selection formula and you want to
aggregate groups, you must select the groups as part of the selection
formula as well as use the "Group types" field to indicate which types of
groups to aggregate. For example, to aggregate only Person documents
with a Location of Atlanta, and only Mail and Multipurpose groups:
• Use this selection formula: SELECT (Form = "Person" & Location =
  "Atlanta") | (Form = "Group")
• Select the Group Type option "Mail and Multi-purpose."
A selection formula can select only the types of groups indicated by the
"Group types" option.
How a selection formula interacts with the Include Servers option
The "Include Servers" field in a directory catalog configuration document
for an Extended Directory Catalog controls whether the Dircat task
aggregates Server documents. If you use a selection formula that includes
Server documents, you must select the Server documents as part of the
selection formula as well as select "Yes" in the "Include Servers" field.
You cannot aggregate Server documents into a condensed Directory
Catalog.


How a selection formula interacts with the Include Mail-In
Databases option
The "Include Mail-In Databases" option in a directory catalog
configuration document controls whether to aggregate Mail-In Database
documents. If you use a selection formula that includes Mail-In
Database documents, you must select the Mail-In Database documents
as part of the selection formula, as well as select "Yes" for the "Include
Mail-In Databases" option.

Choosing which fields to aggregate in a directory catalog

By default, a directory catalog aggregates the following fields from the
documents supported for aggregation.
Field aggregated by default | Documents that use the field
FullName (1) | Person, Mail-In Database, Resource
ListName (1) | Group
Type (1) | All
FirstName | Person
MiddleInitial | Person
LastName | Person
Location | Person
MailAddress | Person
Shortname | Person
MailDomain | Person, Group, Mail-In Database, Resource
InternetAddress | Person, Group, Mail-In Database, Resource
MessageStorage | Person, Mail-In Database
Members (2) | Group
AltFullName (2) | Person
AltFullNameLanguage (2) | Person
(1) Required fields that ensure that each document aggregated in the directory
catalog has a known name and type
(2) Aggregated by default only in an Extended Directory Catalog
Use the "Additional fields to include" field in a directory catalog
configuration document to aggregate additional fields into a directory
catalog. To avoid making a mistake, use Domino Designer to copy and
paste the fields from forms in the Domino Directory template. Be sure to
copy the field itself, not the field label; for example, copy the field
OfficePhoneNumber, not the label "Office phone."
If you use a directory catalog configuration option to exclude a particular
type of document, that document isn't aggregated even if you specify a
field from the document in the "Additional fields to include" field. For
example, if you choose "None" next to the "Group types" option, the
Dircat task does not aggregate group documents, even if the Members
field is listed in the "Additional fields to include" field.


Guidelines for modifying the Additional fields to include field

Follow these general guidelines when modifying the "Additional fields
to include" configuration field:
• Do not remove the fields aggregated by default because these field
  selections are the optimum ones for mail addressing.
• In an Extended Directory Catalog, aggregating all fields is
  recommended, since there is no way for servers to use directory
  assistance to look up missing information directly in the full Domino
  Directories themselves that are aggregated. To aggregate all fields
  from the aggregated documents, including custom documents added
  to a Domino Directory, leave the "Additional fields to include" field
  blank. If you don't aggregate all fields, then follow the guidelines
  described in the following table.
• In a condensed Directory Catalog, aggregate as few fields as
  possible, to keep the directory catalog small. When possible avoid
  aggregating fields that change frequently, since doing so requires
  Domino to frequently update entries in the directory catalog and
  replicate the changes to other replicas of the directory catalog.
• If the LDAP service searches an Extended Directory Catalog or
  condensed Directory Catalog on a server, consider aggregating fields
  that are not part of the default configuration if LDAP clients
  frequently search for these fields.
• If you use a subform to customize a Domino Directory template, you
  can add fields from the subform to the "Additional fields to include"
  field. If you are adding custom fields to a condensed Directory
  Catalog, you must first copy and paste the subform from the Domino
  Directory into the Directory Catalog database that the Dircat task
  runs against.


In addition to the above general guidelines, follow these more specific
guidelines:

Field to add: Members field (from Group documents)
  Condensed Directory Catalog used by clients: (Optional) Add only to
  allow Notes users who are not connected to the network to look up free
  time schedules of other users. Note that adding the Members field is not
  generally recommended because it increases the directory catalog size
  and requires more replication. Use a server directory catalog or
  directory assistance to provide a way for servers to look up the members
  of groups from a secondary Domino Directory.
  Condensed Directory Catalog used by servers: (Required) Allows Notes
  clients and servers to look up the members of groups from secondary
  Domino Directories.
  Extended Directory Catalog: (Required) Allows Notes clients and servers
  to look up the members of groups from secondary Domino Directories.

Field to add: AltFullName, AltFullNameLanguage (from Person documents)
  Condensed Directory Catalog used by clients: (Optional) Add if users in
  the directory catalog use alternate names in their certificates.
  Condensed Directory Catalog used by servers: (Recommended) Include
  this field even if no certified alternate names are used in your
  organization; then if alternate certified names are put into use later, no
  directory catalog rebuild is necessary.
  Extended Directory Catalog: (Recommended) Include this field even if no
  certified alternate names are used in your organization; then if
  alternate certified names are put in use later, no directory catalog
  rebuild is necessary.

Field to add: HTTPPassword (from Person documents)
  Condensed Directory Catalog used by clients: Not recommended
  Condensed Directory Catalog used by servers: (Optional) Add to enable
  servers to look up Internet passwords in the directory catalog for
  Internet client authentication.
  Extended Directory Catalog: (Optional) Add to enable servers to look up
  Internet passwords in the directory catalog for Internet client
  authentication.

Field to add: UserCertificate (from Person documents)
  Condensed Directory Catalog used by clients: Not recommended
  Condensed Directory Catalog used by servers: (Optional) Add to enable
  servers to look up X.509 certificates in the directory catalog for
  Internet client authentication.
  Extended Directory Catalog: Not recommended


Full-text indexing directory catalogs

A condensed Directory Catalog should have a full-text index, but a
full-text index on an Extended Directory Catalog is optional.
Full-text indexing condensed Directory Catalogs
Since a server uses full-text searches rather than view lookups to find any
of the following information in a condensed Directory Catalog, it's
important that the directory catalog has a full-text index:
• Names that don't correspond to the selected sort order for the
  directory catalog
• Any information requested by an LDAP search when the LDAP
  service searches a condensed Directory Catalog
• Soundex fields
When you replicate a condensed Directory Catalog, the replica you
create is full-text indexed automatically. However, if you use the file
system to make a copy of a condensed Directory Catalog, the copy is not
full-text indexed. If you delete a full-text index from a condensed
Directory Catalog, you must re-create the index manually.

Setting Up Directory Catalogs 24-25

Directory Services

If only clients use a condensed Directory Catalog, conserve disk space by deleting full-text indexes on any server replicas.

Users cannot directly full-text search condensed Directory Catalogs.

Full-text indexing Extended Directory Catalogs

It's generally not necessary to full-text index Extended Directory Catalogs, because servers rely primarily on view searches to look up information in them. An exception is if a server running the LDAP service uses an Extended Directory Catalog; in this case, create a full-text index for the directory catalog if LDAP users use something other than names in search filters, since these types of LDAP searches use the full-text index.

Planning issues specific to Extended Directory Catalogs

Consider these issues when planning an Extended Directory Catalog:

• Extended Directory Catalog size
• Extended Directory Catalogs and directory assistance
• Extended Directory Catalogs and group lookups for database authorization
• Integrating an Extended Directory Catalog into a primary Domino Directory

Extended Directory Catalog size

Since the Extended Directory Catalog contains the views that are in a standard Domino Directory and combines multiple Domino Directories into one database, it typically is very large. If you aggregate all fields as recommended, an Extended Directory Catalog is about the size of all the aggregated Domino Directories combined. Don't replicate the database to Notes clients, and use as few replicas on servers as feasible.

Extended Directory Catalogs and directory assistance

Unless you integrate an Extended Directory Catalog into a server's primary Domino Directory, a server must use directory assistance to look up information in an Extended Directory Catalog, and to determine whether to use an Extended Directory Catalog for client authentication and/or group lookups for database authorization.


After you create a Directory Assistance document for an Extended Directory Catalog in a directory assistance database, to optimize lookup performance, remove any Directory Assistance documents for the individual Domino Directories aggregated into the directory catalog.

Make sure to aggregate all the fields that need to be searched, because once servers search an Extended Directory Catalog they cannot use directory assistance to access the source Domino Directories directly to retrieve field values that are not aggregated, as can occur with a condensed Directory Catalog.

You can set up a server to use more than one Extended Directory Catalog by creating a Directory Assistance document for each one.

For more information on setting up directory assistance for an Extended Directory Catalog, see the chapter "Setting Up Directory Assistance."

Extended Directory Catalogs and group lookups for database authorization

You can use the groups in one directory configured in a Directory Assistance database, in addition to the primary Domino Directory, to authorize database access for Internet and Notes clients. When group authorization is enabled for a directory, if a server finds groups in a database ACL, it can look up the members of the groups to verify a user's access to a database. The one directory enabled for group authorization can be an Extended Directory Catalog, which effectively allows servers to use groups from any of the source Domino Directories for database access control.

Select the option "Group authorization" in the Directory Assistance document for the Extended Directory Catalog to enable this feature. If you enable group authorization for an Extended Directory Catalog, you cannot enable it for any other directory, Notes or LDAP, configured in the directory assistance database.

Note A server cannot use groups aggregated in a condensed Directory Catalog for database authorization.


If you enable Group authorization for an Extended Directory Catalog, and groups used for database access control in the directory catalog contain groups as members (nested groups), a server only looks up names in the nested groups if the nested groups are located in the Extended Directory Catalog.
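As an added illustration (not Domino code and not taken from this manual), the following Python model shows how the rules above play out: a server consults its primary Domino Directory plus the one directory enabled for group authorization, and a nested group that lives in a source directory that was not aggregated into the Extended Directory Catalog is never expanded, so its members are denied without any error. All directory contents, group names and user names are constructed, as is the convention that user names contain a "/".

```python
from typing import Dict, List, Optional, Set, Tuple

# A directory maps a group name to its member list. Constructed convention:
# hierarchical user names contain "/", group names do not.
Directory = Dict[str, List[str]]

# Primary Domino Directory of the server's domain (NAMES.NSF); constructed data.
PRIMARY: Directory = {
    "LocalAdmins": ["Ann Lee/Acme"],
}

# Extended Directory Catalog aggregating source directories A and B (constructed).
# "ContractEng" is named as a nested group but lives in source directory D,
# which is not aggregated, so the server never sees its members.
EXTENDED_CATALOG: Directory = {
    "Sales": ["Cara Ito/Acme", "EastSales"],
    "EastSales": ["Dan Wu/East"],
    "Engineering": ["Eve Fox/Acme", "ContractEng"],
}

# Source directory D, configured in directory assistance but not enabled for
# group authorization (constructed).
SOURCE_D: Directory = {
    "ContractEng": ["Gus Orr/Vendor"],
}


def is_user_name(member: str) -> bool:
    return "/" in member


def group_lookup_directories(
    primary: Directory,
    directory_assistance: List[Tuple[str, Directory, bool]],
) -> List[Directory]:
    """Directories a server may consult for group authorization.

    directory_assistance holds (label, directory, group_authorization_enabled)
    tuples. Besides the primary directory, at most one configured directory
    may have group authorization enabled.
    """
    enabled = [d for _, d, flag in directory_assistance if flag]
    if len(enabled) > 1:
        raise ValueError("group authorization can be enabled for only one directory")
    return [primary] + enabled


def expand_group(
    group: str, directories: List[Directory], path: Optional[Set[str]] = None
) -> Tuple[Set[str], Set[str]]:
    """Expand a group into user names.

    Returns (users, unresolved_groups). A nested group is expanded only when
    it is found in a directory the server consults; otherwise it contributes
    no members and is reported as unresolved.
    """
    path = set() if path is None else path
    if group in path:  # circular nesting: stop here
        return set(), set()
    for directory in directories:
        if group in directory:
            users: Set[str] = set()
            unresolved: Set[str] = set()
            for member in directory[group]:
                if is_user_name(member):
                    users.add(member)
                else:
                    nested_users, nested_missing = expand_group(
                        member, directories, path | {group}
                    )
                    users |= nested_users
                    unresolved |= nested_missing
            return users, unresolved
    return set(), {group}


def has_access(
    user: str, acl_groups: List[str], directories: List[Directory]
) -> Tuple[bool, Set[str]]:
    """True if user is a member of any group in the ACL. Also returns nested
    groups that could not be resolved, which is the first thing to check
    when a user who should have access is denied."""
    granted = False
    unresolved: Set[str] = set()
    for group in acl_groups:
        users, missing = expand_group(group, directories)
        unresolved |= missing
        if user in users:
            granted = True
    return granted, unresolved


if __name__ == "__main__":
    dirs = group_lookup_directories(
        PRIMARY, [("EDC", EXTENDED_CATALOG, True), ("DirD", SOURCE_D, False)]
    )
    for name in ("Dan Wu/East", "Gus Orr/Vendor"):
        print(name, has_access(name, ["Engineering", "Sales"], dirs))
```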

Integrating an Extended Directory Catalog into a primary Domino Directory

You can build an Extended Directory Catalog into an existing primary Domino Directory so that servers and users within the domain can use one, integrated corporate directory. Rather than create a new database from the PUBNAMES.NTF template in which to add the directory catalog configuration document and aggregate documents, instead create the configuration document in the primary Domino Directory (NAMES.NSF). All the original documents in the NAMES.NSF are retained, and the Dircat task adds documents aggregated from other Domino Directories into the database.

When you integrate an Extended Directory Catalog into a primary Domino Directory, a server within the domain of the primary Domino Directory searches the aggregated information automatically as part of its primary Domino Directory search, and so the use of directory assistance isn't required. Person documents that the Dircat task aggregates are trusted for client authentication, and Group documents that are aggregated can be used automatically for database authorization.

Servers outside the domain of the Domino Directory into which the Extended Directory Catalog is aggregated can use directory assistance to access the integrated directory. From the perspective of these servers, the integrated directory is a secondary directory that is searched after their primary Domino Directory; these servers only trust the integrated directory for client authentication, and can only use groups in the integrated directory for database authorization, if you set up the Directory Assistance document for the directory to allow this.

Dircat task processing affects only the documents the Dircat task aggregates from other Domino Directories, and not native documents that originate in NAMES.NSF. For example, rebuilding an Extended Directory Catalog that is integrated into a primary Domino Directory does not have any effect on the native documents.

You can remove an Extended Directory Catalog that is integrated into a primary Domino Directory by deleting the directory catalog configuration document, and then rebuilding the Extended Directory Catalog by running the Dircat task on it with the -r switch. Any native documents created outside of the aggregation process remain.


Planning issues specific to condensed Directory Catalogs

Consider these issues that are specific to planning a condensed Directory Catalog:

• Deciding how to sort entries
• Deciding whether to support Soundex searches
• Using performance settings
• Replicating a condensed Directory Catalog

You can set up a condensed Directory Catalog on a server to work in conjunction with directory assistance. For example, you can set up directory assistance to look up information directly in a Domino Directory when the information isn't aggregated into a condensed Directory Catalog. For information, see the chapter "Setting Up Directory Assistance."

Deciding how to sort entries in a condensed Directory Catalog

One of the reasons condensed Directory Catalogs are small is that they don't contain multiple, sorted views for lookups as a Domino Directory and an Extended Directory Catalog do. Instead, these types of directory catalogs provide only one option for sorting names, determined by the Sort by field in a Directory Catalog Configuration document. The choices are:

• Distinguished name (default) - sorts entries by the Notes distinguished name, first name followed by last name.
• Last name - sorts entries by last name.
• Alternate Fullname - sorts entries by certified alternate names.

The Sort by option is unnecessary and isn't available for an Extended Directory Catalog because this type of directory catalog retains the multiple sorted views available in a Domino Directory.

Note Always keep the default Sort by selection, Distinguished name, if servers use the condensed Directory Catalog.

How the Sort by selection affects type-ahead addressing on Notes clients

Type-ahead addressing is a feature that assists Notes users with mail addressing. As a user begins typing a name when addressing mail, type-ahead searches for the name in order to fill in the name automatically for the user.

The Notes client only uses type-ahead addressing to look up a name in a condensed Directory Catalog if the user types the name in a way that corresponds to the Sort by selection. For example, if the selected Sort by format is Distinguished name, type-ahead looks up the name in a condensed Directory Catalog only when a user types the first name before the last name. Or, if the Sort by format is set to Last name, type-ahead looks up the name only when a user types the last name before the first name.

Make sure your Sort by selection corresponds to the way in which type-ahead is typically used in your organization. For example, in large enterprise organizations, users often address mail by entering the recipients' last names, in which case the Sort by selection should be set to Last name.

You can create more than one condensed Directory Catalog, each with a different Sort by selection, to accommodate different styles of type-ahead use.

Note If there is a condensed Directory Catalog on a Notes client, type-ahead never searches a directory on a server, even if the client Location document is set to "Recipient name type-ahead - Local then Server."
How the Sort by selection affects browsing a directory catalog
The Sort by selection in a condensed Directory Catalog also determines
how names are sorted when users open the directory catalog, for
example when using the Select Addresses dialog box to browse the
directory catalog.

Supporting Soundex searches of a condensed Directory Catalog

Use the "Use Soundex" field in a directory catalog configuration document for a condensed Directory Catalog to control whether the directory catalog supports Soundex lookups. Choose Yes (default) to support Soundex lookups, or No to omit support for Soundex lookups.

Soundex allows Notes users to use phonetic spellings to search for names. Supporting Soundex lookups increases the size of the directory catalog by about 4 bytes for every entry. Soundex is not effective for finding names in non-Latin characters.

This field is not available in a configuration document for an Extended Directory Catalog, since minimizing the size of an Extended Directory Catalog is not a typical goal.
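Added example, not code from this manual or from Domino: the classic four-character Soundex code is the usual basis of phonetic name lookups, and it shows concretely why supporting them costs about 4 bytes per entry and why names written in non-Latin characters cannot be matched. The algorithm is standard American Soundex; it is assumed here that Domino's Soundex fields behave the same way, and the names are constructed.

```python
from typing import Dict, List

# Letter groups of classic (American) Soundex; vowels, H, W and Y carry no digit.
_SOUNDEX_DIGITS: Dict[str, str] = {}
for _letters, _digit in (("BFPV", "1"), ("CGJKQSXZ", "2"), ("DT", "3"),
                         ("L", "4"), ("MN", "5"), ("R", "6")):
    for _ch in _letters:
        _SOUNDEX_DIGITS[_ch] = _digit


def soundex(name: str) -> str:
    """Return the 4-character Soundex code of a name (first letter + 3 digits).

    Returns "" when the name contains no Latin letters: there is nothing to
    encode, which is why Soundex cannot match names written in other scripts.
    """
    letters = [ch for ch in name.upper() if "A" <= ch <= "Z"]
    if not letters:
        return ""
    code = letters[0]
    last_digit = _SOUNDEX_DIGITS.get(letters[0], "")
    for ch in letters[1:]:
        digit = _SOUNDEX_DIGITS.get(ch)
        if digit is None:
            # A vowel separates two equal digits so both are kept; H and W do not.
            if ch not in "HW":
                last_digit = ""
            continue
        if digit != last_digit:
            code += digit
        last_digit = digit
        if len(code) == 4:
            break
    return (code + "000")[:4]  # always 4 characters, hence ~4 bytes per entry


def phonetic_matches(query: str, entries: List[str]) -> List[str]:
    """Entries whose Soundex code equals the query's: a phonetic lookup that
    finds spellings such as Smythe or Schmidt for a search on Smith."""
    key = soundex(query)
    if not key:
        return []
    return [entry for entry in entries if soundex(entry) == key]


# Constructed last names, including two not written in Latin letters.
CONSTRUCTED_ENTRIES = ["Smith", "Smythe", "Schmidt", "Taylor", "Ivanov",
                       "Иванов", "李"]

if __name__ == "__main__":
    for entry in CONSTRUCTED_ENTRIES:
        print(f"{entry!r:12} -> {soundex(entry)!r}")
    print("Smyth matches:", phonetic_matches("Smyth", CONSTRUCTED_ENTRIES))
```

Note that the Cyrillic spelling of a name yields no code at all while its Latin transliteration does, so the two can never be matched through Soundex.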

Using performance settings in a condensed Directory Catalog

Directory catalog performance settings in the Advanced tab of a configuration document for a condensed Directory Catalog are Packing density (that is, how many source Domino Directory entries can be combined in one directory catalog aggregate document) and Incremental fields (that is, how and when the Dircat task updates changes to fields in the aggregate documents). The default directory catalog performance settings work fine in most situations.

Note Change these settings only on a condensed Directory Catalog used only by servers, and not on a condensed Directory Catalog used by clients.

These settings are irrelevant and unavailable for an Extended Directory Catalog, which doesn't combine multiple source Domino Directory entries into aggregate documents.

Packing density

The packing density is the number of entries from a source Domino Directory that can be stored in one aggregate document in the condensed Directory Catalog. 255 is the maximum packing density and the default. If full-text searching is frequently used to search a server directory catalog, for example if the LDAP service uses the directory catalog, and these searches of the directory catalog are slow, you can decrease the packing density to improve performance of these searches. You might also decrease the packing density to reduce the odds that a particular aggregate document needs to replicate.

Incremental fields

Because a single field in an aggregate document contains values for the field from many of the source Domino Directories, it's likely that at any one time every field in the aggregate document might require updating and, therefore, would need to replicate. To manage changes to fields in a condensed Directory Catalog, the Dircat task, by default, uses an incremental merge process that stores the changes in temporary fields in aggregate documents until, by default, 5 percent of the total entries from the source Domino Directories change. Then the Dircat task merges the changes stored in the temporary fields into the permanent fields in the aggregate documents and deletes the temporary fields. This process occurs somewhat randomly over a period of time so that at any time, only a few aggregate documents need to replicate. When the directory catalog on the server running the Dircat task replicates, only the updated fields replicate. This incremental replication results in improved replication performance, especially when replication occurs over a dial-up connection.

The alternative to incrementally merging fields is to make changes as they occur directly in the original fields in aggregate documents. Disabling incremental merging provides some modest gains in search performance. However, if replication with the source Directory Catalog occurs over dial-up connections, keep incremental merging enabled.

Next to the Incremental fields option in a configuration document for a condensed Directory Catalog, choose Yes (the default) to use incremental merging and temporarily store field changes in duplicate fields in aggregate documents to optimize replication performance. Or choose No to immediately make changes in the original fields in the aggregate documents.

Merge factor

The Merge factor option in a configuration document for a condensed Directory Catalog is a value representing the percent of total field changes that must occur before Domino merges the changes stored in duplicate fields into the original fields in aggregate documents; the default is 5 percent. This field applies only when Incremental fields is set to Yes.

Note We don't recommend changing this setting.

Replicating a condensed Directory Catalog

There are many fields combined in each aggregate document in a condensed Directory Catalog, and for this reason aggregate documents frequently change and require replication. Schedule replication between a server that builds a directory catalog and other servers that have replicas to occur at least several times a day to keep up with changes in the aggregate documents.

Notes clients should replicate local condensed Directory Catalogs with a replica on a server either daily or weekly, depending on whether the clients have fast connections to the server. It's best for clients that connect on the road over dial-up connections to wait to replicate a directory catalog until a fast connection is available.

Give all servers that are not Dircat servers, as well as all clients, only Reader access (the default) to a condensed Directory Catalog, to prevent the clients/servers from being able to replicate changes to the replica on a Dircat server.


Multiple directory catalogs


You can set up Notes clients to use more than one condensed Directory
Catalog, set up servers to use more than one Extended Directory Catalog,
and set up groups of clients or servers to use separate directory catalogs.

Setting up Notes clients to use more than one condensed Directory Catalog

You can set up a Notes client to use more than one condensed Directory Catalog. For example, you can set up two condensed Directory Catalogs on Notes clients, one that sorts entries by distinguished name (first name, then last name), and another that sorts entries by last name. Then, type-ahead addressing can locate names regardless of whether users begin addressing mail using first names or last names.

For more information on type-ahead addressing and directory catalogs, see "Deciding how to sort entries in a condensed Directory Catalog."

Setting up servers to use more than one Extended Directory Catalog

You can set up a server to use more than one Extended Directory Catalog. For example, suppose you want all servers to use directories A, B, C, D, and E, but to trust only directories A and B for client authentication. You can aggregate A and B in an Extended Directory Catalog that is trusted for authentication, and aggregate C, D, and E in another Extended Directory Catalog that is not trusted for authentication.

Note A server can use one condensed Directory Catalog only.

Setting up groups of clients and servers to use different directory catalogs

You can create multiple directory catalogs, and set up groups of clients or servers to use specific ones. For example, if user group 1 sends mail only to users registered in directories A, B, and C, and user group 2 sends mail only to users registered in directories D and E, you can create a client-based condensed Directory Catalog that aggregates A, B, and C for group 1 to use, and create another condensed Directory Catalog that aggregates D and E for group 2 to use.

You can set up servers to use specific Extended Directory Catalogs or condensed Directory Catalogs in a similar manner.

Overview of setting up a condensed Directory Catalog

The following tables describe the databases, documents, and fields you use to set up a condensed Directory Catalog, in the order in which you use them.

Document/Database: Directory Profile of each Domino Directory to be aggregated in the directory catalog
Field(s)/Tab(s): "Domain defined by this Domino Directory" field on the Basics tab
Purpose: Associates groups in the directory with a domain to distinguish between different groups with the same name in more than one Domino Directory
Used for an Extended Directory Catalog too? Yes

Document/Database: Directory Catalog Configuration document in database created from DIRCAT5.NTF
Field(s)/Tab(s): All fields
Purpose: Used for directory catalog configuration
Used for an Extended Directory Catalog too? No

Document/Database: Domino Directory Server document of the Dircat server that builds the directory catalog
Field(s)/Tab(s): All fields in the Server Tasks - Directory Cataloger tab
Purpose: Provides the Dircat task with the file name(s) of the local directory catalog(s) to aggregate and a schedule for running
Used for an Extended Directory Catalog too? Yes

Additional configuration to set up a condensed Directory Catalog on clients

Document/Database: Desktop policy settings document and/or Setup policy settings document in the Domino Directory in which clients are registered
Field(s)/Tab(s): "Mobile directory catalogs" field on the Databases tab
Purpose: Sets up a condensed Directory Catalog automatically on Notes clients
Used for an Extended Directory Catalog too? No

Additional configuration to set up a condensed Directory Catalog on servers

Document/Database: Domino Directory Server document of each server that uses the condensed Directory Catalog
Field(s)/Tab(s): "Name of condensed directory catalog on this server" field on the Basics tab
Purpose: Specifies the file name of a server's local condensed Directory Catalog
Used for an Extended Directory Catalog too? No

Document/Database: Directory Profile document in the Domino Directory of the servers that use the condensed Directory Catalog
Field(s)/Tab(s): "Directory catalog file name for domain" field on the Basics tab
Purpose: Specifies the file name of servers' local condensed Directory Catalogs if there is no file name specified in Server documents
Used for an Extended Directory Catalog too? No

Document/Database: Domino Directory Server document of each server that uses the condensed Directory Catalog
Field(s)/Tab(s): "Trust the server based condensed directory catalog for authentication with internet protocols" field on the Basics tab
Purpose: Indicates whether a server should trust all user entries in its condensed Directory Catalog for client authentication (1)
Used for an Extended Directory Catalog too? No

(1) You can use directory assistance instead to trust for client authentication only some rather than all of the aggregated directories.

Setting up a condensed Directory Catalog

When you finish planning a condensed Directory Catalog, follow these steps to set it up:

Step 1: Verify that each Domino Directory has a defined domain

Each Domino Directory aggregated in a directory catalog should have a domain defined in its Directory Profile. The Dircat task appends the domain name to the names of groups in the directory catalog, to distinguish between groups in different directories with the same name.

Do the following for each Domino Directory you will aggregate into the directory catalog:
1. Open a Domino Directory.
2. Choose Actions - Edit Directory Profile.
3. Make sure the field "Domain defined by this Domino Directory" contains a valid domain name. This field is usually filled in automatically.
4. Click Save & Close.
Step 2: Create the condensed Directory Catalog database
1. Choose File - Database - New.
2. Next to Server, select the Dircat server you picked to aggregate the
directory catalog.
3. Next to Title, enter a title for the directory catalog, for example
Condensed Directory Catalog.
4. Next to Filename, enter a file name for the catalog, for example
CDC.NSF.
5. Select Create full text index for searching.
6. Click Show advanced templates.
7. Below Template server, select a server that stores the Directory
Catalog template, and then click OK.
8. Select the Directory Catalog template (DIRCAT5.NTF). Do not select
the Catalog (V6) template (CATALOG.NTF).
9. Click OK.
Note Keep the - Default - entry in the database access control list
(ACL) set to Reader.
Step 3: Create the directory catalog configuration document and run
the Dircat task:
1. In the database you created, choose Create - Configuration.
2. Complete the following fields in the Directory Catalog Configuration
document:
Note The Directories to include field is the only field you must
complete. In many situations you can accept the default values in the
other fields. However, read the complete descriptions of the fields
before you run the Dircat task to build the directory catalog.


Fields in Basics tab

Directories to include: Specifies which Domino Directories the Dircat task aggregates, and the order in which it processes the directories. For more information, see the earlier topic "Specifying the Domino Directories for the Dircat task to aggregate."

Additional fields to include: Specifies which fields from Domino Directories to aggregate. For more information, see the earlier topic "Choosing which fields to aggregate in a directory catalog."

Sort by: Specifies how to sort entries in the directory catalog. For more information, see the earlier topic "Deciding how to sort entries in a condensed Directory Catalog."

Use Soundex: Specifies whether to support Soundex lookups. For more information, see the earlier topic "Supporting Soundex searches of a condensed Directory Catalog."

Remove duplicate users: Specifies whether to aggregate multiple user entries with the same name. For more information, see the earlier topic "Removing duplicate user entries from a directory catalog."

Group types: Specifies which types of groups to aggregate. For more information, see the earlier topic "Choosing the types of groups to aggregate in a directory catalog."

Include Mail-in Databases: Specifies whether to aggregate Mail-In Database documents. Default is Yes. Consider setting to No if the directory catalog is used only on clients, since Notes users don't typically send mail to Mail-In Databases.

Restrict aggregation to this server: (Recommended) Specifies the one Dircat server that can aggregate this directory catalog. For more information, see the earlier topic "Allowing only one server to aggregate a directory catalog."

Send Directory Catalog reports to: (Optional) Specifies the names of people to receive Directory Catalog status reports. For more information, see the later topic "Mailing Directory Catalog reports."

Fields in Advanced tab

Version: Read-only field that can increment after a Domino upgrade.

Selection formula: (Optional) Specifies a selection formula to control which documents are aggregated. For more information, see the earlier topic "Using a selection formula in a directory catalog configuration document."

Total number of people/group/mail-in databases and resources: Read-only field that shows the total number of entries aggregated from Domino Directories after the Dircat task runs.

Packing density: Specifies the maximum number of Domino Directory entries that can be aggregated into each aggregate document. You usually do not have to change the default setting. Do not change the default setting if clients use local replicas of the directory catalog. For more information, see the earlier topic "Using performance settings in a condensed Directory Catalog."

Incremental fields: Specifies whether changed fields are stored in a temporary location. You usually do not have to change the default setting. Do not change the default setting if clients use local replicas of the directory catalog. For more information, see the earlier topic "Using performance settings in a condensed Directory Catalog."

Merge factor: If Incremental fields is enabled, controls the percent of total field changes that must occur before original fields in aggregate documents are updated. You usually do not have to change the default setting. Do not change the default setting if clients use local replicas of the directory catalog. For more information, see the earlier topic "Using performance settings in a condensed Directory Catalog."

Replication history: Shows the date and time when the Dircat task last replicated the aggregated directories. Click Clear History to do a full rebuild of the directory catalog. Do not click Clear History unless you understand Dircat rebuilds. For more information, see the later topic "The Dircat task."


3. Click Save and Close.
4. Run the Dircat task to build the condensed Directory Catalog. For more information, see the topic "Running the Dircat task."

Step 4: Set up clients to use the condensed Directory Catalog

Use Desktop policy settings or Setup policy settings to automate setup of a condensed Directory Catalog on Notes clients. The automated setup creates a replica stub (an empty replica) of the directory catalog on the clients, with a replication schedule enabled to a replica of the directory catalog on a server that you specify. When the client replicates with a replica of the directory catalog on a server, a full-text index is created on the client replica after replication is complete. The automated setup process also adds the file name of the condensed Directory Catalog to the "Local address books" field in user preferences for mail, after the file name of the Personal Address Book.

If you don't automate the directory catalog setup, you must create the replica and add the file name to clients manually.

Note User Setup Profiles used in Lotus Domino Release 5 for automated directory catalog setup continue to work in Lotus Domino 6.

To automate setup of a condensed Directory Catalog on clients:
1. (Optional) Create a replica of the condensed Directory Catalog on other servers. Then users have more choice of servers to use when they replicate to update their local replicas of the directory catalog. Domino creates a full-text index automatically on the replicas you create.
2. If you haven't already done so, create a Desktop policy settings document or a Setup policy settings document to use to automate setup of the directory catalog. Make sure you understand how to set up policies before you create a Desktop or Setup settings document. For information, see the chapter "Using Policies."
3. From the Domino Administrator, click the Files tab, and open a replica of the directory catalog.
4. Choose Edit - Copy As Link - Database Link, then close the directory catalog.
5. Open the Desktop policy settings document or Setup policy settings document you want to use to automate setup of the condensed Directory Catalog on clients.
6. Click the Databases tab, and then click the "Mobile directory catalogs" field.
7. Choose Edit - Paste to paste the directory catalog database link into the "Mobile directory catalogs" field.
8. Click Save & Close.

Note Notes users should do pull replications regularly with up-to-date replicas of the directory catalog on servers.
Step 5: Set up servers to use the condensed Directory Catalog

Note In general it's better for a server to use an Extended Directory Catalog rather than a condensed Directory Catalog.

To set up a server to use a condensed Directory Catalog:
1. Create a replica of the built directory catalog on the server. Set up replication between the server and the Dircat server so that this server's replica of the directory catalog is kept up-to-date.
2. If necessary, from the Domino Administrator choose File - Open Server, to open the server you are setting up to use the directory catalog.
3. Click the Configuration tab.
4. In the left pane, expand Server - Current Server Document.
5. Click Edit Server.
6. On the Basics tab, in the "Name of condensed directory catalog on the server" field, enter the file name of the directory catalog replica you created on this server. If multiple servers use the same file name for their local replicas of the directory catalog, see the Tip below for a quick way to specify the file name.
7. (Optional) To allow the server to use all user names aggregated in the condensed Directory Catalog for client authentication, on the Basics tab of the Server document select "Trust the server based condensed directory catalog for authentication with internet protocols." If you don't want to trust the entire directory catalog for authentication, do not select this option.
Note To specify instead that the server trust for authentication names from only one or some of the directories aggregated in the directory catalog, in a directory assistance database used by the server, create a Directory Assistance document for each aggregated Domino Directory to trust that has a trusted rule enabled. For more information, see the topic "Using a condensed Directory Catalog for client authentication" earlier in the chapter, and also the chapter "Setting Up Directory Assistance."
8. Click Save & Close.


9. If necessary, wait for the Domino Directory changes to replicate to the server, or force the replication.
10. Use the Restart Server command to restart the server so it detects the changes to the Server document.

Tip If multiple servers use the same file name for their local replicas of the condensed Directory Catalog, you can specify that file name once in the Directory Profile of the domain Domino Directory, rather than multiple times in individual Server documents. To use the Directory Profile method, from the Domino Directory for the servers that will use the directory catalog, choose Actions - Edit Directory Profile and add the directory catalog file name to the "Directory catalog database name for domain" field. Then a server that doesn't have a directory catalog file name entered in its Server document uses the Directory Profile to find its local replica of the condensed Directory Catalog.

Overview of setting up an Extended Directory Catalog


The following table describes the databases, documents, and fields used
to set up an Extended Directory Catalog, in the order in which you use
them.
Document/Database: Directory Profile of each Domino Directory to be aggregated in the Directory Catalog
Field(s)/Tab(s): Domain defined by this Domino Directory field on the Basics tab
Purpose: Associates groups in the directory with a domain to distinguish between different groups with the same name in more than one Domino Directory
Used for a condensed Directory Catalog too? Yes

Document/Database: Extended Directory Catalog document in a database created from PUBNAMES.NTF
Field(s)/Tab(s): All
Purpose: Used for directory catalog configuration
Used for a condensed Directory Catalog too? No

Document/Database: Server document, in the Domino Directory, of the Dircat server that builds and updates the directory catalog
Field(s)/Tab(s): All fields in the Server Tasks - Directory Catalog tab
Purpose: Provides the Dircat task with the file name(s) of the local directory catalog(s) to aggregate and a schedule for running
Used for a condensed Directory Catalog too? Yes

Document/Database: Directory Assistance document in the directory assistance database used by each server that uses the directory catalog
Field(s)/Tab(s): All fields related to a Notes Directory Assistance document
Purpose: Provides a server with the location of the Extended Directory Catalog and indicates whether to trust the lookups for client authentication and group authorization (1)
Used for a condensed Directory Catalog too? No

Document/Database: Server document in the Domino Directory of each server that uses the directory catalog
Field(s)/Tab(s): Directory Assistance database name field on the Basics tab
Purpose: Allows a server to use directory assistance (1)
Used for a condensed Directory Catalog too? No

(1) Unnecessary if the Extended Directory Catalog is built directly into the primary Domino Directory.

Setting up an Extended Directory Catalog


When you finish planning an Extended Directory Catalog, follow these
steps to set it up:
Step 1: Verify that each Domino Directory has a defined domain
Each Domino Directory aggregated in a directory catalog should have a
domain defined in its Directory Profile. The Dircat task appends the
domain name to the names of groups in the directory catalog, to
distinguish between different groups with the same name in more than
one Domino Directory.
Do the following for each Domino Directory you will aggregate into the
directory catalog:
1. Open the Domino Directory.
2. Choose Actions - Edit Directory Profile.
3. Make sure the field Domain defined by this Domino Directory
contains a valid domain name. This field is usually filled in
automatically.
4. Click Save & Close.

Step 2: Create the Extended Directory Catalog database
Note If you will integrate an Extended Directory Catalog into a primary Domino Directory, skip this step.
1. Choose File - Database - New.
2. Next to Server, select the Dircat server you picked to aggregate the
directory catalog.
3. Next to Title, enter a title for the directory catalog, for example
Extended Directory Catalog.
4. Next to Filename, enter a file name for the directory catalog, for
example EDC.NSF. Do not use the file name NAMES.NSF.
5. Select Show advanced templates.
6. Below Template server, select a server that stores the Domino
Directory template.
7. Select the Domino Directory template (PUBNAMES.NTF).
8. Keep Inherit future design changes selected.
9. Click OK.
Step 3: Create the Extended Directory Catalog configuration document and run the Dircat task
1. Open the database you created in Step 2.
Note To integrate the Extended Directory Catalog into a primary
Domino Directory, open that primary Domino Directory instead.
2. Choose Create - Extended Directory Catalog. Complete the following
fields in the Configuration document. Read the complete descriptions
of the fields before you run the Dircat task to build the directory
catalog.
Fields in Basics tab

Directories to include: Specifies which Domino Directories the Dircat task aggregates, and the order in which it processes the directories. For more information, see the earlier topic Specifying the Domino Directories for the Dircat task to aggregate.

Additional fields to include: Specifies which fields from Domino Directories to aggregate. Aggregating all fields is recommended. To aggregate all fields, leave the Additional fields to include field blank by deleting all fields from it. For more information, see the earlier topic Choosing which fields to aggregate in a directory catalog.

Remove duplicate users: Specifies whether to aggregate multiple user entries with the same name. For more information, see the earlier topic Removing duplicate user entries from a directory catalog.

Group types: Specifies which types of groups to aggregate. For more information, see the earlier topic Choosing the types of groups to aggregate in a directory catalog.

Include Mail-in Databases: Specifies whether to aggregate Mail-In Database documents. Default is Yes.

Include Servers: Specifies whether to aggregate Server documents. Default is No.

Restrict aggregation to server: (Recommended) Specifies the one Dircat server that can aggregate this directory catalog. For more information, see the earlier topic Allowing only one server to aggregate a directory catalog.

Send Aggregation reports to: (Optional) Specifies the names of people to receive Directory Catalog status reports. For more information, see the later topic Mailing Directory Catalog reports.

Fields in Advanced tab

Version: Read-only field that can increment after the DIRCAT5.NTF template is upgraded. Used only for internal purposes.

Selection formula: (Optional) Specifies a selection formula to control which documents are aggregated. Click Check Syntax to verify that the syntax specified in a selection formula is valid. For more information, see the earlier topic Using a selection formula in a directory catalog configuration document.

Replication history: Shows the date and time when the Dircat task last replicated the aggregated directories. Click Clear History to do a full rebuild of the directory catalog. Do not click Clear History unless you understand Dircat rebuilds. For more information, see the later topic The Dircat task.

3. Click Save & Close to save the configuration document.
4. Run the Dircat task to build the directory catalog. For information,
see the later topic Running the Dircat task.
Step 4: Create at least one replica of the Extended Directory Catalog
Create at least one replica of the directory catalog on another server for
performance and failover benefits. Make sure replication occurs between
the server(s) with the replica(s) and the Dircat server, so the replicas of
the directory catalog are kept up-to-date.
Step 5: Set up servers to use the Extended Directory Catalog
To set up a server to use an Extended Directory Catalog, create a
Directory Assistance document for the Extended Directory Catalog in a
directory assistance database the server uses.
For information, see the topic Extended Directory Catalogs and
directory assistance earlier in the chapter, and the chapter Setting Up
Directory Assistance.
Note If you integrate the Extended Directory Catalog into a primary
Domino Directory, steps 4 and 5 are unnecessary.

The Dircat task


When the Dircat task runs it can do one of these things to a directory
catalog: build it, update it, partially rebuild it, or fully rebuild it. The first
time the Dircat task runs on a directory catalog it builds it. Subsequently,
the Dircat task usually updates a directory catalog, which means it checks
for changes to the contents of fields in the source Domino Directories, and
then makes the appropriate changes to the directory catalog.

Full rebuilds
If you change any of the following fields in a directory catalog configuration document, the Dircat task must do a full rebuild of the directory catalog to incorporate the indicated changes into the directory catalog:
Directories to include
Additional fields to include
Sort by (condensed directory catalog)
Use Soundex (condensed directory catalog)
Remove duplicate users
Group types
Include Mail-in Databases
Include Servers (Extended Directory Catalog)
Selection Formula
When the Dircat task does a full rebuild, it completely re-aggregates all the configured source Domino Directories, similar to what occurs during the initial build of the directory catalog. For example, if you add a field to the Additional fields to include field to aggregate an additional field, that field isn't aggregated until the Dircat task does a full rebuild of the directory catalog. A full rebuild is a much longer process than an update. After a full rebuild, there must also be a full replication of the directory catalog to the servers and clients that use it, which can be time consuming, especially for replication of condensed Directory Catalogs.
When you change one of the above fields in a configuration document for a condensed Directory Catalog, the next time the Dircat task runs, it automatically does a full rebuild. When you change one of these fields in a configuration document for an Extended Directory Catalog, the Dircat task does not do a rebuild automatically. Instead, you must initiate the rebuild by running the Dircat task with the -r switch against the Extended Directory Catalog, or by clicking the Clear History button on the Advanced tab of the directory catalog configuration document.
Note Dircat processing of changes to the Directories to include field in a configuration document for an Extended Directory Catalog causes a partial rebuild, rather than a full rebuild, that processes only directories affected by the change.

Partial rebuilds
If the replica of a source Domino Directory the Dircat task uses is deleted, and then replaced with an operating system file copy with the same replica ID, the Dircat task does a partial rebuild, which involves comparing all documents in the new file system copy of the Domino Directory to the corresponding contents in the directory catalog to look for changes. The Dircat task also does a partial rebuild if the Fixup task deletes corrupted documents from a source Domino Directory which are then replaced through replication. A partial rebuild is a longer process than an update, but takes less time than a full rebuild.


Running the Dircat task


Run the Dircat task to build a directory catalog initially. Then continue to
run the task at scheduled intervals to keep the contents of the directory
catalog synchronized with the contents of the source Domino Directories
and to keep the directory catalog synchronized with the directory catalog
configuration selections.
Always run the Dircat task on one server to build and update a
particular directory catalog. If you run the Dircat task on more than one
server against the same directory catalog, replication conflicts occur. Use
the field Restrict aggregation to server in a directory catalog
configuration document to ensure that the Dircat task on only one server
can process a particular directory catalog.
Running the Dircat task on schedule
Schedule the Dircat task on a Dircat server to run at regular intervals by
doing the following:
1. Make sure there is a directory catalog database with a completed
configuration document.
2. From the Domino Administrator, click the Configuration tab.
3. Expand Directories - Directory Cataloger, and choose Settings.
4. Click the Server Tasks tab, then the Directory Cataloger tab.
5. Complete these fields, and then click Save & Close:
Directory Catalog filenames: The file name(s) of the directory catalog(s) the Dircat task should process. Separate multiple file names with commas.
Schedule: Select Enabled.
Run Directory Catalog aggregator at: A time range or one or more specific times to update the source directory catalog. Separate multiple time entries with commas (,). The default is the range 08:00 AM to 10:00 PM.
Days of week: The days of week to run the Dircat task. The default is daily.
Repeat interval of: A number representing the minutes between updates that are scheduled during a time range. The default is 360 minutes (every 6 hours). Consider reducing this interval to have the Dircat task run every 60 or 120 minutes.

Running the Dircat task manually


To run the Dircat task manually on a Dircat server, issue this server
command:
load dircat dc.nsf

where dc.nsf is the file name of a local directory catalog on the server.
You can do a full rebuild of a directory catalog. Keep in mind that a full
rebuild removes and recreates all the aggregated documents so that the
first replication after the rebuild will require a full replication of the
database.
To do a full rebuild of a directory catalog, you can run the Dircat task against the directory catalog using the -r switch, for example:
load dircat dc.nsf -r

Or you can do a full rebuild by clicking the Clear History button on the Advanced tab of the directory catalog configuration document.
Pausing the Dircat task
Before you shut down a server that is in the middle of Dircat processing,
pause the Dircat task. When you pause the Dircat task, the Dircat task
finishes aggregating the directory catalog it is currently running on and
then goes idle. If you don't pause the Dircat task before server shutdown, the Dircat task must reaggregate the directory catalog it was processing at the time of server shutdown from the beginning.
To pause the Dircat task, enter this server command:
Tell Dircat Pause

You can then shut down the server. Or, to resume Dircat processing,
enter this server command:
Tell Dircat Resume

Opening the configuration document for a directory catalog


To open the configuration document for a directory catalog:
1. From the Domino Administrator, open the Dircat server or another
server with a replica of the directory catalog. To open a configuration
document for a condensed Directory Catalog, make sure the Basics
tab of the Server document includes the directory catalog file name.
2. Click the Configuration tab.
3. Expand Directory in the left pane.

4. Do one of the following:
To see the configuration document for a condensed Directory Catalog, choose Directory Catalog.
To see the configuration document for an Extended Directory Catalog, choose Extended Directory Catalog.
Note Change a directory catalog configuration document on the Dircat
server that aggregates the directory catalog.

Monitoring directory catalogs

Mailing Directory Catalog reports

Using other directory catalog monitoring tools

Mailing Directory Catalog reports


A directory catalog stores an agent called Directory Catalog Status Report. A server can use this agent to mail, in your name, a Directory Catalog report once a week to users you specify in a directory catalog configuration document.
A Directory Catalog report includes the following:
A database link to the replica of the directory catalog on the Dircat server for the directory catalog, and information about this directory catalog including its database title, server location and file path, size, number of entries, and configuration settings; the agent derives this information from the Dircat task.
A database link to each source Domino Directory the Dircat task uses to aggregate into the directory catalog, and information about each directory including the database title, server location and file path, size, and date last updated in the directory catalog.
The size of the directory catalog as a percentage of the combined size of the Domino Directories aggregated into it.
To mail Directory Catalog reports:
1. Open the configuration document for the directory catalog.
2. Specify the name(s) of users to receive the reports; separate multiple names with commas:
For a condensed Directory Catalog, enter the name(s) in the field Send Directory Catalog reports to.
For an Extended Directory Catalog, enter the name(s) in the field Send Aggregation reports to.
3. When prompted, select the name of the server that should run this agent to mail the reports on your behalf. You must have Run restricted LotusScript/Java agents access to the server you pick.
4. Click Save & Close.

Using other directory catalog monitoring tools
Use the NOTES.INI setting Log_DirCat=1 to display additional information to the server console when the Dircat task runs. This includes when the task starts and finishes, what directory it's aggregating, the domain name of the directory, and how many entries were processed. For more verbose information, including the names of all the entries that are processed, you can set log_dircat=3. However, this setting may slow performance and fill up the server log file, so its use is not recommended.
Use the Show Xdir command to show information about the directory catalogs and other directories that a server uses.
If you've configured the Dircat task to run on schedule, use the Show Schedule command to see when the task is next scheduled to run.


Chapter 25
Setting Up Extended ACLs
This chapter describes how to set up and manage an extended access
control list (ACL), which is an access control feature available for a
Domino Directory and an Extended Directory Catalog.

Extended ACL
An extended access control list (ACL) is an optional directory access-control feature available for a directory created from the PUBNAMES.NTF template: a Domino Directory or an Extended Directory Catalog. An extended ACL is tied to the database ACL, and you access it through the Access Control List dialog box using a Notes 6 or Domino Administrator 6 client. You use an extended ACL to apply restrictions to the overall access the database ACL allows a user; you cannot use it to increase the access the database ACL allows. Use an extended ACL to set access to:
All documents with hierarchical names at a particular location in the directory name hierarchy, for example all documents whose names end in OU=West/O=Acme.
All documents of a specific type, for example all Person documents.
A specific field within a specific type of document.
A specific document.

An extended ACL allows you to:
Delegate your Domino administration, for example, allow a group of administrators to manage only documents named under a particular organizational unit.
Set access to precise portions of the directory contents.
Set access to documents and fields easily and globally at one source, rather than requiring you to control access through features such as multiple Readers and Authors fields.
Control the access of users who access the directory through any supported protocol: Notes (NRPC), Web (HTTP), LDAP, POP3, and IMAP.
For information on using Extended ACLs in a multi-release environment, see the book Upgrade Guide.
Note Server processes such as the Router task do not enforce extended ACL restrictions. However, in the case of the Router task specifically, you can prevent some users from sending mail to a group by editing the Readers field for the group and including only the names of users you want to allow to send mail to the group. When users omitted from the Readers field attempt to send mail to the group, the Router won't deliver the mail.
For more information, see the chapter Customizing the Domino Mail
System.

How other database security features restrict extended ACL access settings
The access set for a user in an extended ACL can never exceed the access the database ACL, including the database ACL privileges and roles, allows the user. For example, if the database ACL allows a user only Reader access, you can't use the extended ACL to allow Write access. Or if a user is omitted from the database ACL User Creator role, you can't use the extended ACL to allow the user Create access to Person documents.
Access set through a security feature in the database design also restricts
the access you can specify in an extended ACL. For example, if a Readers
field on a particular form prevents a user from reading fields in
documents created with that form, giving a user Browse access to the
form in the extended ACL does not override the access specified in the
Readers field.


Elements of an extended ACL


To set up an extended ACL, you use the Extended Access at target
dialog box, which you open from the database Access Control List dialog
box. The elements of an extended ACL are:

Access settings: the allowed access
Subjects: the users and groups whose access you control
Targets: categories of documents or specific documents to which access settings apply

Extended ACL access settings


There are several access settings you use to control a subject's access to an extended ACL target. For each access setting you choose Allow or Deny. You can leave an access setting unchecked, but if you do, other subjects in the extended ACL or the database ACL determine whether the subject is allowed or denied the access. It's better to select Allow or Deny to help ensure you get the access control results you expect.
Access settings apply to existing documents at a selected target. If the selected target is a category of documents, access settings also apply to documents added to the category in the future.
An extended ACL cannot restrict the access of a user with Manager database access or an administrator with Full Access administrators access to a server (controlled through the Server document in the Domino Directory). An extended ACL also cannot prevent a user with Designer or Manager database access from modifying the directory design.
Note For ease of reading, this topic uses the terms document, field, and
form. If an extended ACL will control LDAP access, apply the
LDAP-equivalent terms instead: entry, attribute, and object class.

The following access settings control access to a document as a whole:
Browse: Allows a user to access a document.
Create: Allows a user to create a document.
Delete: Allows a user to delete a document.

The following access settings control access to a field within a document:
Read: Allows a user to read a field. The user must also have Browse access to the document.
Write: Allows a user to modify a field.

When more than one type of document uses a particular field, you
control access to the field separately for each type of document.
If you are controlling the access of Notes and Web users, be aware of the
following issues. These issues do not apply to access through other
means, such as LDAP access or Notes application access, except where
indicated.

If you deny a Notes or Web user access to a field in a document, when the user opens the document, the document does not show the field and the text (TRUNCATED) shows in the tab of the document. In addition, the user is unable to edit the document, even if the user has Write access to the fields in it.
If you deny a Notes or Web user access to a field in a document that a view uses to sort the document, the name of the document is blank in the view. The user can still select the document to open it.
To delete a document, a Notes or Web user must be able to see the document in a view. To see a document requires Browse access to the document.
To create a document, a Notes or Web user or a Notes application must have Create access to the document as well as Write access to the fields to which the user/application will add values.

Administer access
Grant Administer access to allow someone with Designer or Editor
access in the database ACL to modify access settings at an extended ACL
target. Someone with Manager access in the database ACL can modify an
extended ACL without having Administer access. Grant Administer
access to allow someone to manage access to documents under a target
category without granting the person Manager access in the database
ACL. A user with Editor or Designer access in the database ACL does
not have the Administer access by default; you must grant the user that
access explicitly. You grant someone Administer access to a target
category and not to a specific document.

Note You can give a Domino 6 server Administer access to a selected target category. This access enables the server to be an extended administration server whose Administration Process manages documents below the selected target category.
For more information, see the chapter Setting Up the Administration
Process.

Default access compared to form-specific access


When you set a subject's access to a selected target, you specify default access settings that generally apply to all types of documents at the selected target. Then you can also set form-specific access settings that are different from the default access settings. For example, by default you can deny a subject Browse and Read access, but then allow Browse access to Person and Group documents and Read access to the fields in those documents.
Default access
You use the Extended Access at target dialog box to set a subject's default access to a target. The following figure shows default access set to Deny all for the -Default- subject at / (root):


Form-specific access
You click Form and Field Access from the Extended Access at target dialog box to use the Form and Field access at target dialog box to set form-specific access settings that are exceptions to the selected subject's default access at the selected target. The following figure shows access set for the Person form for the -Default- subject at / (root):
Note The Administer access setting is available only as a default access setting, and not as a form-specific access setting.
Displaying LDAP attributes and object classes when setting
form-specific access
Use the Schema option in the Form and Field access at target dialog
box to control whether the dialog box shows the directory contents in
terms of LDAP object classes and attributes or in terms of Domino forms
and fields. Domino is selected by default, meaning the dialog box shows
Domino forms and fields. To show LDAP object classes and attributes,
select LDAP next to the Schema option.
When you set a subject's access to a form or field, the access setting automatically applies to the corresponding LDAP object class or attribute, if there is one. Similarly, if you set a subject's access to an object class or attribute, the access also applies to the corresponding form or field if there is one.

For example, if you deny a subject Read access to the InternetAddress field of a Person form when Domino is selected as the Schema option, the subject is also denied LDAP Read access to the mail attribute of the dominoPerson object class that shows when LDAP is selected as the Schema option. If the Schema option is set to LDAP and you deny a subject Read access to the mail attribute of the dominoPerson object class, the subject is also denied Read access to the InternetAddress field of a Person form that shows when Domino is selected as the Schema option.
Some object classes and attributes that the Form and Field access at
target dialog box displays when you select LDAP as the Schema option
do not correspond to forms and fields and are useful only for controlling
LDAP access. For example, the object class residentialPerson does not
correspond to a form. Similarly, some forms and fields that the dialog
box displays when you select Domino as the Schema option do not
correspond to LDAP object classes and attributes and are useful only for
controlling Notes or Web user access. For example, the form
DirectoryProfile does not correspond to an object class.
Note Domino uses the Domino LDAP Schema database
(SCHEMA.NSF) to generate the LDAP object classes and attributes that
display when you choose LDAP for the Schema option in the dialog box.
So to use the LDAP schema option, the directory for which you are
setting access must be located on a server that runs the LDAP service. If
you extend the schema, you can use the extended ACL to control access
to the new object classes and attributes.
For more information on the LDAP schema, see the chapter Managing
the LDAP Schema.

Precedence rules used to resolve access conflicts at a target

More than one subject that is shown at a selected target can apply to a
particular user. For example, a user might be a member of two groups,
both of which have access set to the target O=Acme. The following
precedence rules are applied to determine the access a user has to a
target when there are multiple subjects that apply to the user at the
target.
Note Even after precedence rules are applied, a user's access can never exceed the access the database ACL allows the user.

When you select a target in the Extended Access at: target dialog box,
by default the dialog box shows all the subjects in the extended ACL
with access settings to the target. Included are subjects whose access is
set at and inherited from a higher target through the scope This
container and all descendants. (You can select Show Modified to see
only the subjects with access set directly at the target.)

1. Access set for a subject with the scope This container only takes precedence over access set for a subject with the scope This container and all descendants, regardless of subject type. For example, the access set for the subject */Acme and the scope This container only takes precedence over the access set for the subject Kathy Brown/Acme and the scope This container and all descendants.
2. Among subjects with the same scope, access for a more-specific type of subject takes precedence over access for a less-specific type of subject. The order of subject specificity, from most specific to least specific, is:
a. Individual user or server
b. Self
c. Group
d. A wildcard, for example */Acme
e. -Default-
For example, the access set for Kathy Brown/Acme with the scope This container and all descendants takes precedence over the access set for the group Admins/Acme with the scope This container and all descendants.
3. When evaluating more than one group subject or more than one wildcard subject, the access settings of the subjects are combined, with Deny access taking precedence over Allow access. For example, if the group Admins/Acme denies Write access and allows all other access, and the group Managers/Acme denies Create access and allows all other access, users that are members of both groups are denied Write and Create access and allowed all other access.
Tip To determine a user's effective access to an extended ACL target after extended access settings and database access are evaluated, select the target in the Extended Access at target dialog box, then click Effective Access.
For more information on using the Effective Access tool, see the topic Showing a subject's effective access to an extended ACL target later in the chapter.

25-8 Administering the Domino System, Volume 1

Examples of precedence rules

The combined access in each example can never exceed the access
granted in the database ACL.

Example 1 (Rule 1 applied)
Subject 1: */Acme; Scope: This container and all descendants;
Allow: Read, Browse; Deny: Create, Delete, Write
Subject 2: */Acme; Scope: This container only;
Allow: Create, Delete, Write; Deny: Read, Browse
Combined access: Allow: Create, Delete, Write; Deny: Read, Browse

Example 2 (Rule 2 applied)
Subject 1: Admins/Acme group; Scope: This container and all descendants;
Allow: All
Subject 2: */Acme; Scope: This container and all descendants;
Deny: All
Combined access: Allow: All

Example 3 (Rule 3 applied)
Subject 1: Admins/Acme group; Scope: This container and all descendants;
Allow: Read, Browse; Deny: Create, Delete, Write
Subject 2: Managers/Acme group; Scope: This container and all descendants;
Allow: Create, Delete, Write; Deny: Read, Browse
Combined access: Deny: All

Extended ACL subject

An extended ACL subject is a name for which you are setting access to a
selected extended ACL target. To add a subject to an extended ACL, you
select the target and then click Add below the People, Servers, Groups
box in the Extended Access at target dialog box.
The following figure shows an example of the -Default- subject selected
at the / (root) target.

You can specify any of the following as subjects in an extended ACL:
Individual user or server
Group
Wildcard that represents all names at a specific location in the
directory name hierarchy, for example, */West/Acme
Anonymous
-Default-
Self

With the exception of Self, these are the same types of entries that are
acceptable in a database ACL.
For more information on the database ACL, see the chapter Controlling
User Access to Domino Databases.
You specify more than one subject at a target to give each subject its own
access to the target. For example the group Admins/West/Acme and the
group Admins/East/Acme might each have access set at the / (root)
target. You can also add the same subject at multiple targets, to give the
subject different access to each target.
If the database ACL and an extended ACL both list a particular subject,
Administration Process requests can rename or delete the subject in the
extended ACL, as well as in the database ACL.


Anonymous as subject
As in the database ACL, the subject Anonymous controls the access of all
users and servers that access a server without first authenticating.
Anonymous access applies to access via all the supported protocols.

Self as a subject
The subject Self is available only for an extended ACL and not the
database ACL. At a target category only, you can use Self to define the
access that all users have to their own documents that fall under the
target category. A user's own document is one with a distinguished
name that matches a distinguished name presented by the user. Use Self
so that you can use one subject to control all users' access to their own
documents at a target category.

-Default- as a subject
Adding and setting access for the -Default- subject at a target is optional.
If you set access for -Default- at a target, all users and servers whose
access is not determined by another subject at the selected target get the
access set for -Default-. If you add the -Default- subject to a target and
you want some users to have different access to the target than the
-Default- access, add a subject or subjects that represent those users to the
target with the desired access.

Lotus Domino 6 servers as subjects
In general an extended ACL can't restrict the access of a Domino 6
server. The exception is granting a Domino 6 server Administer access to
a target category that represents a particular location in the directory
name hierarchy. Doing so allows the server to be an extended
administration server that can carry out Administration Process requests
for documents under the selected target category.
For more information, see the chapter Setting Up the Administration
Process.

Advantages to using subjects that represent a group of users
When possible use subjects that represent groups of users (-Default-,
Self, groups, wildcard subjects) rather than individual users as
subjects. For example, set access for the group Admins/Acme, rather
than setting access for Acme administrators individually. When you use
subjects that represent groups of users you minimize the number of
subjects in the extended ACL to add and manage and you optimize
access-checking performance.

Extended ACL target
You select a target to specify either a category of documents or a specific
document to which you are controlling a subject's access. Selecting a
category of documents as a target is recommended because you can set
access to multiple documents at once and because the access applies to
documents added to the category in the future. You use the Target box in
the Extended Access at target dialog box to select a target. You can set
access for more than one subject at a target.
The following figure shows the / (root) target selected in the Extended
Access at target dialog box. By default you can see only the document
categories in the Target box and not individual documents. Deselect
Show only containers to see the documents below the categories.

How the Target box categorizes documents
The Target box categorizes documents by their names. The top category
in the Target box is / (root). Access set at / (root) applies by default to all
the documents in the directory because documents subcategorized below
/ (root) inherit the access set at / (root) by default. The Target box
subcategorizes documents that have hierarchical names defined by a
FullName, ListName, or ServerName field below / (root) by their
location in the directory name hierarchy. For example, the Target box
categorizes Person documents containing the names CN=Alan
Jones/O=Acme, CN=Derek Malone/OU=East/O=Acme, and CN=Karen
Lessing/OU=West/O=Acme as follows:
/ (root)
    O=Acme
        Alan Jones/Acme
        OU=East
            Derek Malone/East/Acme
        OU=West
            Karen Lessing/West/Acme
For a document to be categorized by name hierarchy in a subcategory
below / (root) its name must contain more than just one part. For example,
a Person document whose name is defined by a certifier is subcategorized
in a category below / (root). In addition, the name of the document must
be stored in a field called FullName, ListName, or ServerName. The
ListName field stores the names of Domino Group documents, the
ServerName field stores the names of Domino Server documents, and the
FullName field stores the names of other types of documents, for example
Domino Person, Certifier, and Policy documents.
A document with a flat name (a name with only one part), or a
document with a name specified in a field other than FullName,
ListName, or ServerName, is categorized directly under / (root). The
Target box does not show the documents under / (root) that are named
through a field other than FullName, ListName, or ServerName. You can
set access to these types of documents through the / (root) target, but
cannot set access to an individual one. For example, the names of
Holiday and Connection documents are not controlled through a
FullName, ListName, or ServerName field, so you cannot see or select
these documents under / (root). However, when you set access at /
(root), the access applies to these documents.

Advantages to using categories rather than single documents as
targets
You can select a specific document as a target at which to set a subject's
access, however selecting a target category is recommended instead.
When you select a target category, by default you are automatically
setting access to all the documents immediately below the selected
category as well as to documents below subcategories of the selected
category, so you minimize the number of times the subject appears in the
extended ACL. For example, by setting a subject's access at the target
O=Acme, the access by default automatically applies to all documents
below O=Acme and any organizational units below, such as OU=West
and OU=East.
Domino can verify a subject's directory access more quickly when there
are fewer occurrences of the subject in an extended ACL than when there
are many. In addition, when you use categories as targets it's easier to
manage the extended ACL because there are fewer subjects to track.
To take full advantage of using categories as targets, you may want to
specify hierarchical names for documents that have flat names in a
FullName, ListName, or ServerName field so the Target box can
subcategorize them under an appropriate location in the directory name
hierarchy. For example, Group documents often have flat names, and in
this case the Target box categorizes them directly below / (root), so you
may want to change the names of such Group documents to hierarchical.
The following documents usually have hierarchical names defined in a
FullName, ListName, or ServerName field and are therefore
subcategorized below / (root) at the appropriate location in the
directory name hierarchy:
Person documents
Server documents
Certifier documents
Policy documents

Target scope
When you select a category as a target in the Target box, you use the
Scope of Target box to specify whether a subject's access settings apply
only to documents at that category or also to documents under
subcategories. Keep This container and all descendants (the
default) selected to apply the subject's access settings to documents
under the selected target category as well as to documents under
subcategories. Select This container only to apply the subject's access
settings to documents under the selected target category only.
The following figure shows the target scope This container and all
descendants selected for the subject Admins/Acme at the / (root) target.
You select a scope for each subject with access at a target category.
Example of using This container and all descendants as a target
scope
Suppose you want users who access the database through the -Default-
entry to see any Person and Group document in the directory but no
other type of document. You could do the following:
Give the -Default- subject Reader access in the database ACL.
In the extended ACL, add -Default- as the subject at / (root) and
deny it all access by default, but allow it Browse and Read access to
the Person and Group forms.
Keep This container and all descendants as the scope to apply the
access settings to the entire directory.

The following figure illustrates these access settings.
[Figure: Database ACL: -Default-: Reader. Extended ACL: Target / (root),
Subject -Default-, Scope "This container and all descendants". At / (root)
the default access denies Browse, Create, Delete, Read, and Write, and the
Person form and Group form allow Browse and Read only. O=Acme,
OU=East, and OU=West inherit these settings from / (root).]

Example of using This container only as a target scope
Suppose the names of documents in your company fall under the
organization O=Acme or one of the organizational units OU=East or
OU=West. You want to deny the group Admins/Acme all access to
documents in the directory except documents at O=Acme. You want to
allow the group all access to documents at O=Acme. You could give the
group Admins/Acme Editor access in the database ACL with all
database ACL privileges and administration roles. At / (root) deny
Admins/Acme all access and select This container and all descendants.
At O=Acme allow Admins/Acme all access and select This container
only as the scope. The deny access set for Admins/Acme at / (root)
continues to apply to OU=East and OU=West.

The following figure illustrates these access settings.
[Figure: Database ACL: Admins/Acme: Editor with all privileges and
administration roles. Extended ACL: at Target / (root), Subject
Admins/Acme, Scope "This container and all descendants", all access
denied; at Target O=Acme, Subject Admins/Acme, Scope "This container
only", all access allowed. OU=East and OU=West inherit the denial of
B C D R W A set at / (root).]


Adding a subject twice to a target category with different target
scopes
Although not typically done, you can add one subject two times to one
target category with different access settings. Add the subject to the
target category and specify access for the scope This container only.
Add the subject again to the same target category and specify access for
the scope This container and all descendants. Using this approach, you
can use one subject entry to set a subject's access to multiple target
subcategories, rather than setting the subject's access separately at each
subcategory.
For example, suppose you want to allow members of the group
Admins/Acme full access to documents categorized directly under
O=Acme. You also want to allow members of the group to browse and
read documents categorized under OU=East and OU=West, but want to
prevent them from creating, deleting, writing, and setting extended
access settings for these documents. You want to deny the group access
to all other documents. To accomplish this you could do the following:
Add Admins/Acme to the database ACL with Editor access and all
privileges and administration roles.
Add Admins/Acme as a subject at / (root), deny all access and select
the scope This container and all descendants.
Add Admins/Acme to O=Acme, allow all access and select the scope
This container only.
Add Admins/Acme to O=Acme again, allow only Browse and Read
access and deny all other access and select the scope This container
and all descendants.
Assuming there are no other subjects in the extended ACL that control
access for the members of the Admins/Acme group, precedence rules
determine that the access set for Admins/Acme at O=Acme with the
scope This container only controls Admins/Acme's access to the
documents directly under O=Acme. The access set for Admins/Acme at
O=Acme with the scope This container and all descendants controls
Admins/Acme's access to the documents subcategorized under OU=East
and OU=West below O=Acme.
The following figure illustrates these access settings.
[Figure: Database ACL: Admins/Acme: Editor with all privileges and
administration roles. Extended ACL: at Target / (root), Subject
Admins/Acme, Scope "This container and all descendants", all access
denied; at Target O=Acme, Subject Admins/Acme, Scope "This container
only", all access (B C D R W A) allowed; at Target O=Acme, Subject
Admins/Acme, Scope "This container and all descendants", Browse and
Read allowed and Create, Delete, Write, and Administer denied, which
OU=East and OU=West inherit.]
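The precedence rules, the way the Target box files documents by name, and the two scope examples above can all be exercised with the following toy evaluator. It is an added example written for this page, not IBM code and not how Domino itself implements extended ACLs. The Entry record, the naming rules in target_path (country codes ignored), suffix matching for wildcard subjects, resolving each subject's nearest target before applying rules 1 to 3, simplifying "Editor with all privileges and roles" to every extended right, and falling back to the database ACL when no subject covers a user are this example's assumptions; the ACL it ships with is the chapter's "Admins/Acme added twice at O=Acme" scenario, constructed here.

```python
"""Toy evaluator for Domino 6 extended ACL precedence (added example, not IBM code).

Models the Target box's filing of a document by its hierarchical name, the two
target scopes, the subject kinds, and precedence rules 1 to 3, capped by the
database ACL. See the lead-in for the assumptions this model makes.
"""
from dataclasses import dataclass

RIGHTS = frozenset({"Browse", "Create", "Delete", "Read", "Write", "Administer"})
ALL, NONE = RIGHTS, frozenset()
# Rule 2: subject kinds from most specific to least specific.
SPECIFICITY = ("user", "self", "group", "wildcard", "default")


def target_path(name):
    """Category the Target box files a document under, given the value of its
    FullName, ListName or ServerName field. A flat name (no "/") goes directly
    under "/". Abbreviated names are typed as CN / OU ... / O (assumption:
    country codes are ignored)."""
    parts = name.split("/")
    if len(parts) < 2:
        return "/"
    typed = []
    for i, part in enumerate(parts):
        if "=" in part:
            typed.append(part)
        elif i == 0:
            typed.append("CN=" + part)
        elif i == len(parts) - 1:
            typed.append("O=" + part)
        else:
            typed.append("OU=" + part)
    # Drop the CN leaf; list the containers from the organization downward.
    return "/" + "/".join(reversed(typed[1:]))


@dataclass(frozen=True)
class Entry:
    target: str         # "/", "/O=Acme", "/O=Acme/OU=East"
    subject: str        # "Kathy Brown/Acme", "Admins/Acme", "*/Acme", "-Default-", "Self"
    kind: str           # one of SPECIFICITY
    descendants: bool   # True: This container and all descendants; False: This container only
    allow: frozenset    # rights allowed; every other right in RIGHTS is denied


def depth(target):
    return len([p for p in target.split("/") if p])


def applies(entry, doc_target):
    """Does the entry reach a document filed under doc_target?"""
    if entry.target == doc_target:
        return True
    if not entry.descendants:
        return False
    return doc_target.startswith(entry.target.rstrip("/") + "/")


def subject_matches(entry, user, groups, own_document):
    if entry.kind == "default":
        return True
    if entry.kind == "self":
        return own_document
    if entry.kind == "user":
        return entry.subject == user
    if entry.kind == "group":
        return entry.subject in groups
    if entry.kind == "wildcard":            # "*/Acme" matches names ending in "/Acme"
        return user.endswith(entry.subject[1:])
    raise ValueError(entry.kind)


def effective_access(acl, user, groups, doc_name, db_rights):
    """Rights `user` (a member of `groups`) ends up with on the document named
    doc_name, given the rights the database ACL already grants (db_rights)."""
    doc_target = target_path(doc_name)
    # Per subject, the nearest applicable entry controls; at the same target the
    # This container only entry beats This container and all descendants.
    nearest = {}
    for e in acl:
        if not applies(e, doc_target) or not subject_matches(e, user, groups, doc_name == user):
            continue
        cur = nearest.get(e.subject)
        if (cur is None or depth(e.target) > depth(cur.target)
                or (depth(e.target) == depth(cur.target) and not e.descendants)):
            nearest[e.subject] = e
    cands = list(nearest.values())
    if not cands:
        return db_rights    # assumption: no subject covers the user, database ACL alone applies
    # Rule 1 across subjects: a This container only setting wins regardless of kind.
    if any(not e.descendants for e in cands):
        cands = [e for e in cands if not e.descendants]
    # Rule 2: keep only the most specific kind of subject present.
    best = min(SPECIFICITY.index(e.kind) for e in cands)
    cands = [e for e in cands if SPECIFICITY.index(e.kind) == best]
    # Rule 3: several groups or wildcards combine, Deny beating Allow.
    rights = ALL
    for e in cands:
        rights &= e.allow
    # Combined access can never exceed the access granted in the database ACL.
    return rights & db_rights


# Constructed ACL: the chapter's "Admins/Acme added twice at O=Acme" example.
ACME_ACL = [
    Entry("/", "Admins/Acme", "group", True, NONE),
    Entry("/O=Acme", "Admins/Acme", "group", False, ALL),
    Entry("/O=Acme", "Admins/Acme", "group", True, frozenset({"Browse", "Read"})),
]
EDITOR_ALL = ALL    # Editor with Create/Delete and all roles, simplified to every right

if __name__ == "__main__":
    me, mine = "Kathy Brown/Acme", {"Admins/Acme"}
    for doc in ("Alan Jones/Acme", "Derek Malone/East/Acme", "Everyone"):
        got = effective_access(ACME_ACL, me, mine, doc, EDITOR_ALL)
        print(f"{doc:25} {target_path(doc):20} {sorted(got)}")
```

Running it reproduces the example: a member of Admins/Acme gets full access to Alan Jones/Acme directly under O=Acme, Browse and Read on Derek Malone/East/Acme under OU=East, and nothing on the flat-named Group document "Everyone", which the Target box files at / (root). Feeding it the three rows of the precedence table earlier in the chapter returns the combined access each row lists, and adding a Self entry beside -Default- at O=Acme shows Self winning only on the user's own Person document.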

Extended ACL examples
Example 1
Example 2

Extended ACL: example 1
The Acme company uses this name hierarchy within its Domino
Directory: the organization O=Acme, and two organizational units below
it, OU=Sales and OU=Engineering. The Acme company wants to prevent
users registered under OU=Sales from accessing documents within
OU=Engineering, and wants to prevent users registered under
OU=Engineering from accessing documents within OU=Sales. Acme
does the following to accomplish these security goals:
1. Sets the -Default- access in the Domino Directory database ACL to
Reader.
2. Denies the subject */Sales/Acme all access to the target
OU=Engineering.
3. Denies the subject */Engineering/Acme all access to the target
OU=Sales.

Extended ACL: example 2
The Acme company uses one Domino domain. The directory name
hierarchy within the Domino Directory consists of the organization
O=Acme, and two organizational units below that, OU=West and
OU=East. The Acme Domino Directory includes three groups of
administrators:
The Admins/Acme group, responsible for managing documents
throughout the directory.
The Admins/West/Acme group, responsible for managing
documents that fall under OU=West and that have names ending in
West/Acme.
The Admins/East/Acme group, responsible for managing
documents that fall under OU=East and that have names ending in
East/Acme.

Security goals
To establish security, Acme has these goals:
1. Allow members of the Admins/Acme group to:
Have full access to all documents in the directory
Manage access at any target in the extended ACL
2. Allow members of the Admins/West/Acme group to:
Read all fields in all documents in the directory
Create, modify, and delete only documents that fall under OU=West
Manage the extended ACL at the OU=West target
3. Allow members of the Admins/East/Acme group to:
Read all fields in all documents in the directory
Create, modify, and delete only documents that fall under OU=East
Manage the extended ACL at the OU=East target
4. Allow authenticated users not in any of the administration groups to
browse and read only Person, Group, and Resource documents
throughout the database but not other documents, and prevent these
users from creating, deleting, and modifying any documents.
5. Prevent anonymous users from accessing the directory.
How Acme achieves its goals
The following tables describe how Acme sets up the Domino Directory
database ACL and the extended ACL to accomplish its security goals.
Database ACL

Subject: -Default-
Access: Reader
Description: Required to allow non-administrators to browse and read
Person, Group, and Resource documents

Subject: Admins/Acme group
Access: Manager; Delete; all administration roles
Description: Allows members of Admins/Acme to manage all documents
and the entire extended ACL; no extended ACL settings needed

Subject: Admins/West/Acme group
Access: Editor; Create, Delete; all administration roles
Description: Required to allow members of Admins/West/Acme to
create, modify, delete, and manage the extended ACL for West/Acme
documents

Subject: Admins/East/Acme group
Access: Editor; Create, Delete; all administration roles
Description: Required to allow members of Admins/East/Acme to
create, modify, delete, and manage the extended ACL for East/Acme
documents

Subject: Anonymous
Access: No Access
Description: Prevents anonymous users from accessing any information
in the directory; no extended ACL settings needed

/ (root) target in extended ACL

Subject: -Default-
Access: Default: Deny all. Person, Group, and Resource forms: Allow
Browse, Read; Deny Create, Delete, Write, Administer
This container and all descendants? Yes
Description: Allows non-administrators to read only Person, Group, and
Resource documents

Subject: Admins/West/Acme group
Access: Default: Allow Browse, Read; Deny Create, Delete, Write,
Administer
This container and all descendants? Yes
Description: Prevents members of the Admins/West/Acme group from
modifying documents at the / (root) and O=Acme targets

Subject: Admins/East/Acme group
Access: Default: Allow Browse, Read; Deny Create, Delete, Write,
Administer
This container and all descendants? Yes
Description: Prevents members of the Admins/East/Acme group from
modifying documents at the / (root) and O=Acme targets
OU=West target in extended ACL

Subject: Admins/West/Acme group
Access: Default: Allow all
This container and all descendants? Yes
Description: Allows members of Admins/West/Acme to have full access
to documents under OU=West

OU=East target in extended ACL

Subject: Admins/East/Acme group
Access: Default: Allow all
This container and all descendants? Yes
Description: Allows members of Admins/East/Acme to have full access
to documents under OU=East

Extended ACL guidelines
Plan an extended ACL on paper before you implement it. After you have
planned the extended ACL on paper, test it in a non-production
environment before deploying it. When planning an extended ACL use a
sparse access control model that minimizes the number of extended ACL
subjects you specify:
Use categories as targets (/ (root) or subcategories below / (root))
rather than individual documents. To subcategorize documents
below / (root), you may have to give some documents, for example
Group documents, hierarchical names manually.
As a general rule use the default target scope This container and all
descendants to extend subjects' access to target subcategories.
Use names that represent groups of users (Self, groups, wildcard
subjects, -Default-) as subjects rather than the names of
individuals.
When you use a sparse access control model Domino can check extended
ACL access settings quickly and you can manage extended ACL access
settings easily.

Setting up and managing an extended ACL
Follow these procedures to set up and manage an extended ACL:
Enable extended access
Set a subject's access to a target
Modify or remove a subject's access setting at a target
Show a subject's effective access to a target
Use the history log to monitor changes to an extended ACL
Disable extended access
For information on troubleshooting extended ACLs, see the chapter
Troubleshooting.

Enabling extended access
To set up an extended ACL for a Domino Directory or Extended
Directory Catalog, you must enable extended access for the database.
Before you enable extended access, make sure you understand the
implications of doing so:
Enabling extended access may take a few minutes on a very large
directory database. The Notes or Domino Administrator client is
unavailable for other purposes during this process.
To ensure that the database replicates properly, extended access
requires use of the advanced database ACL option Enforce a
consistent Access Control List across all replicas.
After you enable extended access, you can't make changes to the
database on a server running an earlier release because the changes
can't replicate to a Domino 6 server. If you enable extended access,
you must make directory changes only to a replica on a Domino 6
server.
Enabling extended access enforces the database ACL, extended ACL,
and Readers and Authors fields for Notes clients looking up names
in the directory. For example, if you enable extended access, then
Notes users who are addressing mail must have at least Reader
access in the database ACL to use type-ahead addressing or F9
address resolution against the directory. Likewise, a Notes application
that calls NAMELookup functions to search the directory must have the
necessary database access to carry out the operation.
Enabling extended access enforces the database ACL and extended
ACL for anonymous LDAP searches of the directory. Enabling
extended access removes the anonymous LDAP access settings from
the domain Configuration Settings document, and they remain
removed unless you disable extended access at a later point. By
default the directory database ACL gives Anonymous users No
Access, so if you want LDAP users to search the directory
anonymously, you must change the access for the Anonymous entry
when you enable extended access.
For more information on converting anonymous LDAP access settings in
a domain Configuration Settings document to database ACL and
extended ACL settings, see the chapter Setting Up the LDAP Service.
Caution Do not enable extended access if you have any uncertainty
about doing so.
To enable extended access for a Domino Directory or Extended Directory
Catalog:
1. Open the database, and choose File - Database - Access Control.
2. Make sure you have Manager access in the database ACL.
3. Click Advanced, and then select Enable Extended Access.
4. At this prompt, click Yes to continue:
Enabling extended access control enforces additional security
checking. See Domino Administrator Help for more details. Do you
want to continue?
5. At this prompt, which appears only if the advanced database ACL
option Enforce a consistent Access Control List across all replicas is
not yet enabled, click Yes:
Consistent access control must be enabled first. Do you want to
enable it now?
6. At this prompt, click OK:
If more than one administrator manages extended access control
for this database, enable document locking on the database to avoid
conflicts.
7. Click OK in the Access Control List dialog box.
8. At this prompt, click OK:
Enabling extended access control restrictions. This may take a
while.
9. Look at the status bar on the client to see the status of this process.

Setting a subject's access to an extended ACL target
To set a subject's access to an extended ACL target in a Domino
Directory or an Extended Directory Catalog, follow these steps:
1. Review the guidelines for setting up an extended ACL.
2. Open the Domino Directory or Extended Directory Catalog.
3. Make sure you have enabled extended access for the directory.
4. If more than one administrator manages the extended ACL, enable
the advanced database property Allow document locking.
Document locking ensures that only one administrator can modify
the extended ACL at a time.
a. Choose File - Database - Properties.
b. Select Allow document locking.
For more information on locking documents, see Notes 6 Help.
5. Choose File - Database - Access Control to open the Access Control
List dialog box. Make sure you have one of the following:
Manager access.
Editor or Designer access and the Administer extended ACL
access to the target for which you are setting the subject's access.
Either a database manager or someone with Administer access to
the target must give you this access.
6. With Basics selected, click Extended Access.
7. In the Target box at the left of the Extended Access at target dialog
box, expand target categories as necessary and select the target.
For information, see the topic Extended ACL target earlier in the
chapter.
Tip Below the Target box, deselect Show only containers to show
the documents under each target category. Select the option to show
only the target categories. You can choose a single document as a
target, but doing so is discouraged.
8. Next to People, Servers, Groups below the Access List box, select
one:
Show Modified to show only subjects whose access to the
selected target is set at the target.
Show All (default) to show subjects whose access to the
selected target is set at a higher target using the This container
and all descendants scope, as well as subjects whose
access to the selected target is set at the target.
9. To add the subject for which you are setting access to the selected
target, do one:
Click Add - Name and type or select a subject name, then click
OK. If the subject is a user, server, or group that is not in the
directory for which you are controlling access, this prompt
appears: Subject can not be found in the directory. To continue,
please specify the subject's type: Person, Server, Group. Select
one of the options presented, then click OK.
Click Add - Default to add the subject -Default-.
Click Add - Self to add the subject Self.
Click Add - Anonymous to add the subject Anonymous.
If a subject's access to the selected target is set at a higher target
through the scope This container and all descendants and you
add the subject to the selected target with new access settings, the
new access settings then control the subject's access to the selected
target.
For more information on extended ACL subjects, see the topic
Extended ACL subject earlier in the chapter.
10. Below the Scope of Target box at the top right of the Extended
Access at target box, select one of the following to specify the scope
of the subject's access at the selected target.
This container and all descendants (default) to apply the
subject's access to the selected target and to all targets
subcategorized below it.
This container only to apply the subject's access to the selected
target only and not to targets subcategorized below it.
For more information, see the topic Target scope earlier in the
chapter.
Note If you selected a single document as a target in Step 7, the
This container and all descendants option is not available.
11. Below the Attributes section at the right of the Extended Access at
target box, for each of the following select Allow or Deny to set the
selected subject's default access to the selected target.
Browse
Create
Delete
Read
Write
Administer
For more information, see the topics Extended ACL access settings
and Default access compared to form-specific access earlier in the
chapter.
12. (Optional) Set form-specific access to make exceptions to the default
access.
13. Click OK to save the extended ACL changes and close the Extended
Access at target box.
Setting a subject's form-specific access to an extended ACL target
When you set a subject's access to an extended ACL target, you can use
this optional procedure to make exceptions to the subject's default access
to the selected target and set access differently to documents created
from a specific form.

For each form for which you want to set different access than the
subjects default access set for the selected target, do the following:
1. Select the subject for which you are setting access in the Extended
Access at target dialog box and click Form and Field Access to
open the Form and Field access at target dialog box. The dialog box
shows the forms in the directory in the Forms box. When you select a
form in the Forms box, the Fields box shows only the fields in the
selected form.
2. (Optional) To set the Form and Field Access at target dialog box to
display LDAP object classes and attributes rather than forms and
fields, next to Schema select LDAP. This option works only if you are
setting access to a directory on a server running the LDAP service.
For more information, see the topic Displaying LDAP attributes and
object classes when setting form-specific access earlier in the chapter.
3. (Optional) To look at the subjects default access to the selected target
you previously specified in the Extended access at target dialog box.
a. Below the Forms box, select the -Default- entry and look at the
default Browse, Create, and Delete access settings. Optionally,
modify these default access settings. The changes will show in
the Extended access at target dialog box when you close the
Form and Field Access at target dialog box.
b. With the -Default- entry still selected in the Forms box, look at the
-Default- entry in the Fields box to see the default Read and Write
access. Optionally, modify these default access settings . The
changes will show in the Extended access at target dialog box
when you close the Form and Field Access at target dialog box.
4. In the Forms box, select the form for which you want to set access.
Notice that the Fields box changes to show only the fields on the
selected form.
5. In the Forms box, set the desired Browse, Create, and Delete access
settings for the selected form.
6. To set the subject's Read and Write access to all fields in the selected
form:
a. Keep the form for which you are setting access selected in the
Forms box.
b. Select -Default- in the Fields box.
c. Set the subject's general Read and Write access to the fields on
the selected form.
7. To set the subject's Read and Write access to a specific field in the
selected form:
a. Keep the form for which you are setting access selected in the
Forms box.
b. Select the field in the Fields box.
c. Set the subject's Read and Write access to the selected field. These
settings take precedence over the settings specified in step 6.
8. (Optional) To show the form-specific access you have set:
a. Above the Forms box, select Show - Modified. Notice that Show Modified is also selected above the Fields box.
b. Select a form listed in the Forms box to see the access set
specifically for that form.
c. With the form still selected, look at the Fields box to see the fields
on the form for which you've set access.
9. When you've finished setting form-specific access, click OK to close
the Form and Field Access at target dialog box.
10. Continue to Step 13 in the procedure Setting a subject's access to an
extended ACL target.

Modifying or removing a subject's access settings at an extended
ACL target
You can modify a subject's access to an extended ACL target. You can
also remove a subject from a target to remove the subject's access settings
for the target.
To modify a subject's access to an extended ACL target
To modify a subject's access settings at an extended ACL target, follow
the steps described in the topic Setting a subject's access to an extended
ACL target, except in step 9 select the subject rather than add it.
Note that if you select a subject in the Extended access at target dialog
box and the subject's access settings are grayed out, check that you have
the access required to change the settings: Manager access in the
database ACL, or Editor access in the database ACL with Administer
access to the selected target.


If you have the required access to make the change and the subject's
access settings are grayed out, the subject's access to the selected target is
set at a higher target with the scope This container and all descendants.
In this case you can do one of the following:
- At the selected target, click Add to add the subject to the selected
target and set different access for the subject at the target. The new
access to the selected target overrides the access set at the higher
target. If you choose the scope This container and all descendants,
the new access applies to all documents subcategorized below the
selected target as well. If you choose the scope This container only,
documents categorized immediately below the selected target get the
new access settings, but documents under subcategories of the selected
target continue to have the access settings specified at the higher
target.
- Select the higher target, select the subject at the higher target, and
change the access. The changes apply to documents directly under the
higher target and to documents below all subcategories of the higher
target, including the target for which the subject's access is grayed out.
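The inheritance and override rules just described, as an added worked model. This is not Domino code: the target paths, right names and data layout are invented for the illustration, and the database ACL is assumed to be a set of rights that the extended ACL can only narrow.

```python
"""Toy model of how a subject's extended ACL entry at one target governs the
documents under lower targets.  Added illustration, not Domino code: the
target paths, right names and data layout are invented for the example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

ALL_DESCENDANTS = "This container and all descendants"
THIS_ONLY = "This container only"

# A target is the path of categories from the directory root, e.g.
# ("O=Acme", "OU=Sales"); the empty tuple is the root target "/".
Target = Tuple[str, ...]


@dataclass(frozen=True)
class Setting:
    subject: str
    target: Target
    scope: str
    rights: FrozenSet[str]   # e.g. frozenset({"Browse", "Create", "Delete"})


def governing_setting(settings: Iterable[Setting], subject: str,
                      container: Target) -> Optional[Setting]:
    """Return the entry that applies to documents categorized directly
    under `container`.

    An entry set at the container itself applies whatever its scope.
    Otherwise the nearest ancestor entry with scope ALL_DESCENDANTS applies;
    ancestor entries with scope THIS_ONLY are skipped, because they cover
    only documents immediately below their own target.  None means no
    extended ACL entry for this subject reaches the container.
    """
    by_target: Dict[Target, Setting] = {
        s.target: s for s in settings if s.subject == subject}
    if container in by_target:
        return by_target[container]
    for depth in range(len(container) - 1, -1, -1):
        entry = by_target.get(container[:depth])
        if entry is not None and entry.scope == ALL_DESCENDANTS:
            return entry
    return None


def effective_rights(settings: Iterable[Setting], subject: str,
                     container: Target,
                     database_acl_rights: Iterable[str]) -> FrozenSet[str]:
    """Rights after the database ACL and extended ACL are combined.

    Assumption for this model: the extended ACL only restricts what the
    database ACL grants, so the result is the intersection of the two; with
    no governing entry the database ACL rights stand unchanged.
    """
    granted = frozenset(database_acl_rights)
    entry = governing_setting(settings, subject, container)
    return granted if entry is None else granted & entry.rights


if __name__ == "__main__":
    # Constructed sample: a group gets full rights at O=Acme for all
    # descendants, then a narrower entry at OU=Sales for that container only.
    acme, sales = ("O=Acme",), ("O=Acme", "OU=Sales")
    sample = [
        Setting("Sales Admins", acme, ALL_DESCENDANTS,
                frozenset({"Browse", "Create", "Delete"})),
        Setting("Sales Admins", sales, THIS_ONLY, frozenset({"Browse"})),
    ]
    for container in (sales, sales + ("OU=West",), ("O=Acme", "OU=Marketing")):
        print("/".join(container), sorted(effective_rights(
            sample, "Sales Admins", container, {"Browse", "Create", "Delete"})))
```

Documents under OU=Sales/OU=West fall back to the O=Acme entry because the OU=Sales entry has scope This container only, which is the case the text describes as access that stays grayed out at the lower target.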

To remove a subject's access settings from an extended ACL target
Remove a subject from an extended ACL target to remove the access
settings specified for the subject at the target.
1. Make sure you have one of the following levels of access:
- Manager access in the database ACL.
- Editor or Designer access in the database ACL and Administer
extended ACL access to the target from which you are removing
the subject. A database manager or someone with Administer
access to the target must give you this access.
2. Open the database with the extended ACL, and choose File - Database - Access Control.
3. With Basics selected, click Extended Access.
4. In the Target box at the left of the Extended Access at target box,
select the target from which you want to remove the subject.
For information, see the topic Extended ACL target earlier in the
chapter.
5. In the Access List box, select the subject that you want to remove,
and click Remove.
6. Click OK and, when you see the prompt Save changes before
exiting?, click Yes to save the changes and close the Extended
access at target dialog box.
7. Click OK to close the Access Control List dialog box.

Showing a subject's effective access to an extended ACL target
You can determine the effective access a subject has to a target in an
extended ACL. The effective access is the actual access a subject has to a
target after the database ACL and extended ACL access settings and
conflicts are evaluated.
1. Open the database that uses the extended ACL, and choose File - Database - Access Control.
2. With Basics selected, click Extended Access. You see Extended
Access only if you have enabled extended access.
3. In the Target box to the left, expand the target categories as necessary
and select the target for which you want to determine a subject's
access.
4. Click Effective Access to open the Effective Access at target dialog
box.
5. Below the People, Servers, Groups box at the top of the dialog box,
type or select the subject whose effective access you want to
determine. If the subject you specify cannot be found in the directory,
this prompt appears:
Name type cannot be determined. Is this a group?
Click Yes if the name is a group, or No if the name is not a group.
Note You cannot determine the effective access for the subject Self.
6. Click Calculate Access.
7. The Default Access section shows the subject's default access to the
selected target.
8. The Modified Forms section shows any forms for which the subject's
access is different from the default access for the selected target.
a. Select a form in the Modified Forms section to see the access set
for the form.
b. Look at the Modified Forms section to see the Browse, Create,
and Delete access set for the selected form.
c. Look at the Modified Fields section to see the field access set for
the selected form. -Default- shows the default field access for the
selected form. If individual fields are listed, select a field to
see how its access differs from the default field access.
9. The Database access section shows the access the database ACL
grants the subject.
10. The Access derived from box shows all the subjects that can
control the subject's access allowed in the database ACL and the
extended ACL, and displays a check mark next to the subject or
subjects that determine the access.
11. When you are finished viewing the effective access, click Done.

Using the history log to monitor changes to an extended ACL
You can display a log of all changes made to an extended ACL and to the
database ACL. Each entry in the list shows when the change occurred,
who made the change, and what changed.
1. Open the database that uses the extended ACL, and choose File - Database - Access Control.
2. Do one of the following:
- Click Log from the Access Control List dialog box.
- Click Extended Access and then click Log from the Extended
Access at target box.
3. Select a line of log history. To see the complete text of the log history,
look in the field at the bottom of the dialog box.
4. (Optional) Click Copy to copy the log to the Clipboard so that you
can paste it into a document.
Note If you use a Macintosh client, you cannot do Step 4.

Disabling extended access
Disabling extended access takes effect immediately and irreversibly
removes any extended ACL restrictions that have been set and so will
alter security checking for the database. You will remove all restrictions
set on forms and fields, and the database ACL will no longer be
restricted by extended ACL access settings. In addition, the database
ACL will no longer be enforced for Notes client lookups to the directory,
and the domain Configuration Settings will resume as the access control
mechanism for anonymous LDAP searches of the directory.
Caution Do not disable extended access if you have any uncertainty
about doing so.
Note Disabling extended access may take a few minutes on a very large
directory database. The Notes client or Domino Administrator client is
unavailable for other purposes during this process.
Disabling extended access removes all evidence of extended ACL
settings, information that cannot be recovered unless you restore it from
a recent backup or archive of the directory, or unless you write down the
settings prior to disabling them and then reapply them manually later.

To disable extended access:
1. Open the database and choose File - Database - Access Control.
2. Make sure you have Manager access in the database ACL.
3. Click Advanced and then click the Enable Extended Access check
box to remove the selection.
4. At this prompt, click Yes if you are sure you want to disable
extended access; otherwise, click No:
Warning: Disabling extended access removes all extended access
control restrictions that have been set. Do you want to continue?
5. Click OK in the Access Control List dialog box.
6. At this prompt, click OK:
Disabling extended access control restrictions. This may take a
while.
The status bar indicates when the process is complete.


Mail

Chapter 26
Overview of the Domino Mail System
This chapter describes how the Domino mail system works and provides
information that you need to consider before you deploy mail.

Messaging overview
The Domino mail system has three basic components: Domino mail
servers, Domino mail files, and mail clients. The Domino mail server is
the backbone of an organization's messaging infrastructure, acting both
as an Internet mail server and a Notes mail server. Domino provides
standards-based Internet messaging through its support of the Simple
Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3),
Internet Message Access Protocol (IMAP), and Multipurpose Internet
Mail Extensions (MIME). At the same time, Domino supports Lotus
Notes mail through the use of the Notes routing protocol, Notes remote
procedure calls (NRPC), and the Notes rich text message format.
Domino mail servers provide services that directly and indirectly
support messaging. These include specialized databases for locating
users and servers, for message storage and transit, and for collecting
statistics; and processes that initiate and receive connections between
servers, route messages, and allow users to retrieve mail.
Every mail user in a Domino system has a mail file on a Domino mail
server. You can create a replica of the mail file on other servers for
failover in case the primary server is unavailable. Users create mail
messages using a mail client, such as Lotus Notes, or a POP3 or IMAP
client, and send mail through the Domino mail server, which routes the
message to its recipient. The recipient then uses a mail client to read the
message. To protect confidential information in mail messages, Domino
supports Notes public key encryption and S/MIME encryption.
The Lotus Notes client and the Domino mail router (the Router) create
and send messages in the format (MIME or Notes rich text) appropriate
for each recipient, as determined from the address format and settings in
the recipient's Person document. If conversion between formats is
necessary, Domino performs the conversion automatically.

The Router uses information in the Domino Directory to determine
where to send messages and what transfer protocol to use. For messages
sent over SMTP, the Router also uses information from the Domain
Name System (DNS).
Domino provides tools for monitoring mail, controlling unsolicited
commercial e-mail (UCE), and preventing unauthorized access to the
mail system. To reduce the space needed to store users' mail, you can set
quotas on users' mail files, restrict users from creating full-text indexes,
and implement Domino shared mail on the server. Domino provides
migration tools and message transfer agents to help you move from a
heterogeneous system to a Domino mail server, which combines support
for Notes mail alongside support for Internet mail standards.
This section includes overview information on the following topics:

Supported mail routing and mail access protocols

The Domino mail server and mail routing

The Domino Directory and mail routing

Domino mail files

Mail security

Mail clients

Working with other mail systems

Mail performance and monitoring

Supported routing, format, and access protocols
The Lotus Domino server and Lotus Notes client support both Internet
standards and Notes protocols for message routing, retrieval, and
formatting. On the server, the Domino mail router (the Router) can send
and receive messages using the Simple Mail Transfer Protocol (SMTP)
and Notes Remote Procedure Calls (NRPC), or Notes routing. To enable
users to retrieve mail, the server supports the Internet access protocols
IMAP and POP3, as well as NRPC. In addition, the Domino HTTP
service interacts with Domino mail databases to provide mail service for
HTTP clients, such as the iNotes Web Access client.
Domino sends and stores messages in both MIME format and Notes rich
text format, and the Notes client creates and sends messages in either
format.
Mail clients retrieve messages from the server using NRPC, IMAP and
POP3. In addition, Web clients, such as the iNotes Web Access client,
access mail through the Domino HTTP service. The Notes client sends
and retrieves mail using NRPC or Internet protocols (SMTP, IMAP and
POP3).

Mail routing protocols
When a new message arrives in MAIL.BOX, the Router determines
where and how to send the message. By default, the Router uses Notes
routing to transfer mail from one server to another. If the server has both
SMTP and Notes routing enabled for the local Internet domains, the
Router chooses the optimal protocol to use to move the message to its
destination. The protocol selection is based on the current message
format, the Domino version of the server that holds the recipient's mail
file, and the format preference specified in the recipient's Person
document. For example, the Router uses SMTP to route the MIME copy
of a message to a POP3 recipient's server, and uses Notes protocols to
route the Notes rich text format copy of a message to a Notes recipient's
server.
You can also configure Domino to use SMTP to route mail. SMTP routing
can be used instead of, or in addition to, Notes routing. You can
configure a Domino server to use SMTP when transferring mail to
destinations within the local Domino domain only, to external Internet
domains, or both.

Supported message formats
Domino transports and stores messages in both MIME format and Notes
rich text format. The transit format of a message depends in part on the
routing protocol used, and can differ from the format in which the
message is stored in the destination mail file. When transferring
messages over Notes routing, the Router handles messages in either
MIME or Notes format. Messages sent over SMTP are always sent in
MIME format.

The format used to store a message depends on the storage preference
specified in the user's Person document. A mail file can store messages in
MIME format only, in Notes rich text format only, or in both formats,
accepting messages as is, regardless of format. Administrators should
ensure that each user's Person document specifies the format preference
appropriate to that user's mail client. For example, because IMAP clients
require messages in MIME format, the Person document of a user who
always accesses mail from an IMAP client should specify MIME as the
format preference for incoming mail.
To ensure that users receive messages in the format best suited to their
chosen mail clients, Domino converts messages between formats as
needed. The Router may convert a message during transfer between
servers or when delivering the message to a user's mail file. Conversion
during transfer occurs when a message in Notes format must be sent
over SMTP, or when routing a MIME message to a Release 4.x or earlier
server that cannot process MIME. The Domino IMAP and POP3 services
also convert messages, for example when an IMAP or POP3 client needs
to retrieve a message stored in Notes format.
Because Notes routing can transport messages in MIME format, on
networks that support both Notes routing and SMTP, a MIME message
may travel over both protocols en route to its destination.
POP3 and IMAP clients, which always send messages to the server over
SMTP, create messages in MIME format. The Notes client creates
messages in either Notes rich text or MIME format, depending on the
format required by the intended recipient. When a user sends a message
from a Notes client to another Domino mail user, the client software
looks up the format preference specified in the recipient's Person
document to determine which format to send. If the Person document
indicates that the user's mail file stores messages in MIME format (as
when a user accesses mail from an Internet mail client, such as an IMAP
client), the sender's Notes client software sends messages to that
recipient in MIME format.
If a recipient is not listed in the Domino Directory, the client software
sends the message in the format that corresponds to the address type:
recipients with Internet-style addresses, such as jane_doe@acme.com,
receive messages in MIME format, and recipients with Notes-style
addresses (Jane Doe/Sales/Acme@Acme) receive Notes rich text.
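The format and protocol rules described in this section (address type and Person document preference on the client side; SMTP always carrying MIME, Release 4.x servers needing Notes format, and the Router's protocol choice when both SMTP and Notes routing are enabled), as an added worked model. This is not Lotus or IBM code: the data classes, field names and function names are invented for the illustration, and it also generalizes to a message with several recipients, where the client creates every format any recipient needs.

```python
"""Worked model of the message format and transfer protocol rules described
in this section.  Added illustration, not Lotus/IBM code: the data classes,
field names and function names are invented for the example."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set

MIME, NOTES = "MIME", "Notes rich text"       # message formats
SMTP, NRPC = "SMTP", "Notes routing"          # transfer protocols


@dataclass(frozen=True)
class Recipient:
    address: str
    # Format preference from the recipient's Person document, or None when
    # the recipient has no Person document in the Domino Directory.
    person_doc_format: Optional[str] = None
    # Release of the Domino server holding the mail file; Release 4.x
    # servers cannot process MIME.  Unused when there is no Person document.
    home_server_release: int = 6


def is_internet_address(address: str) -> bool:
    """jane_doe@acme.com is Internet-style; Jane Doe/Sales/Acme@Acme is
    Notes-style (hierarchical name before the @domain)."""
    local, _, domain = address.rpartition("@")
    return "/" not in local and "." in domain


def client_format(recipient: Recipient) -> str:
    """Format in which the Notes client creates the copy for one recipient."""
    if recipient.person_doc_format is None:
        # Not in the Directory: the address type decides.
        return MIME if is_internet_address(recipient.address) else NOTES
    if recipient.home_server_release < 5:
        return NOTES          # a Release 4 home server cannot take MIME
    return MIME if recipient.person_doc_format == MIME else NOTES


def client_formats_needed(recipients: Iterable[Recipient]) -> Set[str]:
    """A message to several recipients is created in every format any
    recipient needs, so the result may hold both formats."""
    return {client_format(r) for r in recipients}


@dataclass(frozen=True)
class Transfer:
    protocol: str
    transit_format: str
    converted_in_transit: bool


def router_transfer(message_format: str, recipient: Recipient,
                    local_smtp_routing: bool) -> Transfer:
    """Protocol and transit format the Router uses for one copy of a message.

    local_smtp_routing: True when SMTP routing is enabled alongside Notes
    routing for the local Internet domain.  SMTP always carries MIME, so a
    Notes-format copy that must leave over SMTP is converted in transit;
    Notes routing carries either format unchanged unless the destination
    is a Release 4.x server.
    """
    if recipient.person_doc_format is None:
        if is_internet_address(recipient.address):
            return Transfer(SMTP, MIME, message_format != MIME)
        return Transfer(NRPC, message_format, False)
    if recipient.home_server_release < 5:
        return Transfer(NRPC, NOTES, message_format != NOTES)
    if (local_smtp_routing and message_format == MIME
            and recipient.person_doc_format == MIME):
        # Both protocols available: the MIME copy for a MIME (POP3/IMAP)
        # recipient goes over SMTP; everything else stays on Notes routing.
        return Transfer(SMTP, MIME, False)
    return Transfer(NRPC, message_format, False)
```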

When sending messages to multiple recipients, the client software creates
the message in both MIME and Notes rich text formats if necessary. For
example, the client software creates a Notes rich text format message for
a recipient who uses a Release 4 Notes client and creates a MIME
message for a recipient who uses a POP3 client.
By combining SMTP, Notes routing, and automatic message conversion,
Domino provides flexibility in setting up your mail infrastructure. For
example, you can set up a mail system that is based completely on
Internet standards and use the Router to route MIME messages over
SMTP. You can set up a mail system that is based completely on Notes
mail and use the Router to route Notes format messages over Notes
routing. Or you can set up a mail system that uses both SMTP and
Notes routing, sends both MIME and Notes format messages, and uses
automatic message conversion to ensure that clients receive mail in the
proper format.

Mail access protocols
Domino supports Internet mail access protocols such as IMAP and POP3
and also offers mail access to Notes clients. IMAP and POP3 clients
connect to their respective protocol services to retrieve mail and send mail by
way of an SMTP server. The Notes client can use Notes protocols to
connect to a Domino mail server to read and send mail, and can also use
IMAP or POP3 to access mail on a Domino server or on non-Domino
mail servers, for example, a UNIX sendmail server.

The Domino mail server and mail routing
To process incoming and outgoing mail, Domino mail servers run a
variety of server tasks and maintain a number of special databases. Some
components are required for all Domino messaging systems; others are
needed to support specific configurations only.

The following table lists some of the required and optional components
Domino uses to route mail:

Server tasks
  Router task: Monitors the MAIL.BOX database for new messages.
  Responsible for transferring messages to other servers and delivering
  messages to local mail files. Can transfer mail using Notes remote
  procedure calls (NRPC) as well as SMTP. Converts message format
  between Notes rich text and MIME as needed. Maintains a routing table
  comprised of information derived from the Domino Directory and
  NOTES.INI file.
  SMTP task: (Optional) Enables the SMTP listener, which lets the server
  receive messages sent over SMTP routing.
  Server task: Listens for incoming messages sent by clients and servers
  over Notes routing and for Notes client requests.
  IMAP task: (Optional) Enables IMAP clients to access messages in user
  mail databases on the Domino server.
  Converter: (Optional) Enables mail files for IMAP access.
  Message Tracking Collector (MT Collector): (Optional) Maintains the
  MTSTORE.NSF database used to perform message tracking.
  Object Store Manager: (Optional) Performs maintenance activities on
  databases and mail files that use shared mail.
  POP3 task: (Optional) Enables POP3 clients to access messages in user
  mail databases on the Domino server.
  HTTP task: (Optional) Allows the server to host Web applications.
  Needed to provide Web clients and iNotes users with access to their
  mail databases on the Domino server.
  DOLS: (Optional) Provides iNotes Web Access users with offline access
  to their mail databases.

Databases and database templates
  Mail Router Mailbox (MAIL.BOX): Special Notes database that acts as a
  temporary repository for all messages in transit to and from mail
  clients, applications, and other servers. Created automatically at
  startup. The server creates the number of MAIL.BOX databases specified
  in the Configuration Settings document.
  Domino Directory (NAMES.NSF): Repository for documents that mail
  clients and the Router use to determine where and how to send
  messages: Server document, Configuration Settings, Person documents
  (security/message format), Domain, Connection, and Internet Site
  documents.
  Mail file databases: End-user mailbox for receiving and sending
  electronic mail. Every user who accesses mail on a Domino server has a
  mail file.
  Object Store (Shared mail) databases (SMXXXXXX.NSF): (Optional)
  Repository for shared messages. The Router automatically creates the
  number of shared mail databases to meet the quantity and directory
  locations you specify in the Server document. Domino also creates an
  associated database link in the Data directory.
  Mail Journaling database (MAILJRN.NSF): (Optional) Stores copies of
  messages that pass through the Router Mailbox. A Mail Journaling
  database is automatically created at startup after you enable
  journaling.
  Mail Tracking database (MTSTORE.NSF): Repository for summary
  information about mail flowing through a server. Created and written to
  by the MTC add-in task after you enable message tracking. The Mail
  Tracking database is read by the message tracking tool.
  DOLADMIN.NTF: Contains Security Policy documents and user profile
  documents for DOLS and iNotes applications. DOLADMIN.NSF is
  automatically created at startup.
  MAIL6EX.NTF: Template for Web mail and iNotes Web Access for
  Microsoft Outlook mail files. iNotes Web Access for Microsoft Outlook,
  using DOLS, allows users to work in their Notes mail through Microsoft
  Outlook.

How mail routes in a Domino system
[Figure: how mail routes in a Domino system. Labels: Domino Server;
Submission; Transfer; Delivery; Server Task; SMTP Listener; MAIL.BOX;
Router; User DB; Notes routing; SMTP routing; Servers; Notes Client;
IMAP Client (IMAP); POP3 Client (POP3).]
These steps describe how mail routes in a Domino mail system.


1. Using a mail client, a user creates and addresses a mail message to a
recipient.
2. The user sends the message.
3. The user's mail client does one of the following:
- Uses Notes protocols to deposit the message into the MAIL.BOX
database on the user's Domino mail server.
- Uses SMTP to send the message to the user's Domino mail server,
which must be running the SMTP listener task. The SMTP listener
task deposits the message into MAIL.BOX (Lotus Notes, IMAP
clients, POP3 clients).
- Uses HTTP to send the message to the user's Domino mail server,
which must be running the HTTP task. The HTTP task deposits
the message into MAIL.BOX (Web clients).
4. The Router finds the message in MAIL.BOX and determines where to
send the message for each recipient. The Router checks its routing
table to calculate the next hop for the message on the path to its
recipients and determines the appropriate protocol, either SMTP
or Notes routing, to transfer the message.
- Using SMTP routing, the Router connects to the destination server
(the recipient's mail server, a relay host, a smart host, or one of
the servers in the recipient's Internet domain) and transfers the
message.
- Using Notes routing, the Router moves the message to the
MAIL.BOX database on the server that is the next hop in the path
to the recipient's mail server. The Router on that server transfers
the message to the next hop, until the message is deposited in the
MAIL.BOX database on the recipient's home server.
5. The Router on the recipient's server finds the message (in MAIL.BOX
on a Domino server) and delivers it to the recipient's mail file.
6. Using a mail client, the user retrieves the message from the mail file.
Depending on the type of mail client, one of the following protocols
is used: Notes remote procedure calls, IMAP, POP3, or HTTP.

The Domino Directory and mail routing
The Domino Directory (NAMES.NSF) is the most important database on
a server. It defines the primary administrative unit in a Domino network,
the Domino domain, which is a group of servers that have the same
Domino Directory. The Domino Directory serves as the control center for
the domain. Administrators use it to manage users and connect and
configure servers, and it contains almost all of the essential information
required for routing mail.
When you set up the first Domino server, the setup program creates your
Domino domain's Domino Directory. Each server in the domain stores a
replica of the domain's Domino Directory. Domino replication
synchronizes the Domino Directories on each server.
In addition to the Domino Directory, Domino retrieves information from
the server's NOTES.INI file and, when routing mail over SMTP, from the
Domain Name System (DNS), which is maintained separately.
The Domino Directory supports LDAP so that Internet mail clients can
use LDAP to query and modify the directory if they have access to do so.
For more information on LDAP, see the chapter Setting Up the LDAP
Service.

Domino routing tables
A routing table is a list of connections from a Domino server to all other
servers it can contact. Domino uses the routing table to determine the
best, least-cost path to deliver mail. When you start the Router on a
server, it gathers information from the NOTES.INI file, and the
Configuration Settings, Connection, Domain, and Server documents in
the Domino Directory to build a dynamic routing table.
The Router automatically recalculates the routing table after you reboot
the server or restart the router task. In addition, the Router checks the
Domino Directory for changes at intervals of approximately five minutes.
If it detects changes in these source documents, it rebuilds the routing
table to incorporate the new information.
Note Changing routing information in the NOTES.INI file or in the
Domino Directory does not force the Router to immediately recalculate
the routing table.
You can use a TELL command to refresh the routing table without
having to restart the Router. The ability to update the routing table on
demand is especially useful when testing new configuration settings. See
the chapter Setting Up Mail Routing for more information about using
the update configuration TELL command.
How the Router uses the Domino Directory to look up mail recipients
When a user sends mail to a recipient in the local domain, the Router
looks up the complete address in the ($Users) view of the Domino
Directory (if you set up Directory Assistance, the Router can also look up
the address in a secondary directory) for the recipient's Person
document, which lists the recipient's home server. If the recipient's home
server is the current server, the Router delivers the message. If it is a
different server, the Router consults the routing table to determine the
best route, or least-cost path, for transferring the message to the
destination home server and routes the message along that path.
If the Router cannot find a match for the recipient in the specified
directories, it can forward the message to a smart host, which is a
server that has a directory of users who are in the local domain but who
are not listed in the Domino Directory. For example, if you are migrating
users from a UNIX sendmail system to a Domino mail system but you
have not migrated all users yet, you set up a UNIX server as a smart host
that can locate the sendmail users and route mail to them. Enter the name
of the smart host in the Local Internet domain smart host field on the
Router/SMTP-Basics tab of the Configuration Settings document.

For more information on setting up routing in the local Internet domain
and setting up a smart host, see the chapter Setting Up Mail Routing.

Documents used for routing mail
The Domino Directory uses numerous documents to define the
messaging topology. Depending on your needs, you may need to create
or edit the following documents:
Server documents: Every Domino server requires a Server document.
Server documents specify the following for each server: Notes name;
IP address; fully-qualified Internet host name; Domino domain; the
Notes Named Networks it is a member of; Internet messaging ports and
services available, such as the IMAP, POP, and SMTP ports; the
security options for each port.
Configuration Settings documents: Configuration Settings documents
provide additional information that determines how servers process
incoming and outgoing mail. They define Router settings for SMTP and
Notes routing; set inbound SMTP restrictions; provide MIME
conversion information; and configure mail access for IMAP and
iNotes Web Access clients.
Connection documents: Connection documents define the routing path to
servers outside the current Domino domain or Notes Named Network.
Global Domain documents: Global Domain documents identify the
Internet domains considered to be internal to a Domino domain and for
which the local domain can accept mail. They also provide instructions
for converting the sender's Notes mail address to an SMTP address.
Adjacent and Non-adjacent Domain documents: Adjacent and
Non-adjacent Domain documents specify the domains from which the
current domain will accept mail destined for a specified adjacent or
non-adjacent domain. Non-adjacent Domain documents also define the
intermediary domain through which the local domain routes mail
intended for a Notes domain to which no direct connection exists.
Foreign SMTP Domain documents: Foreign SMTP Domain documents
define the relationship between Domino domains and SMTP mail
systems.
Internet Site documents: Internet Site documents provide protocol
information for IMAP, POP3 and SMTP ports. If configured, the
information in a Site document takes precedence over settings for the
port in the Server document.
File Identification documents: File Identification documents define the
relationships between the file extensions and MIME types and subtypes
of various file types.
Person documents: Person documents provide information about the
location of the user's mail file; Notes and Internet mail addresses;
Internet passwords required for HTTP, POP3, and IMAP access; and
mail storage preferences.

Host names in the Domino system
For ease of maintenance, when entering server information in the
Domino Directory, refer to the server by its fully-qualified host name
rather than its IP address. Although Domino fully supports IP addresses,
host names are less subject to change than numeric addresses. For
example, for TCP/IP to work properly, a server's numeric IP address
must change if you move the server to a new subnet or have to merge
two networks as the result of a reorganization. Using a host name in the
same documents, on the other hand, would not require any update.

Domino mail files


When you create a user account through the Domino registration
process, Domino creates a Notes database (NSF file) to serve as the user's
personal message store. Each mail file database is created from a mail file
template on a Domino server. The server where the mail file resides is
known as the user's home server or mail server. Users can access a
Domino mail file from a Notes client, a Web browser, a POP3 client or an
IMAP client or from multiple types of clients (for example, a user might
access mail from a Notes client while at work and from a POP3 client at
home). For users to access mail from the iNotes Web Access client, an
administrator must create the mail file using the iNotes Web Access
template (iNotes60.ntf).
Mail databases support full-text indexing, encryption, replication, soft
deletions, and archiving. Administrators can specify properties or
policies to limit the use of these features on mail files.
For users who access mail primarily or exclusively from the Notes mail
client, you must create User IDs during registration. A User ID is not
required if a user accesses mail only from a mail client other than the
Notes client. For example, although a user who accesses mail from an
iNotes Web Access, POP3, or IMAP client must have a Person document
and Internet passwords, a User ID is not required. However, a User ID is
required for iNotes Web Access users who wish to work offline or read
encrypted mail.
The Router on a user's home server delivers incoming messages for the
user to the mail file. Messages in a mail file may be stored in either Notes
rich text format (also known as Compound Document, or CD format) or
MIME format. The format used depends on settings in the user's Person
document. If a user's mail client opens or downloads a message that is
stored in a format it cannot read, Domino automatically converts the
message. For example, if an IMAP client opens a message stored in Notes
rich text format, the Domino IMAP service converts the message to
MIME before passing it to the client.
In environments where all users access mail from Notes mail clients, you
might specify rich text storage. For users who always access mail from
IMAP or POP3 clients, MIME storage eliminates the need to convert
messages before they can be read. If you set a user's preferred storage
format to Keep in sender's format, the Router does not change the
format of messages before placing them in the mail file, so the mail file is
likely to contain a mix of rich text and MIME messages.
By default, each user is considered to be the owner of their personal mail
file, and as such, is granted Manager access in the mail file's Access
Control List (ACL). Users with Manager access can delegate subsidiary
access to their mail files to specified, trusted individuals from a Notes
client, iNotes Web Access client, or Webmail client. For example,
executives in an organization may allow their secretaries to read and
send mail on their behalf.
To allow for mail delivery, the default ACL also grants Manager access
to a user's mail server and other servers in the local Domino domain.
The ACL provides no access to other users in the mail system.
During registration, the presiding administrator can assume Manager
access of a user's mail file by resetting the mail file owner access from
Manager to Designer. Users require a minimum of Editor access to their
mail files to perform routine mail operations: creating, sending,
replying to, and deleting messages. Other mail file operations require
greater access privileges. For example, users must have at least Designer
access to create a full-text index.
To help manage disk space, you can set database quotas to restrict the
mail file size. In the Configuration Settings document, you can enable the
Router to withhold delivery of new mail when a mail file reaches its
quota. The Router continues to withhold mail until the user reduces the
size of the mail file by deleting or archiving messages.
In addition to a user's primary mail file, users and administrators can
replicate mail files to other locations. Administrators can create server
replicas to provide failover. A user can create a local replica on a
workstation or laptop and use it to work off-line.
Notes client users can create mail filtering rules to manage inbound
messages. Administrators can use the Domino Administrator and other
standard Notes database tools, such as Compact and Fixup, to perform a
variety of maintenance tasks.

Mail security
To provide secure message transfer among clients and servers, the
Domino mail server supports name and password authentication and
Secure Sockets Layer (SSL) for SMTP mail routing, IMAP, and POP3
access, and supports Notes encryption when routing mail over Notes
routing.
To encrypt and sign messages, Notes clients can use Notes encryption
with User ID files and public-private keys or Internet mail security with
X.509 certificates. Internet mail clients can use X.509 certificates.
For more information, see the chapters Planning Security, Setting Up
SSL on a Domino Server, Encryption and Electronic Signatures, and
Setting up Clients for S/MIME and SSL.

Working with other mail systems in your organization


Domino interoperates with other mail servers and systems through its
support of Internet standards and message transfer agents (MTAs) for
X.400, cc:Mail, and other systems. Domino can exchange mail with other
SMTP servers and route mail to and from X.400 and cc:Mail systems
through the X.400 and cc:Mail MTAs. Additional third-party tools are
available to provide interoperability with and gateways to other mail
systems.
If you have some users who use Lotus cc:Mail, you need at least one
server running the cc:Mail message transfer agent (MTA) to connect your
Domino system to the cc:Mail system.
If you have some users who use an X.400 mail system, you need at least
one Release 4 server running the X.400 MTA to connect your Domino
system to the X.400 system.
If you have users in the local Internet domain who are not listed in the
Domino Directory, set up a smart host so the Router can forward
messages for users in other local mail systems.


Mail clients
Clients interact with mail files on the Domino server in different ways.
All clients can create, send, and receive mail. Some clients, such as Web
browsers, can only interact with mail on the server and cannot store mail
locally. Some clients, such as POP3 clients, can only download mail from
the server and work with it locally. Some clients, such as Lotus Notes,
iNotes Web Access, and IMAP clients, can download mail or work with
it on the server and can store mail locally. You can use the following
types of clients with the Domino mail server:
• Lotus Notes clients
• IMAP clients, such as Microsoft Outlook Express
• POP3 clients, such as Netscape Messenger
• Web browsers, such as Netscape Communicator and Microsoft
  Internet Explorer
• iNotes Web Access clients
• iNotes Web Access for Microsoft Outlook clients

Lotus Notes clients


A Notes client can interact with a Domino server using either Notes
protocols or Internet protocols, such as IMAP, POP3, and SMTP. If your
organization uses Notes clients, select any of these protocols for server
access. Enable the protocol on the server that clients use for access.
Notes clients access the Domino Directory using either Notes protocols or
Lightweight Directory Access Protocol (LDAP). Users can create a local
replica of their mail file while maintaining a complete mail file on a
Domino server. Notes users can work off-line and then connect to their
server to replicate changes to documents and send mail.
IMAP clients
Users with IMAP clients can download mail to a local mail file or interact
with and manage mail directly on a Domino server that runs the IMAP
service. They use the IMAP protocol to read and manage mail, use SMTP
to send mail, and can use LDAP to access the Domino Directory.
Enable the IMAP service and enable the SMTP listener to let IMAP
clients use the Domino server for mail.
For more information, see the chapter Setting Up the IMAP Service.


POP3 clients
Users with POP3 clients can download mail to a local mail file and
interact with it there, as well as leave a copy of the mail in their file on
the Domino server. POP3 clients retrieve mail from a Domino server that
runs the POP3 service, use SMTP to send mail, and can use LDAP to
access the Domino Directory.
Enable the POP3 service and enable the SMTP listener so that POP3
clients can use the Domino server for mail.
For more information, see the chapter Setting Up the POP3 Service.
iNotes Web Access clients and Webmail clients
Users with mail files on a Domino server running the HTTP service can
retrieve and send mail from a Web browser. All mail-related tasks and
actions are transmitted to the server over HTTP and performed by the
server.
From a Web browser, a user accesses mail using either the standard mail
template or the iNotes Web Access template (iNotes60.ntf). Users whose
mail files are based on the standard mail template can interact with mail
on the server but cannot store mail locally.
Users whose mail files are based on the iNotes Web Access template and
who use Internet Explorer as their Web browser can use the iNotes Web
Access mail client. On servers running Domino Off-Line Services
(DOLS), iNotes Web Access users can create a local mail file replica and
work offline. Changes made to the offline mail file are replicated to the
server the next time the user connects. Users whose mail files are based
on the standard mail template cannot access a local mail file replica from
the browser.
Enable the HTTP service for Web clients to use the Domino server for
mail.
For more information on setting up the HTTP service, see the chapter
Setting Up the Domino Web Server. For more information on
supporting iNotes Web Access, see the chapter Setting Up iNotes Web
Access.
iNotes Web Access for Microsoft Outlook
Users with mail files based on the Extended Mail template
(MAIL6EX.NTF) on a Domino server running Domino Off-Line Services
(DOLS), can use iNotes Web Access for Microsoft Outlook to access mail
from a Microsoft Outlook client.


iNotes Web Access for Microsoft Outlook communicates with the server
using the Notes MAPI service provider. Installing DOLS on the client
automatically creates and configures a MAPI profile. Data exchanged
between client and server travels over Notes routing protocols. Users can
send and receive mail using Outlook, as well as create and update entries
in the mail file's calendar view using calendaring and scheduling tools in
the Outlook client.
Together with the iNotes Sync Manager, iNotes Web Access for
Microsoft Outlook lets a user create a local mail file replica and work
offline. Changes made to the offline mail file are replicated to the server
the next time the user connects.
For more information about iNotes Web Access for Microsoft Outlook,
see the chapter Setting up iNotes Web Access.

Mail performance and monitoring

Domino offers many performance-enhancing features, such as using
multiple MAIL.BOX databases and shared mail. Using multiple
MAIL.BOX databases allows multiple server processes to write mail at
once; the Router can operate on messages in one MAIL.BOX database,
while clients or other servers deposit mail to other MAIL.BOX databases.
Shared mail provides more efficient disk usage by storing a single copy
of a message addressed to multiple recipients on a server in a shared
mail database on the server. Each recipient receives a header for that
message, but the body of the message is stored in the shared mail
database to save disk space in users' mail files. Users can still forward
and reply to mail as usual.
Domino and the Domino Administrator have a number of monitoring
features to help you plan, review, and troubleshoot your Domino system.
You can record server statistics, see which tasks are running on servers,
track mail messages, and make changes to multiple databases at once.
For more information, see the chapters Setting Up Shared Mail,
Monitoring the Domino System, and Monitoring Mail.

Overview of routing mail using Notes routing

By default, Domino uses Notes Remote Procedure Calls (NRPC), also
called Notes routing or the Notes routing protocol, to transfer mail
between servers. Notes routing uses information in the Domino
Directory to determine where to send mail addressed to a given user.
Notes routing moves mail from the sender's mail server to the recipient's
mail server. The Router for the sender's server determines the next server
to move the message to, or in other words, the next hop on the path
to the message's destination. Each server uses its routing table to
calculate the next hop along the route to the destination server. When the
message reaches the destination server, the Router delivers it to the
recipient's mail file.

How Notes routing moves a message

When a user sends mail to a recipient with a Notes address (for
example, Jane Doe/Acme), the Router picks up a message in
MAIL.BOX to determine where to direct the message. The Router first
looks in the Domino Directory for a Person document for the recipient,
Jane Doe/Acme. The Person document contains the name of Jane Doe's
mail server. From this information the Router uses its knowledge of the
network (that is, the routing table) to determine the next stop for the
message. How the Router dispatches the message depends on whether
the recipient's mail file is located:
• On the same server
• On a different server in the same Domino named network
• On a server in a different Domino named network within the local
  Domino domain
• On a server in an external Domino domain

Moving a message to a recipient on the same server

After checking the recipient's Person document, if the Router determines
that the recipient's mail server is the same as the sender's server, the
Router delivers the message to the recipient's mail file.
Moving a message to a recipient on another server within a Notes
named network
If the sender and recipient don't share a mail server, the Router checks
the Domino Directory to determine whether the servers are in the same
Domino domain.
If the Server document for the destination server is found within the
Domino Directory, the Router checks that document to determine the
network information for the server. On the Ports - Notes Network Ports
tab of the Server document, the server is assigned to one or more Notes
named networks (NNNs). A Domino named network is a group of
servers in a given Domino domain that share a common protocol and are
connected by a LAN or modem connections.
Note Servers within the same domain may or may not be in the same
Notes named network. Servers that share a Notes named network are
always in the same Domino domain.
If the two servers share a Notes named network, the Router immediately
routes the message from the MAIL.BOX file on the sender's server to the
MAIL.BOX file on the recipient's server. The Router on the recipient's
server then delivers the message to the recipient's mail file. Because mail
routes automatically within a Notes named network, you do not need to
create any additional connections or documents.
Moving a message to a recipient in a different NNN within the same
Domino domain
If the sender's and recipient's mail servers are in the same Domino
domain, but don't share either a mail server or a Domino named
network, for transfer to succeed there must be some connection between
the two networks. Connections between Domino named networks can be
achieved by two means:
• Using a bridge server that is a member of multiple Domino named
  networks
• Using a Connection document
  When a Connection document provides the information for routing mail
  between NNNs, the source and destination networks can be in different
  Domino domains. The document contains all of the information the
  Router needs to locate the destination network.

Using a bridge server to connect two networks in the same
Domino domain

Two networks in the same domain can communicate with each other in
the absence of a Connection document if any one server is a member of
both networks. Servers that reside in multiple networks can act as a
bridge between networks running diverse protocols. For example, if you
have one Domino named network running TCP/IP and another running
SPX, you can set up a server that runs both protocols to be a member of
both Domino named networks. This server acts as a bridge between the
networks.
• When a user in the TCP/IP network sends a message to someone in
  the SPX network, the Router transfers the message from MAIL.BOX
  on the sender's server to MAIL.BOX on this bridge server. After
  the message reaches a server in the destination Domino named
  network, the Router on that server transfers the message to the
  MAIL.BOX on the recipient's server. The Router on the recipient's
  server delivers the message to the recipient's mail file.
• If the path between servers involves multiple server hops, the
  Router transfers the message to MAIL.BOX on the next server in the
  path. Each Router on the path transfers the message to the
  MAIL.BOX on the next server in the path.

Using Connection documents to connect networks and domains

When there is no common server to provide a bridge between networks,
the Router requires a Connection document to transfer mail between
them. A Connection document specifies the sending and receiving
servers, when and how to connect, and what tasks, such as replication
and mail routing, to perform during the connection. The source, or
sending, server, and the receiving, or destination, server named in a
Connection document may reside within the same Domino domain, or in
different Domino domains.
After the Router finds a connection between the two Domino named
networks, it routes the mail to the next server along the connection path.
Connection documents for mail routing specify connections in one
direction and are generally found in pairs. For example, one Connection
document schedules a connection from Server A to Server B, and another
Connection document schedules a connection from Server B to Server A.
For more information about connecting servers in different Domino
named networks, see the chapter Setting Up Mail Routing.
Moving a message to a recipient in an external Domino domain
When a message in MAIL.BOX has a recipient address that points to a
destination outside of the local Domino domain, the Router checks the
Domino Directory for a Connection document that describes how the
local domain communicates with the destination domain. You can create
a Connection document between two domains whenever there is a direct
physical connection between them.
After finding the Connection document, the Router routes the message to
the server in the sender's domain that connects to a server in the
recipient's domain. When the servers connect, the message is transferred
to the other domain, where it routes to the recipient's server and mail file.
Indirect connections between Domino domains
In organizations that have three or more Domino domains, you may not
be able to use Connection documents to connect certain domains,
because the network topology does not allow for direct physical
connections between them. However, if they both have Connection
documents to a common intermediate domain, you can route mail from
the source domain to the destination domain through the domain (or
domains) that bridge them. For example, if Domain A and Domain B do
not have any server connections but both have connections to Domain C,
mail between Domain A and Domain B can route through Domain C.
To set up this routing path, you create Non-adjacent Domain documents
that specify the target domain and the domain through which to route
mail to reach that target domain.

Addressing mail to users in a different domain

When sending mail within a Domino domain, the sender only has to
specify the user's common name, for example, John Smith. Since John
Smith has a Person document in the same Domino Directory as the
sender, the Router finds John's entry in the directory and determines the
location of his mail file. However, when sending mail to a user in a
different Domino domain, the Router does not have access to the
recipient's Person document, since it is stored in a different Domino
Directory. When addressing mail to a user in a different Domino domain,
the sender must append the recipient's domain to the recipient's address.
For example, a user in the Lotus domain who wants to send mail to John
Smith in the Acme domain must address the message to jsmith@Acme,
not just jsmith or John Smith. The domain name in the address signals the
Router to look for a Connection document to this domain and transfer
the message to the server specified in that document.
To make it easier to address mail to users in other domains, users can
create an entry in their Personal Address Book to specify the recipient's
complete address, for example, jdoe@Acme. Alternatively, an
administrator can create an entry in the Domino Directory to specify the
recipient's address in the Forwarding address field of the recipient's
Person document, or use Directory Assistance or a Directory Catalog to
share Domino Directories across domains.
For information about setting up Directory Assistance and Directory
Catalogs, see the chapter Planning Directory Services. For information
on using LDAP directories, see the chapter Setting up the LDAP
Service.
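As an added example (not Domino code), the following Python model works through the next-hop decisions described in the Notes routing sections above: delivery on the same server, transfer within a shared Domino named network, a bridge server, Connection documents, and a Non-adjacent Domain document for an indirectly connected domain. The server names, named networks and documents are constructed for the example.

```python
from collections import deque


class NotesRoutingModel:
    """Toy model of the Router's next-hop choice (added example, not Domino code).
    Two-way edges: servers that share a Domino named network (NNN).
    One-way edges: Connection documents (source server -> destination server).
    Non-adjacent Domain documents: (local domain, target domain) -> intermediate domain."""

    def __init__(self):
        self.servers = {}         # server name -> {"domain": str, "nnns": set of NNN names}
        self.connections = set()  # (source server, destination server)
        self.nonadjacent = {}     # (local domain, target domain) -> intermediate domain

    def add_server(self, name, domain, *nnns):
        self.servers[name] = {"domain": domain, "nnns": set(nnns)}

    def add_connection(self, source, destination):
        self.connections.add((source, destination))

    def add_nonadjacent_domain(self, local_domain, target_domain, via_domain):
        self.nonadjacent[(local_domain, target_domain)] = via_domain

    def neighbours(self, server, allowed_domains):
        """Servers one hop away, restricted to the domains the Router may traverse."""
        mine = self.servers[server]
        out = set()
        for other, info in self.servers.items():
            if other != server and mine["nnns"] & info["nnns"]:
                out.add(other)                       # same NNN: no documents needed
        out |= {dst for src, dst in self.connections if src == server}
        return {s for s in out if self.servers[s]["domain"] in allowed_domains}

    def next_hop(self, here, destination, allowed_domains=None):
        """Breadth-first search for the destination server; returns the first hop,
        'deliver' when the recipient's mail file is on this server, or None."""
        if here == destination:
            return "deliver"
        if allowed_domains is None:
            allowed_domains = {self.servers[here]["domain"], self.servers[destination]["domain"]}
        previous = {here: None}
        queue = deque([here])
        while queue:
            current = queue.popleft()
            for nb in self.neighbours(current, allowed_domains):
                if nb in previous:
                    continue
                previous[nb] = current
                if nb == destination:
                    while previous[nb] != here:      # walk back to the hop right after 'here'
                        nb = previous[nb]
                    return nb
                queue.append(nb)
        return None

    def route(self, here, recipient_server):
        """Next hop for a message, falling back to a Non-adjacent Domain document
        when no Connection document path into the recipient's domain exists."""
        hop = self.next_hop(here, recipient_server)
        if hop is not None:
            return hop
        local = self.servers[here]["domain"]
        target = self.servers[recipient_server]["domain"]
        via = self.nonadjacent.get((local, target))
        if via is None:
            return None                              # no path and no Non-adjacent Domain document
        for server, info in self.servers.items():    # hand off to a server in the intermediate domain
            if info["domain"] == via:
                hop = self.next_hop(here, server, {local, via})
                if hop is not None:
                    return hop
        return None


def example_topology():
    """Constructed topology: an Acme domain with two NNNs joined by Bridge/Acme, a
    Widgets domain reached through a Connection document pair, and a Lotus domain
    that Acme can reach only through Widgets."""
    t = NotesRoutingModel()
    t.add_server("Hub-E/Acme", "Acme", "TCPIP-East")
    t.add_server("Mail1-E/Acme", "Acme", "TCPIP-East")
    t.add_server("Bridge/Acme", "Acme", "TCPIP-East", "SPX-West")
    t.add_server("Mail2-W/Acme", "Acme", "SPX-West")
    t.add_server("Gate/Widgets", "Widgets", "Widgets-Net")
    t.add_server("Mail/Widgets", "Widgets", "Widgets-Net")
    t.add_server("Gate/Lotus", "Lotus", "Lotus-Net")
    t.add_connection("Hub-E/Acme", "Gate/Widgets")        # Connection documents come in pairs
    t.add_connection("Gate/Widgets", "Hub-E/Acme")
    t.add_connection("Gate/Widgets", "Gate/Lotus")
    t.add_connection("Gate/Lotus", "Gate/Widgets")
    t.add_nonadjacent_domain("Acme", "Lotus", "Widgets")  # route Acme -> Lotus via Widgets
    return t


if __name__ == "__main__":
    t = example_topology()
    for sender, dest in [("Mail1-E/Acme", "Mail1-E/Acme"), ("Mail1-E/Acme", "Mail2-W/Acme"),
                         ("Mail1-E/Acme", "Mail/Widgets"), ("Mail1-E/Acme", "Gate/Lotus")]:
        print(f"{sender} -> {dest}: next hop {t.route(sender, dest)}")
```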

Overview of routing mail using SMTP

By default, Domino uses the Notes routing protocol to transfer mail
between servers. You can configure Domino to use SMTP to route mail
instead of or in addition to using Notes routing.
Message transfer over SMTP routing is performed as a point-to-point
exchange between two servers. The sending SMTP server contacts the
receiving SMTP server directly and establishes a two-way transmission
channel with it. To send a message over SMTP:
1. The sending server checks the recipient's address, which is in the
format localpart@domain, and looks up the domain in the Domain
Name System (DNS).
2. DNS returns the Mail Exchanger (MX) record for the domain,
indicating the IP address of the servers in the domain that accept
mail over SMTP.
3. The sending server connects to the destination server over TCP/IP,
establishes an SMTP connection on port 25, transfers the message,
and closes the connection.

Enabling SMTP on the Domino server


Domino supports sending and receiving mail over SMTP by means of the
SMTP listener task and SMTP Router, respectively, each of which you
enable separately. The SMTP listener task handles incoming SMTP
connections and delivers messages received over those connections to
MAIL.BOX. It does not handle subsequent delivery or transfer of those
messages. You configure the SMTP listener task for receiving mail on the
Basics tab of the Server document. For more information about
configuring Domino to receive SMTP mail from other servers in your
organization and/or from the Internet over SMTP, see the chapter
Setting Up Mail Routing.
The Router task for SMTP is the same Router task that handles Notes
routing. When a message in MAIL.BOX requires transfer to another
server, the Router determines where to send it and whether to send it
over Notes routing or SMTP.
By default, SMTP is disabled. To configure Domino to use SMTP to send
mail, you must change settings on the Router/SMTP-Basics tab of the
Configuration Settings document. You can configure Domino to use
SMTP when sending mail to destinations:

• Outside the local Internet domain
• Within the local Internet domain

For more information, see the chapter Setting Up Mail Routing.

How the Router determines when to use SMTP
On servers that support both SMTP and Notes routing, each time the
Router detects a new message in MAIL.BOX, it chooses the protocol by
which to transfer the message. The routing decision is based on the
message's address and format, and whether the server is configured to
send SMTP within the local Domino domain, outside the local Internet
domain, or both.
Using SMTP to send mail to local domain addresses
Enabling SMTP within the local Domino domain allows the Router to
consider SMTP as an alternative routing protocol when transferring mail
to another Domino server in the same Domino domain. When
configuring servers to send SMTP within the local Domino domain, you
have the following options:
• SMTP allowed for MIME messages only - If the destination is a
  Domino server running the SMTP listener and the message
  deposited in MAIL.BOX is already in MIME format, the Router sends
  it using SMTP. Messages in Notes rich text format are sent over
  Notes routing.
• SMTP allowed for all messages - If the destination is a Domino server
  running the SMTP listener, the Router always uses SMTP when
  transferring a message to another Domino SMTP host, regardless of
  the message's current format. If a message deposited in MAIL.BOX is
  in Notes format, the Router converts the message to MIME before
  sending.
When the Router picks up a message in MAIL.BOX, it reads the address
to determine whether the recipient is in the local domain. If the recipient
is local, the Router looks in the ($Users) view of the Domino Directory for
a Person document containing that address. If SMTP is allowed within
the domain and the message format matches the format specified in this
setting, the Router uses TCP/IP to connect to the destination server,
establishes an SMTP connection, and transfers the message.
By default, enabling SMTP within the local Domino domain allows the
Router to use SMTP to transfer mail to any other Domino SMTP host in
the same Domino domain. You can restrict the use of SMTP within the
local domain so that SMTP is allowed only for message transfers that
take place between servers in the same Domino named network. To set
this restriction, use the field Servers within the local Domino domain
are reachable via SMTP over TCPIP on the Router/SMTP - Basics tab of
the Configuration Settings document.
If the receiving server is running the SMTP listener, servers configured to
send SMTP within the local Domino domain always use SMTP to send
MIME messages to destinations within the same Domino named
network. For messages in Notes format, the Router sends SMTP only if
the server is configured to send all messages over SMTP.
Sending SMTP outside the local Internet domain
Enabling Domino to send SMTP to external Internet domains allows the
server to transfer outbound Internet mail either directly to a host in the
receiving domain or indirectly to an Internet host.
If a message in MAIL.BOX has a recipient address that contains an @ sign
and a domain part (the part of the address to the right of the @ sign) that
does not resolve to the local Domino domain, the Router identifies the
message destination as non-local. A non-local address can be an RFC 821
Internet address (where the domain part contains a period and is in the
form localpart@org.domain) or an address in another Domino domain
(including Foreign domains such as a pager or fax gateway).
To determine whether an Internet address is local, the Router checks
whether the domain part of the address matches any of the local Internet
domains defined in the Global Domain document in the Domino
Directory. Local Internet domains include any domains listed in the
Local primary Internet domain and Alternate Internet domain aliases
fields in the Global Domain document. If there is no Global Domain
document, the Router compares the domain in the recipient's address to
the server's host name. For example, if the message is addressed to
jdoe@mailhost3.acme.com and the Router is on the server
mailhub.acme.com, the Router knows that the recipient is in the local
Internet domain.
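The local-versus-non-local address check and the SMTP-or-Notes-routing choice described in the sections above, as an added example in Python (not Domino code). The document fields are paraphrased as this model's own attributes, and the fallback used when no Global Domain document exists (same host, or same parent domain, as the server's host name) is this example's reading of the jdoe@mailhost3.acme.com case.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GlobalDomainDoc:
    """The two Global Domain document fields named above (example model, not Domino code)."""
    primary: str                                  # Local primary Internet domain
    aliases: list = field(default_factory=list)   # Alternate Internet domain aliases


@dataclass
class RouterSettings:
    """Subset of the Router/SMTP - Basics settings, as modelled by this example."""
    server_host: str                              # this server's fully-qualified host name
    global_domain: Optional[GlobalDomainDoc]      # None when no Global Domain document exists
    smtp_outside_local_domain: bool               # SMTP used when sending outside the local Internet domain
    smtp_within_local_domain: str                 # "disabled", "mime_only" or "all"
    smtp_listener_hosts: set = field(default_factory=set)  # local Domino servers running the SMTP listener


def is_local_internet_domain(domain, settings):
    """Local when the domain part matches the Global Domain document. With no such
    document, compare against the server host name: same host or same parent domain
    (assumption of this example, read from the mailhost3/mailhub case above)."""
    domain = domain.lower()
    gd = settings.global_domain
    if gd is not None:
        return domain in {gd.primary.lower(), *(a.lower() for a in gd.aliases)}
    host = settings.server_host.lower()
    parent = host.split(".", 1)[1] if "." in host else host
    return domain == host or domain == parent or domain.endswith("." + parent)


def classify_address(address, settings):
    """'local' (Person document lookup), 'internet' (RFC 821 form, period in the domain
    part) or 'domino_domain' (another Domino or Foreign domain, e.g. jsmith@Acme)."""
    if "@" not in address:
        return "local"
    domain = address.rsplit("@", 1)[1]
    if is_local_internet_domain(domain, settings):
        return "local"
    return "internet" if "." in domain else "domino_domain"


def choose_transfer(address, message_format, destination_server, settings):
    """Return (action, convert_to_mime) for a message picked up from MAIL.BOX.
    message_format is 'mime' or 'notes'; destination_server is the recipient's mail
    server from the Person document (only meaningful for local recipients)."""
    kind = classify_address(address, settings)
    if kind == "internet":
        if settings.smtp_outside_local_domain:
            return "smtp", message_format == "notes"
        return "notes_routing", False     # handed to a Domino SMTP server over Notes routing
    if kind == "domino_domain":
        return "notes_routing", False     # Connection and Domain documents decide the path
    if destination_server == settings.server_host:
        return "deliver", False           # recipient's mail file is on this server
    if destination_server in settings.smtp_listener_hosts:
        if settings.smtp_within_local_domain == "all":
            return "smtp", message_format == "notes"
        if settings.smtp_within_local_domain == "mime_only" and message_format == "mime":
            return "smtp", False
    return "notes_routing", False


# Constructed configuration: no Global Domain document, SMTP enabled for external mail,
# SMTP within the local domain allowed for MIME messages only.
EXAMPLE_SETTINGS = RouterSettings(
    server_host="mailhub.acme.com",
    global_domain=None,
    smtp_outside_local_domain=True,
    smtp_within_local_domain="mime_only",
    smtp_listener_hosts={"mailhub.acme.com", "mailhost3.acme.com"},
)

if __name__ == "__main__":
    for addr, fmt, dest in [("jdoe@mailhost3.acme.com", "mime", "mailhost3.acme.com"),
                            ("jdoe@mailhost3.acme.com", "notes", "mailhost3.acme.com"),
                            ("jsmith@Acme", "notes", None),
                            ("someone@example.net", "notes", None)]:
        print(addr, fmt, "->", choose_transfer(addr, fmt, dest, EXAMPLE_SETTINGS))
```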
Connecting the Domino mail system to the Internet
Because Domino routes mail using the Internet-standard SMTP routing
protocol, it's easy to configure the Domino system to send and receive
mail from external Internet domains. For outgoing mail you can use a
gateway routing architecture in which only designated servers use SMTP
to route mail to external domains, or you can enable all mail servers to
use SMTP to route mail to external domains. For inbound mail, you need
to decide how to route mail coming in to your Internet domain from a
firewall to Domino servers. How you set up inbound mail depends on
whether your organization uses a single Internet domain name or
multiple names and on the distribution of your servers.
For information on connecting Domino to the Internet, see the topics
Preparing to send and receive mail to the Internet and Routing mail to
external Internet domains.
For information on connecting Domino to the Internet, see the chapter
Setting Up Mail Routing.

Using a relay host

A relay host is an SMTP server or firewall that connects to the Internet
and forwards, or relays, inbound or outbound Internet mail. A relay host
can also be a DNS name that maps to multiple MX records. To configure
Domino to use a relay host, you use two fields on the Configuration
Settings document of the sending server. Add the relay's DNS or host
name to the Relay host for messages leaving the local Internet domain
field and enable SMTP used when sending messages outside of the local
Internet domain.
Note R4 SMTP MTA servers use the relay host specified in the SMTP
Connection document.
For more information on configuring Domino to use a relay host, see the
chapter Setting Up Mail Routing.
Using Notes routing to transfer outbound Internet mail to an SMTP
server
On internal Domino servers that do not use SMTP to route mail, Domino
uses Notes routing to transfer outbound Internet messages to a Domino
SMTP server, which then transfers the messages to the Internet, either
directly or through a relay host. Configuring servers that use Notes
routing to transfer Internet mail to a Domino SMTP server requires a
Foreign SMTP Domain document and an SMTP Connection document.
For more information on setting up Notes routing for Internet mail, see
the chapter Setting Up Mail Routing.

The Domain Name System (DNS) and SMTP mail routing

The Domain Name System (DNS) is a directory used by SMTP to convert
a name, such as acme.com, to a list of servers that can receive connections
for that name and to find the IP address of a specific server. By looking
up a destination server's address in the DNS, the sending server can
properly route a message to a recipient. DNS uses two kinds of records:
Mail Exchanger (MX) records and A records. An MX record maps a
domain name to the names of one or more mail hosts. An A record maps
a host name to the IP address of a server.
Mail servers also use other DNS records. For example, servers that
receive Internet mail perform a reverse lookup to a DNS PTR record to
determine the host name for a given IP address. Reverse lookups are
useful in verifying the source of a message, an important tool for
restricting relay access through your server or preventing unsolicited
commercial e-mail (UCE).
You must correctly configure DNS to support your use of SMTP. To
determine the IP address of the mail server for the destination domain,
Domino does the following:
1. The server looks up the domain part of each recipient's address in
DNS.
2. If DNS finds an MX record, the server tries to connect to the server
listed in that MX record. If there is more than one MX record, the
server tries to connect to the record that has the lowest cost. If more
than one MX record has the lowest cost, the server randomly selects
one and tries to connect to the server listed in that MX record. The
host name in the selected MX record is then looked up in DNS to find
an A record, which contains the IP address for the host.
Note There may be more than one MX record for a specific domain
name.
3. If DNS finds only an A record, Domino routes the message to the IP
address in that A record.
4. If DNS does not find a record, Domino cannot deliver the message
and sends a nondelivery message to the sender.
An MX record maps a domain name to one or more host names. An A
record maps a host name to the IP address of a server. You may want to
use a host name in the MX record instead of just an A record for the
following reasons:

• Some third-party tools recognize only host names, not IP addresses.
• If you replace or relocate a machine, you can assign the existing host
name and IP address to the new or relocated machine. This change is
transparent to users, and messages continue to route properly.

You can use DNS to provide failover and load-balancing for your mail
servers by creating multiple MX records for a domain name on the DNS
server. When you set more than one MX record for a name, you can set
preference values to control how DNS selects those records. DNS selects
lower preference values first; for example, DNS selects 5 before 10. If
more than one MX record has the same preference value, DNS randomly
selects from among those MX records. If one of those MX records fails
(for example, because a server is unavailable), DNS caches that failure
and tries other MX records of equal weight, followed by less-preferred
MX records.

For example, the acme.com domain has four MX records:
MX record: acme.com IN MX 5 mail1.acme.com
MX record: acme.com IN MX 5 mail2.acme.com
MX record: acme.com IN MX 10 mail3.acme.com
MX record: acme.com IN MX 10 mail4.acme.com
When a server tries to connect to acme.com, the DNS first uses MX
records with preferences of 5. If there are two MX records with
preferences of 5, DNS randomly selects between the MX records for
mail1.acme.com and mail2.acme.com. If the DNS returns the MX record
for mail1.acme.com and mail1.acme.com is unavailable, the DNS returns
the MX record for mail2.acme.com. If mail2.acme.com is unavailable,
both MX records with a cost of 5 have failed. The DNS then selects MX
records that have a cost of 10 and uses them the same way it used the MX
records that have a cost of 5.

Examples of using multiple MX records

These are examples of setting up multiple MX records in the DNS.
Using a single Internet domain with a single domain name
You can specify MX records for a single Internet domain (for example,
acme.com) with a single Internet domain name, such as acme.com. Use
the server's fully qualified Internet host name in the MX and A records,
for example, mail1.acme.com.
For example, configure a backup SMTP server (mail2.acme.com) to
deliver or forward mail when the primary SMTP server
(mail1.acme.com) is unavailable:
1. MX record: acme.com IN MX 5 mail1.acme.com
A record: mail1.acme.com IN A 192.168.10.17
2. MX record: acme.com IN MX 10 mail2.acme.com
A record: mail2.acme.com IN A 192.168.10.18
Messages addressed to acme.com route to mail1.acme.com first
because the record's preference (5) is lower. If mail1.acme.com is
unavailable, mail is routed to mail2.acme.com.

Using a single Internet domain name with two balanced servers


If you specify equal preference for two servers, DNS randomly selects a
server to balance the load of incoming mail.
1. MX record: acme.com IN MX 5 mail1.acme.com
A record: mail1.acme.com IN A 192.168.10.17
2. MX record: acme.com IN MX 5 mail2.acme.com
A record: mail2.acme.com IN A 192.168.10.18
Using a single Internet domain with multiple domain names
You can create MX records for a single Internet domain (for example,
acme.com) with multiple Internet domain names, for example,
acme.com, qrs.com, and xyz.com.
Note Users can address mail to each domain name, and each domain
has a backup SMTP server.
1. MX record: acme.com IN MX 5 mail1.acme.com
2. MX record: acme.com IN MX 10 mail2.acme.com
3. MX record: qrs.com IN MX 5 mail1.acme.com
4. MX record: qrs.com IN MX 10 mail2.acme.com
5. MX record: xyz.com IN MX 5 mail1.acme.com
6. MX record: xyz.com IN MX 10 mail2.acme.com
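The MX selection in steps 1 to 4 above and the failover behaviour of the four-record acme.com example, worked through as an added Python example that is not code from the Domino documentation. The DNS data is constructed (a-only.example and broken.example are made-up names), and a set of "unavailable" hosts stands in for refused connections.

```python
import random
from typing import Dict, List, Optional, Set, Tuple

# Constructed DNS data (not a real zone). acme.com carries the four MX records
# from the text; a-only.example has no MX record, only an A record; the first
# MX host of broken.example has no A record at all.
MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "acme.com": [
        (5, "mail1.acme.com"), (5, "mail2.acme.com"),
        (10, "mail3.acme.com"), (10, "mail4.acme.com"),
    ],
    "broken.example": [(5, "nohost.broken.example"), (10, "a-only.example")],
}
A_RECORDS: Dict[str, str] = {
    "mail1.acme.com": "192.168.10.17",
    "mail2.acme.com": "192.168.10.18",
    "mail3.acme.com": "192.168.10.19",
    "mail4.acme.com": "192.168.10.20",
    "a-only.example": "192.168.10.99",
}


class MxResolver:
    """Picks the host to connect to the way the text describes: lowest MX
    preference first, random choice among equal preferences, and hosts whose
    failure has been cached are skipped."""

    def __init__(self, mx=MX_RECORDS, a=A_RECORDS,
                 rng: Optional[random.Random] = None):
        self.mx = mx
        self.a = a
        self.rng = rng if rng is not None else random.Random()
        self.failed: Set[str] = set()  # the cached failures

    def candidates(self, domain: str) -> List[str]:
        """Steps 1-3: MX hosts grouped by preference (shuffled within a group),
        the domain itself if it has only an A record, nothing otherwise."""
        records = self.mx.get(domain)
        if records:
            ordered: List[str] = []
            for pref in sorted({p for p, _ in records}):
                group = [host for p, host in records if p == pref]
                self.rng.shuffle(group)
                ordered.extend(group)
            return ordered
        if domain in self.a:
            return [domain]
        return []

    def select(self, domain: str) -> Optional[Tuple[str, str]]:
        """First candidate that has not failed and whose A record resolves,
        as (host, ip); None means step 4, a nondelivery report."""
        for host in self.candidates(domain):
            if host in self.failed:
                continue
            ip = self.a.get(host)
            if ip is not None:
                return host, ip
        return None

    def mark_unavailable(self, host: str) -> None:
        self.failed.add(host)


def deliver(domain: str, unavailable: Set[str],
            rng: Optional[random.Random] = None) -> Tuple[str, Optional[str], List[str]]:
    """Simulate the sending server: keep selecting hosts, caching each failed
    one, until a host accepts or none is left. The 'unavailable' set is a
    constructed stand-in for hosts that refuse the connection. Returns
    (status, host, hosts tried and failed)."""
    resolver = MxResolver(rng=rng)
    while True:
        choice = resolver.select(domain)
        if choice is None:
            return "nondelivery", None, sorted(resolver.failed)
        host, _ip = choice
        if host in unavailable:
            resolver.mark_unavailable(host)  # DNS caches the failure; next MX is tried
            continue
        return "delivered", host, sorted(resolver.failed)


if __name__ == "__main__":
    # Both preference-5 hosts down: mail is handed to mail3 or mail4.
    print(deliver("acme.com", {"mail1.acme.com", "mail2.acme.com"}))
```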


Chapter 27
Setting Up Mail Routing
This chapter describes how to set up mail routing on your Domino
system. If you are upgrading a mail system from a previous Domino
release, see the Upgrade Guide.

The Domino mail router


The Domino mail router (the Router) is a special server task responsible
for the delivery and transfer of the messages in MAIL.BOX. Delivery
refers to moving messages from MAIL.BOX into a local mail file or
database, while transfer refers to sending messages from MAIL.BOX
across the network to another server.
Mail routing on a Domino server begins when a mail server receives a
message from a mail client, a Router on another Domino server, or an
application. The message is transferred to a special Notes database,
called MAIL.BOX, on the server. The server temporarily stores all
incoming and outgoing mail in the MAIL.BOX database.
The Router periodically checks MAIL.BOX for new or changed messages.
When it finds a message that requires processing, the Router reads the
recipient list and for each recipient determines whether the destination
mail file is on the current server or a different server. The Router then
moves the message, delivering it to local mail files on the server or
transferring it to MAIL.BOX databases on other servers as necessary.
When a recipient's mail file is not on the local server, but is in the
Domino domain, Domino calculates how to route the message to the
recipient's server and whether to use SMTP or Notes routing. The
configuration of the local server and the message format determine how
Domino moves the message to the server. For messages in MIME format,
if the local server can send SMTP within the local Internet domain and
the home mail server can receive SMTP, the Router uses SMTP to send
the message. Otherwise the message is routed using NRPC.
When necessary, the Router converts the format of the message.
Conversion can occur during message delivery and during message
transfer. For example, if a recipient's Person document specifies MIME
storage for incoming mail, but the original message was sent in Notes
rich text format, the Router converts the message to MIME before
delivering it to the local recipient's mail file. Likewise, during message
transfer, if a server receives a message in MIME format and must transfer
it to a Domino Release 4 server, which does not support MIME, the
server converts the MIME message to Notes rich text before transferring
it. To determine whether the receiving server can handle MIME
messages, the sending server checks the Server document of the
receiving server to find out what version of Domino it's running.
To minimize the number of conversions, Domino servers running
Release 5 or later support the transfer of MIME messages over Notes
routing. As a result, MIME messages destined for Internet recipients can
route through internal servers as is, regardless of whether the
intermediate servers use Notes routing or SMTP.

Planning a mail routing topology


Domino offers you considerable flexibility in configuring your mail
system infrastructure, allowing you to use Notes routing, SMTP routing,
or both, for internal and external messages. In determining how to set up
mail routing, you need to consider:

• How clients access the server
• How to route internal mail
• How to route mail to external destinations
• Connection topologies for mail routing

Connection topologies for mail routing


Typically, mail routing on the network occurs across a mix of
hub-and-spoke and peer-to-peer connections. In a hub-and-spoke
topology, mail traffic passes between a central hub server and multiple
spoke servers; no mail is exchanged directly among the spokes. A
hub-and-spoke topology is suited to handling a high volume of mail
across a large organization. In a peer-to-peer topology, on the other
hand, every server connects to every other server. A peer-to-peer
topology is commonly used when connecting a small number of servers
in a workgroup or department.

• In larger networks, create a Domino server cluster to act as the mail
hub and specify the cluster as the destination in Connection
documents originating from spoke servers.
• When connecting Domino domains, designate one server in each
domain to connect to other domains. In larger networks, make this
connecting server part of a Domino cluster to provide failover.
• When connecting domains across a wide-area network (WAN),
ensure that the Connection documents match the physical network
path of the WAN. For example, in a network where multiple WAN
connections originate from a central site (hub-to-spoke design),
create Connection documents that follow this same design, with
Connection documents between the hub server or server cluster and
each spoke server, and vice versa.
• When setting up a connection from a spoke server to a clustered hub,
specify the name of the cluster as the destination server in
Connection documents.
• Establish a single Connection document to define routing from all
spoke servers in a domain to a central hub server or server cluster by
using a wildcard (*) to represent part of the source server's name in
the Connection document. For example, enter */acme as the source
server to set up a connection from all servers in the /acme
organization (Mail1/acme, Mail2/acme, SalesMail/acme,
HRMail/acme, and so forth) to a designated destination server.
• Establish a single Connection document to define routing from a hub
server to each spoke server by creating a server group that includes
each spoke server as a member and specifying this group as the
destination server in the Connection document from the hub server.
For example, create a group MailSpokes and add the servers
Mail1/acme, Mail2/acme, SalesMail/acme, and HRMail/acme to
this group. Then create a Connection document from the hub server
that lists MailSpokes as the destination server.
For more information on connecting servers, see the chapter Setting Up
Server-to-Server Connections.

Clients accessing the Domino server


Users who have mail files on the Domino server can use either the Notes
client or an Internet mail client to access their mail. By default, Notes
clients use Notes protocols to send and access mail on a Domino server,
but a Notes client can also act as an Internet mail client. Internet mail
clients access mail files through the Domino POP3, IMAP, or HTTP
servers. POP3 and IMAP clients send mail using SMTP.
When deciding how to route local mail, keep in mind what types of mail
clients you support. For example, if users have Internet mail clients, such
as POP3 or IMAP, you'll need servers that can receive mail over SMTP.
On the other hand, if most users send mail from the Lotus Notes mail
client, you'll want to implement Notes routing to ensure support for
Notes public key security and features such as Notes Document links
and workflow applications.
For more information about Domino mail clients, see the chapter
Overview of the Domino Mail System.

Routing internal mail


Internal mail consists of messages sent between users within an
organization and its local Internet domains. The Domino mail router (the
Router) uses both SMTP and Notes routing to transfer messages between
network servers, and handles messages in both MIME format and Notes
rich text format. By default, the Router transfers local mail using the
Notes routing protocol only. Within a given Domino named network,
servers that use Notes routing automatically transfer mail among
themselves.
For information about configuring Notes routing to support messaging
across multiple Domino named networks and domains, see the topic
Setting up Notes routing later in this chapter.
To use SMTP routing to transfer local mail, you must enable the SMTP
listener for receiving mail and enable servers to send SMTP within the
local Domino domain. In addition, the Server document for each
SMTP-enabled server must specify a valid, fully qualified Internet host
name for the server. In most cases the host name field is populated
during server setup or by the Admin process (AdminP).
For information about setting up internal SMTP routing, see the topic
Setting up SMTP routing within the local Internet domain later in this
chapter.
Implementing different protocols for internal and external routing
When selecting the protocol to use for internal mail routing, don't base
your decision on whether you're using SMTP to transfer mail to external
systems. Domino can send mail to the Internet even if you use Notes
routing for internal mail. Rather than having all your servers route
SMTP, you may want to retain a gateway-style architecture wherein you
channel all mail to and from the Internet through a few designated
servers and prohibit the majority of internal servers from sending
directly to the Internet.
Ensuring support for Lotus Notes functionality
When choosing a routing protocol, consider security requirements and
the need to support Notes applications. Using Notes as the internal
routing protocol and SMTP for external routing can provide greater
protection for your network against external intrusion. Certain Lotus
Notes features, such as mail-enabled workflow applications, Notes
public key security, and Notes items, such as Doclinks, require Notes
routing to work properly.

Routing mail to local users not listed in the Domino Directory

If you have users in your organization who are not listed in the Domino
Directory, but in an alternate directory on another SMTP server, set up
Domino to use this other server as a smart host. When processing a
message in MAIL.BOX, if the Router comes across a recipient address
that is in the local Internet domain, but does not have a match in the
Domino Directory, it forwards the message to the specified smart host,
which routes it to the recipient.
For information about setting up a smart host, see the topic Setting up a
smart host later in this chapter.
A Domino SMTP server in your organization may receive Internet mail
for recipients in Domino domains that are within the local Internet
domain, but outside the local Domino domain, and thus not listed in the
Domino Directory. To ensure that the server can access other Domino
Directories and route messages to servers in other Domino domains,
configure Directory Assistance on the server.
For more information, see the chapter Setting Up Directory Assistance.

Starting and stopping the mail router

By default, when you start the server, the Router task automatically loads
and starts. You can manually shut down and restart the Router to
troubleshoot server and messaging problems. You can also disable
automatic loading of the Router.
To shut down the Router from the console
Enter this command at the console:
tell router quit

This shuts down the Router. Mail accumulates in MAIL.BOX, since other
servers and clients continue to deposit mail, but the Router does not
deliver or transfer the messages.
To reload the Router, enter this command at the console:
load router

The Router task starts and begins routing and delivering mail.


To shut down the Router from the Domino Administrator


1. From the Domino Administrator, click the Server Status tab.
2. Select the Server Tasks view.
3. From the list of tasks, right-click Router and select Stop Task.
4. Click Yes when prompted to confirm the operation. The Router task
shuts down and no longer appears in the list of active tasks. Mail
accumulates in MAIL.BOX, since other servers and clients continue
to deposit mail, but the Router does not deliver or transfer the
messages.
To start the Router from the Domino Administrator
1. From the Domino Administrator, click the Server Status tab.
2. Choose Tools - Task - Start.
3. From the Start New Task dialog box, select Router and click Start
Task. The Router task starts and begins routing and delivering mail.
4. Click Done to close the dialog box.
To prevent the Router from automatically starting when the server starts
1. Shut down the server.
2. Edit the NOTES.INI file to remove Router from the ServerTasks
setting.
3. Restart the server so that the change takes effect.
When you restart the server, it does not load the Router task.
To restore automatic loading, add Router back to the ServerTasks setting
in the NOTES.INI file.
Routing mail on demand to a specific server
You can route mail to another Domino server between scheduled
intervals, forcing all mail in the transfer queue of the specified server to
route immediately. Use one of the following methods:
• Console ROUTE command
• Domino Administrator

Sending mail outside the local Internet domain


Because all mail on the Internet travels over SMTP routing, for your
organization to send mail to Internet addresses you'll need to set up at
least one Domino server to send SMTP to external Internet domains and
one to listen for incoming SMTP connections. Alternately, you can enable
multiple, or even all, of your servers to route mail over SMTP to external
Internet domains. Although you can use a single server to handle
incoming and outgoing SMTP connections, if you anticipate a high
volume of Internet mail, consider balancing the load among multiple
servers to avoid bottlenecks.
The Domino SMTP servers you use for inbound and outbound Internet
mail can connect to the Internet either directly or through an SMTP relay
host or firewall. Routing between the Domino Internet mail server and
internal mail servers can be over either SMTP or Notes routing. It's not
necessary to enable SMTP routing on your internal servers.
Using a single server to route mail to external Internet domains
In this configuration, a single designated mail server connects to the
Internet. All other internal mail servers route messages addressed to
recipients in external Internet domains to this server. If you use SMTP for
internal mail routing, you can configure all of your internal servers to use
the server that is connected to the Internet as a relay host. In the
Configuration Settings documents that apply to any mail servers that do
not connect directly to the Internet, enter the host name of the designated
relay host in the "Relay host for messages leaving the local Internet
domain" field. When the Router on these internal servers finds a message
addressed to a recipient in an external Internet domain, it looks up the
specified relay host in the DNS and forwards the message to it.
To set this up using Notes protocols, create a Foreign SMTP Domain
document and an SMTP Connection document. When the Router on a
server not connected directly to the Internet finds a message addressed to
a recipient in an external Internet domain, the Router forwards the
message to the domain in the Foreign SMTP Domain document, which is
connected to the server with an Internet connection by the SMTP
Connection document. When that server receives the message, its Router
connects to the external Internet domain and routes the message.
Using multiple servers to route mail to external Internet domains
In this configuration, a few designated mail servers connect to the
Internet. Other mail servers route messages addressed to recipients in
external Internet domains to these servers. To set this up using SMTP,
configure the servers that are connected to the Internet as relay hosts;
for example, create a DNS name, such as outbound.acme.com, that maps
to multiple MX records. Each MX record lists one of the connected
servers. Enter the DNS name in the "Relay host for messages leaving the
local Internet domain" field in the Configuration Settings document that
applies to all servers that do not connect directly to the Internet. When the
Router on those servers finds a message addressed to a recipient in an
external Internet domain, it forwards the message to one of the servers
that are listed in DNS and correspond to that name.

To set this up using Notes protocols, create Foreign SMTP Domain and
SMTP Connection documents. When the Router on a server not
connected directly to the Internet finds a message addressed to a
recipient in an external Internet domain, the Router forwards the
message to the domain in the Foreign SMTP Domain document, which is
connected to one of the servers with an Internet connection by the SMTP
Connection document. When that server receives the message, its Router
connects to the external Internet domain and routes the message.
Enabling all mail servers to route mail to external Internet domains
In this configuration, every mail server connects to the Internet and runs
the TCP/IP network protocol. Each server has the setting SMTP used
when sending messages outside of the local Internet domain enabled in
its Configuration Settings Document. When a user sends a message to a
recipient in an external Internet domain, the Router looks up the domain
in the Domain Name Service (DNS) and uses SMTP to connect to the
receiving server in that domain. The Router transfers the message and
closes the connection.
Routing SMTP mail over dialup connections
Your organization may connect to the Internet and external Internet
domains through a dialup connection, for example, to an Internet
Service Provider (ISP). To set up a dialup connection in your Domino
mail system:
• For Notes routing, create a Notes Direct Dialup Connection
document
• For SMTP routing, create a Network Dialup Connection document
that specifies TCP/IP as the network protocol
After you create the appropriate Connection document, specify how
Domino exchanges messages over that connection.
For more information on creating Connection documents for dialup
connections, see the chapter Setting up Server-to-Server Connections.
For information on setting up mail routing over a dialup connection, see
the topic Routing mail over transient connections later in this chapter.
Routing Internet mail through a relay host
A relay host is an SMTP server that receives mail from other servers and
then transfers, or relays, it to the next SMTP server on the route to the
recipient's domain. A relay host can be a Domino SMTP server or a
non-Domino SMTP host; for example, you might relay mail to an
SMTP server hosted by your ISP, or through a firewall server. If only a
small number of servers on the network have direct connections to the
Internet, set these servers up as relay hosts to which other internal
servers forward messages for recipients in external Internet domains.
You can set up a single relay host that handles messages addressed to
any external Internet domain, or set up multiple relay hosts, and set up
each one to route messages addressed to specific Internet domains.
For more information on setting up relay hosts, see the topic
Configuring Domino to send mail to a relay host or firewall later in
this chapter.

Sample mail routing configurations

These sample mail routing configurations represent typical messaging
implementations; however, other configurations are possible. Use these
sample configurations to help you plan and refine the messaging
infrastructure in your organization:
• Use one server for all Internet messages
• Use one server for inbound and one server for outbound messages
• Use two servers to balance Internet mail load
• Set up mail routing in the local Internet domain
• Set up mail routing between a third-party server and Domino in the
same Internet domain
• Use a smart host
• Use all servers to route outbound mail and one to route internal mail

Example of using one server for all Internet messages

[Figure: Mail1 and Mail3 route through Mail2 (SMTP enabled for outbound, Listener enabled for inbound) to the INTERNET]


In this example, a single Domino server, Mail2, handles messages from
the Acme organization destined for other Internet domains (external
addresses) and receives all mail addressed to the Acme Internet domain
(acme.com). Mail2 has the field "SMTP used when sending messages
outside of the local Internet domain" enabled on the
Router/SMTP-Basics tab of the Configuration Settings document that
applies to the server, and has the SMTP listener task enabled on the
Basics tab of its Server document.
If a user on either of the two Acme internal mail servers, Mail1 or Mail3,
sends a message to an external address (one with a domain other than
acme.com), the server routes the message to Mail2, which can route
mail to external domains. Any mail from an external Internet domain
(one other than acme.com) is routed to Mail2, which is listed in the DNS
as the Mail Exchanger (MX) host for acme.com. After the mail reaches
Mail2, the server routes it to its destination.
The two internal mail servers, Mail1 and Mail3, can route Internet mail to
the server with SMTP enabled for external mail (Mail2) either via Notes
routing, with a Foreign SMTP Domain document and SMTP Connection
document linking to Mail2, or via SMTP routing, with Mail2 configured
as the relay host.
Configuring these servers requires:
• Enabling "SMTP used when sending messages outside of the local
Internet domain" for Mail2.
• Enabling the SMTP listener task for Mail2.
• Setting up DNS correctly to list Mail2 as the connecting server for the
acme.com domain for inbound mail.
• Either enabling "SMTP allowed outside of the local Internet domain"
for Mail1 and Mail3 and listing Mail2 as the relay host, or creating a
Foreign SMTP Domain document and SMTP Connection document
that define the route to Mail2.


Example of using separate servers for inbound and outbound
Internet mail

[Figure: Mail1, Mail2 and Mail3 connected to the INTERNET via SMTP; Mail1 reaches Mail2 through a Foreign SMTP domain document and a Connection document to Mail2]

In this example, one Domino server, Mail2, routes messages from the
Acme organization destined for other Internet domains (external
addresses) and a second Domino server, Mail3, receives mail addressed
to the Acme Internet domain (acme.com). Mail2 has the field "SMTP
used when sending messages outside of the local Internet domain"
enabled on the Router/SMTP-Basics tab of the Configuration Settings
document that applies to the server. Mail3 has the SMTP listener task
enabled on the Basics tab of its Server document, and has an MX (mail
exchanger) record in the external DNS.
If a user on the Acme internal mail server, Mail1, sends a message to an
external address (one with a domain other than acme.com), the server
routes the message to Mail2, which can route mail to external domains.
Any mail from an external Internet domain (one other than acme.com)
is routed to Mail3, which is listed in the DNS as the MX host for
acme.com. Once the mail reaches Mail3, the server routes it to its
destination.
The internal mail server, Mail1, can route Internet mail to the server with
SMTP enabled for external mail (Mail2) either via Notes routing, with a
Foreign SMTP Domain document and SMTP Connection document
linking to Mail2, or via SMTP routing, with Mail2 configured as the relay
host.
Configuring these servers requires:
• Enabling "SMTP used when sending messages outside of the local
Internet domain" for Mail2.
• Enabling the SMTP listener task for Mail3.
• Setting up DNS correctly to list Mail3 as the MX host for the
acme.com domain for inbound mail.
• Either enabling "SMTP allowed outside of the local Internet domain"
for Mail1 and listing Mail2 as the relay host, or creating a Foreign
SMTP Domain document and SMTP Connection document that
define the route to Mail2.

Example of using two servers to balance Internet mail load

[Figure: Mail1 and Mail3 (SMTP to external Internet domain enabled, MX record in DNS for acme.com, SMTP Listener enabled) connect to the INTERNET via SMTP; Mail2 sends outbound to Mail1 and receives inbound from Mail1 or Mail3; Mail4 sends outbound to Mail3 and receives inbound from Mail3 or Mail1]

In this example, two Domino servers, Mail1 and Mail3, route messages
from the Acme organization destined for other Internet domains
(external addresses) and receive mail addressed to the Acme Internet
domain (acme.com). Mail1 and Mail3 have the field "SMTP used when
sending messages outside of the local Internet domain" enabled on the
Router/SMTP-Basics tab of the Configuration Settings document that
applies to the servers and have the SMTP listener task enabled on the
Basics tab of their Server documents.
If a user on the Acme internal mail server Mail2 sends a message to an
external address (one with a domain other than acme.com), the server
routes the message to Mail1, which can route mail to external domains. If
a user on the Acme internal mail server Mail4 sends a message to an
external address (one with a domain other than acme.com), the server
routes the message to Mail3, which can route mail to external domains.
This splits the load of outbound messages: half route to Mail1 and half
route to Mail3.
Any mail from an external Internet domain (one other than acme.com)
is routed to either Mail1 or Mail3. The external DNS has two MX
records for the acme.com domain, one for Mail1 and one for Mail3. When
an Internet mail server tries to connect to the acme.com domain to
transfer a message, it looks up acme.com in the DNS. The server finds the
MX records for acme.com and, based on the record preferences of the
MX records, returns the IP address of either Mail1 or Mail3. If the MX
records have equal weight, the server randomly selects one of the records
and returns the IP address of that record's server. Should that server be
unavailable, the other MX record is selected and the IP address of the
other server is returned. This provides load balancing through the
random selection of the MX records when record preferences are equal
and provides failover since the DNS shifts to another MX record when a
connection fails. Once the mail reaches Mail1 or Mail3, that server routes
the message to its destination.
The internal mail servers can route Internet mail to the server with SMTP
enabled for external mail either via Notes routing, with a Foreign SMTP
Domain document and SMTP Connection document linking to the SMTP
server, or via SMTP routing, with the SMTP server configured as the
relay host.
Configuring these servers requires:
• Enabling "SMTP used when sending messages outside of the local
Internet domain" for Mail1 and Mail3.
• Enabling the SMTP listener task for Mail1 and Mail3.
• Setting up DNS correctly to include MX records for Mail1 and Mail3,
indicating to external SMTP systems that these are the hosts that
receive inbound mail for the acme.com domain.
• Either enabling "SMTP allowed outside of the local Internet domain"
for the internal mail servers, Mail2 and Mail4, and listing Mail1 or
Mail3 as the relay host, or creating a Foreign SMTP Domain
document and SMTP Connection document that define the route to
Mail1 or Mail3.
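The "Configuring these servers requires" lists of the one-gateway, separate inbound/outbound and two-gateway examples, turned into an added Python consistency check that is not part of the Domino documentation or product: given each server's settings and the MX hosts in DNS, it reports any internal server that would reach external Internet domains without going through a designated gateway. The MailServer attribute names are shorthand chosen here, the server data is constructed, and relay hosts are assumed to be named by a gateway's host name.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class MailServer:
    """Constructed model of the settings the examples refer to. The attribute
    names are shorthand chosen here, not Domino field or NOTES.INI names."""
    name: str                 # Notes server name, e.g. Mail2/acme
    host: str                 # "Fully qualified Internet host name" (Server document)
    smtp_listener: bool       # SMTP listener task enabled (Server document, Basics tab)
    smtp_outside_local: bool  # "SMTP used when sending messages outside of the local Internet domain"
    relay_host: Optional[str] = None             # "Relay host for messages leaving the local Internet domain"
    foreign_smtp_route_to: Optional[str] = None  # server reached via Foreign SMTP Domain + SMTP Connection docs


def check_gateways(servers: List[MailServer], outbound: List[str], inbound: List[str],
                   domain: str, mx_hosts: List[str]) -> List[str]:
    """Return findings (empty when consistent): outbound gateways must send SMTP
    outside the local Internet domain, inbound gateways must listen and be the
    MX hosts, and every other server must hand external mail to an outbound
    gateway, either as its relay host or through Foreign SMTP Domain/SMTP
    Connection documents. Assumes relay hosts are named by a gateway's host name."""
    findings: List[str] = []
    by_name = {s.name: s for s in servers}
    outbound_hosts = set()
    for name in outbound:
        gw = by_name.get(name)
        if gw is None:
            findings.append(f"{name}: designated outbound gateway is not in the server list")
            continue
        outbound_hosts.add(gw.host)
        if not gw.smtp_outside_local:
            findings.append(f"{name}: outbound gateway has SMTP outside the local Internet domain disabled")
    inbound_hosts = set()
    for name in inbound:
        gw = by_name.get(name)
        if gw is None:
            findings.append(f"{name}: designated inbound gateway is not in the server list")
            continue
        inbound_hosts.add(gw.host)
        if not gw.smtp_listener:
            findings.append(f"{name}: inbound gateway has no SMTP listener task")
        if gw.host not in mx_hosts:
            findings.append(f"{name}: {gw.host} is not an MX host for {domain}")
    for extra in sorted(set(mx_hosts) - inbound_hosts):
        findings.append(f"DNS: MX host {extra} for {domain} is not a designated inbound gateway")
    for s in servers:
        if s.name in outbound:
            continue
        if s.smtp_outside_local:
            # An internal server that speaks SMTP to external domains must hand the
            # mail to a gateway as its relay host, not connect to the Internet itself.
            if s.relay_host not in outbound_hosts:
                findings.append(f"{s.name}: sends SMTP outside the local Internet domain "
                                f"with relay host {s.relay_host!r}, not a gateway")
        elif s.foreign_smtp_route_to not in outbound:
            findings.append(f"{s.name}: no relay host and no Foreign SMTP Domain/SMTP "
                            f"Connection route to an outbound gateway")
    return findings


# Constructed servers for "one server for all Internet messages": Mail1 reaches
# Mail2 through Foreign SMTP Domain/SMTP Connection documents, Mail3 uses Mail2
# as its relay host, and Mail2 is the only server that talks to the Internet.
ONE_GATEWAY: List[MailServer] = [
    MailServer("Mail1/acme", "mail1.acme.com", smtp_listener=False, smtp_outside_local=False,
               foreign_smtp_route_to="Mail2/acme"),
    MailServer("Mail2/acme", "mail2.acme.com", smtp_listener=True, smtp_outside_local=True),
    MailServer("Mail3/acme", "mail3.acme.com", smtp_listener=False, smtp_outside_local=True,
               relay_host="mail2.acme.com"),
]


def bypassing_gateway() -> List[MailServer]:
    """Same servers, except Mail3 has the outbound setting enabled with no relay
    host, so its Router would connect to external domains directly."""
    return [replace(s, relay_host=None) if s.name == "Mail3/acme" else s for s in ONE_GATEWAY]


if __name__ == "__main__":
    for finding in check_gateways(bypassing_gateway(), ["Mail2/acme"], ["Mail2/acme"],
                                  "acme.com", ["mail2.acme.com"]):
        print(finding)
```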

Example of using SMTP to route mail within the local Internet domain

[Figure: Mail1, Mail2, and Mail3]

In this example, Acme users send messages in the acme.com domain
(internal messages) over SMTP. Mail1, Mail2, and Mail3 are Domino mail
servers with "SMTP allowed within the local Internet domain" enabled
for MIME messages only on the Router/SMTP-Basics tab of the
Configuration Settings document that applies to the servers, and have the
SMTP listener task enabled on the Basics tab of their Server documents.
This allows the servers to send mail to each other over SMTP and to
receive mail over SMTP.
The servers must be in the same Domino named network, based on
TCP/IP, to route mail unless each server has the field "Servers within the
local Domino domain are reachable via SMTP over TCPIP" set to Always
in the Configuration Settings document that applies to it.
If a user sends a MIME message to another user in the acme.com domain,
her mail server determines which server the recipient's mail file is on,
connects to that server over TCP/IP, and transfers the message using
SMTP. If the message is in Notes format (for example, if the user is
using an R4 Notes client), the message is routed using Notes routing.
Configuring these servers requires:
• Enabling the SMTP listener task for Mail1, Mail2, and Mail3.
• Enabling "SMTP allowed within the local Internet domain" for
MIME messages only for Mail1, Mail2, and Mail3.
• Entering the server's "Fully qualified Internet host name" on the
Basics tab of the Server document. The local Router uses the value in
this field to define the local Internet domain in the absence of a
Global Domain document. Other Domino servers on the network check
this field before attempting inbound SMTP connections to this server.
If the field is blank or contains an invalid value, all inbound mail
transfers take place over Notes routing.
• Either having all three servers in the same Domino named network or
enabling "Servers within the local Domino domain are reachable via
SMTP over TCPIP" for each server.

Example of mail routing between a third-party server and Domino in
the same Internet domain

[Figure: Mail1, Mail2, Mail3, and non-Notesserver.acme.com, connected
via SMTP]

In this example, Acme has three Domino servers and a third-party SMTP
host in the local Internet domain that handles mail for some users. All
users have entries in the Domino Directory. When a user sends mail to
another user in the acme.com domain, the Domino server looks up the
recipient in the Domino Directory. If the recipient has a mail file on one
of the Domino mail servers (Mail1, Mail2, or Mail3), the server routes
the message to its destination over Notes routing. Notes routing handles
both MIME and Notes format messages. If the recipient has a mail file on
the third-party server, non-Notesserver.acme.com, their Person
document has a forwarding address with the domain
non-Notesserver.acme.com. To route mail over SMTP, Mail1 and Mail3
find a Foreign SMTP Domain document for
*.non-Notesserver.acme.com that corresponds to an SMTP Connection
document listing Mail2 as the server to which to transfer messages. The
server sends the message via Notes routing to Mail2, which has the field
"SMTP used when sending messages outside of the local Internet
domain" enabled on the Router/SMTP-Basics tab of the Configuration
Settings document that applies to it. If the message is in Notes format,
Mail2 converts it to MIME. Mail2 connects to non-Notesserver.acme.com
over TCP/IP and transfers the message over SMTP.
If a user on non-Notesserver.acme.com sends a message to a user on
Mail1, Mail2, or Mail3, the server transfers the message over SMTP to
Mail2, which has the SMTP listener task enabled on the Basics tab of its
Server document, and Mail2 routes the message to its destination over
Notes routing.
Configuring these servers requires:
• Enabling the SMTP listener task for Mail2
• Setting up DNS correctly
• Creating a Foreign SMTP Domain document for
*.non-Notesserver.acme.com and an SMTP Connection document
that links to Mail2

Example of using a smart host

[Figure: Domino mail system (Mail1, Mail2, Mail3; mail4.acme.com)
connected via SMTP to smarthost.acme.com, which fronts a non-Domino
mail system (mail5.acme.com)]

If the local Internet domain includes mail systems other than Domino,
users who have Internet addresses ending in yourdomain.com may not
have mail files on a Domino server or Person documents in the Domino
Directory. When Domino receives a message for such a user, the Router
cannot resolve the address. To prevent Domino from generating delivery
failures, set up the Domino server to forward mail it receives for
unknown local domain users to a local smart host. A smart host is
typically a more central computer that has an authoritative directory of
all users in the local domain. When Domino receives mail it doesn't
know how to deliver, it sends it to the smart host.

In this example, Acme has three Domino servers (Mail1, Mail2, and
Mail3) and a third-party SMTP host, smarthost.acme.com, that houses
the directory for users who have non-Domino mail files within the
acme.com domain. Users in the non-Domino system do not have Person
documents in the Domino Directory. The Domino servers have the field
"SMTP allowed within the local Internet domain" enabled and have
smarthost.acme.com listed in the "Local Internet domain smart host"
field on the Router/SMTP-Basics tab of the Configuration Settings
document.
If a user on one of the Domino mail servers sends a message to a user in
the acme.com Internet domain, and the Router cannot find the recipient
in the Domino Directory, the Router forwards that message to
smarthost.acme.com over SMTP.
Configuring these servers requires:
• Setting up DNS correctly
• Enabling "SMTP allowed within the local Internet domain" for MIME
messages only for Mail1, Mail2 and Mail3
• Listing smarthost.acme.com as the "Local Internet domain smart host"
for Mail1, Mail2, and Mail3.

Example of using all servers to route outbound mail and one to
route inbound mail

[Figure: Mail1, Mail2, and Mail3 each send to the Internet via SMTP;
inbound Internet mail arrives via SMTP at Mail2 only]

In this example, Acme has three mail servers, Mail1, Mail2, and Mail3,
each of which can route messages from the Acme organization destined
for other Internet domains (external addresses). All three servers have
the field "SMTP used when sending messages outside of the local
Internet domain" enabled on the Router/SMTP-Basics tab of the
Configuration Settings document that applies to them. One server, Mail2,
receives mail addressed to the Acme Internet domain (acme.com). Mail2
has the SMTP listener task enabled on the Basics tab of its Server
document.
If a user on one of the mail servers sends a message to an external
address one with a domain other than acme.com the server looks
up the destination domain in the DNS, connects to the destination server
over TCP/IP, establishes an SMTP connection, and transfers the message.
Any mail from an external Internet domain one other than acme.com
is routed to Mail2. The DNS lists Mail2 as the MX host for acme.com.
Once the mail reaches Mail2, the server routes the message to its
destination.
Since each server can send messages directly to external domains, no
relay host, Foreign SMTP Domain documents, or SMTP Connection
documents are needed.
Configuring these servers requires:
• Enabling "SMTP used when sending messages outside of the local
Internet domain" for all three servers
• Enabling the SMTP listener task for Mail2
• Setting up DNS correctly to list Mail2 as the connecting server for the
acme.com domain for inbound mail

Creating a Configuration Settings document
Using a Configuration Settings document you can set up mail routing on
multiple Domino servers at once. The Configuration Settings document
includes settings that affect both Notes routing and SMTP routing.
Administrators can create a single Configuration Settings document for:
• All Domino servers in the Domino domain
• Servers in a specific group
• A specific server
You can designate a Configuration Settings document to serve as the
default for all servers in the Domino domain by selecting the field "Use
these settings as the default settings for all servers" or by entering a
wildcard (*) in the Group or Server field. Using a default Configuration
Settings document simplifies administration and saves time because you
can change the settings for the entire Domino domain by editing a single
document.


To specify additional restrictions for a server that is included in a group,
create a separate Configuration Settings document for the specific server.
For example, assume you have a Configuration Settings document for a
group of servers or for all servers. The executives in your organization
have their own mail server and require different settings. You will need
to create a Configuration Settings document for the specific server. The
document that is most specific (in terms of which servers it applies to)
will take precedence.
Each server checks the Configuration Settings documents in the
following order a document specific to the server, then a group
document for any group the server is in, and then for the default
document. If there are multiple Configuration documents for groups
containing the same server, the results are undefined. For example, you
could have a server ServerA, and two groups named Group1 and
Group2 that both contain ServerA. If you create a Configuration Settings
document naming ServerA, all settings that are set in that document are
used by ServerA, but if there are settings that are not defined in that
document, then the Configuration documents defined for Group1 and
Group2 are examined for those settings. However any settings that were
defined in the ServerA document will not be examined in the Group1
and Group2 documents. If after examining the Group1 and Group2
documents there are still settings that do not have values defined, the
default settings apply.
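The field-by-field precedence described above (server document, then group documents, then the default document, with two group documents that disagree being the undefined case), as an added Python resolver. This is illustrative code written for this page, not Domino's own lookup; the document shape it expects and the sample documents for ServerA, Group1 and Group2 are constructed for the example.

```python
from typing import Dict, Iterable, List, Tuple

Settings = Dict[str, object]


def resolve_settings(server: str, member_of: Iterable[str],
                     docs: List[dict]) -> Tuple[Settings, List[str]]:
    """Compute the settings a server ends up with.

    docs: Configuration Settings documents as dicts of the form
          {"applies_to": "<server name>" | "<group name>" | "*",
           "settings": {field: value, ...}}
          where "*" marks the domain-wide default document.
    Returns (effective settings, warnings). Precedence, field by field:
    server-specific document, then group documents for groups the server
    belongs to, then the default document. A field set to different
    values in two group documents is the case the text calls undefined,
    so it is reported rather than silently resolved.
    """
    groups = set(member_of)
    effective: Settings = {}
    warnings: List[str] = []

    # 1. Server-specific document: every field it sets is final.
    for d in docs:
        if d["applies_to"] == server:
            for k, v in d["settings"].items():
                effective.setdefault(k, v)

    # 2. Group documents: only fields the server document left unset.
    from_groups: Settings = {}
    for d in docs:
        if d["applies_to"] in groups:
            for k, v in d["settings"].items():
                if k in effective:
                    continue
                if k in from_groups and from_groups[k] != v:
                    warnings.append(
                        f"{k}: set differently in group documents that both "
                        f"contain {server}; result undefined")
                from_groups.setdefault(k, v)
    effective.update(from_groups)

    # 3. Default document: whatever is still unset.
    for d in docs:
        if d["applies_to"] == "*":
            for k, v in d["settings"].items():
                effective.setdefault(k, v)
    return effective, warnings


# Constructed sample matching the text: ServerA is in Group1 and Group2.
SAMPLE_DOCS = [
    {"applies_to": "ServerA", "settings": {"smtp_outbound": True}},
    {"applies_to": "Group1", "settings": {"smtp_outbound": False,
                                          "relay_host": "mail1.acme.com",
                                          "max_message_size_mb": 10}},
    {"applies_to": "Group2", "settings": {"max_message_size_mb": 20,
                                          "smart_host": "smarthost.acme.com"}},
    {"applies_to": "*", "settings": {"max_message_size_mb": 5,
                                     "smtp_listener": False,
                                     "relay_host": None}},
]

if __name__ == "__main__":
    effective, warnings = resolve_settings("ServerA", {"Group1", "Group2"}, SAMPLE_DOCS)
    print(effective)
    for w in warnings:
        print("WARNING:", w)
```

Running the resolver over an export of your Configuration Settings documents is a cheap way to catch the undefined case before it bites: any warning means a server sits in two groups whose documents disagree, and a restriction you believe is in force may not be the one the Router is using.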
For more information about creating groups, see the chapter Setting Up
and Managing Notes Users.
Note Use fully qualified host names in fields on the Configuration
Settings document instead of IP addresses. While IP addresses will work
and are fully supported, using host names ensures that you wont need
to change a server entry in the event that a subnet change requires a
change to the servers IP address. You can change the servers record
once in the Domain Name Service (DNS) rather than having to search
through the Domino Directory to find every instance where the server is
referenced.


Each setting applies to every server included in the Configuration
Settings document. Therefore, you need multiple Configuration
documents if you need different settings for specific servers. For
example, if your Domino domain includes three geographic locations,
you may want a Configuration Settings document for each location. You
can create groups that include all the servers in the specific location and
use the location as the group name.

To create a Configuration Settings document

1. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
2. Choose Configurations.
3. Click Add Configuration to create a new Configuration Settings
document.
4. Click the Basics tab.
5. Complete one of these fields, and then click Save & Close.
Field: Use these settings as the default settings for all servers
Enter: Select the Yes checkbox to have this document serve as the default
Configuration Settings document for all Domino servers in the Domino
domain. If you create additional Configuration Settings documents in the
Domino Directory for specific servers or groups of servers, settings in
those documents override equivalent settings in the default document.
Field: Group or server name
Enter: The name of the individual server or server group to which this
Configuration Settings document applies.

Setting up Notes routing

By default, Domino uses Notes routing to transfer messages between
servers. Notes routing uses information in the Domino Directory to
determine where to send mail addressed to a given user. If two servers
are in the same Domino named network, Notes routing automatically
transfers mail between them. A Domino named network is a group of
servers in a given Domino domain that share a common protocol and are
connected by a LAN or modem connections.
To set up routing between servers that are not in the same Domino
named network, you must create documents in the Domino Directory to
specify how to route mail within the Notes mail system, as follows:
1. Create Connection documents to enable message transfer between
servers in different Notes named networks. A Connection document
specifies how and when two servers connect to exchange mail and
update common databases through replication. Routing mail
between servers in different Notes named networks requires a pair of
Connection documents, one from each server to the other.


2. Depending on your messaging system topology, create these
documents, as necessary:
• Non-adjacent domain documents.
• Adjacent domain documents.
• Foreign domain documents.
• Foreign SMTP domain documents.
• SMTP Connection documents.
How you create connections for Notes routing depends on:
• The location of the two servers: same Notes named network, same
Domino domain, adjacent Domino domain, non-adjacent Domino
domain
• The type of network connection between the two servers: LAN,
direct dialup, network dialup, or passthru
In addition, the number of Connection documents you need to create
depends on how you want to route mail, that is, whether you want to
route mail both to and from a server, only to a server, or only from a
server. Since, in most cases, you'll want to route mail in both directions,
you generally need to create two Connection documents for each
connection.
In small Domino networks, you can minimize the number of Connection
documents by using the same document to schedule mail routing and
replication. Or you can create a separate Connection document for each
task.
This table describes the typical types of connections and the documents
required to set them up (type of connection required, followed by the
documents required to create the connection).
Connection: To a server in the same Domino named network
Documents: No Connection documents required. There must be a common
entry on the Ports - Notes Network Ports tab of each server's Server
document.
Connection: To a server in a different Domino named network within the
local Domino domain
Documents: Two Connection documents, one from each server, to ensure
that mail routes in both directions.
Connection: To an adjacent Domino domain
Documents: Two Connection documents, one in each Domino domain, to
ensure that mail routes in both directions. One Adjacent domain
document if you need restrictions.
Connection: To a non-adjacent Domino domain
Documents: Two Connection documents, one in each Domino domain that
connects to the adjacent Domino domain. Two Non-adjacent domain
documents, one in each of the Domino domains that are not adjacent, to
provide restrictions and simplify addressing across the intermediary
domain between the first and third domains.
Connection: To a gateway for a foreign domain
Documents: One Foreign domain document to identify the foreign domain
for non-mail messaging systems, such as fax or pager systems.
Connection: To an SMTP-enabled server (for example, a server that can
send mail to the Internet)
Documents: One Foreign SMTP domain document to identify the
destination for messages being sent to the Internet. One SMTP Connection
document to specify the SMTP-enabled server.
Note When you create a Connection document, Notes routing is
enabled by default.
For complete information on creating Connection documents, see the
chapter "Setting up Server-to-Server Connections."

Recalculating the server's routing table

The Router on each server maintains a dynamic routing table, which
specifies the best route to each possible destination server. The routing
table builds on information contained in the servers NOTES.INI file and
in the Configuration Settings, Domain, Connection, and Server
documents in the Domino Directory.
By default, at intervals of approximately 5 minutes, or after you restart
the task, the Router examines the Domino Directory for changes that
would warrant rebuilding the routing table. In cases where you want
new settings to take effect immediately, but do not want to interrupt the
flow of mail by stopping and restarting the Router, you can use a TELL
command to force an update.
To update the server's routing table
Enter the following command at the server console:
Tell router update config

The Router checks the Server, Server Configuration, Connection,
Adjacent and Non-Adjacent domain documents, and the NOTES.INI file
for changes that might affect the routing topology. The Router then
builds a new routing table that incorporates the changes and
reprocesses any messages currently in MAIL.BOX based on the new
routing table.
The Router does not check the Global Domain document for changes in
response to the update configuration command. The information
contained in the Global Domain document is loaded into memory only
when the server initializes. It is not refreshed when the routing tables
reload.

Creating an Adjacent domain document

You create an Adjacent domain document when you need to restrict the
transfer of mail from one adjacent domain to another. For example, if you
are in domain B and want to prevent mail from an adjacent domain A
from traversing your domain to reach another adjacent domain C, create
an Adjacent domain document that names C as the adjacent domain and
denies mail from A.

[Figure: Domain Z, Domain A, Domain B and Domain C connected in a
chain. Adjacent Domain document in domain B: Adjacent domain name:
C; Deny mail from domains: A]

The restrictions you define in the Adjacent domain document apply to
the domain of the previous hop only. That is, in the Adjacent domain
document created in the previous example, adding A to the Deny list
prevents mail originating in A from routing to C. This includes mail that
domain A may receive from domain Z for eventual transfer to C.
But suppose you want to allow mail from A, but deny mail from domain
Z, which uses A and B as intermediate domains to reach C. If the
administrator in domain B removes domain A from the deny list of the
Adjacent domain document for domain C, and adds domain Z, domain Z
is still allowed to route mail to C. This is because once the message
arrives in domain B the domain of the previous hop is A, rather than Z.
In the absence of restrictions on transferring mail from A to C, Domino
allows the message to route.

[Figure: Domain Z, Domain A, Domain B and Domain C connected in a
chain. Adjacent Domain document in domain B: Adjacent domain name:
C; Deny mail from domains: Z (ineffective, because mail from Z reaches
B with A as its previous hop)]

You also use Adjacent domain documents to allow Free Time searches
across domains. For more information, see the chapter Setting up
Calendars and Scheduling.
Note Restrictions set in an Adjacent domain document work in
conjunction with those in the Configuration Settings document. Domino
always defaults to the most restrictive entry.
Adjacent Domain documents do not provide connectivity to adjacent
domains, and are not required to enable connections between adjacent
domains. To define routes between adjacent domains, create a
Connection document.
Using Adjacent domain documents to restrict mail
By default, a domain that can route mail to your domain can also route
mail through your domain to another adjacent domain. When mail
routes from one domain to another through your domain, it ties up your
resources. To prevent your servers from being used to transfer mail
between other domains, you can selectively allow and deny mail routing
through your domain to the domain named in the Adjacent domain
document.
The Allow and Deny fields on the Restrictions tab of the Adjacent
domain document let you control the flow of messages from other
domains to the adjacent domain. Entries in these fields must be the
names of adjacent domains; the Router ignores entries for non-adjacent
domains beyond the previous hop. If you deny a domain from sending
mail through your domain, the Router denies all mail received from that
domain, including messages the domain may have passed on from
another, non-adjacent domain. There is no way to restrict specific users
from routing to a Notes domain. Restrictions apply to all users in the
specified domain.
The settings in the Allow and Deny fields work in conjunction with the
Allow and Deny fields on the Router/SMTP - Restrictions and Controls -
Restrictions tab of the Configuration Settings document. In the event of
any conflict between settings, Domino applies the most restrictive entry.
Messages may be further restricted by Adjacent Domain documents,
Non-adjacent Domain documents, and Configuration Settings documents
set up between domains along the routing path.
To create an Adjacent domain document
1. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
2. Choose Domains.
3. Click Add Domain to create a new Domain document.
4. On the Basics tab, complete these fields:
Field: Domain type
Enter: Choose Adjacent domain
Field: Adjacent domain name
Enter: The name of the adjacent Domino domain. The current domain must
have a Connection document to this domain.
Field: Domain description
Enter: Optional description of the domain
5. To restrict other domains from routing mail through the current
domain to the adjacent domain, click the Restrictions tab, complete
the following fields, and then click Save and Close:
Field: Allow mail only from domains
Enter: The names of adjacent Domino domains that are allowed to route
mail to this adjacent domain. To allow any domain to route mail through
the local domain to this adjacent domain, leave this field blank.
Field: Deny mail from domains
Enter: The names of adjacent Domino domains that are not allowed to
route mail to this adjacent domain. To allow any domain to route mail
through the local domain to this adjacent domain, leave this field blank.

Note You cannot use wildcards in the Restrictions fields. You must
enter explicit domain names.
6. Create a Connection document to specify how servers in the current
domain connect to the adjacent domain.

Setting up routing to non-adjacent Domino domains

Non-adjacent domains are Domino domains that are not directly
connected, but have an intermediary domain, adjacent to both of them in
common. For example, domain A and domain B are adjacent and have
Connection documents defining the route between them. Similarly,
domain B, in turn, is adjacent to domain C and mutual Connection
documents exist between them; and domains C and D are likewise
adjacent to each other and linked by Connection documents. Domain B is
thus adjacent to domain A on one side, and domain C on the other; and
domain C is adjacent to B and D, respectively. If no direct connection
exists between A and C, these two domains are considered to be
non-adjacent domains. Similarly if there is no direct connection between
B and D, these two domains are also non-adjacent.
[Figure: Non-adjacent domains. Kathy Burke in Domain A; Domain B;
Robin Rutherford in Domain C; Judy Kaplan in Domain D. Domains A and
C are non-adjacent, as are domains B and D.]

Because there is no direct connection between two non-adjacent domains,


you cannot define the routing path between them in a Connection
document. Connection documents can only be used between two
directly-connected, adjacent domains. However, users in non-adjacent
domains can send mail to each other by routing it through the
intermediary domain.
One way to do this is to use explicit addressing telling the Router how
to reach the destination domain through the intermediary domain by
placing the entire routing path in the address field. For example, if Kathy
Burke in domain A wants to send a message to Robin Rutherford in the
non-adjacent domain C, she addresses the message by way of domain B,
as follows:
Robin Rutherford@C@B
In processing the message, the Router on the domain A mail server looks
only at the last part of the address, and uses the Connection document to
determine the route to domain B. The domain B server then uses the
Connection document in its Domino Directory to transfer the message to
domain C.
Although the use of explicit addressing is an effective method for
directing mail to non-adjacent domains, it is not a very practical solution,
because it relies on complete knowledge of the inter-domain routing
topology. This information is not readily available to a typical
user. To simplify routing and addressing to non-adjacent domains, you
can create a Non-adjacent domain document in the Domino Directory to
define the path between the non-adjacent domains.
Using a Non-adjacent domain document
Administrators can create a Non-adjacent domain document to control
message routing to a non-adjacent domain. A Non-adjacent Domain
document serves three functions:
• Specifies a routing path to the non-adjacent domain by supplying
next-hop domain information
• Restricts mail from other domains from routing to the non-adjacent
domain
• Defines the Calendar server used to enable free time lookups
between two non-adjacent domains.
For more information on how to enable free time lookups between
non-adjacent domains, see the chapter "Setting up Calendars and
Scheduling."
Non-adjacent domain documents are only required to specify routing
restrictions to a non-adjacent domain. However, to simplify addressing
on messages destined for a non-adjacent domain, it's useful to have a
Non-adjacent domain document for that domain. Without a
Non-adjacent domain document in the Directory, the Router has no
defined routing path to the non-adjacent domain. The Router can transfer
a message to the non-adjacent domain if the recipient address uses
explicit path routing (User@NonAdjacentDomain@AdjacentDomain, with
the next hop rightmost), but cannot transfer a message with a simple
domain address (User@NonAdjacentDomain). When explicit addressing
is used the Router uses the Connection documents between domains to
calculate the path to the next-hop domain.
But when a Non-adjacent domain document is available, the Router
obtains intermediary domain information from that document. This
eliminates the need for users sending mail to a non-adjacent domain to
use complex, explicit addressing. Thus, if domain A has a Non-adjacent
domain document for domain C, when Kathy Burke in domain A sends
mail to Robin Rutherford in domain C, she uses the address Robin
Rutherford@C (rather than Robin Rutherford@C@B). Because the Router
finds the intermediate domain information in the Non-adjacent domain
document, the message is transferred successfully to domain C by way of
domain B.
Using Non-Adjacent domain documents to restrict mail
Using Non-adjacent domain documents to simplify addressing makes
them valuable enough. But Non-adjacent domain documents play
another equally significant role. Although they are not strictly required to
enable routing between non-adjacent domains, they are needed if you
want to restrict routing of messages from certain domains.
By default, any domains that can route mail to your domain can also
route mail to the destination domains named in a Non-adjacent domain
document. Mail routed from one domain to another through your
domain consumes your network resources. To prevent your servers from
being used to transfer mail between other domains, you can selectively
allow and deny mail routing through your domain.
The Allow and Deny fields on the Restrictions tab of the Non-adjacent
domain document let you control the flow of messages from other
domains to the non-adjacent domain. Entries in these fields must be the
names of adjacent domains; the Router ignores entries for non-adjacent
domains beyond the previous hop. If you deny a domain from sending
mail through your domain, the Router denies all mail received from that
domain, including messages the domain may have passed on from
another, non-adjacent domain.
The Deny mail from domains field in a Non-adjacent domain
document does not block messages that use explicit domain addressing,
that is, addresses that explicitly name every domain on the routing path.
A Non-adjacent domain document can only block mail that relies on
information in the Non-adjacent domain document to supply the name of
a a missing intermediate domain. If the entire routing path is contained
in the recipient address, the Router doesnt need to check the document
to determine where to route the message, and thus cannot block it. For
example, if in the previous example, the administrator in domain B
creates a Non-adjacent domain document for domain D and adds
domain A to the "Deny mail from domains" field, Kathy Burke in domain
A can still send mail to Judy Kaplan in domain D by specifying the
following explicit domain address: Judy Kaplan@D@C@B.
To prevent Kathy Burke from sending this message, the administrator in
Domain B would have to create an Adjacent domain document for
domain C that names domain A in the "Deny mail from domains" field.
The settings in the Allow and Deny fields work in conjunction with the
Allow and Deny fields on the Router/SMTP - Restrictions and Controls -
Restrictions tab of the Configuration Settings document. In the event of
any conflict between settings, Domino applies the most restrictive entry.
Messages may be further restricted by Adjacent Domain documents,
Non-adjacent Domain documents, and Configuration Settings documents
set up between domains along the routing path.
To create a Non-adjacent domain document
1. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
2. Choose Domains.
3. Click Add Domain to create a new Domain document.
4. On the Basics tab, complete these fields:
Field: Domain type
Enter: Choose Non-adjacent domain
Field: Mail sent to domain
Enter: The name of the non-adjacent Domino domain you want to route
mail to.
Field: Route through domain
Enter: The name of the intermediary Domino domain through which you
want to route mail for the destination domain. The current domain must
have a Connection document to this domain. Also, the Domino Directory
in the intermediary domain must have a Connection document to the
destination domain.
Field: Domain description
Enter: An optional description of the domain

5. Click the Restrictions tab, complete one or both of these fields, and
then save the document:
Field: Allow mail only from domains
Enter: The names of Domino domains adjacent to the current domain that
are allowed to route mail to this non-adjacent domain. Leave this field
blank to allow any domain to route mail through the local domain to the
non-adjacent domain.
Field: Deny mail from domains
Enter: The names of Domino domains adjacent to the current domain that
are not allowed to route mail to this non-adjacent domain. Leave this
field blank to allow any domain to route mail through the local domain
to the non-adjacent domain.

Note You cannot use wildcards in the Restrictions fields. You must
enter explicit domain names.
6. Create a Connection document to specify how servers in the current
domain connect to the intermediary adjacent domain.
Note Since, by definition, all servers in a domain use the same Domino
Directory, only one Non-adjacent domain document is required for each
non-adjacent domain. You do not have to create a separate document for
each server.
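The previous-hop semantics of the Adjacent and Non-adjacent domain Restrictions fields, the "most restrictive entry wins" rule, and the explicit-addressing bypass described in the two sections above (domains A, B, C, D; Kathy Burke's addresses Robin Rutherford@C@B and Judy Kaplan@D@C@B), as one added Python model. This is illustrative code written for this page, not the Domino Router; `next_hop`, `DomainDoc`, the `connected` set standing in for Connection documents, and the decision to apply the intermediary's Adjacent domain document after a Non-adjacent document has supplied the hop are all this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass
class DomainDoc:
    """Restrictions tab of an Adjacent or Non-adjacent domain document.
    route_through is set only on Non-adjacent documents."""
    allow_only: List[str] = field(default_factory=list)   # "Allow mail only from domains"
    deny: List[str] = field(default_factory=list)         # "Deny mail from domains"
    route_through: Optional[str] = None                   # "Route through domain"

    def __post_init__(self) -> None:
        # The text is explicit: no wildcards, explicit domain names only.
        for name in self.allow_only + self.deny:
            if "*" in name:
                raise ValueError("wildcards are not permitted in Restrictions fields: " + name)


def permits(allow_only: Sequence[str], deny: Sequence[str], previous_hop: str) -> bool:
    """Apply Allow/Deny to the previous-hop domain only. Deny wins over
    Allow (most restrictive entry) and a blank Allow list means any domain."""
    if previous_hop in deny:
        return False
    return not allow_only or previous_hop in allow_only


def next_hop(local_domain: str,
             recipient: str,
             connected: Set[str],                 # adjacent domains reachable via Connection documents
             adjacent_docs: Dict[str, DomainDoc],
             non_adjacent_docs: Dict[str, DomainDoc],
             previous_hop: str,
             config_allow: Sequence[str] = (),    # Configuration Settings Allow/Deny
             config_deny: Sequence[str] = ()) -> Tuple[Optional[str], str]:
    """Decide where the local Router sends a message that arrived from
    previous_hop. Returns (next-hop domain or None, reason)."""
    user, *path = recipient.split("@")
    if path and path[-1] == local_domain:
        path.pop()                      # our own domain name has been reached
    if not path:
        return None, "local delivery"
    target = path[-1]                   # rightmost remaining domain is the next hop
    explicit = len(path) > 1            # the sender spelled out the rest of the route
    if target in connected:
        hop = target                    # Non-adjacent documents are never consulted here
    else:
        na = non_adjacent_docs.get(target)
        if na is None:
            return None, "no route to " + target
        if not permits(na.allow_only, na.deny, previous_hop):
            return None, "denied by Non-adjacent domain document for " + target
        hop = na.route_through
    # Assumption: the Adjacent domain document for the hop applies in both cases.
    doc = adjacent_docs.get(hop)
    if doc is not None and not permits(doc.allow_only, doc.deny, previous_hop):
        return None, "denied by Adjacent domain document for " + hop
    if not permits(config_allow, config_deny, previous_hop):
        return None, "denied by Configuration Settings restrictions"
    return hop, "explicit path" if explicit else "routed"


if __name__ == "__main__":
    # Domain B's view: A and C are adjacent, D is reached through C.
    connected = {"A", "C"}
    na_d = {"D": DomainDoc(deny=["A"], route_through="C")}
    for addr in ("Judy Kaplan@D", "Judy Kaplan@D@C@B"):
        print(addr, "->", next_hop("B", addr, connected, {}, na_d, previous_hop="A"))
```

The two runs in the `__main__` block are the point of the text: the Non-adjacent document for D blocks "Judy Kaplan@D" from A, but "Judy Kaplan@D@C@B" never touches that document and goes through. The only control that closes the gap is the Adjacent domain document for C with A in its Deny list, which the tests below exercise, and a deny list is only as good as the previous hop it names: mail from Z arriving via A is judged as mail from A.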

Setting up routing to external application gateways

Domino treats external messaging applications, such as fax or pager
gateways, as foreign domains. To route mail from a Domino domain to
an external application, create a Foreign domain document.
Creating a Foreign domain document
A Foreign domain document defines the path between a Domino domain
and an external application, such as a fax or pager gateway. A Foreign
domain document identifies the Domino server that acts as the gateway
to the external application.
Applications such as X.400 and cc:Mail use their own specialized
versions of the Foreign domain document to direct the messages through
a message transfer agent (MTA). For more information about MTAs, see
the documentation for the specific MTA.
Although Foreign domains are mostly used for third-party applications, you can also use them to transfer messages between a Release 5.0 or later server and a Release 3.x SMTP server.

To create a Foreign domain document

1. From the Domino Administrator, click the Configuration tab and then expand the Messaging section.
2. Choose Domains.
3. Click Add Domain to create a new Domain document.
4. Click the Basics tab, and complete these fields:

Domain type
    Choose Foreign domain.

Foreign Domain Name
    The domain name of the foreign mail system. This name was chosen when the MTA or gateway was installed.

Domain description
    An optional description of the gateway or MTA.

5. Click the Restrictions tab, and then complete these fields:

Allow mail only from domains
    The names of Domino domains that are allowed to route messages to this foreign domain. Leave this field blank to allow any domain to route mail through the local domain to the foreign domain.

Deny mail from domains
    The names of Domino domains that are not allowed to route messages to this foreign domain. Leave this field blank to allow any domain to route mail through the local domain to the foreign domain.

6. Click the Mail Information tab, complete these fields, and then save the document:

Gateway server name
    The name of the Domino server running the gateway software.

Gateway mail filename
    The gateway's mail file name. See the documentation that came with the gateway for the proper file name.

7. Create a Connection document to specify how servers in the current domain connect to the foreign domain.

Restrictions that you set on this Foreign domain document apply only to
the From domain of the previous hop. These restrictions work in
conjunction with those in the Configuration Settings document. Domino
always defaults to the most restrictive entry.
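The following Python script is an added illustration, not part of the Domino product or of this manual. It models how a domain applies the Restrictions tab of a Non-adjacent domain document (the same two fields appear on a Foreign domain document and are checked against the previous hop in the same way), using the domains A, B, C and D and the address Judy Kaplan@D@C@B from the example above. The rules it encodes are the ones stated in the text: an explicit path address does not consult the Non-adjacent domain document and so is not subject to its restrictions, entries are explicit names with no wildcards, and when both the domain document and the Configuration Settings document carry restrictions the more restrictive one decides. Passing the Configuration Settings lists as plain tuples, and treating any domain without a Non-adjacent domain document as either adjacent or unknown, are simplifications made here.

```python
"""Model of Non-adjacent domain routing with Restrictions applied.
Added example, not Domino code. Domain names A, B, C, D and the address
"Judy Kaplan@D@C@B" are taken from the manual's own example; the
Configuration Settings restrictions are passed in as plain tuples
(a simplification of where that second set of restrictions lives)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class NonAdjacentDomain:
    name: str                     # the non-adjacent domain, e.g. "D"
    route_through: str            # intermediary adjacent domain, e.g. "C"
    allow_only_from: tuple = ()   # adjacent domains allowed to route here (blank = any)
    deny_from: tuple = ()         # adjacent domains refused (blank = none)


def _permitted(previous_hop, allow_only_from, deny_from):
    """Explicit names only (no wildcards); Domino domain names compare case-insensitively."""
    hop = previous_hop.lower()
    if hop in (d.lower() for d in deny_from):
        return False
    if allow_only_from and hop not in (d.lower() for d in allow_only_from):
        return False
    return True


def notes_next_hop(local_domain, address, previous_hop, adjacent, non_adjacent_docs,
                   config_allow_only=(), config_deny=()):
    """Next Domino domain for `address` as seen from `local_domain`:
    "LOCAL" if deliverable here, a domain name, or None if refused or unknown."""
    path = address.split("@")[1:]                    # "Judy Kaplan@D@C@B" -> ["D", "C", "B"]
    if path and path[-1].lower() == local_domain.lower():
        path = path[:-1]                             # strip our own domain off the right
    if not path:
        return "LOCAL"
    target = path[-1]
    if len(path) > 1 or target.lower() in (d.lower() for d in adjacent):
        # explicit path (or an adjacent domain): no Non-adjacent domain document is
        # consulted, so its Restrictions tab never applies
        return target
    doc = next((d for d in non_adjacent_docs if d.name.lower() == target.lower()), None)
    if doc is None:
        return None
    # both the document's restrictions and the Configuration Settings restrictions are
    # applied; whichever is more restrictive wins
    if not _permitted(previous_hop, doc.allow_only_from, doc.deny_from):
        return None
    if not _permitted(previous_hop, config_allow_only, config_deny):
        return None
    return doc.route_through


if __name__ == "__main__":
    # domain B's directory: D is reached through C, and A may not use that route
    docs = [NonAdjacentDomain("D", "C", deny_from=("A",))]
    adjacent_to_b = {"A", "C"}
    print(notes_next_hop("B", "Judy Kaplan@D", "A", adjacent_to_b, docs))        # None: refused
    print(notes_next_hop("B", "Judy Kaplan@D@C@B", "A", adjacent_to_b, docs))    # C: explicit path
    print(notes_next_hop("B", "Judy Kaplan@D", "E", adjacent_to_b, docs))        # C: E is not denied
```

The explicit-path case shows why a Deny list on a Non-adjacent domain document is a routing convenience rather than an access control: a sender who knows the topology can still address through the intermediary by hand, as the manual's example with Kathy Burke notes.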

Transferring outbound Internet mail to an SMTP server over Notes routing

On Domino networks that don't use SMTP for internal mail routing, you can implement a gateway topology for sending outbound mail to the Internet. Your internal servers can continue to use Notes routing to transfer mail, and send Internet mail to an SMTP server that connects to the Internet. Your gateway server must be a Domino server able to send SMTP mail to external Internet domains.
To define a route between your internal servers and the SMTP gateway server, create:

• One or more Foreign SMTP domain documents that define the next domain for sending SMTP mail addressed to a given set of destination addresses
• SMTP Connection documents specifying the server that processes outbound SMTP mail for each Foreign SMTP domain document

The gateway server receives outbound mail from internal servers over Notes routing and then transfers it to the Internet over SMTP. The gateway server can connect to the Internet directly or through an SMTP relay host or firewall that connects to the Internet.
The Foreign SMTP domain document
A Foreign SMTP domain document provides servers that don't use SMTP routing, and which do not have access to DNS, with the next-hop information required to route Internet mail. You can also use Foreign SMTP domain documents with servers that route mail over SMTP to configure different routing paths for mail sent to different destinations.
A Foreign SMTP Domain document provides servers in a Domino domain with information on where to transfer mail destined for external SMTP addresses. The Foreign SMTP domain document specifies the name of the next hop domain to which messages addressed to a specific Internet domain or domain pattern are sent. For example, a Foreign SMTP Domain document might specify that the next hop for messages addressed to the domain company.com should be the domain TheInternet.
The next hop domain can either be an actual Domino domain (that is, a group of servers sharing a Domino Directory) or a virtual domain. Use the name of an existing Domino domain if you can create a Connection document to it and it already has SMTP servers connected to the Internet. If the network does not currently have a Domino domain that routes outbound Internet mail, use a virtual, or logical, domain name. The name must not correspond to the name of any servers or domains in the Domino Directory. Domino uses the virtual domain name to link this SMTP domain document with an SMTP Connection document, which, in turn, specifies the name of an SMTP-enabled server that can process outbound mail, for example, a firewall server that can route outbound Internet mail.

Configuring different relay hosts for different destination domains


To explicitly control message routing, you can set up multiple Foreign
SMTP domain documents, splitting outbound mail traffic so that
messages destined for one Internet domain route through one Domino
host and those destined for others go to a different host.
For example, you can configure one Foreign SMTP Domain document to
route all mail addressed to domains ending in lotus.com; a second can
route all mail addressed to domains ending in ibm.com; and a third can
process mail addressed to all other Internet domains (*.*). For each of the
three configured Foreign SMTP domains, you must create an SMTP
Connection document that describes how to transfer the messages routed
to that domain.
Note If you use a wildcard when specifying which messages to route to
a domain, you can still restrict messages destined for specific Internet
domains using the SMTP Outbound Controls in the Configuration
Settings document.
The Router always uses the Foreign SMTP Domain document that most closely matches the address. For example, if a message is addressed to jdoe@server1.japan.lotus.com and there are two Foreign SMTP Domain documents, one for lotus.com and one for japan.lotus.com, the Router uses the document for japan.lotus.com.
After the Router determines which Foreign SMTP Domain document
most closely matches the address of the message, it forwards the message
to the specified next domain. If the domain is a real Domino domain, the
Router looks in the Domino Directory for a connection to that domain
and routes the message. If the domain is a logical domain, the Router
checks for an SMTP Connection document that describes the next hop for
mail routed to that domain.
To create a Foreign SMTP domain document
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Choose Domains, and then click Add Domain.

4. On the Basics tab, complete this field:

Domain type
    Foreign SMTP Domain

5. Click the Routing tab, complete these fields, and then click Save & Close:

Messages Addressed to Internet Domain
    The name of the Internet domain to which this document applies, for example, company.com, or a wildcard (*.*) to indicate all Internet domains.

Should be Routed to Domain name
    A fictitious, logical domain name, for example, TheInternet, to which messages that match the pattern in the Internet Domain field will be routed. The name you specify serves as a placeholder; Domino uses the name to pair the Foreign SMTP Domain document with the connection document you create in the next step.

6. Create an SMTP Connection document to associate the Foreign SMTP Domain document with an SMTP server that can send outbound mail to the Internet.

Creating an SMTP Connection document

On networks where internal mail travels over Notes routing, the SMTP Connection document works in conjunction with a Foreign SMTP Domain document to route messages from non-SMTP servers to an SMTP server that can send messages outside the local Internet domain. SMTP Connection documents link the virtual foreign SMTP domain specified in a Foreign SMTP Domain document to a Domino SMTP server. For example, an SMTP Connection document might link the virtual domain TheInternet to the firewall server that routes mail to the Internet. In the SMTP Connection document, you specify the source server (the server that can connect directly to the Internet and route SMTP mail), the destination domain (which must match the logical domain name entered in the Should be Routed to Domain name field of the Foreign SMTP Domain document, not the Internet domain pattern), and the method to use when connecting to the source server (direct or dialup). An SMTP Connection document lets Internet messages travel from a Domino domain to a server that is enabled to use SMTP to route outbound Internet mail.
When the Router receives a message for a recipient outside the local Internet domain, it forwards the message to the domain specified in the Foreign SMTP Domain document. After the message reaches a Domino server that can connect to the Internet, that server establishes a connection with a server in the destination domain and routes the message.

To create an SMTP Connection document

1. From the Domino Administrator, click the Configuration tab and then expand the Messaging section.
2. Choose Connections and click Add Connection.
3. On the Basics tab, complete these fields, and then save the document:

Connection type
    SMTP

Source server
    The name of the SMTP-enabled server where non-SMTP servers send mail destined for the Internet domains specified in the Foreign SMTP domain document. This server must have access to DNS and have SMTP enabled for sending messages outside the local Internet domain.

Connect via
    Choose one:
    • Direct connection, for servers that communicate over LAN connections
    • Dial-up connection, for servers that communicate over transient connections, such as phone lines. If you select this option, Domino displays the field Dial using connection record.

Dial using connection record
    Specifies the Network Dialup Connection document containing the dialup settings for connecting to the SMTP server specified in the Source server field. This field appears only if you selected Dial-up connection in the preceding field. Click Choose record to select a Network Dialup Connection document (remote LAN service connection record) from the list of previously created Network Dialup Connection documents. For information about creating a Network Dialup Connection document, see the chapter Planning server-to-server connections.

Destination server
    A unique, fictitious, placeholder name, such as all_internal_hosts. Domino does not use the value in this field, but the Connection document will not work if the field is empty. The name you specify must not match the name of any server on the network.


Destination domain
    The fictitious, logical domain name specified in the Should be Routed to Domain name field of the corresponding Foreign SMTP domain document. The name in this field links this SMTP connection document with the Foreign SMTP Domain document.

SMTP MTA relay host
    Specifies the SMTP host to which the source server transfers outbound mail. This allows an SMTP server to further split Internet destinations and configure multiple relays.
    If this field is blank, the Router transfers outbound mail to the relay host specified in the server's Configuration Settings document.
    If there is no relay host specified in either this field or in the Configuration Settings document, the Router determines the next hop by looking up the destination domain in the DNS or a local hosts file, depending on the value of the Host name resolution field on the Router/SMTP - Basics tab of the Configuration Settings document.

For information on configuring how the Router resolves host names, see the topic Specifying how Domino looks up SMTP hosts when sending outbound mail later in this chapter.
4. On the Replication/Routing tab, complete these fields:

Replication task
    Disabled

Routing task
    Choose Mail Routing. Because the same routing task is responsible for transferring messages over NRPC and SMTP, there's no need to specify SMTP routing. The source server must have SMTP routing enabled in its Server document; otherwise, the Router discards the information in the SMTP Connection document. Choose SMTP routing only if the specified source server is running Domino Release 4.6x or earlier.

Route at once if
    The number of pending messages that will force routing. Default is 5.

5. On the Schedule tab, specify the desired routing schedule.
6. Click Save & Close. Replicate the Domino Directory to all servers in the Domino domain.
The change takes effect after the next Router configuration update. To put the new setting into effect immediately, recalculate the routing tables on all affected servers.
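The following Python script is an added illustration, not part of the Domino product or of this manual. It models the outbound decision described in the preceding topics: the Router picks the Foreign SMTP Domain document whose Internet domain most closely matches the recipient's address (a *.* wildcard matches everything at the lowest precedence), forwards to the named next domain, and, when that domain is a logical one, looks for the SMTP Connection document whose Destination domain matches it. The transfer target then follows the precedence given for the SMTP MTA relay host field: the Connection document's relay host, else the Configuration Settings relay host, else a DNS or hosts-file lookup of the destination domain. The sample directory (TheInternet, AsiaGateway, Mail-GW/Acme, Tokyo-GW/Acme, relay.example.net, Acme-Hub) is constructed for the example.

```python
"""Model of next-hop resolution for outbound Internet mail from Foreign
SMTP Domain and SMTP Connection documents. Added example, not Domino code;
the document and field names follow the manual, the directory contents
below (TheInternet, AsiaGateway, Mail-GW/Acme, ...) are constructed."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ForeignSMTPDomain:
    internet_domain: str   # "Messages Addressed to Internet Domain": company.com or *.*
    next_domain: str       # "Should be Routed to Domain name": real or logical domain


@dataclass(frozen=True)
class SMTPConnection:
    source_server: str                 # SMTP-enabled server that transfers the mail
    destination_domain: str            # must equal ForeignSMTPDomain.next_domain
    relay_host: Optional[str] = None   # "SMTP MTA relay host"; blank means fall back


@dataclass
class Directory:
    foreign_smtp_domains: list = field(default_factory=list)
    smtp_connections: list = field(default_factory=list)
    domino_domains: set = field(default_factory=set)   # real domains that have Connection documents
    config_relay_host: Optional[str] = None            # relay host in Configuration Settings


def _match_length(pattern, domain):
    """Number of labels of `domain` that `pattern` covers, or -1 if it does not apply.
    '*.*' covers every Internet domain but with the lowest precedence."""
    if pattern == "*.*":
        return 0
    p, d = pattern.lower(), domain.lower()
    if d == p or d.endswith("." + p):
        return p.count(".") + 1
    return -1


def match_foreign_smtp_domain(directory, address):
    """The Foreign SMTP Domain document whose Internet domain most closely matches."""
    domain = address.rsplit("@", 1)[-1]
    best, best_len = None, -1
    for doc in directory.foreign_smtp_domains:
        n = _match_length(doc.internet_domain, domain)
        if n > best_len:
            best, best_len = doc, n
    return best


def outbound_next_hop(directory, address):
    """Return (next_domain, source_server, transfer_target), or None when no
    Foreign SMTP Domain document applies or a logical domain has no SMTP Connection."""
    doc = match_foreign_smtp_domain(directory, address)
    if doc is None:
        return None
    if doc.next_domain in directory.domino_domains:
        # real Domino domain: the ordinary Connection document to it carries the mail
        return (doc.next_domain, None, "notes-routing")
    for conn in directory.smtp_connections:
        if conn.destination_domain.lower() == doc.next_domain.lower():
            target = (conn.relay_host
                      or directory.config_relay_host
                      or "dns-lookup:" + address.rsplit("@", 1)[-1].lower())
            return (doc.next_domain, conn.source_server, target)
    return None   # logical domain with nothing linking it to an SMTP server


if __name__ == "__main__":
    d = Directory(
        foreign_smtp_domains=[ForeignSMTPDomain("*.*", "TheInternet"),
                              ForeignSMTPDomain("lotus.com", "TheInternet"),
                              ForeignSMTPDomain("japan.lotus.com", "AsiaGateway")],
        smtp_connections=[SMTPConnection("Mail-GW/Acme", "TheInternet", "relay.example.net"),
                          SMTPConnection("Tokyo-GW/Acme", "AsiaGateway")],
    )
    for a in ("jdoe@server1.japan.lotus.com", "jane@lotus.com", "bob@example.org"):
        print(a, "->", outbound_next_hop(d, a))
```

The None result for a logical domain without a matching SMTP Connection document is the failure mode to watch for when the Destination domain field is mistyped: the Foreign SMTP Domain document matches, but nothing carries the message further.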
Configuring Domino to send and receive mail over SMTP

Setting up a Domino server as an SMTP server consists of enabling two separate tasks: a listener task and a routing task. Enabling the SMTP Listener allows a server to receive mail over SMTP. Enabling SMTP routing lets the Domino Router send mail to other servers using SMTP. You enable SMTP routing to destinations within the local Internet domain separately from SMTP routing to external destinations. It's also possible to enable SMTP routing on a server without enabling the Listener task, and vice versa.
For example, to support POP3 and IMAP clients, which use SMTP to
send mail, you must have at least one internal server running the SMTP
Listener task. However, the server does not have to use SMTP when
transferring messages it receives over SMTP to the next hop on the
routing path. After the server has accepted a message over SMTP, it can
use Notes routing to transfer the message to other servers.
By default, Domino uses Notes routing only and is not configured for SMTP routing. To have Domino use SMTP to send and receive mail, do the following:

• Prepare your system for sending messages to the Internet by testing your Internet connection and verifying that DNS is set up properly.
• Enable the SMTP Listener task in the Server document of each server you want to receive mail over SMTP.
• Enable SMTP routing within the local Internet domain so that servers can send mail over SMTP within the local Internet domain.
• Enable SMTP to be used to send messages outside the local Internet domain.
• Specify the relay host, if any, to be used when sending mail outside the local Internet domain. Configure a relay host for SMTP servers that do not have direct access to the Internet.
• Set up inbound and outbound mail restrictions to protect against misuse of the mail infrastructure.
• To allow POP3 or IMAP users who connect to Domino from an external network to send mail to external Internet domains, specify exceptions to inbound relay enforcement for authenticated users.

If you intend to allow users to access mail from POP3 or IMAP mail clients, you must install and enable these access protocols on users' mail servers. By default, Domino supports only Notes client access.
For information about using POP3 mail, refer to the chapter Setting Up the POP3 Service. For information about using IMAP mail, see the chapter Setting Up the IMAP Service.
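The following Python script is an added illustration, not part of the Domino product or of this manual, of the last two items in the list above: inbound relay enforcement on an SMTP listener, and the exception for authenticated POP3 and IMAP users. It plays both sides of two constructed SMTP exchanges, one from an unauthenticated host trying to relay to an outside domain and one from a mail client that authenticated first. The reply texts, the local domain list (acme.com) and the credential (user / secret) are constructed; Domino's real SMTP inbound controls live in the Configuration Settings document and are not reproduced here.

```python
"""Model of inbound relay enforcement with an exception for authenticated
users. Added example, not Domino code: reply texts, the local domain
acme.com and the credential user/secret are constructed for the demo."""

import base64


class SMTPListenerSession:
    """One inbound SMTP session: tracks EHLO/AUTH state and decides each RCPT TO."""

    def __init__(self, local_domains, relay_for_authenticated=True):
        self.local_domains = {d.lower() for d in local_domains}
        self.relay_for_authenticated = relay_for_authenticated   # the configured exception
        self.authenticated = False
        self.accepted = []

    def rcpt_decision(self, recipient):
        """(code, text) for RCPT TO:<recipient>. Local recipients are always accepted;
        relaying to any other domain requires an authenticated session."""
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return 250, "Recipient OK"
        if self.authenticated and self.relay_for_authenticated:
            return 250, "Recipient OK (relay for authenticated user)"
        return 550, "Relay not permitted"

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mail.acme.com Hello\r\n250 AUTH PLAIN"
        if verb == "AUTH":
            # AUTH PLAIN carries base64("\0user\0password"); a real listener checks the
            # Domino Directory, this constructed check accepts exactly one credential
            mech, _, blob = arg.partition(" ")
            ok = mech.upper() == "PLAIN" and blob == base64.b64encode(b"\0user\0secret").decode()
            self.authenticated = ok
            return "235 Authentication successful" if ok else "535 Authentication failed"
        if verb == "MAIL":
            return "250 Sender OK"
        if verb == "RCPT":
            recipient = arg.partition(":")[2].strip().strip("<>")
            code, text = self.rcpt_decision(recipient)
            if code == 250:
                self.accepted.append(recipient)
            return f"{code} {text}"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognised"


def run_session(lines, local_domains=("acme.com",), relay_for_authenticated=True):
    """Feed client lines to one session and return the numeric reply codes in order."""
    s = SMTPListenerSession(local_domains, relay_for_authenticated)
    return [int(s.handle(line)[:3]) for line in lines]


# constructed transcripts: a relay attempt from an unauthenticated host, then the same
# attempt from a POP3/IMAP user who authenticated first
UNAUTHENTICATED_RELAY = [
    "EHLO attacker.example",
    "MAIL FROM:<spammer@example.net>",
    "RCPT TO:<victim@example.org>",      # not a local domain: refused
    "RCPT TO:<alice@acme.com>",          # local recipient: accepted
    "QUIT",
]
AUTHENTICATED_RELAY = [
    "EHLO laptop.example",
    "AUTH PLAIN " + base64.b64encode(b"\0user\0secret").decode(),
    "MAIL FROM:<user@acme.com>",
    "RCPT TO:<partner@example.org>",     # external, but the session is authenticated
    "QUIT",
]

if __name__ == "__main__":
    print(run_session(UNAUTHENTICATED_RELAY))   # [250, 250, 550, 250, 221]
    print(run_session(AUTHENTICATED_RELAY))     # [250, 235, 250, 250, 221]
```

Running the first transcript against a real listener is the quickest way to confirm that the relay restriction is actually in force after a configuration change: a 250 on the RCPT to an outside domain from an unauthenticated session means the server is an open relay.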

Preparing to send and receive mail to the Internet


Use this list to ensure that your system is ready to send mail to and
receive mail from the Internet or another private SMTP network.
1. Make sure that you have a connection to the Internet via an Internet
Service Provider (ISP) or a direct connection.
2. Use the Ping command to test the connectivity between the
SMTP-enabled server and any external host to which it connects. Test
the connection between machines from which messages will be sent
and the servers from which you send mail to the outside world, such
as your ISP. Ping tests only the accessibility of the host, not the
existence or proper configuration of SMTP.
3. Define a list of the inbound Internet domain names by which your
organization is known. In some cases, a company may have multiple
Internet domain names. Enter these names as aliases in the Global
domain document.
4. Make sure that the DNS is set up to include all the Internet domain
names that your company uses.
5. If your company uses a mail relay or firewall, obtain the host name.

Setting up SMTP routing to external Internet domains


To send messages over SMTP to destinations outside of the local Internet
domain for example, to the Internet or another private network you
must enable external SMTP routing.
To enable SMTP routing outside of the local Internet domain
1. Make sure that you prepared your system to send mail to the
Internet.
2. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
3. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
4. Choose Configurations.
5. Select the Configuration Settings document and then click Edit
Configuration.

6. On the Router/SMTP - Basics tab, complete this field, and then save the document:

SMTP used when sending messages outside the local Internet domain
    Choose one:
    • Enabled to use SMTP to route mail to the Internet
    • Disabled (default) to prevent the server from routing mail outside the local Internet domain

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.

Setting up SMTP routing within the local Internet domain


You can set up servers to use SMTP routing when transferring messages
to other servers in the local Internet domain.
You can enable SMTP routing on every server or only on servers that
route to destinations outside of the Domino named network. For
example, you may not have a direct IP connection between all the servers
in one TCP/IP Domino named network and all the servers in another.
You may still require that all messages moving from one Domino named
network to another be routed through hub servers.
To set up SMTP routing within the local Internet domain
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Choose Configurations.
4. Select the Configuration Settings document to be edited and then
click Edit Configuration.
5. Click the Router/SMTP - Basics tab.
6. Complete these fields, and then save the document:


SMTP allowed within the local Internet domain
    Choose one:
    • MIME messages only. The Router uses SMTP to transfer MIME messages to other Domino servers that are within the same Domino domain and that run the SMTP Listener.
    • Disabled (default). The Router uses Notes routing to transfer mail to other servers in the same Domino domain.
    • All messages. The Router uses SMTP to transfer both Notes format and MIME format messages to other Domino servers that are within the same Domino domain and that run the SMTP Listener. This causes Notes format messages to be converted to MIME format before being transferred, which may cause loss of fidelity and performance. For example, Notes Doclinks and applications such as Calendar and Scheduling will not work.
    You can limit the use of SMTP to transfer mail within the Domino domain by setting the next field (Servers within the local Domino domain are reachable via SMTP over TCPIP) to only allow SMTP within the same Domino named network.

Servers within the local Domino domain are reachable via SMTP over TCPIP
    Choose one:
    • Always (default). The Router can use SMTP to transfer mail to any Domino server in the local Domino domain that runs the SMTP Listener.
    • Only if in same Domino named network. The Router can use SMTP to transfer mail to other Domino servers in the local Domino domain only if the destination server is in the same Domino named network. If the destination server is in the local Domino domain but resides in a different Domino named network, the Router must use Notes routing to transfer mail.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.

Enabling a server to receive mail sent over SMTP routing

To set up a server to receive SMTP-routed messages, you must enable the SMTP Listener. Then the server can listen for SMTP traffic over the TCP/IP port (usually port 25) and receive SMTP messages in the MAIL.BOX database(s).
Enabling the SMTP listener causes the server SMTP task to start up
automatically every time the server starts. Disabling the SMTP listener
prevents the SMTP task from starting up when the server starts.
Note Do not add SMTP as a task to the task list in the NOTES.INI file or
this feature will not work.
To enable or disable the SMTP Listener
1. From the Domino Administrator, click the Configuration tab and
then expand the Server section.
2. Select the Server document to be edited and then click Edit Server.
3. On the Basics tab, complete these fields:
Fully qualified Internet host name
    The server's complete combined host name and domain name, including the top-level domain. For example, in smtp.acme.com, smtp is the host name, acme is the second-level domain, and .com is the top-level domain.
    In the absence of a Global Domain document, the Router uses the entry in this field to determine the local Internet domain. Typically, the fully qualified host name is added to the Server document during server setup or by the Administration process (AdminP). A routing loop can result if this field does not contain a valid entry.

SMTP listener task
    Choose one:
    • Enabled to turn on the Listener so that the server can receive messages routed via SMTP routing
    • Disabled (default) to prevent the server from receiving messages routed via SMTP routing

4. Click the Ports - Internet Ports - Mail tab.


5. In the Mail (SMTP Inbound) column, ensure that the TCP/IP port
status is set to Enabled, and then click Save and Close.
Refer to Reconfiguring the SMTP port for more information about
modifying the default SMTP port settings.


Setting up how addresses are resolved on inbound and outbound mail

To ensure that messages are properly routed, you can configure the following addressing and lookup options:

• Create forwarding addresses for users that do not have Notes mail files
• Specify a smart host that contains a master directory for the organization
• Enable Domino to accept mail for multiple Internet domains used by the organization
• Specify how Domino looks up the recipients of incoming SMTP messages
• Specify how Domino resolves host names for outbound SMTP messages
• Enable Domino to look up the sender's Internet address from a Person document when sending outbound SMTP messages
• Specify how Domino forms the sender's return address when sending outbound Internet messages

Setting up a forwarding address

A forwarding address allows users who have Person documents in the Domino Directory to have their mail forwarded to another address. Set up forwarding addresses for users who:

• Change their names (for example, because of marriage) but still want to receive all their messages.
• Move; for example, a user may resign from the company but leave a forwarding address so that mail addressed to the old address is forwarded to the new location.
• Use a different mail system and do not have Notes mail files.

Configure the forwarding address on the user's Person document.

For more information about creating a Person document for a user, see
the chapter Setting Up and Managing Notes Users.
By default, the Router supports use of the Send copy to rule action,
which lets Notes users create mail rules to automatically forward copies
of messages delivered to their mail files to another address, such as a
forwarding address.
For information on disabling automatic message forwarding, see the
chapter Customizing the Domino Mail System.

Setting up a smart host


A smart host is a directory server to which SMTP-routed messages are
sent when the message recipient cannot be found in the Domino
Directory or other secondary directories configured on the server.
Typically, a smart host is used in organizations that employ multiple
mail systems within a single Internet domain. Users on these systems
may not be in the Domino Directory. For example, if some users are on a
UNIX sendmail system but their inbound messages are routed through
the Domino mail system, you can set up a smart host to ensure proper
address resolution.
After you set up a smart host, when Domino receives a message, if the domain part of the recipient's address matches the local Internet domain or one of the alternate Internet domain aliases defined in the Global Domain document, the Router looks up the address against all configured directories. If the address is not found, the Router then uses SMTP to forward the message to the configured smart host.
Domino sends all messages addressed to unknown recipients in the local
Internet domain to the configured smart host. You cannot configure
Domino to send to the smart host only messages addressed to recipients
in some subset of the internal domains and domain aliases defined in the
Global domain document.
Note Domino does not send messages addressed to unknown Notes
addresses to the smart host.
You must have DNS set up correctly to use a smart host. For more
information about DNS, see the chapter Overview of the Domino Mail
System.
To set up a smart host
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. Enable SMTP allowed within the local Internet domain for MIME
messages only.
For information, see the topic Setting up SMTP routing within the
local Internet domain earlier in this chapter.
3. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
4. Choose Configurations.
5. Select the Configuration Settings document and then click Edit
Configuration.
6. Click the Router/SMTP - Basics tab.

7. Complete these fields, and then save the document:

Local Internet domain smart host
    The host name for the server that hosts the directory for SMTP recipients who are not in the local Domino Directory. To provide a level of failover and load-balancing, specify a host name that maps to an existing MX record. You can also specify an IP address.

Smart host is used for all local Internet domain recipients
    Choose one:
    • Enabled to route all incoming SMTP messages to the smart host for lookup before routing elsewhere.
    • Disabled (default) to route only messages whose recipients are not found in the Domino Directory to the smart host for lookup.

Note Smart host settings are ignored if you enable the field Verify
that local domain recipients exist in the Domino Directory on the
Router/SMTP - Restrictions and Controls - SMTP Inbound Controls
tab.
8. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
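The following Python script is an added illustration, not part of the Domino product or of this manual. It models what the Router does with an inbound SMTP recipient in the local Internet domain once a smart host is configured, in the order the topic above describes: search every configured directory, then forward unknown recipients to the smart host; forward every local recipient when "Smart host is used for all local Internet domain recipients" is enabled; ignore the smart host entirely when "Verify that local domain recipients exist in the Domino Directory" is enabled; and never send a Notes-style address to the smart host. The directory contents and the host name sendmail.acme.com are constructed.

```python
"""Model of the Router's inbound decision for local-domain recipients
when a smart host is configured. Added example, not Domino code; the
directory entries and sendmail.acme.com are constructed."""

from dataclasses import dataclass, field


@dataclass
class RouterConfig:
    smart_host: str = ""                     # "Local Internet domain smart host"
    smart_host_for_all: bool = False         # "Smart host is used for all local Internet domain recipients"
    verify_local_recipients: bool = False    # SMTP Inbound Controls: "Verify that local domain recipients exist..."
    directories: list = field(default_factory=list)   # Domino Directory first, then secondary directories


def _known(config, address):
    """True if any configured directory lists the address (the $Users view entries)."""
    a = address.lower()
    return any(a in {e.lower() for e in d} for d in config.directories)


def inbound_local_recipient(config, address):
    """Return ("deliver", None), ("smart-host", host), ("reject", None) or ("nondelivery", None)."""
    found = _known(config, address)
    if "@" not in address:
        # Notes-style address such as "Genevieve Martin/Acme": never sent to the smart host
        return ("deliver", None) if found else ("nondelivery", None)
    if config.verify_local_recipients:
        # unknown recipients are refused at RCPT time; smart host settings are ignored
        return ("deliver", None) if found else ("reject", None)
    if config.smart_host and (config.smart_host_for_all or not found):
        return ("smart-host", config.smart_host)
    return ("deliver", None) if found else ("nondelivery", None)


if __name__ == "__main__":
    cfg = RouterConfig(smart_host="sendmail.acme.com",
                       directories=[{"genevieve_martin@acme.com"}, {"ops@acme.com"}])
    for who in ("Genevieve_Martin@acme.com", "unix-user@acme.com", "Genevieve Martin/Acme"):
        print(who, "->", inbound_local_recipient(cfg, who))
```

The interaction worth testing after a change is the third branch: with recipient verification enabled, users on the UNIX sendmail system in the manual's example are rejected rather than forwarded, because the two settings cannot be combined.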

Setting up a server to receive mail for multiple Internet domains


Every organization has a primary Internet domain name for example,
acme.com by which it is known to the rest of the world. By default,
Domino considers the local, primary Internet domain to be the domain
specified in the servers host name. For example, for a server with the
host name Server1.acme.com, both Server1.acme.com and acme.com are
considered local Internet domains. The server does not accept messages
addressed to recipients in any other Internet domain.
In addition to having a primary Internet domain, some organizations use alternate Internet domain names. If your organization uses more than one Internet domain name, you'll want Domino to consider other domain suffixes as local. Using multiple Internet domain names typically results when:

• An organization changes names
• An organization acquires or merges with another company that already has an existing Internet domain name, and users continue to use the other Internet domain in their addresses
• You set up a mail topology to route messages addressed to other subsidiaries through your firewall before routing the messages to the Internet or another private network
• You set up a mail topology specifically to include more than one Internet domain name

If for any of the preceding reasons people in your organization have addresses in an Internet domain other than the primary domain, create a Global Domain document. A Global Domain document identifies the Internet domains that are considered to be internal to a Domino domain and for which the local domain can accept mail. By default, the Domino Directory does not contain a Global domain document. Within the Global Domain document, you specify one primary Internet domain name and multiple secondary domains. Secondary domains are listed as alternate Internet domain aliases.
You must ensure that the DNS is set up to include all the Internet domain
names that your company uses.
To create a Global Domain document
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured. For Domino Release 5 and greater
servers, a Configuration Settings document is required to set up
SMTP routing.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Choose Domains, and then click Add Domain.
4. On the Basics tab, complete these fields:

Domain type
    Choose Global Domain

Global domain name
    (Optional) A word or phrase that describes the domain. Never use the name of an existing domain for your Global Domain.

Global domain role
    Choose one:
    • R5 Internet Domain, for Domino Release 5 and greater SMTP servers.
    • R4.x SMTP MTA, for Domino servers that use the SMTP MTA to send Internet mail.

5. Click the Conversions tab, complete these fields, and then save the document:

Local primary Internet domain
    The primary Internet domain name that your company uses to represent itself to the outside world, for example, another.com.

Alternate Internet domain aliases
    Additional Internet domain names that your company uses, for example, still.another.com, yet.another.com, have.another.com, and so on.
    Use the asterisk (*) as a wildcard to represent the names of subdomains. Wildcard use is valid only if the wildcard character appears as the first character of a given entry and represents an entire subdomain name; for example, the entry *.another.com indicates that Domino treats any subdomain of another.com as a local domain.
    Entries that use wildcards in any other way are considered invalid, including:
    • Using a wildcard in any position other than as a leading character in the entry. For example, the entries another.* and still.*.com are not valid.
    • Using a wildcard on its own to represent an entire domain suffix. For example, the entry * is not valid.
    • Using a wildcard to represent a portion of a name only. For example, the entries *other.com and *ill.another.com are not valid.

These fields represent the only ones you must complete if you are
using the Global Domain document solely for the purpose of
defining the internal Internet domains in an organization running
Domino Release 5 and greater.
6. Restart the server to put the changes into effect. The server reloads
information in the Global Domain document into memory only after
a restart.
For more information about DNS, see the chapter Overview of the
Domino Mail System.
If a Domino server uses ETRN to pull mail for multiple Internet domains
from another mail host, you can set up the Connection document to that
host to request mail for alternate Internet domains.


Specifying how Domino looks up the recipients of incoming SMTP messages
When Domino receives a message over SMTP, the message recipient is identified by an Internet-style address, in the format Genevieve_Martin@acme.com, rather than a Notes-style address, such as Genevieve Martin/Acme. To determine the correct destination mail file, Domino must match the SMTP address to a Person document in the Domino Directory. To find a match, the Router checks the $Users view of the directory. This view displays all name entries in all Person documents in the directory, including Internet mail addresses, as well as all user name variations, first names, last names, common names (CN), distinguished names (DN), short names, and soundex names.
Note To display the hidden $Users view: Open the directory, press CTRL-SHIFT and select View - Go To. In the Go To dialog box, select the view ($Users) and click OK.
Inbound recipient lookups are controlled by the Address lookup setting on the Router/SMTP - Basics tab of the Configuration Settings document. This setting determines the criteria that the Router uses when attempting to match the SMTP address on an incoming message to an entry in the $Users view. The Router matches addresses based on:
- The full SMTP address only, for example, Genevieve_Martin@acme.com
- The local part of the SMTP address (that is, the part to the left of the @ sign) only, for example, Genevieve_Martin
- The full SMTP address, and then, if no match is found, the local part of the address
When using full name matching, the Router searches the Domino Directory for an exact match of the entire SMTP address (for example, First_Last@Acme.com). If an exact match is not found, the Router performs a secondary search if the domain suffix of the incoming address is listed in the Global domain document as an Internet domain alias. For this secondary search, the Router replaces the given domain suffix with the domain suffix designated in the Global domain document as the Primary domain name.
To prevent the Router from using domain aliases when looking up addresses, do not include alternate Internet domain aliases in a Global domain document. Instead, create multiple Global Domain documents, each specifying a different primary Internet domain.
Restricting the Router to matching addresses on the full Internet address only ensures that each user's Internet address complies with a standard format. Users cannot receive inbound mail addressed to their short names, soundex names, or other name variations that exist in the $Users view. When configuring the Router to look up users' full Internet addresses only, complete the Internet address field in all Person documents, and in Mail-in database documents for mail-in databases that receive mail over SMTP.
To specify how addresses are looked up
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Choose Configurations.
4. Select the Configuration Settings document to be edited and then
click Edit Configuration.
5. Click the Router/SMTP - Basics tab.
6. Complete these fields, and then save the document:
   Address lookup: Specifies how the Router searches the Domino Directory to determine the Notes recipient of an inbound Internet message. Choose one:
      Fullname then Local Part (default): The Router first searches the Domino Directory for a match for the full Internet address (localpart@domain.com). If no match is found, it searches the directory again, looking for a match for the local part of the address only.
      Fullname only: The Router searches the Domino Directory for full Internet addresses only. For example, it searches for user@domain.com but not for user. If an exact match is not found and the domain suffix is equivalent to an Internet domain alias defined in the Global domain document, a secondary search is performed using the domain suffix of the primary Internet domain.
      Local Part only: The Router searches the Domino Directory for a match of the local part of the Internet address, that is, the part before the @ symbol. Local part matching matches periods and underscores in the address with spaces in the directory.
   Exhaustive lookup: Choose one:
      Enabled: The Router searches all directories to ensure that there are no duplicate recipient names that might prevent the message from getting to the right person. Performing exhaustive lookups is time-consuming and places a heavy load on the server.
      Disabled (default): The Router limits its search to the first directory that contains the address.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.

Specifying how Domino looks up SMTP hosts when sending outbound mail
You can specify how the Router determines the IP address(es) for
destination SMTP systems (for example, the Internet). Known as address
resolution, the method you select determines how the Router performs
domain-name-to-IP-address translation.
Address resolution methods are:
- Dynamic lookup only (DNS only)
- Local lookup only
- Dynamic then local

If you configure TCP/IP to use the Domain Name System (DNS), select
Dynamic mapping only or Dynamic then local. For Dynamic mapping
only, the Router queries a DNS server to map a fully qualified host name
to an IP address.
For Dynamic then local, the Router first queries the DNS and then checks
a file on your local drive. This file, known as a hosts file, maps destination
host names to IP addresses. The Dynamic then local option can be useful
if you need to connect to internal hosts that are not listed in the DNS.
If you configure TCP/IP to use local hosts lookup, select Local lookup
only. If you use this option, the IP address and fully qualified host name
for each destination must exist in the hosts file. This option requires more
administrative attention than the Dynamic mapping only option because
you need to maintain the file.
If the DNS does not list a destination host name, the Router designates
the message as non-deliverable. If the DNS is unavailable, the Router
retries delivery up to the configured number of times as indicated in the
Initial transfer retry field on the Configuration Settings document.

To set how host names are looked up
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Choose Configurations.
4. Select the Configuration Settings document to be edited and then
click Edit Configuration.
5. Click the Router/SMTP tab.
6. On the Basics tab, complete this field, and then save the document:
   Host name lookup: Choose one:
      Dynamic lookup only (DNS only): The Router determines the IP address for a host by looking it up in DNS. SMTP transfer can occur only if the destination host is listed in DNS.
      Local lookup only (host files only): The Router determines the IP address for a host by looking it up in a hosts file on the local machine.
      Dynamic then local (default): The Router determines the IP address for a host by looking it up in DNS first and then checking the local hosts file if no DNS entry exists.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.

Enabling the Router to look up the sender's Internet address from the Person document
When a Notes client is configured to send mail for Internet recipients in
Notes rich text format, a Domino server must convert outbound mail
from the client to MIME format for Internet mail transport over SMTP.
The Domino server responsible for the conversion must ensure that all
addresses in the message headers, including both the recipient and
sender addresses, are in Internet mail (RFC 821/822) format.


If the sending user's Location document specifies an Internet address, Domino places this address in the From field of the MIME message. However, if the Location document does not specify an Internet address, Domino must obtain the address by other means. By default, Domino forms an Internet address by converting spaces in the user's Notes address into underscores, and prefixing the names of Domino domains in the address with percent signs. For example, a Domino server in the acme.com Internet domain converts the Notes address John Smith@Notes to the Internet address John_Smith%Notes@acme.com. Domino determines the Internet domain from the Server document or the Global Domain document.
If your organization prefers to standardize Internet addresses using a format that does not reveal internal domain names, you can specify an Internet address in each user's Person document and configure Domino to look up the specified addresses during MIME conversion.
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to administer, and click Edit Configuration.
5. Click the MIME - Conversion Options - Outbound tab.

6. Complete the following and click Save & Close:


   Lookup Internet address for all Notes addresses when Internet address is not defined in document: Addresses on all messages sent to Internet recipients must be in Internet format (RFC 821/822 format). A Notes user may send a message to both Notes addresses and Internet addresses. To specify how Domino converts the addresses of Notes recipients on messages sent to the Internet, choose one:
      Enabled: On outbound Internet messages, if the address of the sender or any recipient is in Notes format, Domino looks up the user's Internet address from the Person document and, if found, substitutes it for the Notes address before sending.
      Disabled (default): Domino forms Internet addresses based on rules in the Global Domain document. If a Global domain document is not present, Domino constructs addresses by converting spaces into underscores and encoding Domino domains with percent signs. For example, Domino converts the Notes address John Smith@Notes to the Internet address John_Smith%Notes@acme.com. When this option is disabled, Domino will continue to perform Internet address lookups if configured to do so in the field Internet address lookup in the SMTP Address Conversion section of the Conversion tab of the Global Domain document.

How Domino formats the sender's Internet address in outbound messages
Outbound SMTP messages always include the Internet address of the sender. Domino can obtain the sender's address, sometimes called the reply address, from the sender's Location document, the sender's Person document, or by constructing the address based on a default format or rules configured in the Global Domain document. To ensure that message replies are routed correctly to the original sender, reply addresses should match the sender's Internet address.


To comply with Internet addressing standards, Domino uses RFC 821 or RFC 822 address formats for any message sent over SMTP, as illustrated in the following table.
   RFC 821: Username@IPDomain.TopLevelDomain, for example, Tyler_Hamilton@acme.com
   RFC 822: FriendlyName <Username@IPDomain.TopLevelDomain>, for example, Tyler Hamilton <Tyler_Hamilton@acme.com>

If a Domino SMTP server receives a message that is in Notes mail format, as when a server in the local network transfers a message to an SMTP server for routing to the Internet, it must convert that message to MIME before transferring it over SMTP. As part of the conversion process, the Router replaces Notes-style addresses in the message, including the sender's address, with an Internet-style address.
It's easy for the Router to add the appropriate address when it's been defined in the sender's Person document. In this case, the sender's Notes client enters the Internet address in the INetFrom field of the message. When converting the message for SMTP transfer, the Router uses the supplied Internet address.
For more information about Location documents, see the topic Creating or editing a Location document manually in Lotus Notes 6 Help. You can download or view Notes 6 Help from the Documentation Library of the Lotus Developer Domain at http://www.lotus.com/ldd/doc.
If the sender's Internet address is not present in the Notes message, the Router can attempt to retrieve it from the Person document. For address lookups to occur, you must enable them on the MIME - Conversion Options - Outbound tab of the server's Configuration Settings document (if lookups are disabled in the Configuration Settings document, they can occur if enabled in the Global domain document).
For information about enabling outbound address lookup in the Configuration Settings document, see the chapter Customizing the Domino Mail System.

Finally, if the Router cannot obtain the senders Internet address from
either the message itself or the Person document, it will construct the
address. You can specify the rules for constructing this address in the
Global domain document, but in the absence of a Global domain
document, the Router constructs Internet addresses using the following
default format:
Full_Name/Org%DominoDomain@IPDomain.TopLevelDomain

For example, the Router on the host smtp.acme.com would construct the
following default Internet address for the Notes user Tyler
Hamilton/Sales@Europe: Tyler_Hamilton/Sales%Europe@acme.com.
   Full_Name: The Notes common name of the sender. The Router replaces spaces in the name with underscores. For example, Tyler Hamilton becomes Tyler_Hamilton.
   Org: The organizational certifier or certifiers in the sender's Notes hierarchical name. For example, /Sales.
   DominoDomain: The name of the Domino domain that hosts the user's mail file. For example, Europe. By default, the Domino domain is separated from the Org name by the percent (%) character.
   IPDomain.TopLevelDomain: The Internet domain suffix listed in the Fully qualified Internet host name field of the Server document of the server converting the message for SMTP transfer. For example, the domain suffix of the server smtp.acme.com is acme.com.

To ensure that messages always include the sender's correct and reply-able Internet address, always add the Internet address to a user's Location document and Person document. To fill in the Internet Address field for all Person documents in which the field is blank, use the Internet Address Tool.
For more information about the Internet Address tool, see the Upgrade
Guide.
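The sender-address precedence and default construction described in this section, as an added example that is not Lotus code: the INetFrom field of the message is used first, then the Person document's Internet address field when lookup is enabled on the MIME - Conversion Options - Outbound tab, then the constructed Full_Name/Org%DominoDomain@IPDomain.TopLevelDomain form. The construction keeps every certifier component of the hierarchical name, so it also produces the multi-level form shown later in the chapter. The message contents and the person_docs mapping are constructed, and keying that mapping by the sender's Notes name is an assumption.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass
class NotesMessage:
    """The parts of an outbound Notes message that matter here (constructed)."""
    sender: str              # Notes-style address, e.g. "Tyler Hamilton/Sales@Europe"
    inet_from: str = ""      # INetFrom field, set by the client from its Location document


def default_internet_address(notes_address: str, ip_domain: str) -> str:
    """Build Full_Name/Org%DominoDomain@IPDomain.TopLevelDomain from a Notes address.

    Spaces in each name component become underscores, the Domino domain (after '@')
    is appended with '%', and ip_domain is the suffix of the converting server's
    Fully qualified Internet host name. Every certifier component is kept, so
    "Meredith Richards/East/Acme@Acme" yields Meredith_Richards/East/Acme%Acme@...
    """
    hierarchical, _, domino_domain = notes_address.partition("@")
    components = [c.strip().replace(" ", "_") for c in hierarchical.split("/")]
    local_part = "/".join(components)
    if domino_domain.strip():
        local_part += "%" + domino_domain.strip()
    return f"{local_part}@{ip_domain}"


def resolve_sender_address(msg: NotesMessage, person_docs: dict, ip_domain: str,
                           lookup_enabled: bool) -> Tuple[str, str]:
    """Return (address, source) in the order the text describes.

    person_docs maps a lower-cased Notes name (without the Domino domain) to the
    Internet address field of that Person document; a blank value means the field
    was never populated. This keying is an assumption for the example.
    """
    if msg.inet_from.strip():
        return msg.inet_from.strip(), "INetFrom"
    notes_name = msg.sender.partition("@")[0].strip().lower()
    if lookup_enabled:
        found = person_docs.get(notes_name, "").strip()
        if found:
            return found, "Person document"
    return default_internet_address(msg.sender, ip_domain), "constructed"


def rfc822_address(friendly_name: str, address: str) -> str:
    """RFC 822 style from the table: FriendlyName <Username@IPDomain.TopLevelDomain>."""
    return f"{friendly_name} <{address}>"


def sample_person_docs() -> dict:
    """Constructed Person document data: Notes name -> Internet address field."""
    return {"tyler hamilton/sales": "Tyler_Hamilton@acme.com",
            "genevieve martin/acme": ""}


if __name__ == "__main__":
    docs = sample_person_docs()
    cases = [
        (NotesMessage("Tyler Hamilton/Sales@Europe", "Tyler_Hamilton@acme.com"), True),
        (NotesMessage("Tyler Hamilton/Sales@Europe"), True),
        (NotesMessage("Tyler Hamilton/Sales@Europe"), False),
        (NotesMessage("Genevieve Martin/Acme@Acme"), True),      # field blank -> constructed
        (NotesMessage("Meredith Richards/East/Acme@Acme"), True),  # no Person document
    ]
    for msg, enabled in cases:
        addr, source = resolve_sender_address(msg, docs, "acme.com", enabled)
        print(f"{msg.sender:36} lookup={enabled!s:5} -> {addr}  ({source})")
    print(rfc822_address("Tyler Hamilton", "Tyler_Hamilton@acme.com"))
```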

Changing the default format for constructing the sender's Internet address on outbound mail
When converting a Notes message for SMTP transfer, the Router replaces the Notes address of the sender with an Internet address. If the Router cannot determine the sender's Internet address, either from the InetFrom field of the Notes message or the Internet address field of the user's Person document, it constructs an Internet address by combining the user's Notes name with Domino domain and Internet domain information. The rules for constructing the sender's Internet address are specified in the Global domain document. By default, the Global domain document constructs addresses in the following format:
First_Last/ou/org%DominoDomain@Internetdomain.TopLevelDomain

For example:
Meredith_Richards/East/Acme%Acme@acme.com

The address conversion settings in the Global domain document apply to all mail sent over SMTP from servers in this Global domain, including messages for recipients in the local Internet domain as well as messages for recipients in external Internet domains.
The Router uses the address conversion settings in the Global domain document for outbound mail only in cases where the sender does not have an Internet address defined in the Location and Person documents, or address lookup to the Domino Directory either fails or is disabled.
To ensure that every user has a standard Internet address, populate the Internet address field in each user's Person document. The Internet address tool available in the Domino Administrator lets you specify an address format for creating unique Internet addresses in every Person document in which the Internet address field is not currently set.
Generally speaking, if all users have Internet addresses in their Person documents and address lookups are always successful, address construction on outbound SMTP messages never occurs. However, even if you complete the Internet address field of every user's Person document, configure address conversion in at least one Global domain document to ensure that addresses are formed correctly in the event that lookups fail and address conversion occurs. Only in the most limited of deployments can one expect never to require address conversion.
For information about enabling Internet address lookup for outbound SMTP mail, see the topic Enabling the Router to look up the sender's Internet address from the Person document earlier in this chapter.

How Domino uses Global domain documents during inbound and outbound SMTP routing
When Domino receives an inbound SMTP message, it attempts to determine whether the message is for a local recipient. When the Domino Directory does not include a Global Domain document, Domino accepts only messages addressed to users in the same Internet domain as the server, as indicated in the Fully-qualified Internet host name that appears in the Server document.

But if the Domino Directory includes a Global domain document, Domino can receive mail for multiple Internet domains. To determine whether to accept a message, Domino compares the domain part to the local primary Internet domain listed in the Global domain document. If it does not find a match in this field, it examines the secondary Internet domains, that is, the alternate Internet domain aliases listed in that document.
The role of Global domain documents in determining whether to
accept inbound SMTP mail
If the Domino Directory contains multiple Global domain documents,
Domino uses a similar process to determine whether a recipient is local:
it first checks the primary Internet domain in each Global Domain
document, and then, if it still hasn't found a match, it continues by
checking the alternate Internet domains. If the domain in the address
does not match any of the domain entries in any Global domain
document, the message is considered an attempt to relay, and Domino
rejects the message.
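The accept-or-reject decision described in this section, together with the wildcard rules for Alternate Internet domain alias entries from the Conversions tab earlier in the chapter, as an added example that is not Lotus code: primary domains of all Global Domain documents are checked first, then the alias entries, and a recipient domain that matches none is treated as a relay attempt. The documents and addresses are constructed; skipping entries that break the wildcard rules is an assumption about how invalid entries behave.

```python
import re
from dataclasses import dataclass, field

# A DNS label is letters, digits and hyphens. An alias entry may carry a leading "*."
# wildcard only: leading position, whole subdomain name, never on its own.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_ALIAS_RE = re.compile(rf"^(?:\*\.)?{_LABEL}(?:\.{_LABEL})*$")


def alias_entry_is_valid(entry: str) -> bool:
    """True when an Alternate Internet domain alias entry follows the wildcard rules.

    Valid:   still.another.com, *.another.com
    Invalid: another.*, still.*.com, *, *other.com, *ill.another.com
    """
    return bool(_ALIAS_RE.match(entry.strip()))


def domain_matches(entry: str, domain: str) -> bool:
    """Match the domain part of a recipient address against one primary or alias entry.

    "*.another.com" matches every subdomain of another.com but not another.com itself,
    which is what the Conversions tab text says a leading wildcard represents.
    """
    entry, domain = entry.strip().lower(), domain.strip().lower()
    if entry.startswith("*."):
        return domain.endswith(entry[1:])      # ".another.com" suffix excludes the apex
    return entry == domain


@dataclass
class GlobalDomainDocument:
    """Fields of a Global Domain document that inbound acceptance depends on (constructed)."""
    name: str
    primary_domain: str                          # Local primary Internet domain
    aliases: list = field(default_factory=list)  # Alternate Internet domain aliases


def is_local_domain(domain: str, docs: list, server_internet_domain: str) -> bool:
    """Decide whether Domino treats `domain` as local.

    Without a Global Domain document only the server's own Internet domain (the suffix
    of the Fully-qualified Internet host name in the Server document) is local. Otherwise
    the primary domain of every document is checked first, then the alias entries.
    Assumption: entries that break the wildcard rules are skipped rather than matched.
    """
    if not docs:
        return domain.strip().lower() == server_internet_domain.strip().lower()
    if any(domain_matches(d.primary_domain, domain) for d in docs):
        return True
    return any(domain_matches(a, domain)
               for d in docs for a in d.aliases if alias_entry_is_valid(a))


def inbound_disposition(recipient: str, docs: list, server_internet_domain: str) -> str:
    """Return "accept" for a local recipient; anything else is refused as a relay attempt."""
    local_part, at, domain = recipient.rpartition("@")
    if not at or not local_part or not domain:
        return "reject: malformed address"
    if is_local_domain(domain, docs, server_internet_domain):
        return "accept"
    return "reject: relay attempt"


def sample_documents() -> list:
    """Constructed Global Domain documents for the demonstration (not real configuration)."""
    return [GlobalDomainDocument("Acme", "acme.com", ["*.acme.com", "acmewest.com", "another.*"])]


if __name__ == "__main__":
    docs = sample_documents()
    for entry in ["*.another.com", "another.*", "still.*.com", "*", "*other.com", "*ill.another.com"]:
        print(f"{entry:20} valid={alias_entry_is_valid(entry)}")
    for rcpt in ["craig_bowker@acmewest.com", "sales@west.acme.com",
                 "x@another.test", "x@example.org"]:
        print(f"{rcpt:30} {inbound_disposition(rcpt, docs, 'acme.com')}")
```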
Inbound address lookup when the Domino Directory contains
multiple Global Domain documents
After Domino accepts a message, the Router attempts to match the
recipient's Internet address to an entry in the Domino Directory. When
looking up the recipient in the Domino Directory, if the domain suffix in
the address matches an alternate Internet domain alias defined in a
Global Domain document, and no Person document includes this
address, the Router performs a secondary lookup. In this secondary
lookup, the Router pairs the local part of the address with the domain
suffix of the primary Internet domain specified in the Global domain
document.
For example, a server receives a message for
craig_bowker@acmewest.com. The Router searches all of the Person
documents in the Domino Directory for this Internet address, but cannot
find a match. However, in the Domino Directory, there is a Global
domain document that includes the domain suffix acmewest.com as an
alternate Internet domain alias. In this same Global Domain document,
the primary Internet domain is acme.com. After the primary lookup fails,
Domino performs a secondary lookup, using the address
craig_bowker@acme.com. Domino performs secondary lookups only if
the Router is configured to perform fullname, or fullname, then local part
lookups.
In cases where the Domino Directory contains multiple Global domain documents, and a secondary lookup is required, when replacing the domain suffix in the original address with the domain suffix of the primary Internet domain, the Router only considers Global domain documents that list the alternate Internet domain alias. That is, Domino always replaces the domain suffix from within a given document; it never replaces an alternate domain listed in one document with a primary domain from another document.
To prevent the Router from using domain aliases when looking up addresses, do not include alternate Internet domain aliases in a Global domain document. Instead, create multiple Global Domain documents, each specifying a different primary Internet domain.

Controlling outbound address construction with multiple Global domain documents
When the Domino Directory contains a single Global Domain document, the address construction rules in that document determine how a server forms the sender's address in an outbound SMTP message. However, if the Domino Directory contains multiple Global Domain documents, when constructing the sender's address, Domino uses the Internet domain specified in the Server document and the address construction rules defined in the Global Domain document listed last, alphabetically, in the directory. If you want Domino to form the sender's outbound address from the primary Internet domain and the address construction rules contained in a particular Global domain document, designate that document as the default Global Domain document.
Designating a default Global domain document
When there are multiple Global Domain documents in the Domino Directory, designate one as the default so that when a server constructs a sender's outbound Internet address, the address created is based on the primary Internet domain and address construction rules specified in the designated document.
1. From the Domino Administrator, click the Configuration tab and then expand the Messaging section.
2. Choose Domains, and click Global Domain.
3. Select the Global Domain document you want to designate as the default and click Edit Domain.
4. On the Basics tab, complete the following field, and then click Save & Close:
   Use as default Global Domain (for use with all Internet protocols except HTTP): Select Yes to designate this Global Domain document as the default Global domain for this Domino Directory.
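The recipient lookup behaviour described in this chapter (the Address lookup modes from the Router/SMTP - Basics tab, the secondary lookup through an alias, and the rule that a suffix is only ever replaced with the primary domain of the same Global Domain document) together with the choice of which document's construction rules apply to outbound sender addresses, as an added example that is not Lotus code. Directory entries and documents are constructed; sorting documents by their Global domain name is an assumption about what "listed last, alphabetically" means.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GlobalDomainDocument:
    name: str                                    # Global domain name
    primary_domain: str                          # Local primary Internet domain
    aliases: list = field(default_factory=list)  # Alternate Internet domain aliases
    is_default: bool = False                     # "Use as default Global Domain"


@dataclass
class PersonDoc:
    full_name: str                 # common name as listed in the $Users view
    short_name: str = ""
    internet_address: str = ""     # the Internet address field; may be blank


def _alias_matches(alias: str, domain: str) -> bool:
    alias, domain = alias.lower(), domain.lower()
    return domain.endswith(alias[1:]) if alias.startswith("*.") else alias == domain


def _by_full_address(directory: list, address: str) -> list:
    return [p for p in directory if p.internet_address.lower() == address.lower()]


def _by_local_part(directory: list, local_part: str) -> list:
    # Local part matching: periods and underscores in the address stand for spaces.
    key = re.sub(r"[._]", " ", local_part).strip().lower()
    if not key:
        return []
    return [p for p in directory if key in (p.full_name.lower(), p.short_name.lower())]


def lookup_recipient(address: str, directory: list, docs: list,
                     mode: str = "fullname_then_local") -> Optional[PersonDoc]:
    """Find the Person document for an inbound recipient under one Address lookup mode:
    "fullname_only", "local_part_only" or "fullname_then_local" (the default)."""
    if mode not in ("fullname_only", "local_part_only", "fullname_then_local"):
        raise ValueError(f"unknown Address lookup mode: {mode}")
    local_part, _, domain = address.rpartition("@")
    if mode != "local_part_only":
        hits = _by_full_address(directory, address)
        if not hits:
            # Secondary lookup: an alias suffix is swapped for the primary domain of the
            # document that lists it; another document's primary domain is never used.
            for doc in docs:
                if any(_alias_matches(a, domain) for a in doc.aliases):
                    hits = _by_full_address(directory, f"{local_part}@{doc.primary_domain}")
                    if hits:
                        break
        if hits:
            return hits[0]
        if mode == "fullname_only":
            return None
    hits = _by_local_part(directory, local_part)
    return hits[0] if hits else None


def outbound_rules_document(docs: list) -> Optional[GlobalDomainDocument]:
    """Which document's address construction rules a server applies to the sender's
    address: the designated default if there is one, otherwise the document listed last
    alphabetically (assumed here to mean sorted by Global domain name)."""
    if not docs:
        return None
    defaults = [d for d in docs if d.is_default]
    if defaults:
        return defaults[0]
    return sorted(docs, key=lambda d: d.name.lower())[-1]


def sample_directory() -> list:
    """Constructed Person documents (not real directory data)."""
    return [PersonDoc("Genevieve Martin", "gmartin", "Genevieve_Martin@acme.com"),
            PersonDoc("Craig Bowker", "cbowker", "craig_bowker@acme.com")]


def sample_documents(acme_is_default: bool = False) -> list:
    """Constructed Global Domain documents (not real configuration)."""
    return [GlobalDomainDocument("Acme", "acme.com", ["acmewest.com"], acme_is_default),
            GlobalDomainDocument("Other", "other.com", ["*.other.com"])]


if __name__ == "__main__":
    directory, docs = sample_directory(), sample_documents()
    for addr, mode in [("craig_bowker@acmewest.com", "fullname_only"),
                       ("craig_bowker@sales.other.com", "fullname_only"),
                       ("genevieve.martin@acme.com", "fullname_then_local"),
                       ("genevieve.martin@acme.com", "fullname_only"),
                       ("gmartin@anything.example", "local_part_only")]:
        hit = lookup_recipient(addr, directory, docs, mode)
        print(f"{addr:30} {mode:20} -> {hit.full_name if hit else 'no match'}")
    print("outbound construction rules come from:", outbound_rules_document(docs).name)
```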

Configuring Domino to send mail to a relay host or firewall
A relay host can be a server within your organization or an Internet Service Provider (ISP) that routes messages addressed to destinations outside the local Internet domain. Often the same server acts as a firewall through which your organization funnels all messages outbound to the Internet. It can be a Domino server or another type of server, for example, a UNIX sendmail server.
To configure internal SMTP servers to send mail to a relay host, you specify the IP address or host name of the relay host in the Configuration Settings document. If connections from the internal mail server to an ISP mail server pass through a firewall, specify the intern interface of the firewall in this field, and configure the firewall to forward traffic received on port 25 to the ISP mail server.
Servers that do not route mail over SMTP require special configuration to
transfer messages to a relay host or firewall. For more information, see
the topic Transferring outbound Internet mail to an SMTP server over
Notes routing earlier in this chapter.
For information about restricting relay access through an Internet
domain, see the chapter Customizing the Domino Mail System.
Configuring multiple relay hosts
To enable greater control over outbound message routing, you can
configure multiple relay hosts. Using multiple relay hosts enables Domino
to route mail addressed to certain Internet domains to certain relay hosts,
without first performing a DNS lookup. For example, you can split
external SMTP mail routing so that Domino routes all outbound Internet
mail along one path, except mail addressed to a specific domain, such as
*.acmepartner.com, which it sends through a specific SMTP server.
To configure multiple relay hosts, create a Foreign SMTP Domain
document for each set of destinations, and then create SMTP connection
documents to match these foreign SMTP domain documents. For
example, using the previous example, you would create one Foreign
SMTP Domain document for *.* and another for *acmepartner.com.
Foreign SMTP Domain documents are used by servers that route mail
over SMTP as well as those using NRPC. For servers that use SMTP
routing, Foreign SMTP Domain documents indicate the destinations that
need relay hosts and the relay hosts to use in each case.
For more information on creating Foreign SMTP Domain documents, see
the topic Transferring outbound Internet mail to an SMTP server over
Notes routing earlier in this chapter.

To set up a relay host
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and then expand the Messaging section.
3. Choose Configurations.
4. Select the Configuration Settings document and then click Edit Configuration.
5. Click the Router/SMTP - Basics tab.
6. Complete this field, and then click Save & Close:
   Relay host for messages leaving the local Internet domain: The host name, domain name, or IP address of the server being used as a relay host. A domain name is a valid entry only if the internal DNS contains an MX record for that domain and can resolve it to a host name. When entering an IP address, enclose it within square brackets; for example, [127.0.0.1].
7. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.
8. After you set up a relay host, you can set up restrictions based on where the message originated or the message destination.

Routing mail over transient connections
Sites that do not have permanent connections to the Internet, or to other servers on the Domino network, can send and receive messages over a transient connection, such as a dialup connection.
For example, an organization that does not have a constant connection to the Internet might use a remote mail server at its ISP to hold mail until a local mail server calls in to the ISP server to retrieve, or pull, pending messages from the ISP server. If the ISP mail server supports the SMTP ETRN command, you can configure the Domino server to pull mail over SMTP. A local Domino server can also use Notes routing protocols to pull messages from a remote Domino server over a Notes Direct Dialup connection.

Setting up Domino to pull mail from a remote server
By default, when a local server initiates a connection to a remote server, it uses the connection to push messages to the remote server. The local server does not pull pending messages from the remote server. Instead, the local server only receives mail from the remote server when the remote server initiates a connection to route those pending messages.
To change this default behavior and have the local server retrieve
messages from a remote server during the same session in which it sends
messages to the remote server, set up the local server to send a pull
request to the remote server.
When the local server is configured to send a pull request, it sends a
message to the remote server requesting that the server deliver any
messages it has pending for the local server. The remote server receiving
the pull request can be any SMTP host; it does not have to be a Domino
server. When the remote server receives the pull request, it checks its
mail queues for any messages pending for the initiating server and starts
the processing necessary to transfer those messages.
If you are using SMTP routing, you must make sure that the ETRN protocol
extension has been enabled on the other server (the one receiving the
pull request), or it will not be able to receive the pull request. Also, the
remote server must be able to resolve the DNS host name of the initiating
server to an IP address to ensure that the messages can be sent.
Generally, ETRN requires that the initiating server has a static IP
address, which is available in DNS to the server holding the pending
messages.
Note Some ISPs use DHCP to assign a host a new IP address whenever
it connects. If the remote system assigns a new IP address every time you
connect, do not configure dialup systems to use pull routing.
When configuring dialup routing, you can indicate how long the
initiating server keeps the line open to allow the remote server to
establish a connection. This is useful to prevent the initiating server from
hanging up the line before the remote server is able to attempt to transfer
any pending mail. The initiating server sends a pull request, then pushes
any messages it has for the remote server, and then waits for any
messages pending from the remote server.
When sending a pull request, the initiating server can also request
messages for other servers, domains, hosts, or any queue name within
your organization for which the initiating server is responsible.
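Before configuring pull routing, an administrator wants to know whether the remote server actually advertises ETRN; the chapter's own method is to connect to port 25 and type EHLO. The following added example (not Lotus code) parses an EHLO reply the way RFC 1869 defines it (250- continuation lines, 250 followed by a space on the last line), reports whether ETRN is advertised, and includes a live check built on Python's smtplib. The sample replies and host names are constructed, not captured from any real server.

```python
import smtplib
from typing import Dict, Optional


def parse_ehlo_reply(reply: str) -> Dict[str, str]:
    """Parse the text of an EHLO reply into {EXTENSION_KEYWORD: parameters}.

    An EHLO reply is a 250 multi-line response: "250-" marks continuation lines and
    "250 " (space) the final line. The first line carries the server's name; each later
    line carries one extension keyword. Any other reply code means EHLO was refused,
    so nothing is advertised.
    """
    lines = [ln.rstrip("\r") for ln in reply.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        return {}
    features: Dict[str, str] = {}
    for line in lines[1:]:
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            return {}                            # malformed multi-line reply
        keyword, _, params = line[4:].strip().partition(" ")
        if keyword:
            features[keyword.upper()] = params.strip()
        if line[3] == " ":
            break                                # final line of the reply
    return features


def advertises_etrn(reply: str) -> bool:
    """True when the EHLO reply lists ETRN, the extension a pull request relies on."""
    return "ETRN" in parse_ehlo_reply(reply)


def check_remote_server(host: str, port: int = 25, timeout: float = 10.0) -> Optional[bool]:
    """Live check against a real host (not exercised offline): smtplib sends EHLO and
    records the advertised extensions. None means the connection or EHLO failed."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as conn:
            code, _ = conn.ehlo()
            if code != 250:
                return None
            return conn.has_extn("etrn")
    except (OSError, smtplib.SMTPException):
        return None


# Constructed replies for illustration, not captured from any real server.
SAMPLE_REPLY_WITH_ETRN = (
    "250-mail.isp.example Hello dialup.acme.example\r\n"
    "250-SIZE 20971520\r\n"
    "250-ETRN\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)
SAMPLE_REPLY_WITHOUT_ETRN = (
    "250-mail.isp.example Hello dialup.acme.example\r\n"
    "250-SIZE 20971520\r\n"
    "250 8BITMIME\r\n"
)
SAMPLE_REPLY_EHLO_REFUSED = "502 Command not implemented\r\n"

if __name__ == "__main__":
    for name, reply in [("with ETRN", SAMPLE_REPLY_WITH_ETRN),
                        ("without ETRN", SAMPLE_REPLY_WITHOUT_ETRN),
                        ("EHLO refused", SAMPLE_REPLY_EHLO_REFUSED)]:
        exts = sorted(parse_ehlo_reply(reply))
        print(f"{name:13} extensions={exts} etrn={advertises_etrn(reply)}")
```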


ETRN stands for Extended Turn and is an SMTP service extension


command, defined in RFC 1985. that provides improved security over
the SMTP TURN command, originally defined in RFC 821. The TURN
command allows hosts involved in a SMTP session to reverse their
respective roles, so that, for example, if Server1 is sending an SMTP
message to Server2, Server1 can issue the TURN command so that
Server2 then becomes the sender and Server1, the receiver.
However, because the TURN command has no mechanism for verifying
the identity of the calling host, use of the command poses a security risk.
A malicious user who spoofs the identify of a server can falsely appear to
belong to a someone elses Internet domain and then use the TURN
command to retrieve messages intended for that domain.
The ETRN command plugs this security hole by redefining the sending
and receiving roles during the course of the SMTP session. For example,
after Server1 issues the ETRN command to Server2, ETRN instructs
Server2 to open a new SMTP session with Server1. Because Server2 has
to resolve the name of Server1 to an IP number in the DNS, Server2 is
more likely to open a new SMTP session with the correct machine.
For Domino to use ETRN to retrieve new mail over a dialup connection,
your ISP must support this command. Check with your ISP to verify
whether they support this command or not. You can also verify support
for the command by establishing a telnet connection to port 25 of the
ISPs SMTP server. After the SMTP session starts, type EHLO and press
Enter. The response from the ISPs SMTP server indicates whether the
server supports ETRN.
For more information about Notes Direct Dialup Connections and
Network Dialup Connections, see the chapter Setting Up
Server-to-Server Connections.
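The EHLO check described above, automated in Python as an added example (not from the Domino documentation): it opens the port 25 session, sends EHLO, and parses the multi-line 250 reply for the ETRN keyword. The HELO name and the sample reply are constructed placeholders.

```python
"""Check whether an SMTP host advertises ETRN (RFC 1985) in its EHLO reply.

Added example for this chapter, not part of the Domino documentation.
It automates the manual check described above: connect to port 25, send
EHLO, and look for the ETRN keyword in the 250 reply. The host name and
HELO name used below are placeholders.
"""
from __future__ import annotations

import socket


def read_reply(stream) -> bytes:
    """Read one complete SMTP reply from a binary file-like object.

    Multi-line replies use '250-' on continuation lines and '250 ' (a space
    after the code) on the final line, so read until that final line.
    """
    lines = []
    while True:
        line = stream.readline()
        if not line:
            raise ConnectionError("connection closed before reply completed")
        lines.append(line)
        if len(line) >= 4 and line[3:4] == b" ":
            return b"".join(lines)


def parse_ehlo_reply(reply: bytes) -> dict[str, str]:
    """Map advertised extension keywords to their parameters.

    Returns an empty dict when the reply is not a 250 success, for example a
    '500 command not recognized' from a server that does not speak ESMTP.
    The first 250 line carries the server's domain, not an extension.
    """
    lines = reply.decode("ascii", errors="replace").splitlines()
    if not lines or not lines[0].startswith("250"):
        return {}
    extensions: dict[str, str] = {}
    for line in lines[1:]:
        body = line[4:].strip()          # drop the '250-' / '250 ' prefix
        if body:
            keyword, _, params = body.partition(" ")
            extensions[keyword.upper()] = params.strip()
    return extensions


def supports_etrn(host: str, port: int = 25, helo_name: str = "client.example",
                  timeout: float = 15.0) -> bool:
    """Connect, send EHLO, and report whether the server offers ETRN."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        greeting = read_reply(stream)
        if not greeting.startswith(b"220"):
            return False                  # service not ready
        sock.sendall(b"EHLO " + helo_name.encode("ascii") + b"\r\n")
        reply = read_reply(stream)
        sock.sendall(b"QUIT\r\n")         # close the session cleanly
        return "ETRN" in parse_ehlo_reply(reply)


# Constructed sample EHLO reply (not captured from any real ISP server).
SAMPLE_EHLO_REPLY = (
    b"250-mail.isp.example Hello client.example\r\n"
    b"250-SIZE 10240000\r\n"
    b"250-ETRN\r\n"
    b"250-8BITMIME\r\n"
    b"250 HELP\r\n"
)

if __name__ == "__main__":
    print(parse_ehlo_reply(SAMPLE_EHLO_REPLY))
    # Live check against the ISP host named in your Connection document:
    # print(supports_etrn("internet.isp.com"))
```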
To set up a server to route mail over a transient connection
1. For SMTP routing, on the Router/SMTP - Basics tab of the Configuration Settings document for the sending server, enable SMTP for messages sent outside the local Internet domain.
For information on how to enable SMTP for outbound Internet mail, see the topic Setting up SMTP routing to external Internet domains earlier in this chapter.
2. From the Domino Administrator, click the Configuration tab and then expand the Messaging section.
3. Click Connections.
4. Click Add Connection.
5. On the Basics tab, complete these fields:

Connection type: Choose one:
  Network Dialup: Choose this option for servers that will route mail over SMTP using this dialup connection. You can also use this option for NRPC routing.
  Notes Direct Dialup: Choose this option only for servers that will use this connection to route mail over NRPC to another Domino server.
Source server: The Notes hierarchical name of the local Domino server initiating the routing request, for example, SMTP/East/Acme.
Source domain: The Domino domain of the source server, for example, AcmeEast.
Use the LAN port(s): For Network Dialup connections, enter the port name for the Domino TCP/IP port on the local server.
Use the port(s): For Notes Direct Dialup connections, the name of the communications port that the source server uses.
Destination server: The name of the Domino server or SMTP server to which you want to route mail. For SMTP routing connections to an ISP server, enter the host name of the ISP server, for example, internet.isp.com. Depending on the requirements of your ISP, the specified host can be used for outbound mail, inbound mail (using ETRN), or both. If the host is used for outbound mail, enter the same host name on the Router/SMTP - Basics tab of the Configuration Settings document, in the field Relay host for messages leaving the local Internet domain.
Destination domain: For routing to Domino servers over Notes routing, enter the Domino domain of the destination server. Leave this field blank when configuring SMTP routing to an ISP server.
Routing task: Select Mail routing.
Router type: Choose one:
  Push/Wait: Select this option when the destination server is used for outbound mail only and initiates the connection to the source server. After the source server establishes the dialup connection, it waits to receive a connection from the destination server. When the destination server connects and issues a pull request, the source server then pushes any messages pending for the remote server.
  Push Only (default): Select this option if the destination server is used for outbound mail only. The source server calls the destination server and sends messages queued for that destination. You'll need to create a separate Connection document to the server used for inbound mail.
  Pull/Push: Select this option if the ISP host to which the source server connects is used for both inbound and outbound routing. The source server calls the destination server, pushes (sends) any pending messages for that destination, and then pulls messages from the destination server (actually, the calling server issues a request to the other server to push messages back to it). The destination server pushes any pending messages back to the source server. If you select this option, you must specify whether the source server issues the pull request using Notes routing or SMTP.
  Pull Only: Select this option if the destination server is used for inbound mail only. The source server calls the destination server and issues a pull request (a request for the other server to push back messages). The destination server pushes any pending messages to the source server. You'll need to create a separate Connection document to the server used for outbound mail.

6. On the Routing and Replication tab, complete these fields, and then click Save & Close:

Pull routing request protocol: Choose one:
  Notes RPC: The server makes the pull request using Notes Remote Procedure Calls.
  SMTP: The server makes the pull request using SMTP. Select this option for SMTP connections that support ETRN.
  When the destination server is a Domino server, the protocol specified in this field applies only when the Router type is set to Pull Only. By contrast, if the Router type is set to Pull/Push, the sending server always uses the same protocol to issue the pull request that it used to transfer messages to the destination server.
Request the following when issuing a pull request: Specifies the servers, hosts, or domains on whose behalf the source server issues a pull request. As a result of the request, the remote server sends all messages it is holding for the specified entities. Choose one or more of the following:
  Source server name (both Notes and Host) (default): The source server requests that the remote server transfer any messages addressed to recipients on the source server. The source server receives messages for addresses that specify either the Domino server name or the DNS host name (for example, CN=Server/Org=ACME or server1.acme.com).
  All local primary Internet domains listed in Global Domain(s) (default): The source server requests that the destination server transfer all messages it is holding for recipients with addresses in the primary Internet domain named in the source server's Global Domain document (for example, acme.com).
  All alternate Internet domain aliases listed in Global Domain(s): The source server requests that the destination server transfer all messages it is holding for recipients with addresses in any of the Internet domain names listed in the source server's Global Domain document (for example, acme.com, sales.acme.com, acme-alias.com).
  The following servers/domains/hosts: The source server requests that the destination server transfer all messages it is holding for recipients in the specified Domino servers, Internet domains, or DNS host names. If you select this option, list the specific servers, domains, or hosts on whose behalf the pull request is made. Use this option if the remote server requires the calling server to use a specific syntax or name when sending the ETRN pull request to initiate message transfer.
Pull router timeout: The number of seconds that the calling server waits for the answering server to respond to a pull request before disconnecting. The default is 30 seconds.

7. For outbound SMTP connections, configure other servers on the local network to use the dialup system as a relay.
8. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.

Updating the SMTP configuration

The SMTP service controls the SMTP listener on the Domino server. By default, whenever you restart the SMTP service, and at two-minute intervals thereafter, the SMTP service automatically checks the NOTES.INI file, Configuration Settings document, and Server document to see if any settings have changed. If the service detects that settings have changed, it rebuilds its internal configuration to incorporate the changes.

You can use a server console command to manually trigger such a service update. Using the console command allows you to put changes to the SMTP configuration into effect immediately without disrupting normal service operation.

To update the SMTP service configuration
1. Modify settings in the NOTES.INI file, Configuration Settings document, or Server document.
2. At the server console, enter:
Tell smtp update config
If the server's logging level is set to Informational or Verbose, the server console displays messages to indicate when the update begins and completes.

Chapter 28
Customizing the Domino Mail System
This chapter explains how to customize messaging for your Domino
system after you set up mail routing.

Customizing mail
After you set up basic mail routing, you can customize the Domino
messaging system to improve performance and meet the specific needs
of your organization. For example, you can set inbound messaging
restrictions to prevent unwanted commercial e-mail (UCE) from entering
your system; implement restrictions on message size to conserve network
bandwidth; enforce database quotas to ensure that users promptly delete
old messages; set system mail rules to automatically process messages
that meet certain criteria; and enforce security policies by encrypting
messages delivered to user mail files and restricting message transfer to
the Internet.
Before you customize your messaging system, you must:
1. Make sure that your mail system is properly set up.
2. Evaluate your customizing options and decide which you want to
implement.

Controlling messaging
After you set up basic mail routing, use Domino's administrative controls
to customize the messaging system to your environment. Using the
Domino Administrator and other tools you can change settings that
affect routing performance, protect the system from unauthorized use,
schedule message transfer, and ensure efficient use of network
bandwidth and storage space.
Some of the settings you change apply to all of the messages that the
server processes, regardless of whether a message is sent or received
using Notes routing or SMTP routing; other settings are specific to a
particular routing protocol.

These topics provide additional information on customizing the Domino system:
  Improving mail performance
  Customizing message transfer
  Customizing Notes routing
  Customizing SMTP routing
  Setting server mail rules
  Configuring message delivery options
  Using mail journaling

As you customize your messaging system, you may need to troubleshoot problems that occur. To assist in troubleshooting, Domino lets you:
  Change the log level to record additional messaging information
  Temporarily disable mail routing

Requirements for a working mail system

For the Domino mail system to work properly you must first complete the following tasks:
  Install a Domino server that runs without errors.
  Load the Router task and verify that it runs properly.
  Create a mail file and Person document for every user in the Domino mail system.
  Set up Notes routing or SMTP mail routing.

For more detailed information on setting up mail routing, see the chapter Setting Up Mail Routing.

Improving mail performance

Domino includes features that improve efficiency in specific environments, but these features may not be switched on by default. See the following topics for information about how you can improve the efficiency of the Domino mail system:
  Creating multiple MAIL.BOX databases
  Disabling type-ahead addressing

Creating multiple MAIL.BOX databases

Domino mail servers use a MAIL.BOX database to hold messages that are in transit. Mail clients and other servers use SMTP or Notes routing protocols to deposit messages into MAIL.BOX. The Router on each server checks the address of each message in MAIL.BOX and either delivers the message to a local mail file or transfers it to the MAIL.BOX database on another server.

Server processes, including server threads and the Router, that write to MAIL.BOX require exclusive access to it. To ensure exclusive access, processes that write to or read from MAIL.BOX lock the database to prevent simultaneous access by other processes. Other processes trying to access the database must wait until the currently active process completes and unlocks the database before they can complete.

In most cases, a mail process locks MAIL.BOX for only an instant. However, longer wait times occur when the Router or another process reads or writes a large message. When there is a large amount of new mail (for example, on a busy system with heavy mail traffic), several server threads may try to deposit mail into MAIL.BOX while the Router attempts to read and update mail. Under heavy loads, such contention for a single MAIL.BOX database degrades performance.

On servers that run Domino Release 5 and higher, you can improve performance significantly by creating multiple MAIL.BOX databases on a server. Using multiple MAIL.BOX databases removes contention for MAIL.BOX, allows multiple concurrent processes to act on messages, and increases server throughput. While reading one MAIL.BOX, the Router marks the database in use so that other server threads trying to deposit mail move to the next MAIL.BOX. As a further benefit, having multiple MAIL.BOX databases provides failover in the event that one MAIL.BOX becomes corrupted.

When creating additional MAIL.BOX databases, consider placing each one on a separate disk. Because disk contention is rarely an issue for MAIL.BOX, placing each additional MAIL.BOX database on a different disk will not improve performance per se. However, distributing the databases across multiple disks does ensure greater availability in the event of a disk failure.

Creating a second MAIL.BOX database offers a large performance improvement over using a single MAIL.BOX. Depending on server mail traffic, adding a third and fourth MAIL.BOX database may further improve performance. However, the improvement gained with each additional MAIL.BOX is increasingly smaller.

You specify the number of MAIL.BOX databases on the Router/SMTP - Basics tab of the Configuration Settings document. Changes to the mailbox count take effect only after the next server restart.
After you configure a second MAIL.BOX database, you can use mail statistics to determine whether additional MAIL.BOX databases are needed.
For more information, see the topic Determining how many MAIL.BOX databases to place on a server later in this chapter.

To create multiple MAIL.BOX databases
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab, and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Basics tab.
6. Complete this field and then click Save & Close:
Number of mailboxes: Indicates the number of mailboxes (MAIL.BOX databases) on servers that use this Configuration Settings document. If this field is blank, one mailbox is used. Configure a maximum of ten mailboxes.
7. Restart the server to put the new setting into effect.


Determining how many MAIL.BOX databases to place on a server
When a server sends and receives mail, server processes, such as the Router, access the server's MAIL.BOX database, writing messages to it and reading messages from it. Because only one process at a time can access MAIL.BOX, when mail traffic is heavy, access conflicts occur as multiple processes try to access the database simultaneously.
For servers that support a small number of users, access conflicts are rare, and the default of a single MAIL.BOX usually provides an acceptable level of service. However, on servers that support a higher number of users, creating an additional MAIL.BOX database can eliminate most access conflicts.
Especially busy servers may benefit from more than two MAIL.BOX databases. Use mailbox statistics to determine whether additional MAIL.BOX databases are indicated. As seen in the following table, separate statistics provide information on the number of access conflicts and the number of total mailbox accesses.

Mail.Mailbox.Accesses: Total number of times that threads accessed any mailbox on the server.
Mail.Mailbox.AccessConflicts: The number of times that a thread attempting to access a mailbox had to wait because the number of concurrent threads exceeded the number of mailboxes configured. For example, if there are three mailboxes configured and there are four concurrent accesses, the conflict count is incremented. If the number of access conflicts consistently exceeds two percent of the value of Mail.Mailbox.Accesses, consider creating an additional mailbox.
Mail.Mailbox.CurrentAccesses: The total number of current accesses (for example, a count of 2 indicates that two threads are accessing a mailbox at this time).
Mail.Mailbox.AccessWarnings: The number of times that the number of threads accessing the mailbox (that is, the value of Mail.Mailbox.CurrentAccesses) reached one less than the number of configured mailboxes. For example, the warning count is incremented when two threads attempt to access MAIL.BOX concurrently and there are three mailboxes configured. If the number of warnings consistently exceeds ten percent of the value of Mail.Mailbox.Accesses, consider creating an additional mailbox.
Mail.Mailbox.MaxConcurrentAccesses: The highest number of current accesses recorded.

By calculating the number of access conflicts as a percentage of total accesses, you can determine whether a server will benefit from the addition of another MAIL.BOX. In general, the number of access conflicts should be no more than two percent of the total number of accesses. However, because some access conflicts may result from unusually high peak loads, there's no need to eliminate all access conflicts. Only when the percentage of access conflicts remains consistently greater than 2 percent is an additional MAIL.BOX database warranted.
Note Mailbox statistics are available only on servers where two or more MAIL.BOX databases are configured. You must restart the server to put into effect any changes to the number of mailboxes.
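The two-percent and ten-percent rules from the table, applied to a series of statistic snapshots in Python as an added example (not Domino code): the "Name = Value" line layout and the snapshot values are constructed assumptions, and "consistently" is interpreted as every sample exceeding the limit.

```python
"""Mailbox contention check from Domino Mail.Mailbox.* statistics.

Added example for this chapter; it is not part of the Domino
documentation or product. It applies the rules stated above: add a
MAIL.BOX when access conflicts stay above 2% of total accesses, or
access warnings stay above 10%, across a series of samples; statistics
exist only with two or more mailboxes, and the count is capped at ten.
"""
from __future__ import annotations

import re

CONFLICT_LIMIT_PCT = 2.0    # AccessConflicts / Accesses, from the table above
WARNING_LIMIT_PCT = 10.0    # AccessWarnings / Accesses, from the table above
MAX_MAILBOXES = 10          # "Configure a maximum of ten mailboxes"

# Assumed "Name = Value" layout for statistics pasted from the console;
# adjust the pattern if your console output differs.
STAT_LINE = re.compile(r"^\s*(Mail\.Mailbox\.\w+)\s*=\s*(\d+)\s*$")


def parse_mailbox_stats(text: str) -> dict[str, int]:
    """Return {statistic name: integer value} for the Mail.Mailbox.* lines."""
    stats: dict[str, int] = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def contention_pct(stats: dict[str, int]) -> tuple[float, float]:
    """(conflict %, warning %) relative to total accesses; (0, 0) if none."""
    accesses = stats.get("Mail.Mailbox.Accesses", 0)
    if accesses == 0:
        return 0.0, 0.0
    conflicts = stats.get("Mail.Mailbox.AccessConflicts", 0)
    warnings = stats.get("Mail.Mailbox.AccessWarnings", 0)
    return 100.0 * conflicts / accesses, 100.0 * warnings / accesses


def recommend_mailboxes(samples: list[dict[str, int]],
                        configured: int) -> tuple[int, str]:
    """Suggest a mailbox count from a series of statistic snapshots.

    "Consistently" is taken to mean every snapshot exceeds the limit, so
    a single peak-load sample does not by itself justify another MAIL.BOX.
    """
    if configured < 2:
        return 2, "mailbox statistics exist only with two or more mailboxes"
    if not samples:
        return configured, "no samples"
    conflicts_high = all(contention_pct(s)[0] > CONFLICT_LIMIT_PCT for s in samples)
    warnings_high = all(contention_pct(s)[1] > WARNING_LIMIT_PCT for s in samples)
    if not (conflicts_high or warnings_high):
        return configured, "contention within limits"
    if configured >= MAX_MAILBOXES:
        return configured, "contention high, but already at the maximum of ten"
    reason = "access conflicts above 2%" if conflicts_high else "access warnings above 10%"
    return configured + 1, reason


# Constructed snapshots for a server configured with three mailboxes,
# as if taken at intervals during the working day (not real server output).
SAMPLE_SNAPSHOTS = [
    "Mail.Mailbox.Accesses = 120000\n"
    "Mail.Mailbox.AccessConflicts = 3900\n"
    "Mail.Mailbox.AccessWarnings = 9000\n"
    "Mail.Mailbox.CurrentAccesses = 1\n"
    "Mail.Mailbox.MaxConcurrentAccesses = 4\n",
    "Mail.Mailbox.Accesses = 150000\n"
    "Mail.Mailbox.AccessConflicts = 4200\n"
    "Mail.Mailbox.AccessWarnings = 12000\n"
    "Mail.Mailbox.CurrentAccesses = 2\n"
    "Mail.Mailbox.MaxConcurrentAccesses = 5\n",
]

if __name__ == "__main__":
    snapshots = [parse_mailbox_stats(s) for s in SAMPLE_SNAPSHOTS]
    for s in snapshots:
        conflicts, warnings = contention_pct(s)
        print(f"conflicts {conflicts:.2f}%  warnings {warnings:.2f}%")
    print(recommend_mailboxes(snapshots, configured=3))
```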

Disabling type-ahead addressing

Type-ahead addressing displays names that match the letters a user types in the To, cc, and bcc fields in a mail message. For example, if a user types Jane D in the To field of a mail memo and Domino finds a Person document for Jane Doe/Acme in the Domino Directory, Domino automatically completes the rest of the recipient's address. The user can change or retype the address as needed.
To save bandwidth and improve server performance, you can disable type-ahead addressing. If you disable type-ahead addressing on a mail server, users can still use type-ahead addressing to find addresses in their Personal Address Book or mobile Directory Catalog.
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers to administer, and click Edit Configuration.
5. On the Basics tab, complete this field, and then click Save & Close:
Type-ahead: Choose one:
  Enabled (default): The server checks the Domino Directory for an address that matches what a user enters in the To, cc, or bcc field of a message.
  Disabled: The server does not try to match addresses. Matches occur only in the user's Personal Address Book or local Directory Catalog.
6. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.


Changing the logging level for mail

By default, when the Router is unable to deliver a mail message, Domino records information in the server log file (LOG.NSF). When you troubleshoot messaging, you may want to record additional information in the log file.
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Advanced - Controls tab.
6. Complete this field in the Miscellaneous Controls section, and then click Save & Close:
Logging level: Choose one:
  Minimal: Domino logs all mandatory status messages and fatal error messages.
  Normal (default): Domino logs all minimal events, plus warning messages indicating conditions that do not cause processing to stop.
  Informational: Domino logs all minimal and normal events, plus informational messages involving intermediate storage, MAIL.BOX access, message handling, message conversion, and transport status.
  Verbose: Domino logs all minimal, normal, and informational events, plus additional messages that may help you troubleshoot system problems.
  To prevent the log file from becoming excessively large, use Verbose logging only when troubleshooting specific problems.
7. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.

Controlling message delivery


Message delivery occurs when the Router deposits a message in the
recipient's mail file. You can control how the Router behaves when
delivering messages to mail files on the Domino server. For example, you
can specify whether messages are always encrypted, how many server
threads the Router can use to deliver messages, and what the Router
does with messages sent to users whose mail files are larger than the
allowed size.
You set delivery controls in the Configuration document on the
Router/SMTP - Restrictions and Controls - Delivery Controls tab. You
can also set quota controls to help control the size of user mail files.

Setting delivery controls


You can customize message delivery on Domino, including how many
threads are used to deliver messages, whether the messages must be
encrypted, how long the server waits for a pre-delivery agent to run, and
whether the Router supports the forwarding action in Notes client mail
rules.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Delivery
Controls tab.

6. Complete these fields in the Delivery Controls section, and then click Save & Close:

Maximum delivery threads: The maximum number of server threads Domino can create to deliver mail from MAIL.BOX to local mail files. The Router automatically sets the default maximum number of delivery threads based on server memory. Letting the Router select the maximum number is usually best. To set the maximum number manually, enter a maximum between 1 and 25, based on the server load.
Encrypt all delivered mail: Choose one:
  Enabled: When delivering messages to local mail files, Domino encrypts the messages, regardless of whether the sender encrypted the message or the recipient's mail file encrypts messages.
  Disabled (default): Domino encrypts messages only if the recipient's mail file is set to encrypt received messages.
  When encryption is enabled and an external user requests a return receipt for a message sent to a user whose mail file is on the server, the return receipt message that Domino generates contains a blank message body.
Pre-delivery agents: Users who create LotusScript or Java agents for their mail files can set the agent to run before new mail arrives. When delivering a new message, if the Router detects such a pre-delivery agent, it runs the agent against the message before the message ever appears in the recipient's Inbox. Use this field to specify whether the server permits the use of pre-delivery agents. Choose one:
  Enabled (default): Allows the Router to run agents that process mail before delivering it to user mail files on the server.
  Disabled: Prevents the Router from running pre-delivery agents.
Pre-delivery agent timeout: The maximum time (in seconds) that a pre-delivery agent, such as a mail filter, can run before the Router interrupts it. Because the Router waits for pre-delivery agents to complete, failure to restrict agents can slow routing performance on the server. The default time-out is 30 seconds.
User rules mail forwarding: Notes users can create mail file rules that automatically process new mail. User mail rules specify an action to take when a newly delivered message meets certain conditions. Use this field to specify whether the Router on this server supports the rule action to send copies of selected messages automatically to other recipients. Choose one:
  Enabled: The Router supports the Send copy to action for Notes client mail rules, allowing users to send copies of messages automatically to other recipients.
  Disabled: Prevents Notes clients from using the Send copy to rule action.
7. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.


Using quotas to manage the size of user mail files

Users may receive and save a high volume of e-mail, including their own sent messages, in their mail files. Large mail files can overwhelm a server's disk capacity and reduce the performance of the mail client. Because you generally cannot provide users with unlimited storage space, set a size limit, or database quota, for each mail file. When delivering mail to a user's mail file, the Router checks the current size of the mail file against the specified quota.
You can configure the Router to respond in several ways when a mail file exceeds its quota, each representing a higher level of enforcement. The least restrictive response is to have the Router issue automatic notifications to users when their mail files exceed the quota. If users fail to respond to notifications, you can hold pending messages in MAIL.BOX or return messages to the senders as undeliverable until the users reduce the size of their mail files.
In addition to setting a quota, you can configure a warning threshold and use it as the basis for providing users with advance notice that their mail files have grown too large. For example, you might set a warning threshold of 25MB on a mail file that has a 30MB quota. In the Configuration Settings document, you can enable the Router to send notifications to users who exceed their warning threshold. If you enable this option, the Router delivers an Over Threshold Warning to users whose mail files exceed the warning threshold. Sending such warnings allows users to reduce the size of their mail files before they exceed the quota.

Setting mail file quotas

You can set two types of size limits on a user's mail file: an absolute quota size and a warning threshold. Set a quota if you intend to establish a policy of interrupting users' mail usage if their mail files exceed a specified size. Set a warning threshold to provide users with advance notice when their mail files approach the designated mail file quota, so they can reduce the size of their mail files before message flow is interrupted. You must set a quota before you can set a warning threshold.
Quotas and warning thresholds are associated with a particular mail file database only, not with a user ID. If a user has access to an alternate mail file, the quota set on the primary mail file has no effect on the alternate mail file.
You set quota limits and warning thresholds:
  During registration: Quotas specified during registration apply only to new users, not to existing users. For users migrated from other mail systems, the restrictions do not apply to mailbox contents brought over from the old system. In other words, a mail file limit of 5MB does not prevent you from migrating a user's 6MB mailbox from cc:Mail. However, the user will not be able to receive new mail.
  Per database: Using the Domino Administrator, you can manually specify the warning threshold and quota of one or more mail files using the same method you would use to set these limits for any Notes database.

Detecting when a mail file exceeds its quota

If quota enforcement is enabled, whenever the Router delivers mail, it compares the current size of the destination mail file against its configured database quota or threshold. If the size exceeds one of these, the Router takes appropriate action.
If a mail file uses shared mail, Domino factors in the complete size of any messages stored in shared mail databases when calculating mail file size.
When calculating mail file size, Domino does not take into account the space consumed by a file's full-text index. When setting a mail file quota, be sure to consider the additional space required for the file's full-text index. Over time, the full-text index of a typical mail database can reach a size between 5 and 15 percent of the database size.
Along with the methods the Router uses to enforce quotas, the Notes client also displays a warning to any user who has exceeded their designated warning threshold or quota whenever the user attempts to send mail.

To specify the method a server uses to calculate the size of a mail


file
1. From the Domino Administrator, click the Configuration tab, expand
the Server section, and click All Server Documents.
2. Select the Server document to edit, and then click Edit Server.
3. Click the Transactional Logging tab, and in the Quota enforcement
field, select one of these methods and then click Save & Close:
Method for enforcing quotas: Description

Check space used in file when adding a note: The Router calculates the
current size of a mail file from the amount of space that messages occupy
in the database and determines whether mail files are in compliance with
configured warning thresholds or quotas based on this calculation. White
space in the database is discounted. If the user is over quota and quota
enforcement is enabled, no new messages are delivered. If the mail file is
close to its quota, the Router continues to deliver messages only until
their cumulative size exceeds the quota; thereafter, messages are held or
rejected, depending on the enforcement setting.
When a user deletes a message, the space occupied by that message is
immediately removed from the calculated size of the mail file. There is no
need to run the Compact task to recover space. Users who cannot receive
mail because of a quota violation can reduce the current size of the mail
file immediately by archiving or deleting messages.
If transaction logging is enabled on the server, select this method of
enforcement, because it does not require administrative intervention to
compact mail files.

Check filesize when extending the file: (Default) The Router calculates
the current size of a mail file from its actual physical size. The
calculated physical size includes the unused white space in a file that
results when a user deletes or archives a message. Domino does not
immediately recover this white space. As a result, accumulated white
space may account for a large portion of the file size, so that the actual
mail file size is considerably larger than the combined size of its stored
messages.
The size check occurs only if adding a message requires an increase in the
size of the mail file. When quota enforcement is enabled and this option
is selected, if a message delivered to the mail file requires an increase
in the file size that would result in a quota violation, delivery fails.
However, a message is always delivered if there is sufficient white space
to accommodate it.
On servers that do not use transaction logging, users can run the Compact
task to remove white space and decrease the file size. However, when
transaction logging is in effect, users cannot compact their own mail
files. An administrator must run Compact with the -B option to reduce the
size of the file.

Check filesize when adding a note: The Router calculates the current size
of a mail file from its actual file size. Both the space occupied by
messages and white space in the database count toward the total size.
This option is more restrictive than the preceding option, because the
Router checks the quota every time it adds a message to the mail file,
regardless of whether this results in an increase in file size.
On servers that do not use transaction logging, when quota enforcement is
enabled, select this option to eliminate inconsistent behavior during
delivery to the mail files of users who exceed their quotas. Because the
Router always checks the current file size when delivering a message,
after a mail file reaches quota, no new messages are delivered, even if a
particular message is small enough to fit within the available white
space in the mail file.
On servers where transaction logging is enabled, selecting this option can
prevent a user from recovering from a quota violation, since compacting
the mail file does not reduce its size, preventing the user from getting
back under quota. An administrator must run Compact with the -B option to
reduce the size of the file.

How the configured size method affects over-quota enforcement


Unless you configure the Router to withhold mail from or send warnings
to users whose mail files exceed their quotas or warning thresholds, you
won't notice any differences between the various methods for calculating
file size. However, the method you select for calculating file size becomes
significant if you enable quota enforcement or warning notifications on
the server.
When servers are set to use file size to determine whether a user is over
quota, a user who is over quota might not be able to receive mail
immediately after deleting messages. This is because white space
remains in the mail file until the Compact task removes it. As a result, a
user whose mail is withheld due to a quota error typically experiences
some delay between removing messages and achieving the reduced mail
file size required to reinstate mail delivery.
On servers where quota enforcement is set to Hold mail and retry, you
choose whether the Router attempts delivery to mail files that exceed
quota.
For more information on the Hold mail and retry setting, see the topic
Withholding mail from users who exceed their quota later in this
chapter.
If database usage is enabled as the method for calculating size, message
delivery always fails after a mail file exceeds its quota. If a mail file is
close to its quota but has not yet exceeded it, the Router may succeed in
delivering smaller messages. But eventually the file will exceed its quota,
and subsequent deliveries will fail.
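The three size calculations above, and the delivery differences this section describes, as an added simulation that is not IBM's code; the MailFile class, the KB sizes and the quota values are constructed:

```python
"""Constructed simulation of the three Domino 6 quota-enforcement methods.
Added example, not IBM/Lotus code: it models only the decision each method
makes for one incoming message. Sizes are in KB; MailFile is a toy stand-in
for an NSF mail database, not the real on-disk format."""
from copy import deepcopy
from dataclasses import dataclass, field

USAGE = "Check space used in file when adding a note"
FILESIZE_EXTEND = "Check filesize when extending the file"   # Domino default
FILESIZE_ADD = "Check filesize when adding a note"
METHODS = (USAGE, FILESIZE_EXTEND, FILESIZE_ADD)


@dataclass
class MailFile:
    quota_kb: int
    messages: dict = field(default_factory=dict)  # message id -> size in KB
    white_space_kb: int = 0                       # unused space left by deletions
    transaction_logging: bool = False

    def usage_kb(self):
        """Space occupied by messages: what the usage method counts."""
        return sum(self.messages.values())

    def file_size_kb(self):
        """Physical size (messages plus white space): what the filesize methods count."""
        return self.usage_kb() + self.white_space_kb

    def growth_kb(self, size_kb):
        """How much the file must grow to hold a message; white space is used first."""
        return max(0, size_kb - self.white_space_kb)

    def delete(self, msg_id):
        # Deleting never shrinks the file by itself: the space becomes white space.
        self.white_space_kb += self.messages.pop(msg_id)

    def compact(self, by_admin=False):
        """Recover white space. With transaction logging on, only an administrator
        running 'compact -B' can do this."""
        if self.transaction_logging and not by_admin:
            return False
        self.white_space_kb = 0
        return True


def router_accepts(mf, size_kb, method):
    """The quota check the chosen method performs for one incoming message."""
    if method == USAGE:
        # White space is discounted: only message bytes count toward the quota.
        return mf.usage_kb() + size_kb <= mf.quota_kb
    projected = mf.file_size_kb() + mf.growth_kb(size_kb)
    if method == FILESIZE_EXTEND:
        # Checked only when the file must grow, so a message that fits the
        # existing white space is always delivered, even to an over-quota file.
        return mf.growth_kb(size_kb) == 0 or projected <= mf.quota_kb
    if method == FILESIZE_ADD:
        # Checked on every delivery: once the physical size has reached the
        # quota nothing more is delivered, white space or not.
        return mf.file_size_kb() < mf.quota_kb and projected <= mf.quota_kb
    raise ValueError(f"unknown method: {method}")


def deliver(mf, msg_id, size_kb, method):
    """Deliver if the method allows it; returns True when delivered."""
    if not router_accepts(mf, size_kb, method):
        return False
    mf.white_space_kb -= min(size_kb, mf.white_space_kb)  # reuse white space first
    mf.messages[msg_id] = size_kb
    return True


def over_quota_scenario():
    """Same starting file and the same two incoming messages, once per method.
    Constructed state: a 30 KB message remains after a 50 KB one was deleted
    (usage 30 KB, white space 50 KB, file 80 KB) and the quota was then lowered
    to 70 KB, so the file is already over quota. Returns {method: [delivered?, ...]}
    for a 45 KB message followed by a 20 KB message."""
    base = MailFile(quota_kb=70, messages={"m2": 30}, white_space_kb=50)
    results = {}
    for method in METHODS:
        mf = deepcopy(base)
        results[method] = [deliver(mf, "in1", 45, method),
                           deliver(mf, "in2", 20, method)]
    return results


def recovery_after_delete(transaction_logging, by_admin):
    """Under FILESIZE_ADD: after the user deletes every message and a compact is
    attempted, does a 10 KB message get in? Shows why transaction logging leaves
    recovery to an administrator's 'compact -B'."""
    mf = MailFile(quota_kb=70, messages={"m1": 50, "m2": 30},
                  transaction_logging=transaction_logging)
    mf.delete("m1")
    mf.delete("m2")  # usage 0 KB, but the file is still 80 KB
    mf.compact(by_admin=by_admin)
    return router_accepts(mf, 10, FILESIZE_ADD)
```

The usage method admits the small message and refuses the large one, the default method does the opposite because the large message fits in white space, and the per-note filesize method refuses both until the file is compacted.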
Reclaiming space in mail files for which soft deletions are enabled
When soft deletions are enabled for a mail file, deleting messages from a
mail file doesn't immediately reduce its size. Instead, the deleted
messages are moved to the Trash view until they expire - after 48 hours,
by default. Only then are the messages permanently removed from the
database.
To reclaim space immediately, a user must open the Trash view of the
mail file and click Empty Trash or select a message in the view and then
click Delete Selected Item. By default, soft deletions are enabled for mail
files that use the Release 6 mail template (MAIL6.NTF).
For more information about soft deletions, see the chapter Improving
Database Performance.


Notifying users who exceed their mail file's quota or warning threshold
You can configure the Router to notify a user whose mail file exceeds a
warning threshold or quota. The following table lists the information
contained in the notification message:

Message field: Description

Notification type: Describes why the user received the notification. For
example, an over quota report explains that an incoming message caused the
user's mail file to exceed the quota set for their mail file. Over quota
and quota warning reports contain default text, which you can customize.

Message headers: The sender (FROM field), recipients (TO and CC), and
subject of the affected message.

Message size: The size of the affected message, in KB.

Current mail file usage: Database usage or current size of the user's mail
file, in KB.

Current quota settings: The warning threshold and quota currently set for
the user's mail file.

What you should do: Explains what action, if any, was taken (for example,
whether the message was returned to the sender or is being held for retry)
and provides instructions explaining what actions the user should take to
reduce the size of the mail file (for example, deleting or archiving
messages). If you customize the text of the notification to provide users
with additional instructions or information, the text you add appears as
part of the Notification type information at the beginning of the message.

For information on adding custom text to over quota and quota warning
reports, see the topic Customizing the text of mail failure messages
later in this chapter.
Users who exceed the quota for their mail file receive over quota
warnings only. If the Router is configured to send over threshold
warnings, it stops sending them to users who exceed their quota.
Message tracking is not enforced or supported for either type of warning
notification.
If Domino rejects an inbound message as the result of a quota violation, it
returns a failure message stating the reason for the failure to the sender.

Specifying how often users receive notifications
You have three options for specifying how often the Router delivers
warning notifications to users who violate their mail file's warning
threshold or quota:

None - (Default) Users receive no warning if their mail files exceed the
size limit.

Per Message - Users whose mail files exceed the size limit receive a
warning notification every time MAIL.BOX receives a new message for them.

Per time interval - Users whose mail files exceed the size limit receive a
warning message at the specified interval until they reduce the size of
their mail file. If you select this option, an additional field appears
where you can specify the interval in minutes, hours, or days.

Withholding mail from users who exceed their quota
Quota controls enable the Router to selectively hold or reject mail if the
destination mail file has exceeded its quota. When the Router has new
mail to deliver to a user whose mail file is already full, it checks the
Configuration Settings document to determine the appropriate action. By
default the Router continues to deliver mail, even after a mail file exceeds
its quota. To change the default behavior, you must configure the Router
to refuse or hold mail.
When delivering mail to a user's mail file, the Router checks the mail
file's size. If the file will remain within the specified threshold after
delivery of the message, no action is taken.
The Router recognizes certain exceptions to the specified quota setting.
For example, users who are over quota continue to receive over quota
notifications from the Router, regardless of the current setting. However,
if the Router is configured to Hold and Retry, all messages are held, and
the owner of the mail file receives no further notifications until the size of
the mail file is reduced or the administrator takes action to allow
messages to be delivered.
To prevent an excessive number of messages from accumulating in
MAIL.BOX when you choose the Hold and Retry method of enforcing
quota violations, it's best to have Domino calculate database size based
on usage, rather than file size. This is especially true on servers where
transaction logging is enabled, because users cannot reduce the size of
their mail files without assistance from an administrator.
Limiting the size and number of messages held for retry
If you set the Router to temporarily hold mail intended for users whose
mail files exceed the specified quota, the increased number of pending
messages can increase the size of MAIL.BOX and decrease Router
performance. To help ensure service quality, you can limit the number of
pending messages.
You can also specify the maximum size of messages that the Router will
hold. If a message is larger than the configured size, it is returned to the
sender as undeliverable, rather than held.
Restrictions do not apply to sent messages
Router enforcement of mail file quotas is limited to withholding new
mail from users who exceed their quotas. The Router continues to accept
outgoing mail from users whose mail files are full. However, these users
are not able to save any messages to mail files on the server.
When a user who exceeds the configured warning threshold or quota
sends a message from a Notes client, the client displays a warning, but
the user can still send the message.
Setting quota controls for the Router
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Delivery
Controls tab.
6. In the Quota Controls section, complete these fields:

Field: Enter

Over Warning Threshold Notifications: Specifies how often the Router
delivers notifications to users who exceed their warning threshold.
Choose one:
None - The Router does not deliver notifications when mail files grow
larger than the specified warning threshold.
Per Message - The Router delivers a notification for every message it
delivers after the mail file exceeds the specified warning threshold.
Per Interval N - Send notifications at a specified interval until the user
deletes or archives enough messages to bring the size of the mail file
below the specified Warning Threshold. When this option is selected, an
additional field, Warning Interval Minutes, appears.

Warning Interval Minutes: Specifies, in minutes, how long the Router waits
to send the next Over Warning Threshold Notification.

Over Quota Notification: Specifies how often the Router delivers
notifications to users who exceed their quota.
Choose one:
None - The Router does not deliver notifications when mail files grow
larger than the specified warning threshold.
Per Message - The Router delivers a notification for every message it
delivers after the mail file exceeds the specified quota.
Per time interval - Send notifications at the specified interval until the
user deletes or archives enough messages to bring the size of the mail file
below the specified quota. When this option is selected, an additional
field appears where you can specify an interval measured in minutes,
hours, or days.

Error Interval: Specifies, in minutes, hours, or days, how long the Router
waits to send the next over quota notification.

Over Quota Enforcement: Specifies the action the Router takes when
receiving new mail for a user whose mail file is larger than the specified
quota.
Choose one:
Deliver anyway (don't obey quotas) - (Default) The Router continues to
deliver mail to a mail file that is over quota.
Non Deliver to originator - The Router stops delivering new messages to
the mail file and returns a nondelivery message to the sender reporting
that the message could not be delivered because the intended recipient's
mail file was full.
Hold mail and Retry - The Router stops delivering new messages to the
mail file and temporarily holds incoming messages in MAIL.BOX until space
is available in the mail file. After a configured interval, the Router
tries to deliver the message. If the user has sufficiently reduced the size
of the mail database by the next scheduled delivery attempt, the mail is
delivered. Messages that cannot be delivered before the configured
expiration time (default = 1 day) are returned to the sender as
undeliverable. If you choose this option, the document displays additional
fields where you can specify how the server handles held messages.
To prevent an excessive number of messages from accumulating in MAIL.BOX
when this option is selected, it's best to have Domino calculate database
size based on usage, rather than file size.

7. If you selected Hold mail and Retry in the Over Quota Enforcement
field, complete the following:

Field: Description

Attempt delivery of each message: Pending messages may be of different
sizes. A mail file that has reached its quota may have sufficient space
available to fit some messages, but not others. Use this field to specify
whether the Router delivers messages small enough to fit the available
space in a destination mail file. Choose one:
Enabled - The Router attempts delivery of each new message. Messages that
fit the available space are delivered. Other messages are held.
Disabled - After a mail file reaches its quota, the Router holds all
messages until the file size is reduced.

Maximum number of messages to hold per user: Specifies the maximum number
of messages that the Router will hold in MAIL.BOX for a given mail file.
After the number of pending messages reaches the specified number, the
Router returns a delivery failure report to the sender of each additional
message in first-in, first-out order.

Maximum message size to hold: Specifies the maximum size, in KB, of
messages that the Router can hold in MAIL.BOX for over quota users. If a
message larger than the specified size is received for the user, the
Router returns a delivery failure report to the sender.

8. Click Save & Close.
9. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
Overriding quotas
Administrators can provide users who are over quota with temporary
access to their new mail by:

Modifying the quota currently in effect for the user's database.

Changing the Router setting, so that the Router ignores database
quotas and delivers mail. If you set the Router to ignore database
quotas, all users who exceed their quotas are able to receive mail.

To permanently change a quota, reset its size value.

Setting server mail rules
You can create content filtering rules for a server that define actions to
take on certain messages. When a new message that meets a specified
condition is deposited in MAIL.BOX, Domino automatically performs the
designated action. Rule conditions are based on content in the message
headers or in the message body. Possible actions include journaling a
message, moving it to a graveyard or quarantine database, refusing to
accept or deliver a message, or changing the routing state of a message.
You can specify only one action for each rule.
Mail rules automatically handle mail in a variety of situations. By
configuring a set of conditions and actions, you can customize rules to
block spam mail or intercept messages with questionable content. For
example, you could create a rule that rejects mail with subjects like
make money fast or that comes from a known spam vendor. Similarly
you can restrict users from receiving message attachments that do not
have a business purpose by setting up a rule to intercept messages that
contain attachments of certain file types (EXE, VBS, VBE, SCR, and so
forth) and redirect them to a quarantine database where they could be
reviewed by an administrator and optionally sent on to the intended
recipient.
Except where a rule action explicitly indicates, Domino does not notify
the sender or recipient if a rule prevents a message from reaching its
destination. For example, if a rule results in a message being routed to a
graveyard database, Domino does not generate a delivery failure report
or indicate to the intended recipients that a message for them has been
intercepted. By contrast, if a message triggers a rule with the specified
two-part action Don't deliver message/Send NDR, the sender receives
a delivery failure report stating that the message was rejected for policy
reasons.
Note Although Domino does not generate a notification to the sender
when a rule condition triggers the action Don't accept message,
because rules execute as mail is deposited to MAIL.BOX, the sender may
still receive notification that the message was rejected. For example,
when the Domino SMTP listener refuses a message because of a mail
rule, the sending SMTP server receives the error indicating that the
transaction was rejected for policy reasons. Typically, servers receiving
this type of error generate a delivery failure report to the sending user.
Similarly, when a mail rule prevents the server from accepting a
message, a Notes client attempting to deposit the message in MAIL.BOX
displays an error indicating that the message cannot be sent.


Domino stores the mail rules you create in the Configuration Settings
document. On startup, each server retrieves the rules from the appropriate
Configuration Settings document and registers them as monitors on each
MAIL.BOX database in use.
Whenever MAIL.BOX receives a new message from any source (the SMTP
process, the Router on another server, or a client depositing a message),
the server evaluates the various message fields against the registered
mail rules. Each message is evaluated only once. Additional updates
occurring after a message is added to MAIL.BOX, such as updates to reflect
the number of recipients handled, do not cause reevaluation of the rules.
Prioritizing mail rules
When multiple mail rules are enabled, you can set their relative priority
by moving them up and down in the list.
Putting new rules into effect
The Configuration Settings document displays new mail rules only if the
document has been previously saved. Before adding rules to a new
Configuration Settings document, save and close the document. Reopen
the document to begin adding rules.
When you add a new rule, it takes effect only after the server reloads the
mail rules. A reload is automatically triggered if the Server task detects a
rule change when performing its routine check of the Configuration
Settings document. This check occurs approximately every five minutes.
You can force the server to reload rules, using a console command.
Enter the following command at the server console:
set rules

Mail rules are not intended to serve as an anti-virus solution and should
not be considered a replacement for anti-virus software. Although you
can configure rules to quarantine messages with known virus
attachments, the available rule actions do not include typical anti-virus
features such as generating warnings upon detecting a virus or
automatically disinfecting files.

To create a new mail rule
1. Make sure you already have a Configuration Settings document for
the server(s) where the rules will apply.
If you are creating a new Configuration Settings document, complete
the Group or Server name field on the Basics tab, and then click Save
& Close. Then reopen the document to begin adding rules.
If you attempt to add a new rule before saving a new document, you
are prompted to save the configuration before proceeding.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Rules tab.
6. Click New Rule.
7. In the Specify Conditions section of the New Rule dialog box, set the
criteria the server uses to determine whether to apply a rule to a
given message. A rule condition can include the following
components:
Condition component: Description

Message item to examine: Specifies the Notes message item that the Router
examines when evaluating whether to apply a rule. Choose one of the
following:
Sender, Subject, Body, Importance, Delivery priority, To, CC, BCC, To or
CC, Body or subject, Internet domain, Size (in bytes), All documents,
Attachment name, Number of attachments, Form, Recipient count, or Any
recipient.
Note To create a rule that acts on all messages deposited in MAIL.BOX,
choose All Documents.

Logical operator or qualifier: Specifies how the Router evaluates the
content of the target field. Choose one of the following:
contains (for text field values)
does not contain (for text field values)
is
is not
is less than (for numeric field values)
is greater than (for numeric field values)
For example, if you selected the message item Attachment Name, selecting
the qualifier "is" defines a rule that acts on all messages having an
attached file with a name that exactly matches the name you specify.

Value to check in message item: Specifies the content to search for in the
target message item.
For example, if the target message item is Attachment Name and the
qualifier is "contains", enter .VBS to create a rule that acts on all
messages having an attached file with a name containing the string .VBS,
including LOVE-LETTER.VBS, CLICK-THIS.VBS.TXT, and MY.VBS.CARD.EXE.
Text fields do not support wildcard values, such as the asterisk character
(*). To specify a search string for a target field, use the "contains"
operator and enter the search string in the accompanying text field. For
example, as in the preceding example, to search for an attached file with
a name that contains the string .VBS, create the condition "Attachment
Name contains .VBS", not "Attachment Name is *.VBS".
Search string text is not case sensitive.
When indicating numeric values, always enter a numeral, rather than its
text equivalent (that is, enter 2, not two).
8. Click Add. The Rules tab displays the new rule.
9. (Optional) Modify the condition by doing the following:

Add more conditions, by selecting Condition, selecting AND or OR, and
repeating Steps 7 and 8 for each new condition.

Add an exception by selecting Exception and repeating Steps 7 through 9
for each exception. You can add only one exception to a condition
statement.

10. In the Specify Actions section specify the action to perform when a
message arrives that matches the condition statement, and click Add
Action. You can specify one action per rule.
The following actions are available:
Action name: Description

Journal this message: The Router sends a copy of the message to the
configured Mail journaling database and continues routing the message to
its destination. Journaling must be enabled on the Router/SMTP - Advanced
- Journaling tab.
For information on enabling mail journaling, see the topic Mail
journaling later in this chapter.

Move to database: The Router removes the message from MAIL.BOX and
quarantines it in the database specified in the accompanying text field,
for example, GRAVEYARD.NSF. The specified database must already exist.
The message is not routed to its destination. Placing messages in a
quarantine database lets you examine them more closely for viruses or
other suspicious content.

Don't accept message: Domino rejects the message, but the Router does not
generate a delivery failure report. Depending on the message source, the
sender may or may not receive an NDR or other indication that the message
was not sent.
When Domino does not accept an incoming SMTP message it returns an SMTP
permanent error code to the sending server, indicating that the message
was rejected for policy reasons. SMTP permanent errors (500-series errors)
indicate error types that will recur if the sender attempts to send to the
same address again. Depending on the configuration of the sending client
and server, the message originator may then receive a Delivery Failure
report.
For messages received over Notes routing, Domino returns a Delivery
Failure Report indicating that the message violated a mail rule.
For messages deposited by a Notes client, the sending client displays an
error indicating that the message violated a mail rule.

Don't deliver message: Domino accepts the message, but rather than sending
it to its destination, it processes the message according to one of the
following specified options:
Silently delete - Domino deletes the message from MAIL.BOX with no
indication to the sender or recipient.
Send NDR - Domino generates a nondelivery report and returns it to the
sender. The MIME and Notes rich-text versions of messages sent from a
Notes client result in separate delivery failure reports.

Change routing state: Domino accepts the message but does not deliver it.
Instead, it marks it as held, changing the value of the RoutingState item
on the message to HOLD. This change to the routing state of the message
causes the Router to retain the message in MAIL.BOX indefinitely, pending
administrative action.
Domino differentiates between messages held by a mail rule and messages
held as undeliverable.
This action may not work properly on servers where third-party products,
such as certain types of anti-virus software, also manipulate the
RoutingState item.
11. To save the rule and put it into effect immediately, click OK.
To save the rule but wait before putting it into effect, click the Off
radio button at the top of the dialog box, and then click OK.
12. (Optional) After you create several rules, you can rearrange them to
indicate their relative priority. The server executes each rule in turn,
beginning with the rule at the top of the list. To change the position
of a rule, select it and click Move Up or Move Down. Place rules with
security implications higher in the list to ensure that the server
processes them before other rules.
13. Click Save & Close.
14. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
How mail rules handle encrypted messages
If MAIL.BOX receives an encrypted message (Notes encrypted, S/MIME,
PGP, and so forth), the server mail rules process any rule conditions that
are based on unencrypted information in the message envelope, such as
the sender, importance, and recipients, but do not process conditions
based on the encrypted portion of the message body. Most rule
conditions are based on information in the message envelope. The server
does not log instances in which rules are unable to process a message.
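The condition components of Step 7, the AND/OR and exception handling of Step 9, the rule ordering of Step 12 and the encrypted-message behaviour above, as an added model that is not Domino's code. The rule names and addresses are constructed, and the assumption that a Journal rule lets later rules run while any other action ends evaluation is mine, not the manual's:

```python
"""Constructed model of how Domino 6 server mail rules evaluate a message.
Added example, not IBM/Lotus code: it implements the condition semantics the New
Rule dialog describes (operators, case-insensitive literal matching, AND/OR plus
one exception), rule priority order, and the encrypted-body rule."""
from dataclasses import dataclass
from typing import Optional

TEXT_OPS = {"contains", "does not contain", "is", "is not"}
NUMERIC_OPS = {"is less than", "is greater than"}
BODY_ITEMS = {"Body", "Body or subject"}   # held in the (possibly encrypted) body
# Assumption: after these actions the message does not reach later rules.
STOPPING_ACTIONS = {"Move to database", "Don't accept message",
                    "Don't deliver message", "Change routing state"}


@dataclass
class Condition:
    item: str       # message item, e.g. "Attachment name", "Size (in bytes)"
    operator: str
    value: str      # always typed as text in the dialog


@dataclass
class Rule:
    name: str
    conditions: list
    action: str                            # exactly one action per rule
    joiner: str = "AND"                    # AND or OR between conditions
    exception: Optional[Condition] = None  # at most one exception per rule
    enabled: bool = True                   # the Off radio button of Step 11


def item_values(message, item):
    # Attachment names and recipients can be multi-valued; normalise to a list.
    v = message.get(item)
    return [] if v is None else (v if isinstance(v, list) else [v])


def condition_matches(cond, message):
    if message.get("encrypted") and cond.item in BODY_ITEMS:
        return False        # body is ciphertext, so the condition cannot be processed
    vals = item_values(message, cond.item)
    if cond.operator in NUMERIC_OPS:
        n = int(cond.value)  # the dialog wants a numeral: "2", not "two"
        if cond.operator == "is less than":
            return any(v < n for v in vals)
        return any(v > n for v in vals)
    if cond.operator not in TEXT_OPS:
        raise ValueError(f"unknown operator: {cond.operator}")
    # Text comparison is case-insensitive and literal: '*' is not a wildcard.
    needle = cond.value.lower()
    hay = [str(v).lower() for v in vals]
    if cond.operator == "contains":
        return any(needle in h for h in hay)
    if cond.operator == "does not contain":
        return all(needle not in h for h in hay)
    if cond.operator == "is":
        return any(needle == h for h in hay)
    return all(needle != h for h in hay)   # "is not"


def rule_matches(rule, message):
    hits = [condition_matches(c, message) for c in rule.conditions]
    matched = all(hits) if rule.joiner == "AND" else any(hits)
    if matched and rule.exception is not None:
        matched = not condition_matches(rule.exception, message)
    return matched


def apply_rules(rules, message):
    """Walk the rules top to bottom (highest priority first) and return the
    (rule name, action) pairs that fired. Assumption, not stated by the manual:
    a Journal rule lets later rules run, a stopping action ends evaluation."""
    fired = []
    for rule in rules:
        if not rule.enabled or not rule_matches(rule, message):
            continue
        fired.append((rule.name, rule.action))
        if rule.action in STOPPING_ACTIONS:
            break
    return fired


def example_rules():
    """Rules built from this chapter's examples; names and addresses are constructed."""
    return [
        Rule("reject spam subject",
             [Condition("Subject", "contains", "make money fast")],
             "Don't accept message"),
        Rule("quarantine script attachments",
             [Condition("Attachment name", "contains", ".VBS"),
              Condition("Attachment name", "contains", ".EXE")],
             "Move to database", joiner="OR",
             exception=Condition("Sender", "is", "patchdesk@example.com")),
        Rule("journal large messages",
             [Condition("Size (in bytes)", "is greater than", "1000000")],
             "Journal this message"),
    ]
```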

Specifying the message form in a condition
You can specify which types of messages a rule acts on by specifying the
message form type in the rule condition. When evaluating the form type,
the server checks the Notes message form used (the Form item displayed
in the Document properties); it does not use form information defined in
MIME items in the message. All messages deposited in MAIL.BOX are
rendered as Notes documents, including inbound Internet messages in
native MIME format. By default, messages received over SMTP use the
Memo form, except for SMTP Nondelivery reports, which Domino
renders using the NonDelivery Report form. Common Notes form names
include:

Appointment

Delivery Report

Memo

NonDelivery Report

Notice

Reply

Return Receipt

Trace Report

Customizing message transfer
To control the transfer of messages between servers in your Domino
system, you can:

Restrict routing of large messages

Route messages by priority

Generate delay notifications for low-priority mail

Restrict sending to groups listed in the Domino Directory

Set transfer limits - for example, the number of transfer threads and
the retry interval

Set advanced transfer controls - for example, change the logging
level and specify when to ignore message priority

Customize the text of mail failure messages

Transfer settings apply to messages sent using either Notes routing
or SMTP.


Routing mail by priority
Notes users can click the Delivery Options button to specify a priority
level (high, normal, or low) for each message they create. The
priority level determines how quickly the Domino Router transfers a
message over either Notes or SMTP routing. If you do not specify a
priority for a message, the server treats it as normal priority by default.
Priority level: Default Notes routing

High: The server routes the mail immediately.

Normal: The server routes the mail at the next scheduled connection time,
based on the schedule in the Connection document to the server that is
the next hop for the message. Within the same Notes named network, normal
priority messages route immediately.

Low: By default, the server routes low-priority mail only between midnight
and 6 AM. Even if low-priority mail is pending delivery when the server
routes other mail, the server does not route the low-priority mail except
during the specified time interval. You can change the default time for
routing low-priority mail.

For information on changing the default time for routing low-priority
mail, and setting the Router to ignore message priority, see the topics
Setting transfer limits and Setting advanced transfer and delivery
controls later in this chapter.
The Router typically processes delayed messages within 5 minutes of the
start of the low-priority time range.
Forcing low-priority mail to route
By default, the Router delays low-priority mail until the low-priority
time range, even for servers in the same Notes Named Network. If you
do not want to delay low-priority mail you can:

Set Domino to ignore message priority.
For information on configuring Domino to ignore message priority,
see the topic Setting advanced transfer and delivery controls later
in this chapter.

Change the low-priority time range in the Configuration Settings
document.
For information on changing the low-priority time range, see the
topic Setting transfer limits later in this chapter.

Use the ROUTE servername command at the console to force all
mail in the transfer queue of the specified server to route
immediately.
For information on using the ROUTE command, see the appendix
Server Commands.

Restricting mail routing based on message size

You can set size limits on messages to prevent large messages from consuming network bandwidth. There are two types of message size limits: a maximum message size and a low-priority size range. Messages that exceed the maximum message size are returned to the sender as undeliverable. Messages that are smaller than the maximum size, but that fall within the specified size range, are marked low-priority and routed during off-peak hours (12 AM to 6 AM by default).
Domino uses the maximum message size you specify as the upper limit of the low-priority size range. Before specifying a low-priority size range, you must set a maximum message size.
The size restrictions you set in the Configuration Settings document apply to every message the Router handles, regardless of whether the message is inbound or outbound, routed over Notes routing or over SMTP. To set a unique size limit on some part of your messaging traffic, you must set up distinct routing paths for that traffic and then create separate Configuration Settings documents for servers on those paths. For example, if you want to place a 500KB limit on inbound SMTP mail and a 1000KB size limit on internal mail, create two Configuration Settings documents: one for the servers that receive mail from the Internet that specifies a 500KB size limit and a second for your internal mail servers that specifies a 1000KB limit.
To set message size restrictions
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Restrictions tab.

6. Complete these fields in the Router Restrictions section, and then click Save & Close:

Field: Maximum message size
Enter: The maximum message size in KB (thousands of bytes) the server accepts. The Router rejects any messages that exceed this size for both transfer and delivery. The default is 0 KB, which does not limit message size.

Field: Send all messages as low-priority if message size is between
Enter: Choose one:
• Enabled
• Disabled (default)
If you choose Enabled, specify the lower limit of the size range in KB. By default (size range 0 to 0) message priority is not based on size.

7. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.
Total message size is equal to the sum of the message text and the size of all attachments.
You can change the default hours for routing low-priority mail. For more information, see the topic Setting transfer limits later in this chapter.
You can customize the text of delivery failure messages. For more information, see the topics Customizing the text of mail failure messages later in this chapter and Routing mail by priority earlier in this chapter.
On Domino SMTP servers you can use the ESMTP SIZE extension to prevent inbound transfer of messages that exceed the specified maximum message size. You can also use the outbound ESMTP SIZE extension to configure Domino to honor size restrictions on a target server when transferring outbound SMTP mail.
For information on setting the inbound and outbound SIZE extensions, see the topics Supporting inbound SMTP extensions and Supporting outbound SMTP extensions later in this chapter.

Generating delay notifications for deferred low-priority mail

When Domino routes all low-priority mail within the specified low-priority time range, the affected messages may remain in MAIL.BOX for a significant amount of time. The delay may be acceptable to users who sent their messages as low priority, but users may be less forgiving if their messages were relegated to late-night routing after the Router automatically demoted their priority, as happens when you set Domino to change the routing priority of messages above a certain size. Unexpected routing delays are likely to cause concern and result in calls to the help desk.
You can configure the Router to notify senders when low-priority mail is
delayed. Of course, you should also educate users about your policy on
routing low-priority mail. When delay notifications are enabled, the
Router delivers a message to the sender of the delayed message that
explains that the message is being held until the specified routing time.
When a message is delayed, users receive an informational Delay report,
which identifies the number and addresses of the intended recipients and
indicates that transfer is delayed until the low-priority time range. The
notification includes the headers of the original message, but not the
message body, and explains that no additional user action is required to
deliver the message. You can also customize the text of the notification to
include additional information.
For information on customizing the text of a delay notification, see the
topic Customizing the text of mail failure messages later in this chapter.
You can have the Router deliver delay notifications for every
low-priority message held; for messages held because the sender
designated them as low-priority; or for messages held because Domino
changed the priority for policy reasons as, for example, when a size
restriction forces a change to the routing priority of a large message.
For information on configuring Domino to send delay notifications when
it holds low-priority messages, see the topic Setting transfer limits
earlier in this chapter. For information on setting size limits on messages,
see the topic Restricting mail routing based on message size earlier in
this chapter.
Normally, a server sends only one delay notification for each message. However, restarting a server or Router can result in duplicate delay notifications. Also, a user may receive multiple delay reports for a message that is delayed by servers at successive hops along the routing path. Servers at successive hops can each send a delay report if delay notifications are enabled and they each receive the message before their configured low-priority routing time and buffer time.
For example, if a first hop server has a low-priority range of 12:00 AM to 3:00 AM and receives a low-priority message at 11:30 PM, it generates a delay notification. At the start of the low-priority routing time, the server routes the message to the next hop server. If this server also defers low-priority mail and has a low-priority range of 4:00 AM to 6:00 AM, it generates an additional delay notification.
By default, the Router does not send delay notifications for low-priority messages that a user sends within the low-priority time range or a buffer time of 30 minutes before the start of the time range. You can alter the default behavior by adding the variable RouterLPDelayNotifyBufferTime to the NOTES.INI file and setting its value to the length of the desired buffer time, in minutes. For example, if you would like to prevent low-priority messages sent within an hour of the start of the time range from generating a delay notification, enter the following line in the NOTES.INI file:
RouterLPDelayNotifyBufferTime=60

Exceptions to sending delay notifications

The Router does not send delay notifications in the following cases:
• If you enabled the following setting in the Configuration Settings document: Router/SMTP - Restrictions and Controls - Advanced Controls - Advanced transfer controls - Ignore message priority.
• When inbound SMTP messages include a Delivery Status Notification (DSN) request that is set to NOTIFY=NEVER. Only DSN requests with the value NOTIFY=DELAY result in delay notifications.
• If the delayed message is a delivery failure report. For example, if a message is demoted to low priority and delayed because its size exceeds the threshold for normal priority mail, the resulting delay notification (which includes the original message) is not delayed.
• If a Notes client user sets the Delivery Reports option to None in the Delivery Options dialog box.
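The following is an added example, not code from the Domino manual or from IBM, that models the decisions described in the size-restriction topic and in this delay-notification topic: the maximum message size, the low-priority size range, the low-priority routing window, the Ignore message priority control, the NOTIFY= rule for SMTP DSN requests and the RouterLPDelayNotifyBufferTime buffer. The field names follow the Configuration Settings document; the class and function names, and the "policy", "user" and "all" spellings of the delay-notification choices, are this example's own shorthand. Scheduling of normal-priority mail between Notes named networks is deliberately not modelled.

```python
"""Added model of Domino 6 Router size/priority handling (example code, not IBM's)."""
from dataclasses import dataclass, replace
from datetime import datetime, time, timedelta
from typing import Optional


@dataclass
class RouterConfig:
    max_message_kb: int = 0                 # Maximum message size; 0 = no limit
    low_priority_floor_kb: int = 0          # lower limit of the low-priority size range; 0 = off
    ignore_priority: bool = False           # Ignore message priority (advanced transfer control)
    low_priority_start: time = time(0, 0)   # Low-priority mail routing time range (12 AM to 6 AM)
    low_priority_end: time = time(6, 0)
    delay_notify: str = "disabled"          # disabled | policy | user | all (example's shorthand)
    notify_buffer_minutes: int = 30         # RouterLPDelayNotifyBufferTime


@dataclass
class Message:
    size_kb: int                            # message text plus all attachments
    priority: str                           # high | normal | low, as chosen by the sender
    submitted: datetime                     # when the Router received it
    dsn_notify: Optional[str] = None        # NOTIFY= value of an inbound SMTP DSN request
    is_failure_report: bool = False         # the message is itself a delivery failure report
    delivery_reports: str = "basic"         # Notes Delivery Reports option; "none" suppresses


def in_low_priority_window(cfg: RouterConfig, t: time) -> bool:
    """True if t lies in the routing range, including ranges that wrap past midnight."""
    s, e = cfg.low_priority_start, cfg.low_priority_end
    return s <= t < e if s <= e else (t >= s or t < e)


def classify(cfg: RouterConfig, msg: Message):
    """Return (disposition, effective priority, demoted_by_policy);
    disposition is "reject" (returned as undeliverable), "route" or "hold"."""
    if cfg.max_message_kb and msg.size_kb > cfg.max_message_kb:
        return "reject", msg.priority, False
    priority, demoted = msg.priority, False
    # The low-priority size range runs from the configured floor up to the maximum size.
    if (cfg.max_message_kb and cfg.low_priority_floor_kb
            and cfg.low_priority_floor_kb <= msg.size_kb <= cfg.max_message_kb
            and priority != "low"):
        priority, demoted = "low", True
    if cfg.ignore_priority:
        return "route", "normal", False     # everything goes out as Normal priority
    if priority == "low" and not in_low_priority_window(cfg, msg.submitted.time()):
        return "hold", priority, demoted    # waits in MAIL.BOX for the time range
    return "route", priority, demoted


def sends_delay_notification(cfg: RouterConfig, msg: Message, demoted: bool) -> bool:
    """The manual's rules for whether a held low-priority message earns a Delay report."""
    if cfg.delay_notify == "disabled" or cfg.ignore_priority:
        return False
    if msg.is_failure_report or msg.delivery_reports == "none":
        return False
    if msg.dsn_notify is not None:
        wanted = {v.strip().upper() for v in msg.dsn_notify.split(",")}
        if "DELAY" not in wanted:           # NOTIFY=NEVER, or any request without DELAY
            return False
    # No report for mail sent inside the window or within the buffer before its next start.
    start = datetime.combine(msg.submitted.date(), cfg.low_priority_start)
    if start < msg.submitted:
        start += timedelta(days=1)
    if start - msg.submitted <= timedelta(minutes=cfg.notify_buffer_minutes):
        return False
    if cfg.delay_notify == "policy":
        return demoted                      # only size-restriction or mail-rule demotions
    if cfg.delay_notify == "user":
        return not demoted                  # only mail the sender marked low
    return True                             # "all"


def route_message(cfg: RouterConfig, msg: Message) -> dict:
    disposition, priority, demoted = classify(cfg, msg)
    notify = disposition == "hold" and sends_delay_notification(cfg, msg, demoted)
    return {"disposition": disposition, "priority": priority,
            "demoted_by_policy": demoted, "delay_notification": notify}


def run_scenarios() -> dict:
    """The 500 KB floor / 1000 KB maximum from the text, at a few times of day (constructed)."""
    cfg = RouterConfig(max_message_kb=1000, low_priority_floor_kb=500, delay_notify="policy")
    day = datetime(2002, 10, 1, 10, 0)      # 10:00 AM, outside the window
    late = datetime(2002, 10, 1, 23, 45)    # inside the 30-minute buffer before midnight
    night = datetime(2002, 10, 1, 2, 0)     # inside the window
    return {
        "oversize": route_message(cfg, Message(1200, "normal", day)),
        "demoted": route_message(cfg, Message(700, "normal", day)),
        "demoted_in_buffer": route_message(cfg, Message(700, "normal", late)),
        "user_low_policy_only": route_message(cfg, Message(100, "low", day)),
        "user_low_user_only": route_message(replace(cfg, delay_notify="user"), Message(100, "low", day)),
        "in_window": route_message(cfg, Message(100, "low", night)),
        "ignore_priority": route_message(replace(cfg, ignore_priority=True), Message(700, "normal", day)),
        "dsn_never": route_message(replace(cfg, delay_notify="all"), Message(100, "low", day, dsn_notify="NEVER")),
        "wrapped_window": in_low_priority_window(
            RouterConfig(low_priority_start=time(23, 0), low_priority_end=time(3, 0)), time(1, 30)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} {result}")
```

The "demoted_in_buffer" scenario is the one that surprises people: a 700 KB message sent at 11:45 PM is still held until the window opens, but because it falls inside the buffer no Delay report is sent.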

Restricting users from sending mail to groups listed in the Domino Directory

By default, all users can send mail to groups defined in the Domino Directory. To reduce unnecessary mail traffic, you can edit the reader fields for a Group document to restrict access to the group, specifying the users who are allowed to send mail to the group. Only users to whom you grant reader access can send mail addressed to the group. Users who do not have access to the group can see the group name listed in the Domino Directory and choose the name in the Select Addresses dialog box, but the Router rejects the message if they attempt to send a message to the group.
The restrictions apply to messages sent to either a group's Notes address or its Internet address, and to messages originating from a Notes client as well as messages sent and received over SMTP (as from an IMAP or Notes client). From a Notes client, a user who does not have permission to use the group receives an error when attempting to send mail to the restricted group. If the same user attempts to mail from a POP3 or IMAP client, the Router generates a Nondelivery report indicating that the sender is not authorized to send mail to the specified recipient.
To restrict users from sending mail to a group
1. From the Domino Administrator, click the People & Groups tab,
expand the Domino Directory that contains the group you want to
restrict access to, and select the Groups view.
2. Right-click the Group document to manage and choose Document
Properties.
3. Select the Security tab (the Key).
4. Deselect the All readers and above checkbox to enable editing of the
readers list.
5. To enable a user to send mail to the group, select the user's name in
the list.
6. To provide access to users not listed, click the Person icon to the
right, add the name in the Select Names dialog box, and click OK.
The user's name appears at the bottom of the list with a check next
to it.
7. Deselect the names of users you want to prevent from sending mail
to the group, including the Anonymous entry.
8. Close the Document Properties dialog box.


Setting transfer limits


Transfer controls affect how Domino transfers messages between servers.
They control the number of threads used, the number of hops allowed
before a message fails, the low-priority mail routing time range, and the
time-out and purge intervals. Transfer controls apply to both SMTP and
Notes routing.
To set message transfer controls
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Transfer
Controls tab.
6. Complete these fields in the Transfer Controls section, and then click
Save & Close:
Field: Maximum transfer threads
Enter: The maximum number of server threads Domino creates to transfer messages to all other servers. The value applies to both Notes routing and SMTP. The Router sets a default maximum number of transfer threads based on server memory. Letting the Router select the maximum number is usually best. If you set the maximum number manually, set the maximum to between 1 and 25 threads, depending on server load.

Field: Maximum concurrent transfer threads
Enter: The maximum number of server threads the Domino Router can use to transfer messages to a single destination. The value applies to both Notes routing and SMTP.
If no value is specified, the default value is equal to one-half of the maximum transfer threads, rounded down to the nearest integer. For example, if the maximum transfer threads is 5, the maximum concurrent transfer threads defaults to 2. On servers that send outbound Internet mail to an SMTP relay host, this setting effectively defines the total threads available for transferring mail to the relay host.
By default, when transferring messages over Notes routing from one Domino domain to another, the Router does not use multiple concurrent threads. To enable use of multiple concurrent transfer threads between Domino domains, add the variable RouterAllowConcurrentXFERToALL to the server's NOTES.INI file.

Field: Maximum hop count
Enter: The maximum number of times a message can be transferred between servers before delivery fails and Domino sends a nondelivery message.

Field: Low-priority mail routing time range
Enter: The time range when Domino routes messages marked as low-priority. The default is between 12 AM and 6 AM.
For low-priority mail to route at the specified time, the Router must be configured to obey message priority. If you configure the Router to ignore message priority, low-priority mail does not receive special handling.

Field: Low-priority delay notifications
Enter: If you configure the Router to hold low-priority messages until a given time period, message originators may not be aware of the reason for the delay. To inform senders when low-priority messages are delayed, have the Router automatically generate delay notifications. The Router can either generate delay notifications for every low-priority message it holds or when it holds messages for a specific reason only. Choose one:
• Disabled: The Router does not notify senders when messages are delayed for priority reasons.
• Only if priority changed for policy reasons: The Router notifies senders of priority-related delays only for messages that were designated low-priority as the result of a configured mail rule or size restriction.
• Only if user requested low-priority: The Router notifies senders of priority-related delays only for messages that the sender designated as low-priority.
• All low-priority messages: The Router notifies senders of priority-related delays for all low-priority messages.
Domino Release 5.0.x used the variable RouterLowPriorityDelayNotify in the server's NOTES.INI file to control the use of low-priority delay notifications. If this setting is present, it takes precedence over the setting specified in the Configuration Settings document.

Field: Initial transfer retry interval
Enter: The time (in minutes) that the Router waits after a message transfer failure before retrying the transfer. If failure recurs, Domino doubles the interval before a second retry. If additional retries are needed, they occur at three times the initial retry value.
The default interval is 15 minutes. Lower values increase the retry attempts per hour and could possibly increase the success rate of routing the messages. Higher values decrease the retry attempts per hour, resulting in longer routing times.
The Router continues attempts to transfer a pending message until the age of the message reaches the configured time-out value (by default, 24 hours). After a message times out, the Router generates a delivery failure report to the sender.

Field: Expired message purge interval
Enter: Specifies, in minutes, how often the Router checks MAIL.BOX for expired messages to purge. The default is 15 minutes.


Values specified in the NOTES.INI file override settings in the Configuration Settings document. If you use the NOTES.INI file to configure message transfer settings, the Domino server console displays informational messages indicating that the setting can be specified in the Configuration Settings document.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
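The arithmetic behind three of the transfer controls above (the retry schedule of the Initial transfer retry interval, the message time-out set with MailTimeout or MailTimeoutMinutes in NOTES.INI, and the default for Maximum concurrent transfer threads) is easy to misjudge when sizing a server. This is an added example, not code from the manual or from IBM; the function names are this example's, and the precedence it gives MailTimeoutMinutes over MailTimeout when both are present is an assumption the manual does not state.

```python
"""Added illustration (example code, not IBM's) of Domino 6 transfer-control arithmetic."""
from typing import List, Optional

DEFAULT_INITIAL_RETRY_MINUTES = 15      # Initial transfer retry interval default
DEFAULT_TIMEOUT_MINUTES = 24 * 60       # message time-out default of 24 hours


def retry_offsets(initial_minutes: int = DEFAULT_INITIAL_RETRY_MINUTES,
                  timeout_minutes: int = DEFAULT_TIMEOUT_MINUTES) -> List[int]:
    """Minutes after the first failed attempt at which the Router retries:
    the initial interval, then double it, then three times the initial value
    for every later retry, until the message age reaches the time-out (when
    a delivery failure report goes back to the sender instead)."""
    if initial_minutes <= 0 or timeout_minutes <= 0:
        raise ValueError("intervals must be positive")
    offsets: List[int] = []
    age = 0
    while True:
        attempt = len(offsets)
        if attempt == 0:
            wait = initial_minutes
        elif attempt == 1:
            wait = 2 * initial_minutes
        else:
            wait = 3 * initial_minutes
        age += wait
        if age >= timeout_minutes:
            return offsets                  # message has expired; no further retry
        offsets.append(age)


def effective_timeout_minutes(mail_timeout_days: Optional[int] = None,
                              mail_timeout_minutes: Optional[int] = None) -> int:
    """MailTimeout is given in days; MailTimeoutMinutes is for periods shorter
    than a day. Assumption of this example: minutes win if both are set."""
    if mail_timeout_minutes is not None:
        return mail_timeout_minutes
    if mail_timeout_days is not None:
        return mail_timeout_days * 24 * 60
    return DEFAULT_TIMEOUT_MINUTES


def default_concurrent_transfer_threads(max_transfer_threads: int) -> int:
    """Maximum concurrent transfer threads defaults to half the maximum
    transfer threads, rounded down (5 -> 2)."""
    if not 1 <= max_transfer_threads <= 25:
        raise ValueError("Maximum transfer threads should be between 1 and 25")
    return max_transfer_threads // 2


def steady_state_retries_per_hour(initial_minutes: int) -> float:
    """Retries per hour once the schedule settles at three times the initial interval."""
    return 60 / (3 * initial_minutes)


if __name__ == "__main__":
    print("default schedule:", retry_offsets()[:5], "... total retries:", len(retry_offsets()))
    print("five-day Internet-style time-out:", len(retry_offsets(15, effective_timeout_minutes(5))), "retries")
    print("concurrent threads for 5 transfer threads:", default_concurrent_transfer_threads(5))
```

Running it shows why the text warns about load from undeliverable mail: with the defaults a single undeliverable message is retried 32 times in 24 hours, and raising MailTimeout to five days multiplies that to 160 attempts per message.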

Enabling multiple concurrent transfer threads between Domino domains

In a Domino network, message transfer over SMTP is always
multithreaded, allowing multiple transfer threads to a single destination.
However, by default, Notes routing is multithreaded only for transfers
within the local Notes Named Network (NNN). When using Notes
routing to transfer mail outside the NNN, Domino does not allow
multiple concurrent transfer threads. You can add a setting in the
NOTES.INI file to enable the use of multiple concurrent transfer threads
for inter-domain Notes routing.
To transfer a message, the Router assigns a transfer thread to a message
in its transfer queue. When Notes routing is used, the transfer thread
moves the message across the network by copying it from the queue and
writing it to the MAIL.BOX database on the destination server by means
of a Notes remote procedure call. Each transfer thread processes a single
message for a single destination only. If a message has multiple
recipients at that destination, the thread deposits a single message
addressed to all of them. To send additional messages or send the same
message to additional destinations, the Router must activate additional
transfer threads.
When the transfer queue has many messages for a given destination, the
messages may be able to be transferred more efficiently if the server can
create multiple transfer threads to that destination. However, for
multiple transfer threads to improve efficiency there must be ample
bandwidth on the connection between the servers. On a slow link,
multiple active threads are forced to contend for bandwidth, with no
resulting increase in the total throughput, thus defeating the purpose of
multiple threads. Furthermore, if a high proportion of the total transfer
threads are busy on a slow link, the server may be unable to transfer
messages to destinations over other, faster links because of a lack of
available threads.
For Notes routing, connections that rely on Connection documents, including connections to remote domain servers, are typically slower than local domain connections; so, by default, Domino does not allow multiple concurrent transfer threads to destinations that require a Connection document. To ensure that message transfer is not adversely affected, alter the default behavior only on servers that have high-bandwidth connections to other Domino domains.

To enable multiple concurrent transfer threads between Domino domains
1. From the Domino Administrator, open the Domino Directory and click the Configuration tab.
2. To edit an existing Configuration Settings document, highlight and click Edit Configuration. To create a new Configuration Settings document, highlight the server for which the Configuration Settings document will apply, then click Add Configuration.
3. Click the NOTES.INI Settings tab.
4. Click Set/Modify Parameters.
5. In the Item field, enter:
RouterAllowConcurrentXFERToALL
6. In the Value field, enter:
1
7. Click Add, and then click OK.
8. Click Save & Close.
Note When this variable is set, the server does not attempt to determine the connection speed or number of messages pending for a particular destination. The server allows multiple concurrent transfer threads, regardless of whether the speed of a particular connection justifies the additional threads. The number of transfer threads for each destination remains limited by the value you set for the number of Maximum concurrent transfer threads.

Setting the message time-out value

When the Router is unable to transfer a message on the first attempt, it continues to attempt delivery at intervals, as specified in the Initial transfer retry interval field of the Configuration Settings document. If a message cannot be delivered (or forwarded to the next server on the path to the user's mail server) within a specified time-out period, the Router returns a delivery failure report to the sender. By default, the message time-out value is 24 hours.

In the event that mail files on certain servers become unreachable for an
extended period, consider increasing the default time-out value on other
servers. A higher time-out value decreases the likelihood of important
mail being returned because of transfer and delivery failures.
On the Internet, the time-out value for message transfer is typically five
days - that is, if the next hop server is unreachable, the connecting server
continues to retry transfer for five days before giving up and generating
a delivery failure report.
Increasing the time-out value to n days may result in senders receiving a
delivery failure report for undeliverable mail n days after the message
was sent.
Because each successive retry consumes server resources, a high volume
of undeliverable mail can place a significant extra load on the server. If
you notice an increase in the amount of pending mail in MAIL.BOX,
examine messages to determine the validity of their origins and
destinations. If a large portion of pending messages are addressed to
nonexistent users or originate from known or possible spam mailers,
consider resetting the time-out interval to a lower value. Using a lower
time-out value reduces the time before the server marks a message as
undeliverable, thereby decreasing the number of retries.
For information about managing undeliverable mail, see the topic
Managing undeliverable mail in MAIL.BOX later in this chapter.
For information about methods for rejecting unwanted mail before
servers accept it, see the topic Restricting SMTP inbound routing later
in this chapter.
For information about using mail rules to process mail automatically, see
the topic Setting server mail rules earlier in this chapter.
To set the message time-out value
1. From the Domino Administrator, open the Domino Directory and
click the Configuration tab.
2. To edit an existing Configuration Settings document, highlight and
click Edit Configuration. To create a new Configuration settings
document, highlight the server for which the Configuration Settings
document will apply, then click Add Configuration.
3. Click the NOTES.INI Settings tab.
4. Click Set/Modify Parameters.
5. In the Item field, enter:
MailTimeout
6. In the Value field, enter the number of days after which Domino returns undeliverable mail to the sender, click Add, and then click OK.
Note To specify a time-out period shorter than one day, specify the variable MailTimeoutMinutes in the Item field in Step 5, and specify a time-out period, in minutes, in Step 6.
7. Click Save & Close.

Setting advanced transfer and delivery controls

1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Advanced - Controls tab.
6. Complete these fields in the Advanced Transfer Controls section:

Field: Ignore message priority
Enter: Choose one:
• Enabled: The Router sends all messages as Normal priority.
• Disabled (default): The Router honors message priority settings assigned by the sender or another server process.
Do not enable this setting if you restricted Domino to routing messages of a specified size as low priority and want to confine routing of large messages to the specified low priority routing time.

Field: Dynamic cost reset interval
Enter: The time, in minutes, after which the Router resets the costs for the various connections. For example, if the cost reset interval is 15 minutes and a network failure caused the Router to increase a connection cost from 1 to 2, the Router resets the connection cost to 1 after the 15-minute cost reset interval.

7. Complete these fields in the Additional Controls section, and then click Save & Close:

Field: Restrict name lookups to primary directory only
Enter: Choose one:
• Enabled: Users can look up names and groups only in the Domino Directory for the server's Domino domain. Users cannot look up names and groups in other directories that are available through Directory Assistance.
• Disabled (default): Users can look up names and groups in any directories available from the server.

Field: Cluster failover
Enter: Choose one:
• Disabled: If a recipient's server is unavailable, the Router does not automatically route mail through a clustered server.
• Enabled for last hop only (default): When the Router detects that a recipient's mail server (the last hop in the routing path) is unavailable, it attempts to locate a clustered server and transfer the message to that server. For example, Server1 routes a message addressed to Jane Doe, whose mail file is on Server3. Server1 fails to connect to Server3, which is unavailable. Server1 checks the Domino Directory to see if there are any servers clustered with Server3. Server2 is clustered with Server3, so the Router on Server1 attempts to connect to Server2. If the connection is successful, the Router transfers the message to Server2.
• Enabled for all transfers in this domain: When the Router detects that a server for any hop in the routing path is unavailable, it attempts to locate a server clustered with that hop server. If the Router can find another clustered server, it transfers the message to that server. For example, if the Router on Server1 attempts to transfer to HubA but HubA is unavailable, the Router checks the Domino Directory to see if there are any servers clustered with HubA. Because HubB is clustered with HubA, the Router attempts to connect to HubB. If the connection is successful, the Router transfers the message from Server1 to HubB, which continues routing the message.

Field: Hold undeliverable mail
Enter:
• Enabled: When the Router cannot transfer or deliver a message, it leaves the message in MAIL.BOX rather than generate a delivery failure report. Select this option if you want to be able to examine messages with failures. You can then access these messages and either release them, forward them, or delete them.
• Disabled (default): When the Router cannot deliver a message, it generates a delivery failure report.
If you configure MAIL.BOX to hold undeliverable messages, examine the database frequently to check for accumulated messages.

For more information on directory assistance, see the chapter Setting Up Directory Assistance. For more information on clusters, see Administering Domino Clusters.
8. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
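To make the three Cluster failover choices concrete, here is an added example (not code from the manual or from IBM) that replays the table's own scenario: Server1 routes through HubA to Server3, HubB is clustered with HubA and Server2 with Server3. The server names come from the text; the cluster map, the "disabled", "last_hop" and "all_transfers" spellings of the three settings, and the function names are this example's. It also assumes that a cluster mate which takes over a hop continues along the same route, which the text leaves open.

```python
"""Added model (example code, not IBM's) of the Domino 6 Router's Cluster failover setting."""
from typing import Callable, Dict, List, Optional, Set

# Which servers are clustered with which; constructed to match the manual's scenario.
CLUSTERS: Dict[str, Set[str]] = {
    "HubA": {"HubB"},
    "HubB": {"HubA"},
    "Server3": {"Server2"},
    "Server2": {"Server3"},
}

FAILOVER_SETTINGS = ("disabled", "last_hop", "all_transfers")


def choose_next_hop(route: List[str], hop_index: int, reachable: Callable[[str], bool],
                    failover: str, clusters: Dict[str, Set[str]] = CLUSTERS) -> Optional[str]:
    """Server to transfer to for hop `hop_index` of `route`, or None when the
    Router has to keep retrying the unavailable server."""
    if failover not in FAILOVER_SETTINGS:
        raise ValueError(f"unknown Cluster failover setting: {failover!r}")
    target = route[hop_index]
    if reachable(target):
        return target
    is_last_hop = hop_index == len(route) - 1
    if failover == "disabled" or (failover == "last_hop" and not is_last_hop):
        return None
    # Check the directory for a server clustered with the unavailable one.
    for mate in sorted(clusters.get(target, ())):
        if reachable(mate):
            return mate
    return None


def transfer_path(route: List[str], down: Set[str], failover: str,
                  clusters: Dict[str, Set[str]] = CLUSTERS) -> Optional[List[str]]:
    """Servers the message actually reaches along `route` (the hops after the
    originating server), or None at the first hop where it would have to wait."""
    path: List[str] = []
    for i in range(len(route)):
        nxt = choose_next_hop(route, i, lambda name: name not in down, failover, clusters)
        if nxt is None:
            return None
        path.append(nxt)
    return path


if __name__ == "__main__":
    route = ["HubA", "Server3"]            # Server1 -> HubA -> Server3
    for setting in FAILOVER_SETTINGS:
        print(f"{setting:14s} Server3 down: {transfer_path(route, {'Server3'}, setting)}"
              f"   HubA down: {transfer_path(route, {'HubA'}, setting)}")
```

With the default "Enabled for last hop only", an outage of HubA still stalls the message even though HubB is available; only "Enabled for all transfers in this domain" reroutes the intermediate hop.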

Managing undeliverable mail in MAIL.BOX


MAIL.BOX databases on the server may contain two types of undeliverable messages: dead messages, designated by a stop sign icon; and held messages, designated by a red exclamation point.
By default, when Domino cannot transfer or deliver a message (for example, when the address is typed incorrectly), the Router returns a delivery failure report to the sender. If the Router can neither deliver the message to its intended recipient (To, CC, or BCC) nor deliver the failure report to the sender (for example, when the recipient's address is typed incorrectly and the sender's mail server is unavailable), the Router changes the routing state of the message to Dead.
A message that is marked Dead lists the originator of the message in the Recipients field and the address to whom the originator first sent the message in the Intended Recipient field. You can correct addressing errors in these fields to resend a delivery failure report to the originator or the original message to its intended destination.
Undeliverable messages result when a server receives mail addressed to nonexistent local recipients. Some undeliverable messages might be legitimate, as in the case where a recipient's name is misspelled or the intended recipient has left the organization. But a high volume of undeliverable messages may represent what's known as a dictionary attack, in which a spam mailer attempts to harvest e-mail addresses in a domain by guessing every possible user name in the domain. The attacker directs a bogus mass-mailing to the target domain, using a list of names automatically generated by a script. The attacker then uses delivery failure reports returned from the target domain to determine which names are valid.
Held messages
In some cases, rather than letting Domino generate delivery failure
reports automatically, you may want to examine messages before
returning them. To trap undeliverable messages, you can configure the
Router to mark them as Held. For example, if you suspect that spam sites
are using delivery failure responses to test addresses in your
organization, you can hold undeliverable mail to eliminate this source of
feedback.
When you configure the Router to hold undeliverable messages, each
held message remains in MAIL.BOX indefinitely and is processed only if
an administrator releases the message.
Note If you configure MAIL.BOX to hold undeliverable messages,
examine the database frequently to check for accumulated messages.
You can prevent servers from accepting mail addressed to nonexistent
users by requiring Domino to check whether a recipient has a Person
document in the Domino Directory before it can accept a message.
For more information on configuring Domino to validate recipients
before accepting messages, see the topic Restricting users from receiving
Internet mail later in this chapter.
The Router also changes the routing state of a message to Held when
directed to do so by a mail rule.
By default, when you configure the Router to hold undeliverable mail, it
does not mark messages as Dead. Only if the Router cannot deliver a
held message or its delivery failure report after you release it for a final
delivery attempt does the Router mark any message Dead.
For each held or dead message, the views in MAIL.BOX display
information about when the server received the message, as well as the
sender and recipient, message size, and the reason why the message
failed. In addition, Dead messages display a Dead failure reason
explaining why the message could not be returned to the sender.
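The text above tells an administrator to examine pending mail and judge whether the backlog is legitimate misspellings or a dictionary attack. The following is an added example, not code from the manual or from IBM, of that triage over the columns the MAIL.BOX views show (received time, sender, recipient, size, failure reason): it groups held or dead messages by originator and flags sources whose failures name many distinct nonexistent local users. The records are constructed sample data; the failure-reason wording, the example.net and acme.example names, and the function names are assumptions of this example rather than Domino's actual text.

```python
"""Added triage of undeliverable mail in MAIL.BOX (example code, not IBM's)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# (received, sender, recipient, size in KB, failure reason)
Record = Tuple[str, str, str, int, str]

UNKNOWN_RECIPIENT = "not listed in Domino Directory"   # constructed reason text, not Domino's

# Constructed sample rows: six from one bulk sender at 2 AM, one likely typo, one server problem.
SAMPLE_HELD: List[Record] = [
    ("2002-10-01 02:14", "bulk@example.net", "aaron@acme.example", 3, "User aaron " + UNKNOWN_RECIPIENT),
    ("2002-10-01 02:14", "bulk@example.net", "abby@acme.example", 3, "User abby " + UNKNOWN_RECIPIENT),
    ("2002-10-01 02:15", "bulk@example.net", "adam@acme.example", 3, "User adam " + UNKNOWN_RECIPIENT),
    ("2002-10-01 02:15", "bulk@example.net", "alan@acme.example", 3, "User alan " + UNKNOWN_RECIPIENT),
    ("2002-10-01 02:16", "bulk@example.net", "alex@acme.example", 3, "User alex " + UNKNOWN_RECIPIENT),
    ("2002-10-01 02:16", "bulk@example.net", "Alex@acme.example", 3, "User Alex " + UNKNOWN_RECIPIENT),
    ("2002-10-01 09:30", "jdoe@partner.example", "jane.do@acme.example", 45, "User jane.do " + UNKNOWN_RECIPIENT),
    ("2002-10-01 10:02", "bob@acme.example", "carol@acme.example", 12, "Mail file is unavailable"),
]


def is_unknown_recipient(record: Record) -> bool:
    """True when the failure reason says the local recipient does not exist."""
    return UNKNOWN_RECIPIENT in record[4]


def unknown_recipient_ratio(records: List[Record]) -> float:
    """Share of pending messages addressed to nonexistent users (0.0 for an empty view)."""
    if not records:
        return 0.0
    return sum(1 for r in records if is_unknown_recipient(r)) / len(records)


def suspected_dictionary_attacks(records: List[Record], min_distinct_recipients: int = 5) -> Dict[str, int]:
    """Senders whose failures name at least `min_distinct_recipients` different
    nonexistent local users, the pattern of a scripted address-harvesting run.
    Addresses are compared case-insensitively so case variants do not inflate the count."""
    by_sender: Dict[str, set] = defaultdict(set)
    for record in records:
        if is_unknown_recipient(record):
            by_sender[record[1].lower()].add(record[2].lower())
    return {sender: len(rcpts) for sender, rcpts in sorted(by_sender.items())
            if len(rcpts) >= min_distinct_recipients}


def triage(records: List[Record], min_distinct_recipients: int = 5) -> dict:
    """Summary for the administrator: the unknown-user share, the suspected
    harvesting sources, and the remaining unknown-user failures that are
    probably ordinary misspellings worth correcting and releasing."""
    flagged = suspected_dictionary_attacks(records, min_distinct_recipients)
    probable_typos = [r for r in records
                      if is_unknown_recipient(r) and r[1].lower() not in flagged]
    return {"unknown_ratio": unknown_recipient_ratio(records),
            "suspected": flagged, "probable_typos": probable_typos}


if __name__ == "__main__":
    summary = triage(SAMPLE_HELD)
    print(f"unknown-recipient share: {summary['unknown_ratio']:.0%}")
    print("suspected harvesting sources:", summary["suspected"])
    for r in summary["probable_typos"]:
        print("probable typo to correct and release:", r[2], "from", r[1])
```

When a sender is flagged, the text's advice applies: hold undeliverable mail so the failure reports stop confirming which names are valid, and consider a shorter time-out so the retries stop loading the server.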

You can use the following tools to manage undeliverable mail in MAIL.BOX:
• Check MAIL.BOX for undelivered mail
• Edit the recipient and subject items of held or dead messages
• Release held and dead messages from MAIL.BOX
• Delete messages from MAIL.BOX

To check MAIL.BOX for undelivered mail
Periodically examine MAIL.BOX for messages, especially if you configure MAIL.BOX to hold undeliverable messages.
1. From the Domino Administrator, select the server on which you want to resolve undelivered mail.
2. Click the Messaging - Mail tab.
3. Select the MAIL.BOX database you want to examine by clicking Servername Mailbox (mail.box). On servers with multiple mailboxes, a separate view is available for each mailbox.
4. Check Held and Dead messages. You can do one of three things with undeliverable messages:
• Correct the addresses of the message recipients
• Release the messages to their intended recipients
• Delete the messages

To edit and release held or dead messages
Edit messages in MAIL.BOX to specify the destination address for resending the original message or resulting delivery failure report. You can also edit the Subject line to insert additional information about the message, such as the reason it was held or the name of the original recipient.
1. In the MAIL.BOX database, select the Held or Dead message for which you want to correct addresses and click Edit Message.
2. Edit the address in the Recipients field or Intended Recipient field as follows:
To edit the address of a held message:
To correct the destination address to which the Router resends an original message, edit the Recipient field. You can specify a Notes address or an Internet address.
When you release held messages, the Router ignores the entry in the Intended Recipient field.

To edit the address of a dead message:


To correct the destination address to which the Router resends the
original message, edit the address in the Intended Recipient field,
and click Release - Resend dead message to originally intended
recipient. You can specify a Notes address or an Internet address.
The Router ignores the entry in the Recipients field. The received
message displays the original recipient address.
To correct the destination address to which the Router resends the
delivery failure report for a dead message, change the address in the
Recipients field, and click Release - Return Non Delivery Report to
sender. You can specify a Notes address or an Internet address.
To release held and dead messages from MAIL.BOX
Depending on what caused a message to be retained in MAIL.BOX, you
may be able to successfully resend it to its originally intended recipients
or return a delivery failure report to the sender. For example, if messages
were marked held or dead as a result of a temporary network failure,
you may be able to release messages to their destinations after restoring
network connections. Or, if a message failed to reach its destination
because of a misspelled address, you can resend it by correcting the
address and releasing the message.
When deciding what to do with dead messages, always examine them
carefully before taking action. Check the message origin and the list of
intended recipients, and determine the failure reason. If the From or
Recipients fields of a dead message are blank or contain invalid
addresses, or if the failure reason indicates a null SMTP reverse path,
consider deleting the message, rather than releasing it.
1. From the Domino Administrator, select the server on which you
want to resolve undelivered mail.
2. Click the Messaging - Mail tab.
3. Click Servername Mailbox (mail.box) to select the MAIL.BOX
database to examine. On servers with multiple mailboxes, the view
displays each of the available mailboxes (mail1.box, mail2.box, and
so forth).

4. Select the held or dead messages to release and click the Release
button. Choose one of the following:

Release option: Resend all dead messages to originally intended
recipients
Description: The Router attempts to resend each dead message in
the current MAIL.BOX database to the originally intended recipient
(To, CC, or BCC), listed in the Intended Recipient field. If the Router
cannot deliver or transfer the message, it generates a delivery failure
report to the sender. If the NDR is also undeliverable, the Router
again marks the message Dead.
This action applies to all messages in the current MAIL.BOX database
only. On servers with multiple MAIL.BOX databases, dead messages in
other MAIL.BOX databases are not released.

Release option: Resend selected dead messages to originally intended
recipients
Description: The Router attempts to resend the selected dead message
to the originally intended recipient (To, CC, or BCC) listed in the
Intended Recipient field. If the Router cannot deliver or transfer the
message, it generates a delivery failure report to the sender. If the
NDR is also undeliverable, the Router again marks the message Dead.

Release option: Return Non Delivery Report to sender of all selected
dead messages
Description: The Router attempts to resend the delivery failure report
for the selected dead messages to the message originator specified in
the Recipients field. If the failure report is undeliverable, the Router
again marks the message Dead.

Release option: Resend selected held messages
Description: The Router attempts to resend the selected held messages
to the originally intended recipient (To, CC, or BCC) listed in the
Recipients field. The Router ignores the entry in the Intended
Recipient field. If the Router cannot transfer or deliver a released
message, it again marks the message Held.

Release option: Resend selected held messages for a final time
Description: The Router attempts to resend the selected held messages
to the originally intended recipient (To, CC, or BCC) listed in the
Recipients field. The Router ignores the entry in the Intended
Recipient field. If the Router cannot deliver the messages to the
recipients, it sends a nondelivery failure report to the message
originator and removes the message from MAIL.BOX. If the delivery
failure report cannot be sent, the Router marks the message Dead.

When you finish processing undeliverable messages, close the
MAIL.BOX database.
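The release options above amount to a small state machine for a held or dead message, and the earlier advice on dead messages amounts to a triage rule. The following Python model, added here as an illustration and not part of the manual or of Domino, encodes both: `MailboxMessage`, `reachable` and the `deliver` callback are constructed stand-ins for the MAIL.BOX fields and for the Router's transfer attempt, and the addresses and failure reasons in the sample are made up.

```python
from dataclasses import dataclass
from typing import Callable, List

# Stand-in for the Router's transfer or delivery attempt: address -> succeeded?
Deliver = Callable[[str], bool]


@dataclass
class MailboxMessage:
    """Constructed model of what the MAIL.BOX views show for a held or dead
    message (an illustration for this page, not a Domino data structure)."""
    state: str                    # "Held" or "Dead"
    sender: str                   # From
    recipients: List[str]         # Recipients field
    intended_recipient: str = ""  # Intended Recipient field (dead messages)
    failure_reason: str = ""
    in_mailbox: bool = True


def looks_like_address(addr: str) -> bool:
    """Accept an Internet address (local@domain) or a hierarchical Notes address."""
    addr = addr.strip()
    if "@" in addr:
        local, _, domain = addr.rpartition("@")
        return bool(local) and bool(domain)
    return "/" in addr


def triage_dead_message(msg: MailboxMessage) -> str:
    """The manual's advice: delete rather than release a dead message whose From or
    Recipients fields are blank or invalid, or whose failure reason names a null
    SMTP reverse path (there is no sender to return a report to)."""
    if not msg.sender.strip() or not any(r.strip() for r in msg.recipients):
        return "delete: blank From or Recipients"
    if "null reverse path" in msg.failure_reason.lower():
        return "delete: null SMTP reverse path"
    bad = [a for a in [msg.sender, *msg.recipients] if not looks_like_address(a)]
    if bad:
        return "delete: invalid address " + ", ".join(bad)
    return "release candidate"


def resend_dead(msg: MailboxMessage, deliver: Deliver) -> str:
    """Release - Resend dead message to originally intended recipient."""
    if deliver(msg.intended_recipient):
        msg.in_mailbox = False
        return "Delivered"
    # Delivery failed: a delivery failure report goes to the originator, whose
    # address a dead message carries in its Recipients field.
    if all(deliver(r) for r in msg.recipients):
        msg.in_mailbox = False
        return "NDR returned to sender"
    msg.state = "Dead"
    return "Dead"


def return_ndr(msg: MailboxMessage, deliver: Deliver) -> str:
    """Release - Return Non Delivery Report to sender."""
    if all(deliver(r) for r in msg.recipients):
        msg.in_mailbox = False
        return "NDR returned to sender"
    msg.state = "Dead"
    return "Dead"


def resend_held(msg: MailboxMessage, deliver: Deliver, final: bool = False) -> str:
    """Release - Resend selected held messages, or resend them for a final time."""
    if all(deliver(r) for r in msg.recipients):
        msg.in_mailbox = False
        return "Delivered"
    if not final:
        msg.state = "Held"  # a plain resend that fails leaves the message Held
        return "Held"
    # The final attempt failed: NDR to the originator, message leaves MAIL.BOX.
    if deliver(msg.sender):
        msg.in_mailbox = False
        return "NDR returned to sender, removed from MAIL.BOX"
    msg.state = "Dead"
    return "Dead"


def reachable(*addresses: str) -> Deliver:
    """Constructed delivery stand-in that succeeds only for the listed addresses."""
    ok = {a.lower() for a in addresses}
    return lambda addr: addr.lower() in ok
```

The difference that matters operationally is between `resend_held(..., final=False)`, which can leave a message cycling in MAIL.BOX indefinitely, and `final=True`, which guarantees the message leaves MAIL.BOX either delivered or as a nondelivery report, falling to Dead only when even the report cannot be sent.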

To delete messages from MAIL.BOX
The Router automatically deletes sent messages from MAIL.BOX. If you
cannot resend a message or delivery failure report, or choose not to
resend it, delete the message.
1. Select the Held or Dead messages to delete.
2. Click Delete Message. The messages are marked for deletion.
3. Press F9, and click Yes when prompted to delete the document.

Customizing the text of mail failure messages


You can customize the text of messages that Domino sends when various
mail failures occur. The text you specify is added to the default text for
the message. Customize messages to provide text in multiple languages
or supply users with additional information about how to respond to a
failure. For example, add text that provides the phone number to call in
case a mail message does not reach your server.
You can enter customized text directly on the Configuration Settings
document or create text files for each customized message and then use
the Configuration Settings document to specify the location of each file.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Advanced - Controls tab.
6. In the Failure Messages section, choose a method for specifying the
customized text for failure messages:
Method: Text file
Description: The Router adds customized text to failure messages
from external files. For each condition listed, enter the
complete path to a text file that contains customized text
you want to add to the default failure message.

Method: Text
Description: The Router adds customized text to failure messages
from text entered in the Configuration Settings
document. For each condition listed, enter the
customized text you want to add to the default failure
message.

7. Complete these fields, and then click Save & Close:

Field: Transfer failure
Enter: Transfer failures occur when there is a transient connection
failure between the servers, for example, a network problem.
If you specified Text in Step 6, enter text to add to the default
transfer failure message; otherwise specify the path to a file
containing the text, for example, C:\DOMINO\DATA\TRANSFER.TXT.

Field: Delivery failure
Enter: Delivery failures occur when the server is unable to deliver
the message to the recipient's mail file, for example, if the
recipient's mail file has moved and the Domino Directory has
not been properly updated.
If you specified Text in Step 6, enter text to add to the default
delivery failure message; otherwise specify the path to a file
containing the text, for example, C:\DOMINO\DATA\DELIVER.TXT.

Field: Message expiration
Enter: Message expiration failures occur when Domino cannot
transfer the message to its destination in a given period of time.
If you specified Text in Step 6, enter text to add to the default
message expiration notification; otherwise specify the path to
a file containing the text, for example, C:\DOMINO\DATA\EXPIRE.TXT.

Field: Domain failure
Enter: Domain failures occur when Domino cannot identify the
destination domain for a recipient of a message. For example,
if you send a message to jdoe@lotus.com and Domino cannot
locate lotus.com in either the Domino Directory or the DNS,
the server generates a domain failure message.
If you specified Text in Step 6, enter text to add to the default
message for domain failures; otherwise, specify the path to a file
containing the text, for example, C:\DOMINO\DATA\DOMAIN.TXT.

Field: Server failure
Enter: Server failures occur when Domino cannot connect to the
destination server. For example, if you send a message to
jdoe@lotus.com, and DNS instructs you to send mail for the
lotus.com domain to mail1.lotus.com but Domino cannot
connect to mail1.lotus.com, the sending Domino server
generates a server failure message.
If you specified Text in Step 6, enter text to add to the default
message for server failures; otherwise, specify the path to a
file containing the text, for example, C:\DOMINO\DATA\SERVER.TXT.

Field: Username failure
Enter: User name failures occur when Domino cannot match the
local part of an address to a recipient. For example, if you
send a message to jdoe@lotus.com, but Domino cannot find
jdoe in the Domino Directory, the server generates a user
name failure message.
If you specified Text in Step 6, enter text to add to the default
message for user name failures; otherwise, specify the path to
a file containing the text, for example, C:\DOMINO\DATA\USER.TXT.

Field: Size failure
Enter: Size failures occur when Domino rejects a message because its
size is greater than the maximum message size (which you
can specify in the Maximum message size field on the
Restrictions and Controls - Restrictions tab of the Server
Configuration document) and generates a size failure message.
If you specified Text in Step 6, enter text to add to the default
message for size failures; otherwise, specify the path to a file
containing the text, for example, C:\DOMINO\DATA\SIZE.TXT.

Field: Restriction failure
Enter: Restriction failures occur when Domino rejects a message
based on outbound Router restrictions. For example, if you
send a message to jdoe@lotus.com, but lotus.com is listed in
the Deny messages from the following Internet addresses to
be sent to the Internet field on the Router/SMTP - Restrictions
and Controls - SMTP Outbound Controls tab of the Server
Configuration document, Domino rejects the message and
generates a restriction failure message.
If you specified Text in Step 6, enter text to add to the default
message for restriction failures; otherwise, specify the path to
a file containing the text, for example, C:\DOMINO\DATA\RESTRICT.TXT.

Field: Delay notification
Enter: Low-priority routing delays occur when MAIL.BOX receives
a message that is marked low priority and the Router waits to
process the message until the specified low-priority routing
time (12:00 AM to 6:00 AM by default). If low-priority delay
notifications are enabled for the message, the Router sends a
delay notification to the originator's address.
If you specified Text in Step 6, enter text to add to the default
low-priority delay notification; otherwise, specify the path to
a file containing the text, for example, C:\DOMINO\DATA\DELAY.TXT.
Domino Release 5.0.x specified this file using the
MailTextFileForTransferDelays setting in the server's
NOTES.INI file. If this setting is present, it takes precedence
over the setting specified here.

Field: Quota warning notification
Enter: The Router sends Quota warning notifications to users whose
mail files exceed their configured quota warning threshold.
If you specified Text in Step 6, enter text to add to the default
quota warning notification; otherwise, specify the path to a
file containing the text, for example, C:\DOMINO\DATA\WARNING.TXT.

Field: Quota error notification
Enter: The Router sends Quota error notifications to users whose
mail files exceed their configured quota.
If you specified Text in Step 6, enter text to add to the default
quota error notification; otherwise, specify the path to a file
containing the text, for example, C:\DOMINO\DATA\QUOTA.TXT.

For information on setting inbound mail restrictions, see the topics
Restricting mail routing based on message size earlier in this
chapter and Restricting who can send Internet mail to your users
later in this chapter.
8. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.

Customizing Notes routing
To customize Notes routing in your organization, you can:
- Schedule routing for optimal efficiency
- Change the routing cost of connections between Domino servers
- Restrict mail routing based on Domino domains, organizations, and
organizational units

Scheduling Notes routing


By default, when using Notes routing, Domino can transfer messages
only to other servers in the same Notes Named Network (NNN). To
extend Notes routing beyond a single NNN you must create Connection
documents in the Domino Directory and specify a routing schedule.
Domino does not automatically create Connection documents for mail
routing.
Default schedule
By default, Connection documents instruct the Router to connect to the
destination server to transfer mail every six hours between 8:00 AM and
10:00 PM, or whenever the number of pending messages in MAIL.BOX
reaches 5. You can customize the schedule to specify the number of
pending messages that trigger routing, as well as the day, time range,
and repeat interval for a connection.
Using Connection documents to control routing within a Notes
Named Network (NNN)
You can use Connection documents to restrict routing within a NNN to a
specified schedule. Connection documents apply to both Notes routing
and SMTP routing. In the absence of any Connection documents, the
Router transfers all mail within a NNN immediately, except for
low-priority messages. If the Router is configured to use both SMTP and
Notes routing, it queues messages pending in MAIL.BOX for each
protocol separately. Regardless of the schedule, high-priority messages
continue to route immediately.
Forcing mail to route to a specific server
To force the server to immediately route all pending mail to another
server, use the Route command at the server console.
Routing schedules and low-priority messages
Routing schedules in Connection documents do not apply to low-priority
messages. Low-priority messages route only during the configured
low-priority mail interval, even among servers in the same Notes named
network.
You can configure Domino to designate messages over a certain size as
low-priority and send them when the server is less busy.
For more information on changing the priority of large messages and
scheduling the low-priority mail interval, see the topics Restricting mail
routing based on message size and Setting transfer limits earlier in
this chapter.
To schedule Notes routing
1. Make sure that you have already created the necessary Connection
documents.
See the chapter Setting Up Server-to-Server Connections.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Connections.
4. Select the Connection document for the server connection you want
to configure, and click Edit Connection.
5. Click the Schedule tab.
6. Complete these fields in the Scheduled Connection section:

Field: Schedule
Enter: Choose one:
- Enabled to use this schedule to control connections between the
specified servers.
- Disabled to cause the server to ignore the schedule.

Field: Call at times
Enter: One or more time ranges and/or specific times when you
want mail routing to occur each day, for example, 8:00 AM - 5:00 PM,
11:00 PM, 2:00 AM. The default is 8:00 AM - 10:00 PM.

Field: Repeat interval
Enter: The number of minutes between routing attempts; the
default is 360 minutes.

Field: Days of week
Enter: The days of the week when the server should use this
schedule and route mail. The default is to use this
connection for each day of the week.

7. Click the Replication/Routing tab.
8. Complete these fields in the Routing section, and then click Save &
Close:
Field: Routing task
Enter: Choose one or more:
- Mail Routing (default): Enables Notes mail routing between the servers
- X400 Mail Routing: Enables routing of X.400 mail between servers in
a system with an X.400 Message Transfer Agent
- SMTP Mail Routing: Enables routing of Internet mail to a server that
can connect to the Internet
- ccMail Routing: Enables routing of cc:Mail mail between servers in a
system with a cc:Mail Message Transfer Agent
- None: The Connection document is not used to route mail between
the servers

Field: Route at once
Enter: The number of normal-priority messages that accumulate
before the server routes mail. The default is 5.

Field: Routing cost
Enter: The relative cost of this server connection. Do not modify
this cost unless you are an experienced Domino administrator.

Field: Router type
Enter: How Domino routes mail between the servers.

9. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
For more information on Router types, see the chapter Setting Up Mail
Routing.
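The scheduling rules above (immediate transfer inside an NNN when no Connection document exists, the Call at times range with its Repeat interval, the Route at once threshold, high-priority mail routing immediately, and low-priority mail waiting for the low-priority interval) combine into one decision the Router makes per destination. The following Python model is an added illustration written for this page, not Domino's own code: `ConnectionDoc`, `router_transfers_now` and the constructed timestamps are assumptions, `days_of_week` uses Python's weekday numbering, and a blank Repeat interval is modelled as no wait between calls.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import FrozenSet, List, Optional, Tuple


# Constructed model of the Scheduled Connection and Routing fields of a
# Connection document. Field names follow the manual; the class itself is an
# assumption made for this example, not a Domino API.
@dataclass
class ConnectionDoc:
    schedule_enabled: bool = True
    # "Call at times": (start, end) is a time range; (t, None) is a single time.
    call_at_times: List[Tuple[time, Optional[time]]] = field(
        default_factory=lambda: [(time(8, 0), time(22, 0))])  # default 8:00 AM - 10:00 PM
    repeat_interval: Optional[int] = 360      # minutes; None models a blank field
    days_of_week: FrozenSet[int] = frozenset(range(7))  # datetime.weekday(): Mon=0 .. Sun=6
    route_at_once: int = 5                    # pending normal-priority messages that trigger routing


# Default low-priority routing time given in the manual: 12:00 AM to 6:00 AM.
LOW_PRIORITY_WINDOW = (time(0, 0), time(6, 0))

# Constructed timestamps used by the sample calls below.
WED_0900 = datetime(2002, 1, 9, 9, 0)    # a Wednesday, inside the default window
WED_1000 = datetime(2002, 1, 9, 10, 0)
WED_1500 = datetime(2002, 1, 9, 15, 0)
WED_2300 = datetime(2002, 1, 9, 23, 0)   # outside the default window
SUN_0300 = datetime(2002, 1, 6, 3, 0)    # a Sunday, inside the low-priority window


def in_window(now: time, start: time, end: time) -> bool:
    """True when now lies within [start, end]; a range may wrap past midnight."""
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def schedule_calls_now(doc: ConnectionDoc, now: datetime,
                       last_attempt: Optional[datetime]) -> bool:
    """Does the Connection document's schedule call for a connection at now?"""
    if not doc.schedule_enabled or now.weekday() not in doc.days_of_week:
        return False
    for start, end in doc.call_at_times:
        if end is None:
            # A specific time: the Router calls during that minute.
            if (now.hour, now.minute) == (start.hour, start.minute):
                return True
        elif in_window(now.time(), start, end):
            # Inside a range: call at once, then again every repeat_interval minutes.
            if last_attempt is None or doc.repeat_interval is None:
                return True
            if now - last_attempt >= timedelta(minutes=doc.repeat_interval):
                return True
    return False


def router_transfers_now(priority: str, pending_normal: int, same_nnn: bool,
                         doc: Optional[ConnectionDoc], now: datetime,
                         last_attempt: Optional[datetime] = None) -> bool:
    """Apply the manual's rules to decide whether the Router transfers mail now.

    priority       -- "high", "normal" or "low"
    pending_normal -- normal-priority messages waiting in MAIL.BOX for this destination
    same_nnn       -- destination server is in the same Notes Named Network
    doc            -- Connection document for the destination, or None if there is none
    """
    if priority == "high":
        return True  # high-priority mail routes immediately regardless of schedule
    if priority == "low":
        # Low-priority mail waits for the low-priority interval, even inside an NNN.
        return in_window(now.time(), *LOW_PRIORITY_WINDOW)
    if doc is None:
        # No Connection document: immediate inside the NNN, no route beyond it.
        return same_nnn
    if pending_normal >= doc.route_at_once:
        return True  # "Route at once" threshold reached
    return schedule_calls_now(doc, now, last_attempt)
```

With the default document, a normal-priority message queued at 9:00 AM on a weekday goes out at once, a second one at 10:00 AM waits for the 360-minute repeat interval (3:00 PM), and one queued at 11:00 PM waits for the next day's window unless five messages accumulate first.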

Example: Scheduling immediate 24 x 7 routing
To route mail immediately 24 hours a day, 7 days a week, create a
routing schedule for a 24-hour, 7-day period. Then set routing to begin as
soon as MAIL.BOX contains a single pending message.
1. Complete these fields in the Scheduled Connection section of the
Connection document:

Field: Schedule
Enter: Enabled

Field: Call at times
Enter: 12:00 AM - 12:00 PM

Field: Repeat interval
Enter: Blank

Field: Days of week
Enter: Select Sun, Mon, Tue, Wed, Thu, Fri, Sat

2. Complete this field in the Routing section of the Replication/Routing
tab.

Field: Route at once if
Enter: 1 message pending

3. Update the routing configuration to ensure that the new schedule
takes effect.

Changing the routing cost for a connection
Notes routing assigns a routing cost to each connection and uses these
costs to select the most efficient way to route mail from one server to
another. The Router computes and stores information about these costs
in its routing tables. If there is more than one possible route for mail to
travel between the source server and the destination server for the
message, the Router uses routing cost information in the tables to
calculate the least-cost route for the message.
The Router uses information in Server, Domain, and Connection
documents to create the routing tables. A LAN connection has low cost; a
dialup modem connection has high cost. By default, each LAN
connection has a cost of 1, while each dialup modem connection has a
cost of 5.
If server connections are disrupted or a network fails, the Router selects
an alternate path and increases the cost for the path that failed.
How the Router chooses a route
1. It calculates and selects the least-cost route.
2. If the least-cost route fails, for example, if there is no answer or if
the network times out, the Router increases the cost of the initial
route by 1. For example, if a LAN connection between Server A and
Server B initially has a cost of 1 but the connection fails during an
attempted transfer, the Router increases the cost of that LAN
connection between Server A and Server B to 2.
3. The next time the Router tries to transfer mail between servers, it
again looks for the least-cost route between those servers. If there is
an alternate route that is equal in cost and requires fewer hops, the
Router selects that alternate route. For example, if there are two
paths between Server A and Server B, each with a total cost of 4, the
Router examines the number of hops in each path. If one route
requires three hops but the other requires only two hops, the Router
uses the path that requires two hops because the costs are equal.
The Router resets the cost for a connection when:
- The server receives an inbound connection from the failed server
- The dynamic cost interval occurs
- You stop and restart the Router

The routing tables reside in memory and are dynamic. When you restart
the server or modify a Connection, Server, Configuration Settings, or
Domain document, the Router rebuilds the routing tables.
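The route selection just described (lowest total cost wins, equal cost broken by fewer hops, a failed connection's cost raised by 1, costs reset on an inbound connection, at the dynamic cost interval or on restart) can be exercised on a small constructed topology. The `RoutingTable` class below is an added example written for this page, not Domino's routing code; the server names A, B, C, D and their connection costs are assumptions, and the reset and failure methods model the manual's description rather than any Domino API.

```python
import heapq
from typing import Dict, List, Optional, Tuple

INF = float("inf")
Edge = Tuple[str, str]


class RoutingTable:
    """Constructed model of the Router's in-memory routing table (an illustration
    written for this page, not Domino's own code)."""

    LAN_COST = 1      # default cost of a LAN connection
    DIALUP_COST = 5   # default cost of a dialup modem connection

    def __init__(self) -> None:
        self.base_cost: Dict[Edge, int] = {}     # cost from the Connection document
        self.current_cost: Dict[Edge, int] = {}  # dynamic cost, raised after failures

    def add_connection(self, src: str, dst: str, cost: int = LAN_COST) -> None:
        self.base_cost[(src, dst)] = cost
        self.current_cost[(src, dst)] = cost

    def record_failure(self, src: str, dst: str) -> None:
        """A transfer over this connection failed: raise its cost by 1."""
        self.current_cost[(src, dst)] += 1

    def reset_cost(self, src: Optional[str] = None, dst: Optional[str] = None) -> None:
        """Restore base costs, as happens on an inbound connection from the failed
        server, at the dynamic cost interval, or when the Router restarts."""
        for edge in self.current_cost:
            if src is None or edge == (src, dst):
                self.current_cost[edge] = self.base_cost[edge]

    def least_cost_route(self, src: str, dst: str) -> Optional[Tuple[List[str], int, int]]:
        """Return (path, total_cost, hops) for the cheapest route; among routes of
        equal cost the one with fewer hops wins. None when no route exists."""
        best: Dict[str, Tuple[float, float]] = {src: (0, 0)}
        previous: Dict[str, str] = {}
        heap: List[Tuple[int, int, str]] = [(0, 0, src)]
        while heap:
            cost, hops, node = heapq.heappop(heap)
            if (cost, hops) > best.get(node, (INF, INF)):
                continue  # stale heap entry
            if node == dst:
                break
            for (a, b), weight in self.current_cost.items():
                if a != node:
                    continue
                candidate = (cost + weight, hops + 1)
                if candidate < best.get(b, (INF, INF)):
                    best[b] = candidate
                    previous[b] = node
                    heapq.heappush(heap, (candidate[0], candidate[1], b))
        if dst not in best:
            return None
        path = [dst]
        while path[-1] != src:
            path.append(previous[path[-1]])
        path.reverse()
        total, hops = best[dst]
        return path, int(total), int(hops)


def build_sample_table() -> RoutingTable:
    """Constructed topology: a direct LAN link A-B, a two-hop LAN path A-C-B,
    and a dialup link A-D followed by a LAN link D-B."""
    table = RoutingTable()
    table.add_connection("A", "B")
    table.add_connection("A", "C")
    table.add_connection("C", "B")
    table.add_connection("A", "D", RoutingTable.DIALUP_COST)
    table.add_connection("D", "B")
    return table
```

One failure on A-B raises its cost to 2, equal to the A-C-B path; the direct link still wins on hop count. A second failure raises it to 3 and the Router switches to A-C-B until the cost is reset.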
To override the default routing cost
You can override the default setting for the routing cost for a connection.
You can change this setting only for connections between servers in
different Notes named networks. Change the default routing cost for a
connection only if you are an experienced Domino administrator.
Improperly changing routing costs can create routing loops and disable
the Router's selection of an alternate route.
1. Make sure that you have already created the necessary Connection
documents.
For more information on Connection documents, see the chapter
Setting Up Server-to-Server Connections.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Connections.
4. Select the Connection document for the server connection you want
to configure, and click Edit Connection.
5. Click the Replication/Routing tab.

6. Complete this field, and then click Save & Close:

Field: Routing cost
Enter: A number from 1 to 10. The default is 1. The Router
chooses connections with lower cost first; for example,
the Router chooses a connection with a cost of 2 over a
connection with a cost of 3.


7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.

Restricting mail routing based on Domino domains, organizations,
and organizational units
You can use two methods to restrict how mail routes over Notes routing
in your infrastructure.
- Create Adjacent domain documents in the Domino Directory to keep
users from routing mail through your domain to another domain.
For example, if you have a connection from your domain, Acme, to
the Lotus domain and the IBM domain, you might set up an
Adjacent domain document to keep users in the Lotus domain from
routing to the IBM domain through the Acme domain. Using these
restrictions reduces the mail load on your system. Adjacent domain
documents keep users from using your domain as a Notes mail relay.
For more information on Adjacent domain documents, see the
chapter Setting Up Mail Routing.
- Specify restrictions in the Configuration Settings document in the
Domino Directory to restrict mail from specified Domino domains.

To restrict Notes mail routing


1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration document for the mail server or servers you
want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Restrictions tab.

6. Complete these fields in the Router Restrictions section, and then
click Save & Close:

Field: Allow mail only from domains
Enter: Domino domains from which the server accepts mail. If
you enter Domino domains in this field, only messages
from those domains can enter your domain over Notes
routing. Domino denies mail from all other Domino
domains. For example, if you enter Lotus in the field,
Domino accepts only messages sent from the Lotus domain
to your users. Domino denies messages sent from all other
Domino domains.
This restriction does not affect mail in the local Domino domain.

Field: Deny mail from domains
Enter: Domino domains from which the server denies mail. If you
enter Domino domains in this field, all messages except
those from the domains listed in this field can route to your
users. For example, if you enter Lotus in the field, Domino
accepts messages from all Domino domains except the
Lotus domain. Domino denies messages from the Lotus domain.
This restriction does not affect mail in the local Domino domain.

Field: Allow mail only from the following organizations and
organizational units
Enter: Organizations and/or organizational units from which the
server accepts mail. If you enter organizations and/or
organizational units in this field, only messages from users
in those organizations and/or organizational units can
enter your domain over Notes routing. Domino denies
mail from all other organizations and/or organizational
units. For example, if you enter */East/Lotus in the field,
Domino accepts only messages from the /East/Lotus
organizational unit to your users. Domino denies messages
from organizations and/or organizational units other than
*/East/Lotus.

Field: Deny mail only from the following organizations and
organizational units
Enter: Organizations and/or organizational units from which the
server does not accept mail. If you enter organizations or
organizational units in this field, all messages except those
from users in the organizations and/or organizational
units in this field can enter your domain over Notes
routing. Domino denies mail only from organizations
and/or organizational units in this field. For example, if
you enter */West/Lotus in the field, Domino accepts
messages from all organizations and organizational units
except /West/Lotus. Domino denies messages from the
/West/Lotus organizational unit.

Note If you specify the same entry in an Allow field and a Deny
field so there is a conflict between the two fields, Domino denies
messages for that entry. The Deny setting takes precedence for
security reasons. Avoid placing the same entry in both the Allow and
Deny fields for the same setting.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
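The four Router Restrictions fields, the local-domain exemption and the rule that a Deny entry wins over an Allow entry can be checked against sample senders before the settings are saved. The following Python evaluator is an added example written for this page, not Domino's code: `RouterRestrictions` and `router_decision` are assumptions, the Acme/Lotus/IBM domains and user names are constructed, and one point the manual leaves open is resolved as an assumption noted in the code (the organization fields are applied to every sender, since the manual exempts local-domain mail only from the domain fields).

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class RouterRestrictions:
    """Constructed model of the Router Restrictions fields described above
    (an illustration for this page, not a Domino API)."""
    allow_only_from_domains: List[str] = field(default_factory=list)
    deny_from_domains: List[str] = field(default_factory=list)
    allow_only_from_orgs: List[str] = field(default_factory=list)
    deny_from_orgs: List[str] = field(default_factory=list)


def name_components(name: str) -> List[str]:
    """Split a hierarchical Notes name into lower-cased components, accepting the
    canonical form (CN=Jane Doe/OU=East/O=Lotus) and the abbreviated form
    (Jane Doe/East/Lotus). A leading '*' wildcard is kept as a component."""
    parts = []
    for part in name.split("/"):
        part = part.strip()
        if "=" in part and part.split("=", 1)[0].upper() in ("CN", "OU", "O", "C"):
            part = part.split("=", 1)[1]
        if part:
            parts.append(part.lower())
    return parts


def org_matches(pattern: str, name: str) -> bool:
    """'*/East/Lotus' matches any name whose trailing components are East/Lotus
    with at least one component before them; a pattern without '*' must match
    the whole name."""
    pat = name_components(pattern)
    who = name_components(name)
    if pat and pat[0] == "*":
        tail = pat[1:]
        return len(who) > len(tail) and who[-len(tail):] == tail
    return who == pat


def router_decision(rules: RouterRestrictions, sender_name: str, sender_domain: str,
                    local_domain: str) -> Tuple[bool, str]:
    """Decide whether a Notes-routed message from sender_name in sender_domain
    may enter local_domain. Deny entries win over Allow entries, as the note
    above states."""
    if sender_domain.lower() != local_domain.lower():
        # Domain fields do not affect mail already in the local Domino domain.
        if sender_domain.lower() in (d.lower() for d in rules.deny_from_domains):
            return False, "domain %s is in Deny mail from domains" % sender_domain
        if rules.allow_only_from_domains and sender_domain.lower() not in (
                d.lower() for d in rules.allow_only_from_domains):
            return False, "domain %s is not in Allow mail only from domains" % sender_domain
    # Assumption for this example: organization fields apply to every sender.
    for pattern in rules.deny_from_orgs:
        if org_matches(pattern, sender_name):
            return False, "sender matches denied organization %s" % pattern
    if rules.allow_only_from_orgs and not any(
            org_matches(p, sender_name) for p in rules.allow_only_from_orgs):
        return False, "sender matches no allowed organization"
    return True, "accepted"
```

Run the evaluator over the sender population you expect (the pattern `*/East/Lotus` does not match a user in `/NorthEast/Lotus`, for instance) before reloading the routing configuration, since an Allow list silently denies everything it does not name.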

Customizing SMTP Routing
If you enabled SMTP routing, you can customize it by:
- Stopping and starting the SMTP service
- Changing the inbound and outbound SMTP port settings
- Restricting inbound SMTP routing
- Restricting outbound SMTP routing
- Specifying inbound and outbound MIME settings

Stopping and starting the Domino SMTP service
The Domino SMTP service, or SMTP Server task, runs the SMTP listener,
which checks for incoming SMTP connections and messages. SMTP
messages can originate from any Internet host or another Domino Server
in your domain. For Domino to receive inbound SMTP mail, the SMTP
listener must be running on the server.
The SMTP service does not control SMTP routing. SMTP routing is
handled by the server's Router task.
If the SMTP listener task is enabled on the Basics tab of the Server
document, the SMTP service starts automatically when you start the
server. You can stop and start the SMTP service manually from the
Domino Administrator client or the server console. The following table
shows how to restart, stop, and start the SMTP service using both
methods.
Task: Restart the SMTP service
From the Domino Administrator:
1. Click the Server - Status tab and select the Server Tasks view.
2. Select SMTP Server from the list of tasks.
3. Click Tools - Task - Restart, and then click Yes.
From the server console, enter:
Restart Task SMTP

Task: Stop the SMTP service
From the Domino Administrator:
1. Click the Server - Status tab and select the Server Tasks view.
2. Select SMTP Server from the list of tasks.
3. Click Tools - Task - Stop, and then click Yes.
From the server console, enter:
Tell SMTP quit

Task: Start the SMTP service
From the Domino Administrator:
1. Click the Server - Status tab and select the Server Tasks view.
2. Click Tools - Task - Start.
3. From the list of server tasks, select SMTP Server.
4. Click Start Task.
5. Click Done to close the Start New Task dialog box.
From the server console, enter:
Load SMTP

Note The SMTP Server task is represented in the server task list by
three related subtasks. The status of all three tasks changes when you
change the status of any one of them.
As an alternative to restarting the SMTP service to incorporate
configuration updates, you can use a console command to refresh SMTP
service parameters.
For information on using a console command to refresh the SMTP
configuration, see the chapter Setting Up Mail Routing.

Changing SMTP port settings


You can modify inbound and outbound SMTP port settings.

- Inbound SMTP port settings determine how the Domino SMTP
listener receives SMTP connections from other servers. For inbound
connections, you can specify the port numbers, port status, and
authentication methods required for both TCP/IP and SSL ports.
For more information, refer to the topic Changing the inbound
SMTP port settings later in this chapter.
- Outbound SMTP settings determine how Domino makes SMTP
connections to other servers. For outbound connections, you can
change the default port numbers and status of the TCP/IP and SSL
ports.
For more information, refer to the topic Changing the outbound
SMTP port settings later in this chapter.

Configuring SMTP authentication options on servers that use
Internet Site documents
On servers that use Internet Site documents, the SMTP service obtains
inbound port authentication settings from the Security tab of the SMTP
Site document, rather than from the Server document. As a result, when
Internet Site documents are used, the TCP/IP and SSL port
authentication settings described in the procedures that follow are not
available in the Server document. Settings in the Server document
continue to provide the inbound SMTP port number and status and
determine whether the Domino server allows incoming connections from
the authenticated user.
To determine whether the use of Internet Site documents is enabled for a
server, check the value of the following field on the Basics tab of the
Server document: Load Internet configurations from Server\Internet
Sites documents. If this field is set to Enabled, the server uses Internet
Site documents to configure all of its Internet protocols (SMTP, POP3,
IMAP, and so forth).
If the server uses Internet Site documents, and an Inbound SMTP Site
document is not present in the Domino Directory, or the authentication
options in a configured Inbound SMTP Site document are set to No, the
SMTP service rejects incoming connections. In each case, connecting
hosts receive the following error when attempting to authenticate with
the SMTP service:
This site is not enabled on the server.

For information on creating and using Internet Site documents, see the
chapter Installing and Setting Up Domino Servers.

Ensuring that SMTP clients can connect to a nonstandard port
Because remote SMTP clients attempt to connect to port 25 by default, if
you specify a different port number, be sure to configure connecting
clients to use the new port; otherwise inbound SMTP connections will
fail. This can cause routing problems, especially if the server with the
nonstandard SMTP port acts as a relay host for outbound Internet mail.

Customizing the Domino Mail System 28-59

Mail

To configure your other Domino servers to transfer outbound SMTP mail
to a nonstandard SMTP port, change the Outbound SMTP setting on the
Port - Internet Ports - Mail tab of the Server document.
For example, if a server must initiate an SMTP session with a receiving
server on which the SMTP task is listening on port 26, set the SMTP
Outbound port to 26 on the Server document of the initiating server.

Configuring SMTP port security
To prevent unauthorized access to the SMTP Listener and to protect
SMTP sessions from eavesdropping, you can require users and servers to
provide name and password credentials to authenticate with the server,
and you can enable the use of SSL to encrypt both inbound and
outbound SMTP sessions.
On servers that support SSL, you can encrypt SMTP mail sessions by
having the server send and receive mail over the SSL port (port 465 by
default). Domino also supports negotiated SSL for both inbound and
outbound sessions, which allows for encryption over the TCP/IP port
between servers that support the STARTTLS command.
For information on the STARTTLS command, see the topic Securing
SMTP sessions using the STARTTLS command later in this chapter.
You can restrict access to the SMTP listener so that only users who are
allowed to access the server can connect to the server's inbound SMTP
port. For more information on securing the SMTP port, refer to the topic
"Changing the inbound SMTP port settings" later in this chapter. For
more information on restricting server access, see the chapter
"Controlling Access to Domino Servers."

Changing the inbound SMTP port settings
Inbound port settings affect how other SMTP hosts connect to Domino.
For inbound connections, you can specify TCP/IP port settings and SSL
port settings. For both ports you can define port numbers, port status,
and the supported authentication methods.
Configuring SMTP authentication options on servers that use
Internet Site documents
On servers that use Internet Site documents, the SMTP service obtains
port authentication settings from the Security tab of the SMTP Inbound
Site document, rather than from the Server document. As a result, when
Internet Site documents are used, you cannot use the Server document to
configure TCP/IP and SSL authentication settings for the SMTP port.
Settings in the Server document still provide the port numbers and status
for the SMTP TCP/IP and SSL ports, and enable the SMTP ports to honor
server access restrictions.
To determine whether the use of Internet Site documents is enabled for a
server, check the value of the following field on the Basics tab of the
Server document: Load Internet configurations from Server\Internet
Sites documents. If this field is set to Enabled, the server uses Internet
Site documents to configure all of its Internet protocols (SMTP, IMAP,
POP3, and so forth).
If the server uses Internet Site documents, then you must use Site
documents to configure all Internet protocols on the server. If an SMTP
Site document is not present in the Domino Directory, or the
authentication options in a configured SMTP Site document are set to
No, users cannot connect to the SMTP service. In each case, SMTP clients
receive the following error when attempting to connect to the SMTP
service:
This site is not enabled on the server.

For information on creating and using Internet Site documents, see the
chapter "Installing and Setting Up Domino Servers."
Changing the default port number
By default, after you enable the SMTP task, it listens for client
connections on TCP/IP port 25 on the Domino server. The default SMTP
SSL port is port 465. In some cases (for example, on partitioned servers)
you might need to specify a port number other than the default to
avoid conflicts. You might also change the default port to a nonstandard
port number to hide it from clients attempting to connect to the default
port, or if another application uses the default port on the server.
Disabling the SMTP inbound TCP/IP port or SSL port prevents other
servers from accessing the SMTP Listener on that port.
Note: On servers with multiple TCP/IP ports, by default, the SMTP
service uses the port listed first in the NOTES.INI file as the preferred
path. You can configure the service to use a different port.
For information on configuring the SMTP service on a server with
multiple TCP/IP ports to use a specific TCP/IP port, see the chapter
"Setting Up the Domino Network."
Changing the default SMTP greeting
You can modify the default reply that the SMTP service sends in
response to a connecting host. By default, the Domino SMTP server
reveals its host name and software version to connecting clients. For
security reasons, you can change the default greeting so that the server
does not disclose essential information. Use the variable SMTPGreeting
in the NOTES.INI file to customize the SMTP service greeting.
To change inbound SMTP TCP/IP port settings
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the SMTP
service.
2. Click the Ports - Internet Ports - Mail tab.
3. In the Mail (SMTP Inbound) column, complete these fields, and then
click Save & Close:

Field: TCP/IP port number
Enter: Choose 25 (default) to use the industry standard port for SMTP
connections over TCP/IP. You can specify a different port, but 25 works
in most situations. When specifying a nonstandard port, make sure the
port is not reserved for another service. Port numbers can be any number
from 1 to 65535.

Field: TCP/IP port status
Enter: Choose one:
Enabled (default): SMTP clients can connect to the Domino SMTP service
using the designated TCP/IP port. Depending on the authentication
options you choose, users may have to supply a user name and Internet
password to connect.
Disabled: SMTP clients cannot connect to the Domino SMTP service using
the TCP/IP port.

Field: Enforce server access settings
Enter: Choose one:
Yes: Access to the SMTP listener is controlled by the server access
settings on the Security tab of the Server document. Users and servers
that are not allowed to access the server cannot send mail to the SMTP
port. For this option to be effective you must enable authentication for
the port.
No (default): The SMTP listener ignores the server access settings in the
Server document. Users and servers can send mail to the SMTP port, even
if they are denied other access to the server.

Field: Authentication options: Name & password
Enter: Choose one:
Yes: Sets the ESMTP AUTH extension for the TCP/IP port. Domino
advertises AUTH=LOGIN to connecting SMTP clients. Clients must supply a
user name and Internet password to connect to the SMTP service over the
TCP/IP port and transfer mail. Remote SMTP servers that do not support
the AUTH extension cannot connect to the SMTP service over this port.
When Name and password authentication is enabled, you can specify
whether authenticated POP3 and IMAP users sending mail to the SMTP port
are subject to anti-relay enforcement.
No (default): Domino does not support Name-and-password authentication
over the TCP/IP port. If you choose No, you must enable Anonymous
connections to allow SMTP connections to this port.
On servers supporting negotiated SSL on the inbound TCP/IP port
(STARTTLS), the setting in the SSL Name & password field, not the
setting in the TCP/IP Name & password field, determines whether the
server accepts SMTP AUTH commands for SSL-over-TCP/IP sessions. For
information about enabling support for STARTTLS, see the topic
"Supporting inbound SMTP extensions" later in this chapter.

Field: Authentication options: Anonymous
Enter: If the TCP/IP port status is set to Enabled, choose one:
Yes (default): The SMTP service allows clients and servers to connect to
the TCP/IP port anonymously to transfer mail. If both Name and password
and Anonymous authentication are enabled (set to Yes), the port allows
connections from SMTP hosts that supply a name and password as well as
those that connect anonymously.
No: The SMTP service does not allow anonymous connections over the
TCP/IP port. SMTP hosts can connect to the TCP/IP port only if Name &
password authentication for the port is set to Yes, and the connecting
host must send the SMTP AUTH command.

Note: If you enable the TCP port, at least one authentication option
must be set to Yes to save the document.
Note: To support inbound SMTP connections, the server must have
at least one SMTP port enabled and be running the SMTP task.


4. Restart the SMTP task to put the new settings into effect.
As an alternative to restarting the SMTP service to incorporate
configuration updates, you can use a console command to refresh
SMTP service parameters.
For information on using a console command to refresh the SMTP
configuration, see the chapter Setting Up Mail Routing.
If you change the default SMTP port, inbound SMTP connections fail if
the connecting host is not configured to use the new port. See the topic
Ensuring that SMTP clients can connect to a nonstandard port earlier
in this chapter for information about configuring Domino servers to
connect to nonstandard SMTP ports.
To change inbound SMTP SSL port settings
1. Familiarize yourself with the Domino security model.
2. To secure SMTP sessions using SSL, set up SSL on the Domino
server.
3. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the SMTP
service.
4. Click the Ports - Internet Ports - Mail tab.
5. In the Mail (SMTP Inbound) column, complete these fields, and then
click Save & Close:

Field: SSL port number
Enter: Choose 465 (default) to use the industry standard port for SMTP
connections over SSL. You can specify a different port, but 465 works in
most situations. When specifying a nonstandard port, make sure the port
is not reserved for another service. Port numbers can be any number from
1 to 65535.

Field: SSL port status
Enter: Choose one:
Enabled: SMTP clients can connect to the Domino SMTP service using the
designated SSL port.
Disabled (default): SMTP clients cannot connect to the Domino SMTP
service using the designated SSL port.

Field: Authentication options: Name & password
Enter: Choose one:
Yes: Enables the SSL port to support the SMTP AUTH command. POP3 and
IMAP clients, and remote SMTP servers that send AUTH, must supply a name
and password to connect to the SMTP service over the SSL port and
transfer mail. To allow remote SMTP servers that do not send the SMTP
AUTH command to connect to the SMTP service over this port, set
Anonymous authentication to Yes.
No (default): Domino does not support name and password authentication
for hosts connecting to the SMTP service over the SSL port. If a
connecting host sends AUTH, Domino rejects the command and returns an
error indicating that the command is not implemented. If you choose No,
you must set Anonymous authentication to Yes to allow SMTP connections
to this port.
On servers supporting negotiated SSL on the inbound TCP/IP port
(STARTTLS), the setting in the SSL Name & password field, not the
setting in the TCP/IP Name & password field, determines whether the
server accepts SMTP AUTH commands for SSL-over-TCP/IP sessions.

Field: Authentication options: Anonymous
Enter: If the SSL port status field is set to Enabled, choose one:
Yes (default): The SMTP service allows clients and servers to connect to
the SSL port anonymously to transfer mail. If Anonymous is set to Yes and
Name and password authentication is also set to Yes, IMAP and POP3
clients are prompted to supply a name and password when connecting to
this port, but servers can connect anonymously.
No: The SMTP service does not allow anonymous connections over the SSL
port. IMAP and POP3 clients, and servers that send the SMTP AUTH
command, may connect to the SSL port if you set Name and password
authentication for the port to Yes.

6. Restart the SMTP task to put the new settings into effect.
As an alternative to restarting the SMTP service to incorporate
configuration updates, you can use a console command to refresh
SMTP service parameters.
For information on using a console command to refresh the SMTP
configuration, see the chapter Setting Up Mail Routing.

If you change the default SSL port, inbound SMTP SSL connections fail
unless the connecting host is configured to use the new port.
For information about configuring Domino servers to connect to
nonstandard SMTP ports, see the topic Ensuring that SMTP clients can
connect to a nonstandard port earlier in this chapter.
For information about enabling support for STARTTLS, see the topic
Securing SMTP sessions using the STARTTLS command later in this
chapter.

Changing outbound SMTP port settings
Outbound SMTP port settings affect how Domino connects to other
SMTP servers. Change the default port numbers and the status of the
TCP/IP and SSL ports to match the settings on servers to which this
server sends SMTP mail.
The outbound port settings apply to all outbound SMTP sessions. If you
change an outbound port number to a nonstandard value, the server
cannot establish SMTP connections with servers that listen for SMTP
requests on the standard port. Similarly, if you set up the server to send
SMTP over SSL only, disabling the outbound SMTP TCP/IP port, the
server cannot establish SMTP connections with a remote server that
accepts SMTP connections over the TCP/IP port only.
To change outbound SMTP port settings
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the SMTP
service.
2. Click the Ports - Internet Ports - Mail tab.

3. In the Mail (SMTP Outbound) column, complete these fields, and
then click Save & Close:

Field: TCP/IP port number
Enter: The number of the TCP/IP port on the remote server to which
Domino attempts to connect when initiating an SMTP session. The default
and industry standard port for SMTP connections over TCP/IP is 25.
Specify a nonstandard port only if this Domino server makes all of its
outbound SMTP connections over TCP/IP to a server that uses the
nonstandard port.

Field: TCP/IP port status
Enter: Choose one:
Enabled: The Domino SMTP Router connects to the designated TCP/IP port
number on a remote server to initiate an SMTP session. If the SSL port
status is also set to Enabled, the Router attempts to use the SSL port
first and uses the TCP/IP port only if it cannot connect to the SSL port.
Disabled (default): The Domino SMTP Router cannot initiate an SMTP
session using the TCP/IP port on a remote server.
Negotiated SSL: The Domino SMTP Router connects to the designated TCP/IP
port on a remote server to initiate an SMTP session. If the remote server
advertises STARTTLS during the EHLO greeting, Domino issues a STARTTLS
command to request that the remainder of the session be encrypted using
SSL. If the remote server does not support STARTTLS, an unencrypted
TCP/IP session ensues.

Field: SSL port number
Enter: The number of the SSL port on the remote server to which Domino
attempts to connect when initiating an SMTP session. The default and
industry standard port for SMTP connections over SSL is 465. Specify a
nonstandard port only if this Domino server makes all of its outbound
SMTP connections over SSL to a server that uses the nonstandard port.

Field: SSL port status
Enter: Choose one:
Enabled: The Domino SMTP Router connects to the designated SSL port
number on a remote server to initiate an SMTP session. If the Router
cannot connect to the SSL port and the TCP/IP port is also enabled on
both the Domino server and the remote server, Domino makes a second
attempt to connect, using the designated TCP/IP port.
Disabled (default): The Domino SMTP Router cannot initiate SMTP sessions
over the SSL port of a remote server.

Securing SMTP sessions using the STARTTLS extension
SMTP sessions conducted over a standard TCP/IP channel are
vulnerable to eavesdropping because the unencoded transmission can be
easily intercepted. To protect SMTP communications, servers can use
transport-layer security (TLS), more commonly known as SSL
encryption, to provide privacy and authentication.
Some servers support SSL for SMTP communications by sending and
receiving SMTP traffic through the SSL port (port 465 by default) only.
However, because this requires that both the sending and receiving
servers support SMTP over SSL, this solution isn't always practical.
To provide SSL security for SMTP transfers over TCP/IP, Domino
supports the use of negotiated SSL. In a negotiated SSL scheme, the
sending and receiving hosts each use the SMTP STARTTLS extension,
defined in RFC 2487, to signal their readiness to negotiate an SSL
connection. The receiving server displays the STARTTLS keyword in
response to the sending server's EHLO command. The sending server
issues the STARTTLS command to request the creation of a secure
connection. After the initial TLS handshake completes successfully, the
two parties proceed to set up an SSL channel between them. Both the
sending and receiving server must possess SSL certificates.
For more information on obtaining server certificates, see the chapter
Setting Up SSL on a Domino Server.
Supporting STARTTLS for outbound SMTP sessions
A Domino server configured to use negotiated SSL for outbound mail
connects to the receiving server's SMTP TCP/IP port (port 25 by default).
If the initial SMTP response from the receiving server indicates that it
supports the STARTTLS extension, Domino issues the STARTTLS
command to request the use of SSL to encrypt the rest of the session.
If the receiving server did not advertise support for STARTTLS in
response to the Domino server's EHLO command, the sending Domino
server continues with an unencrypted SMTP TCP/IP session.
To enable outbound STARTTLS support, set the SMTP outbound TCP/IP
port status to: Negotiated SSL.
Supporting STARTTLS for inbound SMTP sessions
You can configure Domino to support the STARTTLS command for
inbound SMTP transactions. When a Domino SMTP server is set to use
negotiated SSL for inbound sessions, the server advertises support for
STARTTLS in response to EHLO commands the TCP/IP port receives
from connecting hosts. A connecting host can then issue the STARTTLS
command to request an encrypted session.

To enable inbound STARTTLS support:
- Enable the SMTP listener task.
- Enable the SMTP inbound TCP/IP port.
- Enable the STARTTLS ESMTP extension. This causes Domino to
advertise STARTTLS as one of its supported extensions in the
ESMTP EHLO greeting response.
- (Optional) Enable name-and-password authentication for the SSL
port. Although SMTP sessions that use negotiated SSL are conducted
over the Domino TCP/IP port, Domino uses the authentication
options you set for the server's SSL port to determine how to handle
name-and-password arguments.
For information about enabling the ESMTP extension for inbound
STARTTLS, see the topic "Supporting inbound SMTP extensions" later in
this chapter.
Requiring name and password authentication for SMTP STARTTLS
sessions
Enabling ESMTP support for negotiated SSL allows a server to accept
requests to use SSL over TCP/IP from remote servers that connect
anonymously. However, not all inbound connections are anonymous. A
connecting SMTP server may be configured to send Domino a name and
password by means of the ESMTP AUTH command.
To support connections from SMTP clients that send a name and
password during a negotiated SSL session, set the value of the Name &
password field for the SMTP inbound SSL port to Yes. You do not have
to enable the SSL port. If the SSL port does not support
name-and-password authentication, the Domino SMTP server rejects the
AUTH command from the remote server and returns an error indicating
that the command is not implemented.
Even though Domino receives the AUTH command over the TCP/IP
port, Domino uses the SSL name-and-password authentication settings to
determine whether to accept the AUTH request because it receives the
command in the context of an SSL session. The Name & password
authentication setting for the TCP/IP port is ignored.

If Domino is configured to require STARTTLS for SMTP sessions over
TCP/IP and a connecting host cannot meet this demand, no mail is sent
over the connection.
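How the inbound TCP/IP and SSL port authentication settings, the STARTTLS extension and the AUTH command interact, as described in the port tables and the STARTTLS topics above, modelled as an added example written for this page (not Domino code). The session state machine, the user directory and the numeric SMTP reply codes are assumptions; the page itself only states that a refused AUTH gets a "command not implemented" error and that the SSL port's Name & password setting governs AUTH once STARTTLS is in effect.

```python
from dataclasses import dataclass
import hmac


@dataclass
class PortAuth:
    """Settings for one listener port in the Mail (SMTP Inbound) column."""
    enabled: bool
    name_and_password: bool   # Authentication options: Name & password
    anonymous: bool           # Authentication options: Anonymous


@dataclass
class InboundSmtpPorts:
    tcp: PortAuth
    ssl: PortAuth
    starttls_extension: bool = False   # inbound STARTTLS ESMTP extension enabled

    def __post_init__(self):
        # An enabled port needs at least one authentication option set to Yes;
        # the Server document cannot be saved otherwise.
        for label, port in (("TCP/IP", self.tcp), ("SSL", self.ssl)):
            if port.enabled and not (port.name_and_password or port.anonymous):
                raise ValueError(f"{label} port enabled with no authentication option set to Yes")


# Constructed directory of Internet passwords for hypothetical users.
DIRECTORY = {"alice/Acme": "s3cret"}


class InboundSession:
    """State of one inbound connection to the SMTP listener.

    via: "tcp" for a port 25 connection, "ssl" for a port 465 connection.
    Reply codes are the standard SMTP/ESMTP ones and are assumed here.
    """

    def __init__(self, cfg: InboundSmtpPorts, via: str = "tcp"):
        self.cfg, self.via = cfg, via
        self.port = cfg.ssl if via == "ssl" else cfg.tcp   # the port actually connected to
        if not self.port.enabled:
            raise ConnectionRefusedError(f"SMTP {via} port is disabled")
        self.tls = via == "ssl"        # a port 465 session is SSL from the start
        self.authenticated = False

    def auth_port(self) -> PortAuth:
        # AUTH is governed by the SSL port settings for any SSL session, including a
        # STARTTLS session on the TCP/IP port and even if the SSL port itself is
        # disabled; a plain TCP/IP session is governed by the TCP/IP port settings.
        return self.cfg.ssl if self.tls else self.cfg.tcp

    def ehlo(self) -> list:
        """Extensions advertised in the EHLO response."""
        exts = []
        if self.auth_port().name_and_password:
            exts.append("AUTH=LOGIN")
        if self.via == "tcp" and self.cfg.starttls_extension and not self.tls:
            exts.append("STARTTLS")
        return exts

    def starttls(self) -> str:
        if "STARTTLS" not in self.ehlo():
            return "502 command not implemented"
        self.tls = True              # rest of the session is SSL over the TCP/IP port
        self.authenticated = False   # RFC 2487: prior state is discarded after the handshake
        return "220 Ready to start TLS"

    def auth(self, user: str, password: str) -> str:
        if not self.auth_port().name_and_password:
            return "502 command not implemented"
        expected = DIRECTORY.get(user, "")
        if expected and hmac.compare_digest(expected, password):
            self.authenticated = True
            return "235 Authentication successful"
        return "535 Authentication failed"

    def mail_from(self) -> str:
        # Assumption: anonymous transfer is decided by the port the host connected to.
        if self.authenticated or self.port.anonymous:
            return "250 OK"
        return "530 Authentication required"


def outbound_tcp_session(port_status: str, remote_ehlo: list):
    """Outbound side: what the Router does on the remote TCP/IP port for each
    'TCP/IP port status' choice, given the extensions in the remote EHLO reply.
    Returns "starttls", "plaintext", or None when the port is Disabled."""
    if port_status == "Disabled":
        return None
    if port_status == "Negotiated SSL" and "STARTTLS" in remote_ehlo:
        return "starttls"
    return "plaintext"


if __name__ == "__main__":
    # TCP/IP port anonymous only, SSL port disabled but with Name & password = Yes,
    # STARTTLS extension enabled: AUTH is offered only after STARTTLS.
    cfg = InboundSmtpPorts(tcp=PortAuth(True, False, True),
                           ssl=PortAuth(False, True, False), starttls_extension=True)
    s = InboundSession(cfg)
    for step in (s.ehlo, s.starttls, s.ehlo,
                 lambda: s.auth("alice/Acme", "s3cret"), s.mail_from):
        print(step())
```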

Restricting SMTP inbound routing
You can set up your Domino system to control, verify, and restrict
inbound mail. Restricting inbound mail routing prevents Domino from
accepting unwanted commercial e-mail (UCE) sent to your users and
consequently reduces the load on your system. You can set these
restrictions:
- Set anti-relay restrictions
- Enable DNS blacklist filters for SMTP connections
- Verify and restrict inbound connections
- Verify and restrict who can send inbound Internet mail to your users
- Restrict who can receive Internet e-mail in your organization
- Set inbound SMTP extensions
In addition, on servers that receive some of their inbound mail over
Notes routing, you can restrict routing based on Domino domains,
organizations, and organizational units.

Error handling of messages rejected by SMTP inbound controls
The inbound SMTP restrictions are enforced by the SMTP Listener before
a message is accepted, rather than by the Router after a message is
already in the system. This difference in where restrictions are enforced
affects how errors are handled when a message is rejected. When a
Router restriction results in a message being rejected, Domino returns a
failure message stating the reason for the failure to the sender.
Domino-generated nondelivery reports contain default text, which you
can customize. For example, when you configure a maximum message
size for a server, Domino checks the size of the message only after it is
received in MAIL.BOX. If the message exceeds the configured size, the
Router generates a failure message to the sender.
However, if you set an SMTP restriction that causes Domino to reject an
inbound message, the SMTP listener returns a permanent error during
the SMTP transfer; the message never enters the server. In this case, it is
the responsibility of the originating SMTP server to generate a failure
message to the sender. For example, if both the receiving Domino SMTP
server and the sending SMTP server support the ESMTP SIZE extension,
and the Domino server is configured to honor a maximum message size,
when the Domino SMTP listener receives a message that exceeds the
defined limit, it rejects the message before it is ever received and returns
a permanent error to the sending server. You cannot use Domino
administrative tools to customize the server's SMTP response.


How Domino uses reverse DNS lookups to control inbound SMTP
sessions
Domino's inbound relay controls, DNS blacklist filters, and inbound
connection controls allow or deny mail based on where messages
originate. For these controls to work, Domino must be able to identify the
connecting host's IP address, host name, and Internet domain.
Domino obtains this information from two sources: the IP stack and the
Domain Name Service (DNS). When a host originates a connection to the
Domino SMTP service, the connecting host passes its IP address to the IP
stack of the computer running the Domino server. The SMTP service
reads the IP address directly from this source.
For Domino to obtain host name and domain information, it must have
access to the Domain Name Service (DNS) and be able to locate a PTR
record for the connecting host. A PTR record resolves an IP address to a
host name.
To request a PTR record, the Domino SMTP listener performs a reverse
lookup to the DNS. From the host name returned by this query, Domino
parses out the domain name of the connecting host, comparing this
domain name to the list of local Internet domains in the Global domain
document. Hosts from domains listed in the Local primary Internet
domain or Alternate Internet domain aliases fields of the Global Domain
document are considered to be part of the local Internet domain; all
others are treated as external hosts.

Restricting inbound SMTP connections
To prevent your mail system from accepting unwanted mail, Domino
provides a set of controls that let you restrict incoming SMTP
connections. The Inbound Connection controls let you specify:
- Whether Domino checks the names of connecting hosts in DNS
- By host name or IP address, the remote hosts from which the server
allows and denies connections

To determine whether a connection attempt is allowed or denied, the
Domino SMTP task first checks the remote host's IP address, which the
server's TCP/IP stack reads from the incoming IP packet headers. If the
IP address does not match any entry in the Inbound Connection control
fields, the SMTP task performs a second check, querying DNS to obtain
the host name for the given address. If the query is successful, Domino
compares the name obtained against the host names in Allow and Deny
fields.

Using Extension Manager to customize the server's SMTP response
You can control the content of SMTP responses using SMTP logical
function hooks available in the Extension Manager services of the IBM
Lotus C API Toolkit for Notes/Domino 6. For additional information,
and to download the toolkit, see the web site at
http://www.lotus.com/capi.

If you create a separate Configuration Settings document for your
internal SMTP servers, you can use the inbound connection controls to
ensure that these internal servers accept SMTP connections from specific
SMTP hosts only. For example, configure servers to allow SMTP
connections only from servers that receive mail from the Internet.
Restricting connections in this way prevents users with POP3 or IMAP
clients from sending mail through the server, helps you define valid
outbound routing paths, and limits the load on the server.
In addition to these inbound connection controls, Domino provides two
other means for blocking connections: DNS blacklist filters and access to
the SMTP Listener through Domino Extension Manager (EM) services.
DNS blacklist filters enable a server to check a host against one or more
blacklists during the SMTP conversation. If a connecting host matches an
entry in a blacklist, you can configure the server to reject the connection,
tag any received messages, or record the transaction in the Notes Log.
For more information on DNS blacklist filters, see the topic Enabling
DNS blacklist filters for SMTP connections later in this chapter.
Extension Manager (EM) services allow developers to access some
functions of the SMTP Listener task. The Extension Manager (EM) allows
an executable program library, such as a dynamic link library or shared
object library, to register a callback routine that will be called before,
after, or before and after Domino performs selected internal operations.
Using EM hooks in the SMTP Listener can extend current functionality
by providing:
- Additional anti-spam controls
- Custom address translation
- Custom SMTP responses
- Interception of messages
The Domino C API header file EXTMGR.H, included in the Software
Development Kit, defines symbols for the supported Extension Manager
notification events and types. For additional information on the
Extension Manager and registering callback routines, see the Lotus C API
Toolkit for Notes/Domino 6. The toolkit is available at
http://www.lotus.com/capi.

To restrict inbound SMTP connections
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to restrict mail on, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound
Controls tab.
6. Complete these fields in the Inbound Connection Controls section
and then click Save & Close:

Field: Verify connecting host name in DNS
Enter: Choose one:
Enabled: Domino verifies the name of the connecting host by performing a
reverse DNS lookup. Domino checks DNS for a PTR record that matches the
IP address of the connecting host to a host name. If Domino cannot
determine the name of the remote host because DNS is not available or no
PTR record exists, it does not allow the host to transfer mail. Although
Domino accepts the initial connection, later in the SMTP transaction it
returns an error to the connecting host in response to the MAIL FROM
command. Internet SMTP hosts are not required to have PTR entries in
DNS. As a result, when this field is enabled, the SMTP task may reject
connections from valid SMTP hosts.
Disabled (default): Domino does not check DNS to verify the name of the
connecting host.

Field

Enter

Allow
connections only
from the
following SMTP
Internet host
names/IP addresses
Enter: The host names and/or IP addresses allowed to connect to the SMTP service on this server. If you enter host names and/or IP addresses in this field, only servers matching these entries can connect to the SMTP listener; connection requests from all other servers are denied. Enter IP addresses in brackets; for example, [192.168.10.17].
Host name entries may be complete, as in the fully qualified host name of a particular server, or partial and imply the existence of a wildcard. That is, if you enter:
abc.com
Domino accepts only connections from mail hosts in the domains represented by *abc.com, that is, all host names ending in abc.com, including smtp.abc.com and mailhost.abc.com. Domino rejects all other connection requests.
If you specify host name entries, each time a host connects, Domino checks DNS for a PTR record for the connecting host. If Domino cannot resolve the IP address to a host name because DNS is unavailable or no PTR record exists, no mail is accepted from the connection.

Field: Deny connections from the following SMTP Internet host names/IP addresses
Enter: The host names and/or IP addresses that are not allowed to connect to the SMTP service on this server. If you enter host names and/or IP addresses in this field, all servers except those matching entries in this field can connect to the SMTP listener; connection requests are denied only for servers matching the entries in this field. Enter IP addresses in brackets; for example, [192.168.10.17].
Host name entries may be complete, as in the fully qualified host name of a particular server, or partial and use an implied wildcard. That is, if you enter:
abc.com
Domino implicitly extends the restriction to all mail hosts within the denied domain, denying connections from *abc.com, that is, all hosts in the abc.com domain, including smtp.abc.com and mailhost.abc.com.
The entry abc.com does not prevent connections from xyzabc.com.
Do not use a leading dot (.) in an entry; for example, .abc.com. Because Domino does not match the leading dot, the entry .abc.com does not prevent connections originating from the domain abc.com.
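The host-name and IP matching rules these two fields describe, as an added Python model (not Domino's code; the lists, addresses and PTR results are constructed): it applies the bracketed-IP and implied-wildcard rules, the Deny-over-Allow precedence the page states, and the refusal of a connection whose address cannot be resolved when host-name entries are configured.

```python
"""Host-name and IP matching for the SMTP inbound connection controls
(the Allow/Deny "connections from the following SMTP Internet host
names/IP addresses" fields).

Added example, not Lotus/IBM code: it models the matching rules the page
states; the lists, addresses and PTR results below are constructed.
"""


def ip_entry_matches(ip, entry):
    """A bracketed entry such as [192.168.10.17] or [192.168.*.17].
    '*' stands for a whole octet; range notation such as 45-* is not valid."""
    pattern = entry[1:-1].split(".")
    octets = ip.split(".")
    if len(pattern) != 4 or len(octets) != 4:
        return False
    if any("-" in p for p in pattern):
        raise ValueError(f"range notation is not valid in {entry}")
    return all(p == "*" or p == o for p, o in zip(pattern, octets))


def host_entry_matches(host, entry):
    """A host-name entry is a full name or an implied-wildcard suffix:
    abc.com covers abc.com, smtp.abc.com and mailhost.abc.com, but not
    xyzabc.com. The leading dot is never matched, so .abc.com covers
    nothing in the abc.com domain."""
    host, entry = host.lower(), entry.lower()
    return host == entry or host.endswith("." + entry)


def entry_matches(ip, ptr_host, entry):
    """Dispatch on entry form: [ip] entries match the address, anything
    else matches the PTR-resolved host name (never when there is none)."""
    if entry.startswith("[") and entry.endswith("]"):
        return ip_entry_matches(ip, entry)
    return ptr_host is not None and host_entry_matches(ptr_host, entry)


def connection_allowed(ip, ptr_host, allow, deny):
    """Decide whether the SMTP listener accepts a connection.

    ip       - the connecting address
    ptr_host - the name from the PTR lookup, or None when DNS is
               unavailable or no PTR record exists
    allow    - entries from the Allow field (empty means no restriction)
    deny     - entries from the Deny field

    Deny takes precedence: an entry present in both fields denies.
    """
    if any(entry_matches(ip, ptr_host, e) for e in deny):
        return False
    if not allow:
        return True
    # Host-name entries in the Allow field require a PTR record; a
    # connection whose address cannot be resolved gets no mail accepted.
    if ptr_host is None and any(not e.startswith("[") for e in allow):
        return False
    return any(entry_matches(ip, ptr_host, e) for e in allow)


if __name__ == "__main__":
    # Constructed configuration and connections.
    allow = ["abc.com", "[192.168.10.17]"]
    for ip, host in [("10.0.0.5", "smtp.abc.com"), ("10.0.0.5", "xyzabc.com"),
                     ("192.168.10.17", None)]:
        verdict = "accept" if connection_allowed(ip, host, allow, []) else "deny"
        print(f"{ip} ({host}) -> {verdict}")
```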

7. Reload the SMTP task or update the SMTP configuration to put changes into effect.

28-74 Administering the Domino System, Volume 1

Note Be careful not to specify the same entry in an Allow field and a Deny field, because Domino will deny messages for that entry. The Deny setting takes precedence for security reasons.

Restricting the total number of inbound SMTP sessions
By default, the SMTP service supports an unlimited number of inbound sessions; that is, as many connections as the server's resources physically permit. To restrict the number of concurrent SMTP sessions that a server accepts, set the variable SMTPMaxSessions=xxx in the server's NOTES.INI file, where xxx is the maximum number of sessions allowed without any buffering. When the specified number of inbound SMTP connections is reached, the server refuses additional connections and returns the following error:
421 Server.domain.com SMTP service not available, closing transmission channel

Preventing unauthorized SMTP hosts from using Domino as a relay
To protect SMTP servers from unauthorized relaying, Domino provides inbound relay controls used to define the hosts to which and from which a server can relay messages. The Domino SMTP listener denies requests to relay messages to or from unauthorized hosts.

Setting and enforcing inbound relay controls
To prevent misuse of your system, configure Domino to prevent open relaying, while allowing relays originating from and destined for known domains and hosts. By default, a new Domino SMTP server prevents external hosts from relaying mail to any destination. You can further customize Domino's anti-relay controls to specify when relays are and are not allowed.
The Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab of the Configuration Settings document provides two sets of controls for managing relay access:
• Inbound relay controls
• Inbound relay enforcement
Use the Inbound relay controls to restrict relays by destination and origin. Use the relay enforcement controls to selectively apply the relay restrictions based on the originator's relation to the local Internet domain, host name, or authentication status.

Customizing the Domino Mail System 28-75

Open relays
An SMTP server that indiscriminately accepts mail from outside the local Internet domain and attempts to dispatch it to another external destination is known variously as a spam relay, third-party relay, or open relay host (open relay, for short). Leaving a mail server open to use by anonymous third parties is generally considered irresponsible, largely because open relays are often the target of Internet mass-mailers who use them to distribute unsolicited commercial e-mail (UCE), commonly referred to as electronic junk mail or spam. Spam vendors use open relays as waypoints between themselves and their target recipients, allowing them to distribute vast quantities of mail anonymously.
When someone reads a spam message that has been relayed through one of your SMTP servers, the message appears to originate in your Internet domain. In other words, your organization seems to be linked with the spam source.
Not only does relaying spam reflect badly on your organization, but there are other more serious and costly implications. Relayed mail consumes network bandwidth and server resources, reducing your system's ability to handle legitimate mail. As mail backs up, administrators and help desk personnel are faced with service interruptions and the task of sorting out the backlog of undeliverable messages. Failure to restrict access to an open relay could result in the server being reported on Internet blacklists. Because SMTP hosts in many organizations will not accept mail from blacklisted servers, if your outbound mail server is blacklisted, your organization may be unable to transfer mail to other Internet domains.

Setting inbound relay controls
To block relays to a specific domain or from a specific host, set restrictions in the inbound relay controls on the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab of the Configuration Settings document.
Use the inbound relay controls to define:
• The destination domains to which you allow and deny relays
• The originating hosts from which you allow and deny relays
Note In determining whether to allow a relay, Domino checks the original sender, not just the last hop domain. This prevents people from routing from a denied source through an accepted one to your domain.

To set inbound relay controls
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to administer and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab.
6. Complete these fields in the Inbound Relay Controls section, and then click Save & Close:

Inbound Relay Controls

Field: Allow messages to be sent only to the following external Internet domains
Enter: Internet domains to which Domino can relay messages. Domino relays messages to recipients in the specified domains only. Messages for recipients in other external Internet domains are denied.
For example, if you enter abc.com and xyz.com in this field, Domino accepts only messages to recipients with addresses that end in the abc.com or xyz.com domains. Messages for recipients in other domains are denied.
To name a domain explicitly, prefix an @ sign to the entry. For example, if you enter @xyz.com, the server relays messages only if the domain part of the address matches xyz.com exactly, such as User@xyz.com. Messages to addresses in other domains that end in xyz.com, such as User@uvwxyz.com or User@abc.xyz.com, are denied.
Prefix a percent sign (%) to specify the name of a Domino domain to which mail can be sent; for example, enter %AcmeEast to specify that the server can send mail to the Domino domain AcmeEast.

Field: Deny messages to be sent to the following external Internet domains
Enter: Internet domains to which Domino will not relay messages. An asterisk (*) in this field prevents Domino from relaying messages to any external Internet domain.
Domino denies only messages destined for recipient addresses in the specified domains. All other messages may relay.
For example, if you enter abc.com in the field, Domino relays messages to recipients in all external Internet domains except abc.com. Domino denies messages for recipients in the abc.com domain.
To name a domain explicitly, prefix an @ sign to the entry. For example, if you enter @xyz.com, the server rejects messages addressed to users if the domain part of the address matches xyz.com exactly, such as user@xyz.com, but allows messages to relay to other domains that end in xyz.com, such as user@server.xyz.com.
Prefix a percent sign (%) to specify a Domino domain name; for example, entering %AcmeEast specifies the Domino domain AcmeEast. This lets you prevent SMTP users from sending mail to certain internal Domino domains or even foreign domain servers, such as FAX systems.

Field: Allow messages only from the following Internet hosts to be sent to external Internet domains
Enter: Specifies the hosts or domains that the Domino SMTP service allows to relay outbound Internet mail. If this field contains valid entries, Domino allows only servers matching these entries to relay. Message relays from other servers are denied.
Enter host names or IP addresses to designate the sites that are authorized to use Domino to relay messages to recipients outside your local Internet domain. For example, if you enter lotus.com or ibm.com in the field, Domino accepts messages for recipients in external Internet domains only from servers with host names that end in lotus.com or ibm.com. Domino rejects messages for external recipients from any server not listed in this field.

Field: Deny messages from the following Internet hosts to be sent to external Internet domains
Enter: Specifies the hosts or domains that the Domino SMTP service does not allow to relay outbound Internet mail. If this field contains valid entries, Domino denies message relays from servers matching those entries. Domino allows message relays from all other servers.
Enter host names or IP addresses to designate the sites that cannot use Domino to relay messages to recipients outside the local Internet domain.
For example, if you enter lotus.com in the field, Domino accepts messages to recipients in external Internet domains from all servers except those with host names ending in lotus.com. Domino denies messages to recipients in external Internet domains from servers in the lotus.com domain.
An asterisk (*) in this field prevents Domino from relaying messages from any host subject to the relay controls.

7. Reload the SMTP task, or update the SMTP configuration to put the changes into effect.
• You can use an asterisk (*) to indicate all domains. For example, putting * in an Allow field allows all hosts in all domains to perform that operation.
• Wildcards may be used in place of an entire subnet address; for example, [127.*.0.1]. Wildcards are not valid for representing values in a range; for example, the entry [123.234.45-*.0-255] is not valid because the asterisk is used to represent the high-end value of the range that begins with 45.
• When entering multiple addresses, separate them with carriage returns; after the document is saved, Domino automatically reformats the list, inserting semicolons between the entries.
• When entering an IP address, enclose it within square brackets; for example, [127.0.0.1].
How Domino resolves conflicts between settings in the inbound relay controls
When there is a conflict between the allowed and denied relay destinations, and the allowed/denied relay sources, the entry in the Allow field takes precedence. Thus, a host that you explicitly allow to relay can always relay to any destination, including denied destinations. Similarly, if you allow relays to a given domain, all hosts can relay to that destination, including hosts to which you have explicitly denied relaying.
Denied hosts cannot relay to domains other than those that you specifically list in the Allow field. The following table provides several examples of how Domino resolves conflicts between entries in the Allow and Deny fields of the Inbound relay controls.
Example of conflict between an allowed relay destination and denied relay source

Field: Allow messages to be sent only to the following external internet domains:
Entry: xyz.com
Results of settings: All hosts can relay to xyz.com, including smtp.efg.com, which is a denied host.

Field: Deny messages from the following internet hosts to be sent to external internet domains: (* means all)
Entry: smtp.efg.com
Results of settings: smtp.efg.com cannot relay to any destination, except xyz.com, which is explicitly allowed.

Example of conflict between a denied relay destination and allowed relay source

Field: Deny messages to be sent to the following external internet domains: (* means all)
Entry: qrs.com
Results of settings: No relays are allowed to qrs.com, except relays originating from relay.abc.com, which is specifically allowed.

Field: Allow messages only from the following internet hosts to be sent to external internet domains:
Entry: relay.abc.com
Results of settings: relay.abc.com can relay to any destination, including qrs.com, which is a denied destination.

Note This differs from the behavior of Domino Release 5, where if you denied relays to a destination domain, an allowed source host could not relay to the denied domain, and a denied source could not relay to any destination. You can revert to the Release 5 behavior by setting the variable SMTPRelayAllowHostsandDomains in the NOTES.INI file.
For information on the NOTES.INI setting SMTPRelayAllowHostsandDomains, which is required to make the inbound relay controls behave as they did in Domino Release 5, see the appendix NOTES.INI File.

Example of conflict between allowed and denied relay destinations
If the same entry is placed in the list of allowed and denied destinations, or the list of allowed and denied sources, Domino honors the entry in the Deny list. For example, Domino rejects relays to xyz.com if you configure the relay controls as follows:

Field: Allow messages to be sent only to the following external internet domains:
Entry: xyz.com, abc.com, qrs.com

Field: Deny messages to be sent to the following external internet domains: (* means all)
Entry: xyz.com

Specifying enforcement of inbound relay controls
When you first create a Configuration Settings document for a server, by default, the SMTP inbound relay controls, or anti-relay settings, apply to external hosts only, that is, to hosts that are not located in the local Internet domain. After you set inbound relay controls, you can customize how Domino applies them by selecting inbound relay enforcement options.
The available options allow you to specify how strictly to enforce the relay controls by letting you exempt certain hosts from enforcement. You can exempt hosts from relay enforcement based on:
• Domain location: By default, Domino enforces relay controls for hosts outside the local Internet domain only. You can enforce stricter control by applying them to all connecting hosts, or relax enforcement entirely so Domino does not perform any relay checks (not recommended).
• Authentication status: By default, Domino applies relay controls to authenticated SMTP sessions. You can relax enforcement by exempting all authenticated users from relay checks.
• Host name or IP address: By default, all external hosts are subject to relay controls. You can specify a list of hosts (by IP address or host name) to exempt from relay checks.

Applying relay restrictions to internal hosts
By default, Domino enforces anti-relay settings for external hosts only. Internal hosts are exempt from anti-relay checks, so Domino does not consider an internal host as a possible relay, even if it's explicitly listed in the Inbound relay controls field Deny messages from the following Internet hosts to be sent to external Internet domains.
Depending on your environment, you may want to extend the scope of enforcement by applying relay restrictions to both internal and external hosts. This is equivalent to setting the variable SMTPAllHostsExternal=1 in the NOTES.INI file.
Applying relay enforcement to internal hosts lets you achieve more secure and controlled routing. For example, you can configure your Domino SMTP server so that only other Domino mail servers are allowed to relay. By doing so you can prevent internal users who run other mail clients (for example, POP or IMAP clients), as well as servers in other internal mail systems, from using the Domino SMTP server to send mail to the Internet.
You might also enable relay enforcement for internal hosts if you have a Domino SMTP server that receives mail from a dual-interface firewall server. For security purposes, some organizations may not connect their Domino SMTP servers directly to the Internet, choosing instead to set up an internal SMTP relay host or firewall to receive Internet mail destined for the organization's Internet domain. The relay or firewall then routes the mail to a Domino SMTP server, which, in turn, transfers it to the organization's internal mail servers.
A host in the local Internet domain can always relay to external Internet domains unless it is explicitly denied by an entry in the field Deny messages from the following internet hosts to be sent to external internet domains.
If the internal relay or the firewall does not implement its own relay controls, the Domino SMTP server may then receive mail that is not destined for a local user. If the Domino server is set up to perform anti-relay enforcement on external hosts only, then mail received from the internal relay or firewall is not subject to the Inbound Relay Controls, because the sending system, the relay or the firewall, belongs to the same local Internet domain. Thus, when the Router determines that the Internet address listed in the RCPT TO command has no match in the $Users view in the Domino Directory, it routes the message back out to the Internet.
Allowing relays from authenticated users connecting from outside the local domain
By default, if you deny relaying for a domain or set of domains (for example, all external domains), all hosts in the denied domains are subject to the relay controls. This level of restriction prevents remote IMAP or POP3 clients that connect to Domino by way of Internet service providers (ISPs) in external domains from sending outbound Internet mail, because Domino does not recognize the source of the message as a valid relay origin.
To ensure that Domino allows POP3 or IMAP users to send outbound Internet mail, you can customize relay enforcement to allow all authenticated users to relay. After the Domino SMTP listener determines that a connecting host has been authenticated, it treats the connection as though it originated from a local user and exempts it from the Inbound relay controls.

Specifying enforcement exceptions based on host name or IP address
By default, after you deny relaying for a domain, all hosts in that domain are subject to the relay controls. You can customize relay enforcement to allow specific clients or servers in a domain to relay by entering host names or IP addresses in the field Exclude these connecting hosts from anti-relay checks. For each specified exception, Domino does not enforce the inbound relay controls. Use exceptions to allow hosts outside the local Internet domain to use the Domino SMTP server as a relay to send and receive their mail from the Internet, while still preventing Domino from being used as an open relay by unauthorized Internet hosts.
Note Because many ISPs use the Dynamic Host Configuration Protocol (DHCP) to assign IP addresses to each connecting user, a user's IP address may differ from session to session. As a result, specifying enforcement exceptions based on host name or IP address is not effective for ensuring relay access for IMAP and POP3 users who connect to Domino from an ISP. To ensure relay access for these users, enable enforcement exceptions for authenticated users.
For more information on relay hosts and Global domain documents, see the chapter Setting Up Mail Routing.

To specify relay enforcement
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to restrict mail on, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab.

6. Complete these fields in the Inbound Relay Enforcement section, and then click Save & Close:

Inbound Relay Enforcement

Field: Perform Anti-relay enforcement for these connecting hosts
Description: Specifies the connections for which the server enforces the inbound relay controls. Choose one:
• External hosts (default): The server applies the inbound relay controls only to hosts that connect to it from outside the local Internet domain. Hosts in the local Internet domain are exempt from anti-relay restrictions. The local Internet domain is defined by either a Global Domain document, if one exists, or as the Internet domain of the host server.
• All connecting hosts: The server applies the Inbound relay controls to all hosts attempting to relay mail to external Internet domains.
• None: The server ignores the settings in the Inbound relay controls. All hosts can always relay.

Field: Exceptions for authenticated users
Description: Specifies whether users who supply login credentials when connecting to the server are exempt from enforcement of the inbound relay controls. Choose one:
• Perform anti-relay checks for authenticated users: The server does not allow exceptions for authenticated users. Authenticated users are subject to the same enforcement as non-authenticated users.
• Allow all authenticated users to relay: Users who log in with a valid name and password are exempt from the applicable inbound relay controls. Use this to enable relaying by POP3 or IMAP users who connect to the network from ISP accounts outside the local Internet domain.

Field: Exclude these connecting hosts from anti-relay checks
Description: You create an exceptions list containing the IP addresses or host names of hosts that may relay to any permitted domain. For each specified exception, the inbound relay controls will not be enforced. Enter the IP addresses or host names of hosts to be exempted from the restrictions specified in the Inbound relay controls section.
When entering an IP address, enclose it within square brackets; for example, [127.0.0.1]. You can use wildcards to represent an entire subnet address, but not to represent values in a range. For example, [127.*.0.1] is valid; [123.123.12-*.123] is not.

7. Reload the SMTP task or update the SMTP configuration to put changes into effect.
How inbound anti-relay settings control message transfer to external Internet domains
1. The SMTP listener receives a connection request.
2. The server performs a reverse DNS lookup, querying DNS to find the host name that matches the connecting host's IP address. If the address resolves to a name in one of the local Internet domains, the host is considered internal. IP addresses that resolve to host names outside the local Internet domains or that do not have DNS entries are considered external.
3. The server checks the setting in the field Perform Anti-Relay enforcement for these connecting hosts to determine whether anti-relay controls are enabled, and if so, whether they apply to all hosts or external hosts only. If connections from the sending domain are not subject to inbound relay controls, the server allows relays for this session.
4. If the relay controls apply, Domino next checks whether the host name appears in the field Exclude these connecting hosts from anti-relay checks. If the host name is found, the server allows relays for this session.
5. If the relay controls still apply and the connecting host successfully authenticated with the server, the server checks the field Exceptions for authenticated users to determine whether authenticated users are exempt from the inbound relay checks. If authenticated users are exempt, the server allows relays for this session.
Note A connecting host provides authentication credentials only when Domino requests them. Because Domino closes the session if authentication is not successful, there is no case where Domino needs to determine whether a host that could not authenticate might be allowed to relay.
6. The SMTP listener receives RCPT TO commands from the connecting host.
7. The server examines each recipient address to see if the message would be a relay to an external domain. If so, the server checks the Inbound relay controls to determine:
• Whether the connecting host is allowed to relay
• Whether relays are allowed to the target domain
Matching for domain is performed by looking for the restricted domain name as a trailing substring of the recipient's domain. If you deny the domain spamme.com, you also deny the domain you.spamme.com. Rejected recipients receive a failure status in response to the RCPT commands.
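The relay decision these steps describe, together with the Allow/Deny precedence rules and the conflict examples from the inbound relay controls earlier in this chapter, as an added Python model (not Domino's code): the RelayControls class, the function names and the sample configurations are constructed from the page's own examples, IP-address entries in the exclusion list are simplified to host-name matching, and the $Users lookup is simplified to a local-domain check.

```python
"""Model of the Domino 6 inbound relay decision described on this page:
the Inbound Relay Controls (allow/deny destinations and sources, with
Release 6 precedence) and the Inbound Relay Enforcement options
(external-only, all hosts, none; excluded hosts; authenticated users).

Added example, not Lotus/IBM code. The class, the function names and the
sample configurations are constructed from the page's own examples.
"""
from dataclasses import dataclass, field


@dataclass
class RelayControls:
    allow_dest: list = field(default_factory=list)  # Allow messages to be sent only to ...
    deny_dest: list = field(default_factory=list)   # Deny messages to be sent to ...
    allow_src: list = field(default_factory=list)   # Allow messages only from the following hosts ...
    deny_src: list = field(default_factory=list)    # Deny messages from the following hosts ...
    enforce_for: str = "external"                   # "external" (default), "all" or "none"
    exempt_authenticated: bool = False              # Allow all authenticated users to relay
    excluded_hosts: list = field(default_factory=list)  # Exclude these connecting hosts ...


def domain_matches(domain, entry):
    """Destination match: '*' is every domain, '@x' must match exactly,
    anything else is a trailing substring (spamme.com covers you.spamme.com)."""
    domain, entry = domain.lower(), entry.lower()
    if entry == "*":
        return True
    if entry.startswith("@"):
        return domain == entry[1:]
    return domain.endswith(entry)


def host_matches(host, entry):
    """Source match: '*' or a host name ending in the entry."""
    return entry == "*" or host.lower().endswith(entry.lower())


def _allowed(value, allow_list, deny_list, match):
    """An Allow entry counts only when the same entry is not also in the
    corresponding Deny list; in that case Domino honours the Deny entry."""
    return any(match(value, e) and e not in deny_list for e in allow_list)


def relay_permitted(ctl, host, recipient_domain):
    """Release 6 precedence: a matching Allow entry on either axis wins over
    a Deny entry on the other axis; a non-empty Allow list is exclusive."""
    if _allowed(host, ctl.allow_src, ctl.deny_src, host_matches):
        return True
    if _allowed(recipient_domain, ctl.allow_dest, ctl.deny_dest, domain_matches):
        return True
    if any(host_matches(host, e) for e in ctl.deny_src):
        return False
    if any(domain_matches(recipient_domain, e) for e in ctl.deny_dest):
        return False
    return not (ctl.allow_src or ctl.allow_dest)


def relay_checks_apply(ctl, host, local_domains, authenticated):
    """Steps 2-5: is this session subject to the relay controls at all?
    host is the PTR-resolved name, or None when there is no PTR record
    (such a host is external). Exclusion entries are matched by name only."""
    internal = host is not None and any(
        host.lower().endswith("." + d.lower()) for d in local_domains)
    if ctl.enforce_for == "none":
        return False
    if ctl.enforce_for == "external" and internal:
        return False
    if host is not None and any(host_matches(host, e) for e in ctl.excluded_hosts):
        return False
    if authenticated and ctl.exempt_authenticated:
        return False
    return True


def rcpt_decisions(ctl, host, local_domains, authenticated, recipients):
    """Step 7: one accept/reject decision per RCPT TO address. A recipient in
    a local Internet domain is never a relay (simplified from the $Users
    view lookup the page describes)."""
    subject = relay_checks_apply(ctl, host, local_domains, authenticated)
    local = {d.lower() for d in local_domains}
    decisions = {}
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in local or not subject:
            decisions[addr] = True
        else:
            decisions[addr] = relay_permitted(ctl, host or "", domain)
    return decisions


if __name__ == "__main__":
    # The page's second conflict example: qrs.com denied, relay.abc.com allowed.
    ctl = RelayControls(deny_dest=["qrs.com"], allow_src=["relay.abc.com"])
    print(rcpt_decisions(ctl, "relay.abc.com", ["acme.com"], False, ["x@qrs.com"]))
    print(rcpt_decisions(ctl, "smtp.isp.net", ["acme.com"], False, ["x@qrs.com"]))
```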

Enabling DNS blacklist filters for SMTP connections


To prevent unsolicited commercial e-mail (UCE), or spam, from entering
your system, you can set up Domino to check whether incoming SMTP
connections originate from servers listed in one or more DNS blacklists
(DNSBLs). DNSBLs are databases that keep a record of Internet SMTP
hosts that are known sources of spam or permit third-party, open
relaying.
When DNS blacklist filters are enabled, for each incoming SMTP
connection Domino performs a DNS query against the blacklists at the
specified sites. If a connecting host is found on the list, Domino reports
the event in a console message and in an entry to the Mail Routing
Events view of the Notes Log. Both the console message and log entry
provide the host name and IP address of the server, and the name of the
site where the server was listed.
In addition to logging the event, you can configure Domino to reject
messages from hosts on the blacklist or to add a special Notes item to flag
messages accepted from hosts on the list.
Specifying the DNS blacklist sites to check
After you enable the DNS blacklist filters, you can specify the site or sites
the SMTP task uses to determine if a connecting host is a known open
relay or spam source. Specify sites that support IP-based DNS blacklist
queries.
If Domino finds a match for a connecting host in one of the blacklists, it
does not continue checking the lists for the other configured sites.
For performance reasons, it's best to limit the number of sites, because
Domino performs a DNS lookup to each site for each connection.
You can choose from a number of publicly available and private, paid
subscription services that maintain DNS blacklists. When using a public
blacklist service, Domino performs DNS queries over the Internet. In
some cases, it may take a significant amount of time to resolve DNS
queries submitted to an Internet site. If the network latency of DNS
queries made over the Internet results in slowed performance, consider
contracting with a private service that allows zone transfer, so that
Domino can perform the required DNS lookups to a local host. During a
zone transfer, the contents of the DNS zone file at the service provider
are copied to a DNS server in the local network.
Each blacklist service uses its own criteria for adding servers to its list.
Blacklist sites use automated tests and other methods to confirm whether
a suspected server is sending out spam or acting as an open relay. The
more restrictive blacklist sites add servers to their list as soon as they fail
the automated tests and regardless of whether the server is verified as a source of spam. Other less restrictive sites list a server only if its administrator fails to close the server to third-party relaying after a specified grace period or if the server plays host to known spammers.
By searching the Internet, you can find Internet sites that provide periodic reports on the number of entries in various DNS blacklist services.

Hosts that are exempt from DNS blacklist checks
To avoid unnecessary DNS lookups, Domino performs DNS blacklist checks only on hosts that are subject to relay checks, as specified in the SMTP inbound relay restrictions. Any host that is authorized to relay is exempt from blacklist checks. For example, by default, Domino enforces the inbound relay restrictions only for external hosts (Router/SMTP - Restrictions and Controls - SMTP Inbound Controls - Perform Anti-Relay enforcement for these connecting hosts). If the default setting is used, internal hosts are not subject to relay controls and thus are also exempt from blacklist checks.
For more information on configuring relay enforcement, refer to the topic Setting inbound relay controls to prevent unauthorized mail relaying earlier in this chapter.

Specifying how Domino handles connections from hosts found in a DNS blacklist
You can configure Domino to take the following actions when it finds a connecting host on one of the blacklists:
• Log only
• Log and tag message
• Log and reject message
In each case, the server records the following information in the Notes log: the host's IP address and host name (if a reverse DNS lookup can determine this information) and the name of the site that listed the host.
When tagging messages, Domino adds a special Note item to messages received from hosts found on a blacklist. After Domino determines that a connecting host is on the blacklist, it adds the Note item, $DNSBLSite, to each message it accepts from the host before depositing the message in MAIL.BOX. The value of a $DNSBLSite item is the blacklist site in which the host was found. Administrators can use the $DNSBLSite note item to provide custom handling of messages received from hosts listed in a blacklist. For example, you can test for the presence of the item through the use of formula language in an agent or view and provide conditional handling of messages that contain the item, such as moving the messages to a special database.
When considering what action to take when Domino finds a host on the blacklist, choose an action that's consistent with the policies of the DNS blacklist site you use. For instance, if the service you use is very restrictive, its blacklist may include false positives; that is, it may blacklist hosts that are not known sources of spam. As a result, if you take the action of rejecting mail from any host found on the blacklist, it could prevent the receipt of important messages.
Use restraint when taking action, particularly if you use the blacklist of a more restrictive site. The action you select applies to each of the specified blacklist sites. That is, you cannot configure Domino to deny connections for hosts found on one site's list and log the event only for hosts found on another site's list.

DNS blacklist statistics
The SMTP task maintains statistics that track the total number of connecting hosts that were found on the combined DNSBLs of all configured sites, as well as how many were found on the DNSBL of each configured site. Because the statistics are maintained by the SMTP task, they are cumulative for the life of the task only and are lost when the task stops.
You can view the statistics from the Domino Administrator or by using the SHOW STAT SMTP command from the server console. You can further expand the statistics to learn the number of times a given IP address is found on one of the configured DNSBLs. To collect the expanded information, set the variable SMTPExpandDNSBLStats in the NOTES.INI file on the server. Because of the large numbers generated by the expanded set of statistics, Domino does not record the expanded statistics by default.
Note Domino uses IP version 4 (IPv4) addresses when querying DNS blacklist sites to find out if a connecting host is listed. If the connecting host has an IP version 6 (IPv6) address, Domino skips the DNSBL check for that host.
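The DNSBL check and the three actions described in this section, as an added Python model (not Domino's code): the query form (reversed IPv4 octets under the site's zone) is the usual IP-based DNSBL convention, and the resolver, zone data, log-line wording, default response text and all addresses are constructed; the exemption for hosts not subject to relay checks, the IPv6 skip, the stop at the first listing site and the two %s specifiers of the custom error response follow the page.

```python
"""Model of the Domino 6 DNS blacklist (DNSBL) filter described on this
page: query each configured site for the connecting IPv4 address, stop at
the first listing, then log, tag ($DNSBLSite) or reject.

Added example, not Lotus/IBM code. The query name (reversed IPv4 octets
under the site's zone) is the usual IP-based DNSBL convention; the
resolver, the zone data, the log-line format, the default response text
and all addresses are constructed.
"""
import ipaddress

# Constructed stand-in for DNS: names that resolve inside a blacklist zone.
CONSTRUCTED_ZONE_DATA = {
    "17.10.168.192.bl-two.example.org": "127.0.0.2",
}


def dnsbl_query_name(ip, site):
    """IP-based DNSBL lookup name: the octets reversed, then the site zone."""
    return ".".join(reversed(ip.split("."))) + "." + site


def constructed_resolve(name):
    """Stand-in for a DNS A lookup; None means the name is not listed."""
    return CONSTRUCTED_ZONE_DATA.get(name)


def dnsbl_check(ip, sites, subject_to_relay_checks, resolve=constructed_resolve):
    """Return the first site that lists the host, or None.
    Hosts that are not subject to relay checks are exempt, and IPv6
    addresses are skipped, as the page states."""
    if not subject_to_relay_checks:
        return None
    if ipaddress.ip_address(ip).version != 4:
        return None
    for site in sites:
        if resolve(dnsbl_query_name(ip, site)) is not None:
            return site  # no further sites are queried once a match is found
    return None


def format_response(template, ip, site):
    """Fill the first two %s specifiers with the host's IP address and the
    DNSBL site; a template without specifiers is returned unchanged."""
    out = template
    for value in (ip, site):
        if "%s" not in out:
            break
        out = out.replace("%s", value, 1)
    return out


def handle_connection(ip, host_name, sites, action, subject_to_relay_checks,
                      custom_error=None, resolve=constructed_resolve):
    """Apply the configured action ('log', 'tag' or 'reject') and return the
    outcome: accept flag, log lines, the $DNSBLSite value (tag only) and
    the SMTP response text (reject only)."""
    outcome = {"accept": True, "log": [], "dnsbl_site_item": None, "response": None}
    site = dnsbl_check(ip, sites, subject_to_relay_checks, resolve)
    if site is None:
        return outcome
    # Every action records host name (if the reverse lookup gave one), IP and site.
    outcome["log"].append(
        f"SMTP host {host_name or '(no PTR record)'} [{ip}] found in DNS blacklist at {site}")
    if action == "tag":
        outcome["dnsbl_site_item"] = site
    elif action == "reject":
        outcome["accept"] = False
        template = custom_error or "Connection denied for policy reasons: %s is listed at %s"
        outcome["response"] = format_response(template, ip, site)
    return outcome


if __name__ == "__main__":
    sites = ["bl-one.example.org", "bl-two.example.org"]
    for action in ("log", "tag", "reject"):
        print(action, handle_connection("192.168.10.17", "mail.example.net", sites, action, True))
```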
Changing the default error message
When denying a blacklisted host, Domino returns to it a default SMTP
response, which includes the remote host's IP address and the blacklist
site that listed the host. You can customize this response in the Custom
error message for denied hosts field in the Configuration Settings
document. The text of a customized response can include the string
format specifier %s to represent a denied host's IP address and the
DNSBL site where the host was found. Refer to the table in the following
procedure for more information.

To enable DNS blacklist filters
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers where you want to enable DNS blacklist filters, and click Edit
Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound
Controls tab.
6. Complete the following fields in the DNS Blacklist Filters section,
and then click Save & Close:

Field: DNS Blacklist filters
Enter: Choose one:
  Enabled - When Domino receives an SMTP connection request, it checks
  whether the connecting host is listed in the blacklist at the
  specified sites.
  Disabled - Domino does not check whether a connecting host is on the
  blacklist.

Field: DNS Blacklist sites
Enter: If DNS blacklist filters are enabled, specify the DNSBL sites to
  check when Domino receives an SMTP connection request.

Field: Desired action when connecting host is found in a DNS Blacklist
Enter: Choose one:
  Log - When Domino finds that a connecting host is on the blacklist, it
  accepts messages from the host and records the host name and IP
  address of the connecting server and the name of the site where the
  server was listed.
  Log and tag message - When Domino finds that a connecting host is on
  the blacklist, it accepts messages from the host, logs the host name
  and IP address of the connecting server and the name of the site where
  the server was listed, and adds the Notes item $DNSBLSites to each
  accepted message.
  Log and reject message - When Domino finds that a connecting host is
  on the blacklist, it rejects the connection and returns a configurable
  error message to the host.

Field: Custom SMTP error response for rejected messages
Enter: Enter the text of the error message Domino returns when denying
  a connection because it found the host in the DNS blacklist. The
  default error message indicates that the connection was denied for
  policy reasons.
  You can use the format specifier %s to specify the IP address of the
  denied host and the DNS blacklist site where Domino found the host
  listed. For example, if you enter the following:
    Your host %s was found in the DNS Blacklist at %s
  whenever Domino denies a connection, it returns an error to the host
  in which it replaces the first instance of %s with the IP address of
  the host, and the second instance with the DNS blacklist site name.
  Thus, if you entered the text in the preceding example, a denied host
  receives an error such as:
    Your host 127.0.0.2 was found in the DNS Blacklist at blackholes.mail-abuse.org

7. Reload the SMTP task, or update the SMTP configuration to put
changes into effect.

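The DNSBL check and custom error response described above, as an added example that is not Domino code: it queries each configured site for the connecting host's IPv4 address (the conventional reversed-octet DNSBL query, an assumption since the page does not give Domino's query format), skips IPv6 hosts, applies the three Desired action settings, keeps the per-site and optional per-IP counters, and fills the two %s specifiers. The sample DNS answers and the 550 reply code are constructed.

```python
"""DNS blacklist (DNSBL) check modelled on the Domino SMTP inbound control."""
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed sample answers (query name -> listed) so the example runs
# offline.  Only 127.0.0.2 is listed, and only at the first site.
SAMPLE_DNS: Dict[str, bool] = {"2.0.0.127.blackholes.mail-abuse.org": True}

SITES: List[str] = ["blackholes.mail-abuse.org", "dnsbl.example.test"]
TEMPLATE = "Your host %s was found in the DNS Blacklist at %s"


def sample_lookup(name: str) -> bool:
    """Stand-in for a DNS A-record query against the constructed table."""
    return SAMPLE_DNS.get(name, False)


def dnsbl_query_name(ip: str, site: str) -> str:
    """Build the conventional DNSBL query name: IPv4 octets reversed under
    the site zone (an assumption; the page does not give Domino's format)."""
    return ".".join(reversed(ip.split("."))) + "." + site


def find_listing(ip: str, sites: List[str],
                 lookup: Callable[[str], bool]) -> Optional[str]:
    """Return the first configured site that lists ip, or None.
    IPv6 connecting hosts are skipped, as the page states Domino does."""
    if ipaddress.ip_address(ip).version != 4:
        return None
    for site in sites:
        if lookup(dnsbl_query_name(ip, site)):
            return site
    return None


def format_error(template: str, ip: str, site: str) -> str:
    """Substitute the first %s with the denied host's IP address and the
    second %s with the DNSBL site name, as the custom error field does."""
    return template.replace("%s", ip, 1).replace("%s", site, 1)


class DnsblStats:
    """Counters like the SMTP task's: total hits, hits per site and, only
    when expand is set (SMTPExpandDNSBLStats), hits per IP address."""

    def __init__(self, expand: bool = False) -> None:
        self.expand = expand
        self.total = 0
        self.per_site: Dict[str, int] = {}
        self.per_ip: Dict[str, int] = {}

    def record(self, ip: str, site: str) -> None:
        self.total += 1
        self.per_site[site] = self.per_site.get(site, 0) + 1
        if self.expand:
            self.per_ip[ip] = self.per_ip.get(ip, 0) + 1


def handle_connection(ip: str, action: str, stats: DnsblStats,
                      sites: List[str] = SITES, template: str = TEMPLATE,
                      lookup: Callable[[str], bool] = sample_lookup) -> dict:
    """Apply the 'Desired action when connecting host is found in a DNS
    Blacklist' setting and return the decision the listener would act on."""
    decision = {"accept": True, "log": None, "tag": None, "response": None}
    site = find_listing(ip, sites, lookup)
    if site is None:
        return decision
    stats.record(ip, site)
    # All three actions log the connecting host and the listing site.
    decision["log"] = "DNSBL: connecting host %s listed at %s" % (ip, site)
    if action == "Log and tag message":
        decision["tag"] = {"$DNSBLSites": site}
    elif action == "Log and reject message":
        decision["accept"] = False
        # Reply code 550 is an assumption; the page specifies only the text.
        decision["response"] = "550 " + format_error(template, ip, site)
    elif action != "Log":
        raise ValueError("unknown action: %r" % action)
    return decision
```
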
Restricting who can send Internet mail to your users


Unsolicited commercial e-mail (UCE) can flood your server with
numerous copies of the same message. Accepting UCE reduces
performance and consumes system resources. You can specify
restrictions to prevent UCE from being routed to or relayed through your
server. Specifying restrictions prevents malicious users from using your
system to spoof addresses or send UCE.
To save system resources, before it accepts a message, the Domino SMTP
listener checks the Mail From address specified in the message envelope
during the SMTP transaction. If you set the Domino server to deny mail
from a particular source, Domino denies it whenever that source is
encountered. For example, if users from a denied domain send mail
through a relay, Domino denies it based on its origin from that domain.
Domino creates an entry in the log file (LOG.NSF) whenever a message is
rejected.
To restrict who can send Internet mail to your users
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to restrict mail on, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound
Controls tab.
6. Complete these fields in the Inbound Sender Controls section, and
then click Save & Close:

Inbound Sender Controls

Field: Verify sender's domain in DNS
Enter: Choose one:
  Enabled - Domino verifies that the sender's domain exists by checking
  the DNS for an MX, CNAME, or A record that matches the domain part of
  the address in the MAIL FROM command received from the sending host.
  If no match is found, Domino rejects inbound mail from the host. This
  can result in Domino rejecting mail from legitimate hosts that do not
  have these records in their DNS entries.
  Disabled (default) - Domino does not check DNS to verify that the
  sender's domain exists.

Field: Allow messages only from the following Internet addresses/domains
Enter: Internet addresses from which the server accepts messages. If you
  enter addresses in this field, only senders matching those addresses
  can send Internet mail to users in your local Internet domain. Mail
  from all other addresses is denied.
  During the SMTP conversation, the Domino SMTP listener compares the
  address in the MAIL FROM command received from the connecting host
  with the entries in this field.
  For example, if you enter lotus.com in the field, Domino accepts
  incoming mail only if the address in the MAIL FROM command ends in
  lotus.com. Domino denies messages from all other Internet addresses.
  You can create a Notes group containing a list of addresses from which
  to allow messages and enter the group name in this field. A group
  entry is valid only if it does not contain a domain part or dot (.).
  For example, the group with the name group1 is valid, but the groups
  named iris.com or group2@iris are not.

Field: Deny messages from the following Internet addresses/domains
Enter: Internet addresses from which the server does not accept
  messages.
  During the SMTP conversation, the Domino SMTP listener compares the
  address in the MAIL FROM command received from the connecting host
  with the entries in this field.
  If you enter addresses in this field, all messages except those from
  addresses matching the entries in this field can route to your users.
  Mail is denied only from addresses matching the entries in this field.
  For example, if you enter lotus.com in the field, Domino accepts
  messages from all Internet addresses and domains except those ending
  in lotus.com. Domino denies messages from senders whose addresses end
  in lotus.com.
  You can create a Notes group containing a list of addresses from which
  to deny messages and enter the group name in this field. A group entry
  is valid only if it does not contain a domain part or dot (.). For
  example, the group with the name group1 is valid, but the groups named
  iris.com or group2@iris are not.

7. Reload the SMTP task, or update the SMTP configuration to put
changes into effect.
Note Be careful not to specify the same entry in an Allow field and a
Deny field, because Domino will deny messages for that entry. The Deny
setting takes precedence for security reasons.

Restricting users from receiving Internet mail

Domino provides SMTP intended recipient filters that let you control the
users for whom the server accepts mail sent over SMTP connections. One
filter triggers a directory lookup that enables the server to verify that an
intended recipient exists before accepting a message. The other two
filters let you explicitly specify the Internet addresses that can and cannot
receive mail. To ensure that you don't unintentionally block desirable
mail, use discretion when applying these settings.
During the SMTP conversation, the connecting host sends the Domino
SMTP listener a RCPT TO command, which specifies the recipient's
Internet address. Each of the Inbound Intended Recipient Controls works
by examining the addresses specified as arguments to the RCPT TO
command. For example, if you enable directory verification and the
address specified in the RCPT TO command is in the local Internet
domain, the SMTP listener refers to the Domino Directory to determine
whether the address is valid. Messages for invalid addresses are rejected,
preventing them from becoming dead messages in MAIL.BOX.
Note Because enabling this setting results in messages for recipients not
found in the directory being rejected, do not use this setting in
environments that require mail to be forwarded to a smart host for
further processing.
The Allow messages setting lets you list Internet addresses that are
allowed to receive mail. If the RCPT TO command contains one of the
specified addresses, the SMTP listener accepts the message; messages for
all other recipients are rejected. The Deny messages setting lets you
explicitly deny mail to certain addresses. If the RCPT TO command
contains a denied address, the SMTP listener rejects the message, but
messages for all other recipients are accepted.
Note If the server supports Local Part name lookups, users whose
addresses are listed in the Deny field may still receive mail addressed to
any alternate Internet addresses configured for them. To ensure greater
control, specify the Internet address in each user's Person document and
allow users to receive inbound mail destined for their full-name addresses
only.
For information on restricting how Domino looks up recipient names, see
the chapter Setting Up Mail Routing.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound
Controls tab.
6. Complete these fields in the Inbound Intended Recipients Controls
section, and then click Save & Close:

Field: Verify that local domain recipients exist in the Domino Directory
Description: Specifies whether the SMTP listener checks recipient names
  specified in RCPT TO commands against entries in the Domino Directory.
  Choose one:
  Enabled - If the domain part of an address specified in an SMTP RCPT
  TO command matches one of the configured local Internet domains, the
  SMTP listener checks all configured directories to determine whether
  the specified recipient is a valid user. If all lookups complete
  successfully and no matching user name is found, the SMTP server
  returns a 550 permanent failure response indicating that the user is
  unknown. For example:
    550 bad_user@yourdomain.com ... No such user
  Choosing this setting can help prevent messages sent to nonexistent
  users (for example, spam messages and messages intended for users who
  have left the organization) from accumulating in MAIL.BOX as dead
  mail.
  To avoid messages being rejected as a result of directory
  unavailability, Domino accepts messages when an attempted directory
  lookup does not complete successfully.
  To avoid unnecessary directory lookups, Domino applies this setting
  only after performing all other configured SMTP inbound checks
  (inbound relay, sender, and recipient controls).
  When this setting is enabled, the server cannot relay mail to a smart
  host, because Domino rejects messages addressed to local domain
  recipients who are not listed in the Domino Directory.
  Disabled (default) - The SMTP listener does not check whether local
  domain recipients specified in the RCPT TO command are listed in the
  Domino Directory.

Field: Allow messages intended only for the following Internet addresses
Description: Internet addresses that are within the local Internet domain
  and that are allowed to receive mail from the Internet. If you enter
  addresses in this field, only those recipients can receive Internet
  mail. Domino denies mail for all other recipients.
  You can create a Notes group containing a list of addresses allowed to
  receive mail from the Internet and enter the group name in this field.
  A group entry is valid only if it does not contain a domain part or
  dot (.). For example, the group with the name group1 is valid, but the
  groups named yourdomain.com or group2@yourdomain are not.

Field: Deny messages intended for the following Internet addresses
Description: Internet addresses within the local Internet domain that are
  prohibited from receiving mail from the Internet. If you enter
  addresses in this field, all addresses except those listed in this
  field can receive Internet mail. Domino denies mail for only the
  addresses in this field.
  You can create a Notes group containing a list of addresses that cannot
  receive mail from the Internet and enter the group name in this field.
  A group entry is valid only if it does not contain a domain part or
  dot (.). For example, the group with the name group1 is valid, but the
  groups named yourdomain.com or group2@yourdomain are not.

Note The SMTP listener accepts messages addressed to any variant
of a user's name that is not explicitly denied and that is otherwise
acceptable to Domino. For example, if you deny mail to
Kieran.Campion@acme.com, a message addressed to
Kcampion@acme.com may be accepted and delivered to the same
user.
7. Reload the SMTP task, or update the SMTP configuration to put
changes into effect.
Note Be careful not to specify the same entry in an Allow field and a
Deny field, because Domino will deny messages for that entry. The Deny
setting takes precedence for security reasons.

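The MAIL FROM and RCPT TO checks from the two procedures above, as an added example that is not Domino code: suffix matching of list entries, Deny taking precedence over Allow, group expansion only for entries without a dot or domain part, and directory verification that runs after the other checks, answers 550 for unknown local recipients and accepts when the lookup does not complete. The groups, directory entries, addresses and the non-550 reason strings are constructed; the same Allow/Deny precedence is what the outbound controls later in this chapter describe.

```python
"""Inbound Sender Controls and Inbound Intended Recipient Controls as a
small model of the Domino SMTP listener's MAIL FROM / RCPT TO checks."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed Notes groups (name -> members).  A group entry is valid only
# when the name contains no dot and no domain part.
GROUPS: Dict[str, List[str]] = {
    "BlockedSenders": ["spammer.example", "noreply@bulk.example"],
}

# Constructed Domino Directory: Internet addresses of local users, including
# an alternate address for one person (see the Note on name variants).
DIRECTORY = {"kieran.campion@acme.com", "kcampion@acme.com", "anna.lee@acme.com"}
LOCAL_DOMAINS: List[str] = ["acme.com"]

# Lookup result: True = found, False = not found, None = lookup did not
# complete (directory unavailable).
DirectoryLookup = Callable[[str], Optional[bool]]


def directory_lookup(address: str) -> Optional[bool]:
    return address.lower() in DIRECTORY


def directory_unavailable(address: str) -> Optional[bool]:
    return None


@dataclass
class InboundControls:
    allow_senders: List[str] = field(default_factory=list)
    deny_senders: List[str] = field(default_factory=list)
    allow_recipients: List[str] = field(default_factory=list)
    deny_recipients: List[str] = field(default_factory=list)
    verify_recipients: bool = False


def is_group_entry(entry: str) -> bool:
    """group1 is a valid group entry; iris.com and group2@iris are not."""
    return "." not in entry and "@" not in entry


def expand(entries: List[str], groups: Dict[str, List[str]]) -> List[str]:
    """Replace valid group entries by their members (nested groups too)."""
    out: List[str] = []
    for entry in entries:
        if is_group_entry(entry) and entry in groups:
            out.extend(expand(groups[entry], groups))
        else:
            out.append(entry)
    return out


def matches(address: str, entries: List[str],
            groups: Dict[str, List[str]]) -> bool:
    """An entry matches when the address equals it or ends in it, which is
    how the page describes the lotus.com example (case-insensitive here)."""
    addr = address.lower()
    return any(addr == e.lower() or addr.endswith(e.lower())
               for e in expand(entries, groups))


def allowed(address: str, allow: List[str], deny: List[str],
            groups: Dict[str, List[str]]) -> bool:
    """Deny entries take precedence over Allow entries; a non-empty Allow
    list restricts acceptance to its entries."""
    if matches(address, deny, groups):
        return False
    if allow and not matches(address, allow, groups):
        return False
    return True


def check_mail_from(sender: str, ctl: InboundControls,
                    groups: Dict[str, List[str]] = GROUPS) -> Tuple[bool, str]:
    """Inbound Sender Controls applied to the MAIL FROM address."""
    if allowed(sender, ctl.allow_senders, ctl.deny_senders, groups):
        return True, "250 OK"
    return False, "sender denied by Inbound Sender Controls"


def check_rcpt_to(recipient: str, ctl: InboundControls,
                  groups: Dict[str, List[str]] = GROUPS,
                  local_domains: List[str] = LOCAL_DOMAINS,
                  lookup: DirectoryLookup = directory_lookup) -> Tuple[bool, str]:
    """Inbound Intended Recipient Controls applied to a RCPT TO address."""
    if not allowed(recipient, ctl.allow_recipients, ctl.deny_recipients, groups):
        return False, "recipient denied by Inbound Intended Recipient Controls"
    # Directory verification runs only after the other inbound checks and
    # only for addresses in a local Internet domain.
    domain = recipient.rsplit("@", 1)[-1].lower()
    if ctl.verify_recipients and domain in local_domains:
        found = lookup(recipient)
        if found is False:
            return False, "550 %s ... No such user" % recipient
        # found is None: the lookup did not complete, so the message is accepted
    return True, "250 OK"
```
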

Supporting inbound SMTP extensions

Domino supports a number of extended SMTP (ESMTP) functions.
These include the ability to combine (or pipeline) commands, set the
server to check message size before accepting transfer, create a secure
SSL connection with another server, and create delivery status
notifications in MIME format. You enable or disable each of these options
in the Configuration Settings document for the server or servers for
which you want to use these extensions.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Advanced - Commands and Extensions
tab.
6. Complete these fields in the Inbound SMTP Commands and
Extensions section, and then click Save & Close:

Field: SIZE extension
Enter: Choose one:
  Enabled (default) - Domino declares its maximum message size to
  connecting hosts and checks the sending host's estimate of message
  size before accepting transfer. If the sender indicates that a message
  to be transferred is larger than the maximum size, Domino returns an
  error indicating that it will not accept the message.
  Disabled - Domino does not advertise its maximum message size or check
  inbound message size before transfer.
  For information about setting the maximum message size, see the topic
  Restricting mail routing based on message size earlier in this chapter.

Field: Pipelining extension
Enter: Choose one:
  Enabled (default) - Improves performance by allowing Domino to accept
  multiple SMTP commands in the same network packet.
  Disabled - Domino does not accept multiple SMTP commands in a single
  packet.

Field: DSN extension
Enter: Choose one:
  Enabled - Domino supports incoming requests to return delivery status
  notifications to the sender for failed, delayed, delivered, and
  relayed messages. Upon request, Domino sends delay reports to the
  sender of an SMTP message for low-priority messages held until the
  low-priority routing time.
  Disabled (default) - Domino does not return delivery status
  notifications for SMTP messages.

Field: 8-bit MIME extension
Enter: Choose one:
  Enabled - Domino accepts 8-bit messages as is, allowing reception of
  unencoded multinational characters.
  Disabled (default) - Domino requires inbound messages containing 8-bit
  characters to be sent using 7-bit ASCII encoding.

Field: HELP command
Enter: Choose one:
  Enabled (default) - In response to the HELP command, Domino displays a
  list of supported commands.
  Disabled - Domino ignores the HELP command.

Field: VRFY command
Enter: Choose one:
  Enabled - Domino accepts inbound requests to verify user names.
  Disabled (default) - Domino denies requests to verify user names.

Field: EXPN command
Enter: Choose one:
  Enabled - Domino expands mailing lists or groups to show individual
  recipient names.
  Disabled (default) - Domino does not expand lists and groups.

Field: ETRN command
Enter: Choose one:
  Enabled - Domino accepts inbound pull requests from other SMTP hosts
  to transfer messages destined for the calling server. Enabling ETRN
  support allows for more efficient use of bandwidth by allowing a
  remote SMTP host to request pending messages at the same time it
  transfers messages to the Domino server.
  Disabled (default) - Domino does not accept inbound pull requests from
  other SMTP hosts.

Field: SSL negotiated over TCP/IP port
Enter: Choose one:
  Enabled - Domino supports the STARTTLS command, allowing it to create
  an encrypted SSL channel over the SMTP TCP/IP port.
  Required - Domino accepts inbound SMTP connections over the TCP/IP
  port only from hosts that issue the STARTTLS command.
  Disabled (default) - Domino does not allow secure SSL connections over
  the SMTP TCP/IP port.
  After accepting the STARTTLS command from a remote server, Domino uses
  the settings for the server's SSL port to govern authentication for
  the session. For Domino to authenticate remote hosts that use the SMTP
  AUTH command, Name & Password authentication must be enabled for the
  Domino SSL port.
  For more information about the authentication settings required to
  support STARTTLS, see the topic Securing SMTP sessions using the
  STARTTLS command earlier in this chapter.

7. Reload the SMTP task, or update the SMTP configuration to put
changes into effect.
Note Enabling VRFY and EXPN allows people outside your
organization to expand group names and to check for valid e-mail
addresses in your organization. You may not want to enable these
extensions for security reasons.
To prevent an SMTP server from sending outbound messages that
exceed the specified maximum size on the destination server, set the
outbound SMTP SIZE extension.
For information on enabling the outbound SMTP SIZE extension, see the
topic Supporting outbound SMTP extensions later in this chapter.

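An added helper for reviewing your own server after saving the settings above; it is not Domino code. It parses an EHLO reply into the extensions listed in the table, uses the server's actual reply to VRFY and EXPN when you supply it (a command absent from EHLO is not necessarily disabled), and lists the points the Note above raises. The EHLO text and command replies are constructed, and the mapping of table rows to EHLO keywords is an assumption.

```python
"""Audit helper for the Inbound SMTP Commands and Extensions settings:
parse an EHLO reply and report which of the table's extensions a server
advertises, flagging the ones the page's Note calls out."""
import re
from typing import Dict, List

# Table entries and the EHLO keyword each is advertised under (keywords
# from the SMTP service extension registry; VRFY is a base command that
# some servers also list).
EXTENSION_KEYWORDS: Dict[str, str] = {
    "SIZE": "SIZE extension",
    "PIPELINING": "Pipelining extension",
    "DSN": "DSN extension",
    "8BITMIME": "8-bit MIME extension",
    "HELP": "HELP command",
    "VRFY": "VRFY command",
    "EXPN": "EXPN command",
    "ETRN": "ETRN command",
    "STARTTLS": "SSL negotiated over TCP/IP port",
}

# Constructed EHLO reply and command replies, not captured from Domino.
SAMPLE_EHLO = (
    "250-mail.acme.com Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-PIPELINING\r\n"
    "250-DSN\r\n"
    "250-8BITMIME\r\n"
    "250-ETRN\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
SAMPLE_COMMAND_REPLIES: Dict[str, str] = {
    "VRFY": "502 Command not implemented",
    "EXPN": "250 anna.lee@acme.com",
}

_LINE = re.compile(r"^250([ -])(.*)$")


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Return {KEYWORD: [parameters]} from a multi-line 250 reply.  The
    first line carries the server's domain, not a keyword; '250-' lines
    continue the reply and the single '250 ' line ends it."""
    caps: Dict[str, List[str]] = {}
    lines = reply.strip().splitlines()
    for index, line in enumerate(lines):
        m = _LINE.match(line)
        if not m:
            raise ValueError("not an EHLO success line: %r" % line)
        if index > 0:
            words = m.group(2).split()
            if words:
                caps[words[0].upper()] = words[1:]
        if m.group(1) == " " and index != len(lines) - 1:
            raise ValueError("lines follow the final 250 line")
    return caps


def audit(caps: Dict[str, List[str]],
          command_replies: Dict[str, str]) -> Dict[str, str]:
    """State per table entry.  Absence from EHLO does not prove a command
    is off, so when the actual reply to a command is supplied its code
    decides: 5xx means disabled, anything else enabled."""
    report: Dict[str, str] = {}
    for keyword, label in EXTENSION_KEYWORDS.items():
        state = "advertised" if keyword in caps else "not advertised"
        if keyword in command_replies:
            code = command_replies[keyword][:3]
            kind = "disabled" if code.startswith("5") else "enabled"
            state = "%s (%s)" % (kind, code)
        report[label] = state
    return report


def findings(caps: Dict[str, List[str]],
             command_replies: Dict[str, str]) -> List[str]:
    """Configuration points worth reviewing, in a fixed order."""
    report = audit(caps, command_replies)
    out: List[str] = []
    for keyword in ("VRFY", "EXPN"):  # page Note: disclose names/groups
        state = report[EXTENSION_KEYWORDS[keyword]]
        if state.startswith(("advertised", "enabled")):
            out.append("%s is enabled: outsiders can check addresses or "
                       "expand groups" % keyword)
    if "STARTTLS" not in caps:
        out.append("STARTTLS not advertised: sessions cannot be encrypted")
    if caps.get("SIZE"):
        out.append("maximum message size advertised: %s bytes" % caps["SIZE"][0])
    return out
```
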
Restricting outbound mail routing

You can control outbound messages from your system to external
Internet domains by restricting who can send these messages and by
enabling extended SMTP (ESMTP) outbound features. You can set these
restrictions to:
• Restrict who can send mail to the Internet
• Set outbound SMTP extensions

Restricting users from sending Internet mail

You can control the transfer of outbound mail from your organization to
the Internet. Domino provides two methods for restricting outbound
Internet mail:
• Outbound sender controls - These controls specify which users in
your organization are allowed to send mail to the Internet.
• Outbound recipient controls - These controls specify the Internet
destinations to which users can send mail.

Setting outbound sender controls

The outbound sender controls let you specify who can and cannot send
mail to the Internet. The controls are implemented in two sets of Allow
and Deny lists:
• Internet addresses of users who can/cannot send mail to the Internet
• Notes addresses of users who can/cannot send mail to the Internet
Domino sends a restriction failure message to restricted users who
attempt to send outbound mail. You can customize the text of mail
failure messages.
For more information, see the topic Customizing the text of mail failure
messages earlier in this chapter.
The Outbound sender controls are not intended to restrict SMTP relay
access. To configure relay restrictions, use the Inbound Relay Controls on
the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls
tab of the Configuration Settings document.
For more information on setting the inbound relay controls, see the topic
Setting inbound relay controls earlier in this chapter.
Note Because you might unintentionally block desired mail, be careful
when you use these fields.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP
Outbound Controls tab.
6. Complete these fields in the Outbound Sender Controls section, and
then click Save & Close:
Outbound Sender Controls

Field: Allow messages only from the following Internet addresses to be
sent to the Internet
Description: Specifies the RFC 821 Internet addresses of users in the
  local Internet domain from whom Domino accepts mail destined for
  Internet addresses outside the local Internet domain. If this field
  contains entries, Domino accepts outbound Internet mail from the
  specified Internet addresses only and rejects outbound Internet mail
  sent from other addresses. Rejected mail is returned to the sender.
  Enter Internet addresses in the form user@domain.com, or enter the
  name of a Notes group containing a list of Internet addresses allowed
  to send mail to the Internet. Domino expands entries for groups only
  if the group name can be found in the primary Domino Directory.
  Wildcards (for example, *acme.com) and isolated Internet domain
  suffixes (for example, acme.com) are not acceptable values in this
  field.

Field: Deny messages from the following Internet addresses to be sent to
the Internet
Description: Specifies the RFC 821 Internet addresses of users in the
  local Internet domain from which Domino does not accept mail destined
  for external Internet addresses. If this field contains entries,
  Domino rejects outbound Internet mail sent from the specified Internet
  addresses and returns it to the sender. All other users can send
  Internet mail.
  Enter Internet addresses in the form user@domain.com, or enter the
  name of a Notes group listing the Internet addresses from which to
  deny outbound Internet mail. Domino expands entries for groups only if
  the group name can be found in the primary Domino Directory.
  Wildcards (for example, *acme.com) and isolated Internet domain
  suffixes (for example, acme.com) are not acceptable values in this
  field.

Field: Allow messages only from the following Notes addresses to be sent
to the Internet
Description: Specifies the Notes user names from which Domino accepts
  mail destined for external Internet addresses. If this field contains
  entries, Domino accepts outbound Internet mail from the specified
  entries only and rejects outbound Internet mail sent from all other
  Notes addresses. Rejected mail is returned to the sender.
  Enter fully qualified Notes addresses in the form
  User/Organizational_unit/Organization, or enter the name of a Notes
  group whose members you want to allow to send Internet mail. Domino
  expands entries for groups only if the group name can be found in the
  primary Domino Directory.

Field: Deny messages from the following Notes addresses to be sent to
the Internet
Description: Specifies the Notes user names from which Domino does not
  accept mail destined for external Internet addresses. If this field
  contains entries, Domino rejects outbound Internet mail sent from the
  specified entries and returns it to the sender. Domino accepts
  outbound Internet mail from all other Notes addresses.
  Enter fully qualified Notes addresses in the form
  User/Organizational_unit/Organization, or enter the name of a Notes
  group whose members you want to prevent from sending Internet mail.
  Domino expands entries for groups only if the group name can be found
  in the primary Domino Directory.

Note Group entries cannot contain a domain qualifier (@ sign). For
example, an entry for a group with the name DenyMail is valid, but
if you add the domain name to the entry, as in DenyMail@acme,
Domino does not expand the entry to determine its members. This
restriction applies to nested groups also. That is, if the group
DenyMail includes Sales@AcmeWest as a member, Domino does not
expand Sales@AcmeWest to determine its members.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.

The outbound sender controls are not intended to control relaying. For
information on controlling message relaying, see the topic Setting
inbound relay controls earlier in this chapter.

Setting outbound recipient controls

The Outbound recipient controls let you specify the Internet domains
and host names to which users are allowed, or not allowed, to send mail.
The controls consist of a pair of lists, one specifying the Internet
domains or host names to which users can send mail and another listing
the domains and host names to which users cannot send mail.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP
Outbound Controls tab.
6. Complete these fields in the Outbound Recipient Controls section,
and then click Save & Close:

Outbound Recipient Controls

Field: Allow messages only to recipients in the following Internet
domains or host names
Description: Specifies the Internet domains, such as acme.com, and
  Internet host names, such as mailhost.acme.com, to which Domino can
  send mail. If there are entries in this field, users can send Internet
  mail to the specified entries only. Domino denies mail to all other
  domains or host names.
  If you specify an Internet domain, users can send mail to any host or
  sub-domain in that domain. Domino matches entries against the last
  part of domain names or host names, so entering host.acme.com allows
  mail to mail.host.acme.com as well as inbound.host.acme.com.
  If you list a host name that matches an MX record for a domain, Domino
  allows mail to all recipients in that domain. For example, if
  mailhost.acme.com exactly matches the name of an MX host in the DNS
  for the domain acme.com, entering it in this field allows all mail to
  that domain.

Field: Deny messages to recipients in the following Internet domains or
host names
Description: Specifies the Internet domains, such as acme.com, and
  Internet host names, such as mailhost.acme.com, to which Domino cannot
  send mail. Domino allows mail to all other domains or host names.
  Domino matches entries against the last part of domain names or host
  names, so entering host.acme.com denies mail to smtp.host.acme.com as
  well as inbound.host.acme.com.
  If you enter a host name that matches an MX record for a domain, mail
  to all host names and MX records for that domain is denied. Thus,
  specifying a host name that matches an MX record for a domain denies
  all mail to that domain.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
Note For security reasons, if there is a conflict between the two fields for
a given setting, entries in the Deny field take precedence. For example, if
acme.com appears in both the Allow messages only to recipients in the
following Internet domains or host names field and the corresponding
Deny messages field, Domino denies messages sent to acme.com. Be
careful not to have the same entry in an Allow field and a Deny field for
the same setting.
Note Domino checks each address to see if it is an Internet address or a
Notes address. The Router then applies the restrictions specified for that
type of address.
Note If you are entering multiple names in a field, consider creating a
group and entering the group name in the field. Domino expands the
group into a list of members. If you update the group list in this
document or edit the group members in the Domino Directory, changes
do not take effect immediately.

Supporting outbound SMTP extensions

Domino supports outbound extended SMTP (ESMTP) features to interact
with other messaging servers. These extensions are controlled in the
Configuration Settings document.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Advanced - Commands and Extensions
tab.
6. Complete these fields in the Outbound SMTP Commands and
Extensions section, and then click Save & Close:

Field: SIZE extension
Enter: Choose one:
  Enabled (default) - If the destination SMTP host also supports the
  SIZE extension, Domino declares the estimated size of messages before
  transfer.
  Disabled - Domino does not declare message size before transferring
  messages to another SMTP server.

Field: Pipelining extension
Enter: Choose one:
  Enabled (default) - If the remote SMTP host also supports pipelining,
  Domino sends multiple SMTP commands in the same network packet to
  improve performance.
  Disabled - Domino sends each SMTP command in a separate packet.

Field: DSN extension
Enter: Choose one:
  Enabled - When sending a message to a server that also supports the
  DSN extension, Domino appends a NOTIFY parameter to the SMTP RCPT TO
  command to request a particular type of delivery status notification
  for the message. For messages sent from Notes clients, Domino uses the
  Delivery report options specified by the client (Confirm delivery;
  Trace entire path; Delivered) to determine the type of DSN requested.
  Disabled (default) - Domino does not send DSN requests.

Field: 8-bit MIME extension
Enter: Choose one:
  Enabled - When sending a message to a remote server that also supports
  8-bit MIME, Domino improves performance by sending messages containing
  multinational characters as is, without first encoding them.
  Disabled (default) - Domino encodes messages containing 8-bit
  characters as 7-bit ASCII before sending.

28-104 Administering the Domino System, Volume 1

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.

Mail journaling
By default, after the Router processes a message, it does not retain a copy
of the message. That is, after ServerA successfully sends a message to
ServerB, the Router on ServerA deletes the message from its MAIL.BOX
database. Likewise, when ServerB successfully transfers or delivers the
message to the next server on the routing path, the Router on ServerB
removes the message from its MAIL.BOX database.
To comply with laws or regulations that apply to your business, your
organization may be required to save a copy of every message processed
by the local mail system and permanently store or otherwise process the
message copies. For example, government agencies such as the Securities
and Exchange Commission (SEC) require a business to retain all
messages related to the transactions they undertake.
Mail journaling enables administrators to capture a copy of specified
messages that the Router processes. Journaling can capture all messages
handled by the Router or only messages that meet specific criteria. When
mail journaling is enabled, Domino examines messages as they pass through
MAIL.BOX and saves copies of selected messages to a Domino Mail
Journaling database (MAILJRN.NSF) for later retrieval and review. Mail
journaling works in conjunction with mail rules: you create a journaling
rule that specifies which messages to journal. For example, you can
journal messages sent to or from specific people, groups, or domains.
Before depositing messages in the Mail Journaling database, the Router
encrypts them to ensure that only authorized persons can examine them.
Journaling does not disrupt the normal routing of a message. After the
Router copies a message to the Mail Journaling database, it continues to
dispatch the message to its intended recipient.
Domino mail journaling differs from message archiving. Journaling
works dynamically, making a copy of each message as it passes through
MAIL.BOX to its destination and placing the copy in the Mail Journaling
database. A copy of the message is retained, even if the recipient, or an
agent acting on the recipient's mail file, deletes it immediately upon
delivery. Archiving is used to reduce the size of an active mail file
database by deleting messages from one location and moving them to an
offline database, usually in another location, for long-term storage.
Customizing the Domino Mail System 28-105

Mail

Archiving acts on messages that have already been delivered. Journaling
is performed automatically by the server; while archiving is a manual
operation, performed by end users on their own mail files. End users can
search for and retrieve messages from a mail file archive, but only an
authorized administrator can examine a Mail Journaling database.
You can use Domino mail journaling in conjunction with third-party
archiving programs to fulfill long-term storage needs.
To provide access to certain journaling routines, Domino implements
several Extension Manager (EM) hooks. EM hooks enable an executable
program library, such as a dynamic link library or shared object library,
to register a callback routine that will be called before, after, or before
and after Domino performs selected internal operations. Using EM
hooks, developers can customize mail processing. For example, EM
hooks to the Journaling task could be used in conjunction with a
third-party archiving program to route certain messages directly to an
archive center. For more information about Extension Manager, see the
IBM Lotus C API Toolkit for Notes/Domino 6. The toolkit is available at
http://www.lotus.com/capi.

Setting up mail journaling


There are two steps to configure journaling:

Setting up the Mail Journaling database

Specifying which messages to journal

Setting up the Mail Journaling database


By default, mail journaling is not enabled. You enable journaling from
the Configuration Settings document. To set up the Mail Journaling
database, you specify where to store journaled messages and then set
options for managing the security and size of the database.
After you enable journaling, Domino automatically creates the Mail
Journaling database in the specified location.
To set up the Mail Journaling database
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers where you want to journal mail, and click Edit Configuration.

5. Click the Router/SMTP - Advanced - Journaling tab.
6. Complete the following fields, and then click Save & Close:

Journaling: Specifies whether the server supports mail journaling. Choose
one:
- Enabled: Domino supports mail journaling on the servers governed by this
  document. To journal mail, create a server mail rule with the action
  Journal this message.
- Disabled (default): Mail journaling is not supported on the servers
  governed by this document.

Field encryption exclusion list: Specifies the names of Notes message
fields that Domino does not encrypt when adding messages to the Mail
Journaling database. Encrypted fields cannot be displayed in a view. List
any fields you want to display in a view. By default, the following fields
are not encrypted: Form, From, Principal, and PostedDate.
When using a mail-in database for journaling, Domino does not
automatically encrypt messages added to the database. To encrypt messages
in a mail-in database, use the Mail-in database document to specify
encryption of incoming messages.

Method: Specifies the location of the Mail Journaling database. Choose one:
- Copy to local database (default): The Router copies each journaled
  message to a database on the local server. If it does not already exist,
  Domino creates a local Mail Journaling database on the server. If the
  Configuration Settings document applies to multiple servers, Domino
  creates a unique Mail Journaling database on each server.
- Send to mail-in database: The Router copies each journaled message and
  sends it to a specified mail-in database. The specified database must
  already exist and must have a Mail-in database document in the Domino
  Directory. The mail-in database used for journaling may be on any Domino
  server, including the local server. Specify the mail file where
  journaled messages are to be sent in the Mail Destination field. When
  using a mail-in database for journaling, be sure to encrypt messages
  when adding them to the database. To encrypt messages sent to a mail-in
  database, enable encryption on the Administration tab of the Mail-in
  database document.

Database name: If you specified Copy to local database as the journaling
method, specify the file name you want Domino to use when it creates the
Mail Journaling database. The default name is MAILJRN.NSF.

Mail destination: If you specified Send to mail-in database as the
journaling method, use this field to enter the name of the mail-in
database to which the Router forwards messages to be journaled. Click the
down-arrow to select the name of the mail-in database from the Domino
Directory.
You must create the mail-in database beforehand; Domino does not
automatically create mail-in databases for journaling.

Encrypt on behalf of user: If you specified Copy to local database as the
journaling method, enter the fully qualified Notes Name of the user whose
certified public key Domino uses to encrypt messages added to the
database. To ensure privacy, consider creating a special user ID for
reviewing journaled messages, and protect the ID with multiple passwords.
To encrypt messages sent to a mail-in database, enable encryption on the
Administration tab of the Mail-in database document.

Database Management - Method: For local Mail Journaling databases, the
entry in this field specifies how Domino controls the size of the Mail
Journaling database. When the database management method in effect calls
for Domino to create a new Mail Journaling database, on the day that it
creates the new database, it does so at approximately 12:00 AM. Choose
one of the following methods:
- Periodic Rollover (default): When the current Mail Journaling database
  reaches the age specified in the Periodicity field, Domino renames the
  existing Mail Journaling database and creates a new Mail Journaling
  database with the original name.
- None: Domino does not automatically control the size of the Mail
  Journaling database. If you do not use one of the available methods for
  controlling database size automatically, be sure to monitor the
  database size and use appropriate tools to archive the journal data.
- Purge/Compact: Domino deletes documents from the database after the
  number of days specified in the Data Retention field and then compacts
  the database.
- Size Rollover: When the current database reaches the size specified in
  the Maximum size field, Domino renames the database and creates a new
  Mail Journaling database with the original name.

Periodicity: If you specified Periodic Rollover in the preceding field,
Domino displays this field for specifying the length, in days, of the
rollover interval. The default value is 1 day.

Data Retention: If you specified Purge/Compact in the Database
Management - Method field, Domino displays this field for specifying the
time, in days, that a message remains in the Mail Journaling database
before being deleted.

Maximum size: If you specified Size Rollover in the Database
Management - Method field, Domino displays this field for specifying a
size limit, in megabytes (MB), for the Mail Journaling database. After
the database reaches the specified size, Domino renames it and creates a
new one.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
For information on Mail-in database documents, see the chapter Rolling
Out Databases.
For more information on the different journaling and database
management methods, and on securing the Mail Journaling database, see
the topic Managing the Mail Journaling database later in this chapter.

Managing the Mail Journaling database


When setting up the Mail Journaling database, you must specify:

The journaling method

Security settings

How to manage database size

Specifying the journaling method


There are two methods available for journaling messages, copying
messages to a local database (local journaling) and forwarding messages
to a mail-in database (remote journaling). In local journaling the Router
moves messages from MAIL.BOX to a Mail Journaling database on the
same server. If you enable local journaling on more than one server, each
server maintains its own unique Mail Journaling database. Since local
journaling doesn't require messages to be transferred between servers to
reach the Mail Journaling database, this is the preferred method for
minimizing network traffic.

Remote journaling lets you journal messages from multiple servers to a
single location, sending them to the mail-in database specified in the
Mail Destination field. Domino does not automatically create mail-in
databases for journaling; you must manually create both the destination
database and the necessary Mail-in database document.
Using a mail-in database to journal messages greatly increases mail
traffic, since messages must travel over the network to be deposited in
the Mail Journaling database.
For information about using Mail-in databases, see the chapter Rolling
Out Databases.
Managing security of the Mail Journaling database
The Mail Journaling database contains private information about many
people. Domino employs two methods to restrict access to the Mail
Journaling database. First, it conceals the database from users. By default,
Domino makes the Mail Journaling database invisible to users; that is,
the database does not appear in the Open database dialog box when a
user opens a new database. To display the database, check Show in
Open Database dialog on the Design tab of the Database properties
dialog box.
Second, when local journaling is enabled, Domino encrypts the
information in the Mail Journaling database, using the Certified public
key of a specified Notes user. To specify the ID to use when encrypting
messages, enter a user name in the field Encrypt on behalf of user. By
default, Domino exempts certain summary information fields from
encryption so that the information they contain can be used in database
views. You can specify other fields to exempt in the field, Field
encryption exclusion list.
Setting up a Mail Journaling user
To maximize security, create and register a special user ID for the Mail
Journaling database and assign multiple passwords to the ID. Distribute
passwords in such a way that no one person knows them all, so that the
consent of multiple parties is required to view the contents of the
database.
For information on assigning multiple passwords to an ID, see the
chapter Protecting and Managing Notes IDs.

Providing access to the Mail Journaling database for users who are not
server administrators
Domino encrypts journaled messages with the user ID specified on the
Router/SMTP - Advanced - Journaling tab of the Configuration Settings
document. The ID you specify can be the ID of an existing server
administrator or another user ID. By default the ACL of the Mail
Journaling database includes only users listed in the Administrators field
of the Server document's Security tab. If the ID for encrypting messages
does not belong to a server administrator, you must add this user to the
database ACL before the user can access the database.
The user's name is preserved in the ACL during daily rollovers and size
rollovers, but if you remove the Mail Journaling database, the next time
the server starts, it automatically creates a new database using the
original ACL. You must add the ID used for encryption to the database
ACL again.
Enabling encryption for remotely journaled messages
By default, mail-in databases do not encrypt incoming mail. To ensure
privacy when sending journaled messages to a mail-in database, enable
the mail-in database to encrypt incoming mail. When enabling
encryption for a mail-in database, you select a user whose Notes certified
public key Domino uses to encrypt messages stored in the database.
For more information on setting up a mail-in database, see the chapter
Rolling Out Databases.
No encryption of previously encrypted messages
A message that Notes has previously encrypted for its recipients is not
re-encrypted with the certified public key of the specified Journal user.
As a result, when depositing encrypted messages in the Mail Journaling
database, Domino preserves the original encryption, so that the message
content cannot be decrypted with the ID of the designated Mail
Journaling user, unless, of course, that user was included in the original
recipient list. A Mail Journaling user who was not on the recipient list
can view header information only.

Managing the size of the Mail Journaling database

Depending on how you set up journaling rules, the size of the Mail
Journaling database may increase rapidly. Domino provides several
methods for automatically controlling the database size:

Periodic Rollover (default): Domino creates a new Mail Journaling
database at an interval specified in days. The default interval is one
day. The new database takes its name from the name of the current
database (for example, MAILJRN.NSF) and is created at approximately
12:00 AM of the specified day. Domino renames the current database using
the format:
MJ<date>.NSF
where <date> is an 8-digit number representing the current date in a
format specified by the operating system's international date settings.
For example, if the server defines dates in MMDDYYYY format, the current
database is renamed to MJ09032002.NSF.

Purge/Compact: Domino deletes documents from the database after a
specified number of days and then compacts the database to eliminate
deletion stubs and white space.

Size Rollover: Domino creates a new Mail Journaling database when the
current database reaches a specified size, renaming the old database
using the format:
MJXXXXXX.NSF
where XXXXXX represents a number series starting at 000001 and increasing
by 1 with each successive rollover, for example, MJ000001.NSF, followed by
MJ000002.NSF, and so forth. If a database with the next name in the
sequence already exists on the server, Domino uses the next number in the
sequence. The new Mail Journaling database uses the original database
name (for example, MAILJRN.NSF). Because Domino may be unable to
determine the exact size of any message attachments before adding a
message to the Mail Journaling database, the database may exceed the
maximum size after the addition of a new message. If this happens, the
next message added to the database triggers creation of the new database.

These methods for controlling database size are not available if you use a
mail-in database for journaling messages. If you select this method of
journaling, be sure to monitor the database size and use appropriate tools
to archive data to another location.
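The following is an added example, not code from Domino or from this manual. It implements the two rollover naming rules described above (MJ<date>.NSF for periodic rollover, MJ000001.NSF and upwards for size rollover, skipping names already on the server) and simulates the size rollover timing: the database is allowed to pass the limit, and the next message added triggers the rollover. A set of file names stands in for the server's data directory, the rename is simulated, and the operating-system date setting is expressed as a strftime pattern, which is this example's assumption.

```python
"""Added example, not Domino's code: the two rollover naming rules from the
table above, plus a small simulation of the Size Rollover method. A set of
file names stands in for the server's data directory and the rename is
simulated; the operating-system date setting is expressed as an strftime
pattern (assumption)."""
from datetime import date


def periodic_rollover_name(today, date_format="%m%d%Y"):
    """Periodic rollover renames the current database to MJ<date>.NSF; the
    8-digit date follows the OS setting, MMDDYYYY in the page's example."""
    return f"MJ{today.strftime(date_format)}.NSF"


def size_rollover_name(existing_files):
    """Size rollover uses MJ000001.NSF, MJ000002.NSF, ..., skipping any name
    that is already present on the server (compared case-insensitively,
    since the file system may be case-insensitive)."""
    taken = {name.upper() for name in existing_files}
    n = 1
    while f"MJ{n:06d}.NSF" in taken:
        n += 1
    return f"MJ{n:06d}.NSF"


class SizeRolloverJournal:
    """Simulated local Mail Journaling database under Size Rollover.
    Sizes are in bytes; max_mb is the 'Maximum size' field."""

    def __init__(self, name="MAILJRN.NSF", max_mb=1, existing_files=()):
        self.name = name
        self.limit = max_mb * 1024 * 1024
        self.size = 0
        self.files = set(existing_files) | {name}
        self.archives = []  # names the full databases were renamed to, in order

    def add(self, message_bytes):
        """Store one journaled message. The limit is checked before storing,
        so a database that crossed the limit on the previous message is
        rolled over by this one (the behaviour the table describes).
        Returns the archive name when a rollover happened, else None."""
        archive = None
        if self.size >= self.limit:
            archive = size_rollover_name(self.files)
            self.files.add(archive)  # current database renamed to the archive
            self.archives.append(archive)
            self.size = 0  # a fresh database with the original name
        self.size += message_bytes
        return archive


if __name__ == "__main__":
    print(periodic_rollover_name(date(2002, 9, 3)))  # MJ09032002.NSF
    journal = SizeRolloverJournal(max_mb=1, existing_files={"MJ000001.NSF"})
    for size in (600 * 1024, 600 * 1024, 1024):
        print(journal.size, journal.add(size))
```

The practical consequence for capacity planning is that a Size Rollover journal can be one message larger than Maximum size, so the disk budget for the active database should allow for the largest message (including attachments) the Router may accept.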


Specifying messages to journal


After you enable journaling, set mail rules on the Configuration Settings
document to specify which messages to journal.
For information about setting mail rules, see the topic Setting server
mail rules earlier in this chapter.
If you specify All documents and a message is returned as undeliverable,
Domino journals the delivery failure report as well as the original
message.
When Domino journals a message, it sets a journal flag on the message
before transferring it to the next server on the route. This ensures that
servers later in the routing path do not journal the message again. When
the Router on the destination mail server delivers the message to the
user's mail file, it removes the journal flag so that the user remains
unaware that the message was journaled.
On servers running the ISpy task, this task sends mail probes in the form
of trace messages to test mail connectivity approximately every five
minutes. Under normal use, the ISpy task automatically deletes these
probes from the ISpy mail-in database and the only trace of them are
entries in the Routing events view of the server log file and on the server
console. However, if you enable a journaling rule on these servers and
specify the condition All documents, the Mail Journaling database will
capture each trace message that the ISpy task sends. To prevent the Mail
Journaling database from filling up with these entries, configure a rule
exception for messages where the sender includes ISpy.
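The following is an added example, not code from Domino or from this manual. It simulates the journaling behaviour described in this topic: a journaling rule is evaluated on each server a message passes through, a matching message is copied to that server's journal once and flagged so later servers do not journal it again, the flag is cleared at delivery, and an "All documents" rule carries a sender exception for the ISpy probes. The message, rule and server shapes are this example's own simplifications and the addresses are constructed.

```python
"""Added example, not Domino's code: a simulation of the journaling
behaviour described above. A journaling rule is evaluated on each server
the message passes through; a matching message is copied to that server's
journal once and flagged so that later servers on the route do not journal
it again, and the flag is cleared at final delivery. The message, rule and
server shapes are this example's own simplifications."""
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    form: str = "Memo"
    journaled: bool = False  # the journal flag set by the first journaling server


@dataclass
class JournalRule:
    """Conditions and exceptions are (field name, substring) pairs matched
    case-insensitively. An empty condition list means 'All documents'."""
    conditions: list = field(default_factory=list)
    exceptions: list = field(default_factory=list)

    def matches(self, msg):
        def hit(field_name, needle):
            return needle.lower() in getattr(msg, field_name).lower()
        if any(hit(f, n) for f, n in self.exceptions):
            return False
        return not self.conditions or any(hit(f, n) for f, n in self.conditions)


def copy_for_journal(msg):
    """The journal copy never carries the flag; it is a stored record."""
    return Message(msg.sender, msg.recipient, msg.subject, msg.form)


class Server:
    def __init__(self, name, rule=None, mail_files=()):
        self.name = name
        self.rule = rule  # None means journaling is disabled on this server
        self.journal = []  # stand-in for this server's MAILJRN.NSF
        self.mail_files = set(mail_files)  # users whose mail files live here

    def process(self, msg):
        """One Router pass: journal if the rule matches and no upstream server
        already did, then deliver locally (clearing the flag) or hand off."""
        if self.rule is not None and not msg.journaled and self.rule.matches(msg):
            self.journal.append(copy_for_journal(msg))
            msg.journaled = True
        if msg.recipient in self.mail_files:
            msg.journaled = False  # the recipient never sees the flag
            return "delivered"
        return "transferred"


def route(msg, path):
    """Push one message along a list of servers; returns the final status."""
    status = "transferred"
    for server in path:
        status = server.process(msg)
        if status == "delivered":
            break
    return status


def run_scenario():
    """Two journaling servers on one route with an 'All documents' rule that
    excepts the ISpy probes, as the text recommends. Addresses are constructed."""
    rule = JournalRule(exceptions=[("sender", "ISpy")])
    server_a = Server("ServerA", rule)
    server_b = Server("ServerB", rule, mail_files={"bob@example.com"})
    msgs = [
        Message("alice@example.com", "bob@example.com", "Q3 figures"),
        Message("ISpy/ServerA", "bob@example.com", "mail probe", form="Trace Report"),
        Message("carol@example.com", "bob@example.com", "lunch?"),
    ]
    for m in msgs:
        route(m, [server_a, server_b])
    return server_a, server_b, msgs
```

Running the scenario leaves two entries in ServerA's journal and none in ServerB's, even though both servers run the same rule: the flag set on ServerA is what stops the duplicate on ServerB, and the probe is kept out by the exception rather than by any special handling of trace messages.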

Retrieving messages from the Mail Journaling database


Administrators can examine the contents of the Mail Journaling database
by logging in as the user for whom Domino encrypts journaled messages.
A user who is listed in the database ACL, but who is not the specified
journal user (and thus does not own the correct private decryption key),
may be able to access the Mail Journaling database but will receive the
following error when attempting to open messages in the database:
You cannot access portions of this document because it is
encrypted and was not intended for you.

By default, the Mail Journaling database does not appear in the Open
database dialog box. You can open the database by specifying its file
name (for example, MAILJRN.NSF) in the Filename field in the Open
Database dialog box. To list the database in the Open Database dialog
box, check Show in Open Database dialog on the Design tab of the
Database properties dialog box.


To facilitate searches and provide quick information about journaled
messages, the Mail Journaling database provides a full-text index and
several views. You can create views or customize existing ones to better
determine the characteristics of your mail traffic.
Note Notes database views do not display encrypted fields. By default,
Domino encrypts the Subject field of messages added to the Mail
Journaling database, so when you open a view of the database, the Subject
column may be blank. To display message subjects, add Subject to the
Field encryption exclusion list.
For information on how to specify the fields to encrypt when journaling
mail, see the topic Setting up the Mail Journaling database earlier in
this chapter.
The database provides the following views:

By Hierarchy: Displays messages by the Internet domain hierarchy (for
messages received over SMTP) or Notes organizational certifier hierarchy
(for messages received over Notes routing) of the sender. The Count
column displays separate message totals for all messages, for messages
received from each node in the hierarchy, and for messages received from
each sender. Expand entries for each node to view messages in descending
order by date and time (most recent message first). In addition to the
date, individual message entries display the size in bytes and the
message subject, if that field is specified in the Field Encryption
Exclusion list.

By Sender: Displays messages by the name of the sender. Senders may be
listed more than once: by their Internet address for messages received by
the server over SMTP routing and by their Notes address for messages
received over Notes routing. The Count column displays the total number
of messages routed and the number of messages from each sender. Expand
sender entries to view messages in descending order by date and time
(most recent message first). In addition to the date, individual message
entries display the size in bytes and the message subject, if that field
is specified in the Field Encryption Exclusion list.

By Size: Displays messages in descending order by size in bytes. Click
the column head to reverse the order. Individual message entries display
the message date, sender (From), and subject, if that field is specified
in the Field Encryption Exclusion list.

By Date: (Default) Displays messages in ascending order by date, with the
most recent date last. The Count column displays the number of messages
routed on each date. Expand date entries to view messages sorted in
descending order by time, with the most recent message listed first.
Individual message entries display the message time, sender (From), and
subject, if that field is specified in the Field Encryption Exclusion
list.

By Form: Displays messages in ascending alphabetical order by the name of
the Notes message form used; for example, Delivery report, Memo, Reply,
Trace Report, and so forth. Uncategorized forms are listed last. The
Count column displays the number of messages routed for each form type.
Expand form entries to view messages sorted in ascending order by date
and time. Individual message entries display the message date, sender
(From), and subject, if that field is specified in the Field Encryption
Exclusion list.

By Attachments: Displays messages in ascending order by attachment size
in bytes. Column totals provide the average size in bytes of journaled
attachments and the total size of all journaled attachments. Individual
message entries display the attachment name, sender (From), date, and
subject, if that field is specified in the Field Encryption Exclusion
list.

Viewing messages that use forms not included in the Mail Journaling
database
The Mail Journaling database does not include all of the form types that
can be used to send messages. If a message copied to the database was
sent using a form that is not part of the Mail Journaling database design,
the database substitutes the memo form to display the message. To view
the document using the original form type, copy the form design element
into the design of this database.
For information about copying forms into the database design, see Lotus
Domino Designer 6 Help.

Setting inbound and outbound MIME and character set options


You can control how servers convert MIME items and international
character sets for inbound and outbound messages by specifying options
on the Configuration Settings document.
You can specify settings for the following:

Return receipt processing

Primary and secondary character set groups

Message conversion options

Font and message options for international languages

Advanced inbound MIME options

Advanced outbound MIME options

Mapping MIME types to file extensions



Enabling Domino to process return receipts for SMTP messages


When a Notes mail user sends a message to another Notes user and
selects the Return Receipt delivery option, the mail client adds the Notes
ReturnReceipt item to the message. The ReturnReceipt item on a Notes
mail message prompts the recipient's Notes client to generate a
notification (the receipt) to the sender when the recipient opens the
message.
By default, Notes return receipts are not compatible with SMTP
messages, which use MIME headers to identify return receipt requests.
For return receipts to work seamlessly when a Notes message is
converted to MIME and vice versa, you must set up Domino to translate
between the two formats.
Enabling return receipts lets Domino honor return-receipt requests on
inbound SMTP mail and add return-receipt requests to outbound SMTP
mail. On inbound messages, Domino converts MIME return-receipt
headers to Notes ReadReceipt requests before delivering the message.
On outbound Internet mail, Domino maps a Notes return receipt request
to the MIME header specified in the Return Receipt Mapping field.
There are two MIME headers that can be used to request a read receipt.
You can specify which header Domino uses for outbound mail when
converting a Notes return-receipt request into a MIME return-receipt
request. The Return-Receipt-To header is the older method; the
Disposition-Notification-To header is the newer, preferred method.
Choose the method supported by the majority of the systems to which
your organization sends mail. For return receipts to work, the receiving
server and client must both support the header used. Newer mail clients
may not support the older header.
When you disable return receipts, Domino ignores the Return-Receipt-To
or Disposition-Notification-To headers on inbound SMTP mail and does
not return the return receipt to the sender. It also does not convert Notes
client requests for return receipts into a corresponding MIME header field.
Note Disabling return-receipt support affects SMTP messages only.
Internal messages sent over Notes routing continue to process return
receipts.
Enabling return receipts in your system does not guarantee that your
users will receive return receipts every time they are requested. The
Internet mail specifications do not require servers or clients to honor
return-receipt requests. If the recipient's server does not honor the
request, it is ignored. Generally, large organizations with LAN-based
mail systems that provide their own internal return-receipt features
implement return receipts over SMTP, while commercial Internet mail
systems, such as Web-based mail systems, tend not to.

Requesting Return Receipts from an IMAP or POP client

Disabling return receipts on a server does not affect non-Notes clients. If
users request return receipts for messages sent from an IMAP or POP
client, such as Microsoft Outlook or Netscape Messenger, the client
generates the proper MIME header (that is, either a Return-Receipt-To or
Disposition-Notification-To field in the header). Domino does not strip
the messages of the return receipt request. Domino leaves existing MIME
headers intact on outbound messages and sends a MIME message that
asks the receiving server to send a receipt when it delivers the message.
Note Domino does not map the Return Receipt request to one of the
MIME headers if the address specified in the
Disposition-Notification-To or Return-Receipt-To header does not
match the sender's address. Domino sends return receipts only to the
sender.
To enable return receipts
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the MIME - Conversion Options - General tab.
6. Complete these fields, and then click Save & Close:

Return Receipts: Choose one:
- Enabled to allow the sender of a message to receive a return receipt.
- Disabled to prevent the sender of a message from receiving a return
  receipt.

Return Receipt Mapping: Choose one:
- Use Disposition-Notification-To (default): When converting an outbound
  Notes message that includes a return receipt request into MIME format,
  the server converts the Notes ReturnReceipt item into the MIME header
  item Disposition-Notification-To.
- Use Return-Receipt-To: When converting an outbound Notes message that
  includes a return receipt request into MIME format, the server converts
  the Notes ReturnReceipt item into the MIME header item
  Return-Receipt-To.
This field appears only if you enable Return Receipts.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
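The following is an added example, not code from Domino or from this manual. It carries out the translation described in this topic in both directions: an outbound Notes ReturnReceipt item becomes whichever MIME header the Return Receipt Mapping field selects, always addressed to the sender, and an inbound Disposition-Notification-To or Return-Receipt-To header becomes a Notes ReadReceipt request only when it names the sender, so that a receipt can never be steered to a third party. The Notes message is modelled as a plain dict, the item names follow the text, and all addresses are constructed.

```python
"""Added example, not Domino's code: the Notes/MIME return-receipt
translation described above, in both directions, including the rule that a
receipt request is honored only when it names the sender. The Notes message
is modelled as a plain dict whose item names (ReturnReceipt, ReadReceipt)
follow the text."""
from email.message import EmailMessage
from email.utils import parseaddr

MIME_RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To")


def notes_to_mime(notes_msg, receipts_enabled=True,
                  mapping="Disposition-Notification-To"):
    """Outbound: with return receipts enabled, a Notes ReturnReceipt item
    becomes the configured MIME header, always addressed to the sender."""
    if mapping not in MIME_RECEIPT_HEADERS:
        raise ValueError(f"unknown return receipt mapping: {mapping}")
    mime = EmailMessage()
    mime["From"] = notes_msg["From"]
    mime["To"] = notes_msg["SendTo"]
    mime["Subject"] = notes_msg.get("Subject", "")
    mime.set_content(notes_msg.get("Body", ""))
    if receipts_enabled and notes_msg.get("ReturnReceipt") == "1":
        mime[mapping] = notes_msg["From"]
    return mime


def mime_to_notes(mime_msg, receipts_enabled=True):
    """Inbound: either MIME header becomes a Notes ReadReceipt request, but
    only if its address matches the sender; a request naming anyone else is
    dropped, since receipts go to the sender only. With receipts disabled,
    both headers are ignored."""
    notes = {"From": mime_msg["From"], "SendTo": mime_msg["To"],
             "Subject": mime_msg["Subject"] or ""}
    if receipts_enabled:
        sender = parseaddr(mime_msg["From"] or "")[1].lower()
        for header in MIME_RECEIPT_HEADERS:
            value = mime_msg[header]
            if value and sender and parseaddr(value)[1].lower() == sender:
                notes["ReadReceipt"] = "1"
                break
    return notes


def constructed_inbound(sender, recipient, receipt_to):
    """A constructed inbound MIME message, as a POP or IMAP client might
    generate it, with the receipt header already present."""
    mime = EmailMessage()
    mime["From"] = sender
    mime["To"] = recipient
    mime["Subject"] = "constructed sample"
    mime["Disposition-Notification-To"] = receipt_to
    mime.set_content("body")
    return mime


if __name__ == "__main__":
    notes = {"From": "alice@example.com", "SendTo": "bob@example.net",
             "Subject": "status", "ReturnReceipt": "1"}
    print(notes_to_mime(notes).as_string())
    print(mime_to_notes(constructed_inbound("alice@example.com", "bob@example.net",
                                            "alice@example.com")))
    print(mime_to_notes(constructed_inbound("alice@example.com", "bob@example.net",
                                            "someone-else@example.org")))
```

The sender-match check is the security-relevant part: without it, an inbound message could make every reader's client notify an arbitrary address, which is why the Note above says Domino sends receipts only to the sender.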

Setting the primary and secondary character set groups


In the text parts of a MIME message, character set tags, such as US-ASCII
or EUC-KR (Korean), specify how Domino interprets the text data and
renders it into recognizable characters. The value that represents a
character in one character set can represent a different character in
another character set.
When converting a MIME message into Notes rich-text, Domino uses the
information in the character set tags to determine the appropriate
characters for representing the message text. Similarly, when Domino
converts a Notes rich-text message into MIME, it must determine which
MIME character set tag to apply.
On the MIME - Basics tab of the Configuration Settings document, you
can define a primary character set group and one or more secondary
character set groups. These primary and secondary choices control,
among other things, how Domino detects character sets to correctly
identify ambiguous text data in a message when converting inbound
MIME messages to Notes rich-text and outbound Notes rich-text
message to MIME.
Note If your organization sends and receives messages that use
US-ASCII characters only, there's no need to change the default settings.
Domino can interpret text represented in 16 different character set
groups (also known as language groups) including the Unicode standard
for encoding character systems (www.unicode.org). A language group
can correspond to a single language (for example, Japanese) or to a
region where multiple languages use more or less the same characters
(for example, Central Europe). A language group can also support
multiple character sets.
For a list of character set groups and the language codes associated with
them, see the topic Language codes supported in Notes and Domino
later in this chapter.

In such cases, Domino examines incoming messages to determine the
byte range used and identify unique control codes. It then attempts to
match patterns in the incoming message to a probable character set. This
process is effective in distinguishing among certain character sets only.
For example, it can correctly distinguish messages in the CJKT languages
(Simplified Chinese, Japanese, Korean, and Traditional Chinese) from
each other and from an English message, but it cannot distinguish
between messages in English or any other Western languages, which
tend to use the identical bytes and byte ranges.
To ensure accurate character set detection for the CJKT languages,
configure a priority order among the languages by specifying a primary
and secondary character. For example, if Domino cannot distinguish
whether a MIME message uses EUC-KR (a Korean character set) or
GB2312 (a Simplified Chinese character set), it uses the priority order
assigned to the primary and secondary character set groups to determine
which character set to use in converting the message to Notes rich-text.
Domino chooses the primary character set first, then the secondary
character set (in an undefined order the order of multiple secondary
choices doesnt matter), then the operating system group (for operating
systems such as Windows NT where the locale can be queried).
When converting outbound messages to MIME format, Domino chooses
a MIME character set based on the text of the message. Outbound
messages are examined by the Router and the appropriate character set is
selected for the message. For example, messages in Japanese are
converted using the ISO-2022-JP character set; messages in Simplified
Chinese, using the GB character set; messages in Traditional Chinese,
using the Big5 character set; and messages in French, using the
ISO-8859-1 character set. When Domino cannot automatically detect
which character set to use, as with some European languages, it refers to
the primary, secondary, and operating system groups, in that order, to
determine which character set to use. For example, if all of the characters
Customizing the Domino Mail System 28-119

Mail

If the MIME messages your organization receives always contained the


correct character set information, there would be no need to change the
default settings. However, some mail systems do not provide character
set information when sending mail. For example, older mail systems may
not support MIME at all, and some Web-based systems enable users to
create messages in a given language but dont correctly generate MIME
character set information when sending the message. Thus a user
sending mail from a Web-based mail system might be able to compose
and send messages written in Chinese, but in the sent message, the
character set tag US-ASCII is incorrectly applied to the message text. If
your SMTP server is configured to use the default character set group, it
would be unable to correctly convert this message.

in a message could be French or Turkish, Domino uses the information


about the primary and secondary character set groups to determine
which character set to use.
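The detection and priority logic described above, as an added example written for this page; it is not Domino code, and the group-to-codec table, the group names and the sample strings are assumptions of the example. It treats a US-ASCII tag on 8-bit data as no tag at all, looks for the ISO-2022 escape sequences that identify a character set outright, and otherwise walks the primary, secondary and operating-system groups in order, which is what decides the EUC-KR versus GB2312 and the Western versus Turkish cases:

```python
"""Character set detection with a configurable priority order.

Added example written for this page, not Domino code. The group-to-codec
table, the group names and the sample strings are assumptions.
"""
import codecs

# Assumed: codecs tried for each character set group, in order. The
# ISO-2022 variants are recognised by their escape sequences instead.
GROUP_CODECS = {
    "Korean": ["euc_kr"],
    "Simplified Chinese": ["gb2312", "gb18030"],
    "Japanese": ["euc_jp", "shift_jis"],
    "Traditional Chinese": ["big5"],
    "Western": ["iso8859_1"],
    "Turkish": ["iso8859_9"],
    "Cyrillic": ["koi8_r"],
}


def control_code_signature(data):
    """Return a codec name when the bytes carry an ISO-2022 escape sequence
    that identifies the character set on its own, otherwise None."""
    if b"\x1b$B" in data or b"\x1b$@" in data:
        return "iso2022_jp"          # JIS X 0208 designation
    if b"\x1b$)C" in data:
        return "iso2022_kr"          # KS C 5601 designation
    return None


def label_is_trustworthy(declared, data):
    """A missing tag, or a US-ASCII tag on data that contains 8-bit bytes
    (the mislabelled Web-mail case in the text), gives no usable tag."""
    if declared is None:
        return False
    if declared.lower() == "us-ascii" and any(b >= 0x80 for b in data):
        return False
    return True


def detect_charset(data, declared, primary, secondary=(), os_group=None):
    """Choose a codec for `data`.

    A trustworthy tag is used as-is. Otherwise look for a control-code
    signature, then walk the primary group, the secondary groups and the
    operating-system group in that order and accept the first codec that
    decodes every byte without error.
    """
    if label_is_trustworthy(declared, data):
        return declared.lower()
    signature = control_code_signature(data)
    if signature:
        return signature
    order = [primary, *secondary]
    if os_group:
        order.append(os_group)
    for group in order:
        for codec in GROUP_CODECS.get(group, ()):
            try:
                codecs.decode(data, codec, "strict")
            except UnicodeDecodeError:
                continue
            return codec
    return None


def demo():
    """Constructed inputs that show where the priority order matters."""
    korean = "안녕하세요".encode("euc_kr")      # also valid as GB2312 hanzi bytes
    latin = "café".encode("latin-1")          # 0xE9 is é in ISO-8859-1 and -9
    japanese = "日本語".encode("iso2022_jp")   # carries ESC $ B, unambiguous
    return {
        "korean_primary": detect_charset(korean, "us-ascii", "Korean", ["Simplified Chinese"]),
        "chinese_primary": detect_charset(korean, "us-ascii", "Simplified Chinese", ["Korean"]),
        "trusted_tag": detect_charset(korean, "EUC-KR", "Simplified Chinese"),
        "western_primary": detect_charset(latin, None, "Western", ["Turkish"]),
        "turkish_primary": detect_charset(latin, None, "Turkish", ["Western"]),
        "signature": detect_charset(japanese, None, "Korean"),
    }


if __name__ == "__main__":
    for case, codec in demo().items():
        print(f"{case:16s} -> {codec}")
```

The two Korean cases decode to different (both "valid") character sets purely because of the configured priority, which is why a wrong primary group silently produces garbled Hanja-looking text rather than an error; a trusted tag short-circuits detection entirely, so the server should only trust tags from systems known to set them correctly.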
To set the primary and secondary character set groups
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Basics tab, and in the field International MIME Settings for
this document, select Enabled.
6. Click the MIME - Basics tab.
7. Complete the following fields and click Save & Close:
Field  Enter

Primary character set group
  The character set group for this domain's primary language. English is
  the default value. Choose the language or region appropriate for your
  organization, for example, Simplified Chinese.

Secondary character set groups
  The character set groups for other languages typically used in this
  domain. By default, no secondary character set group is configured.
  Choose the language or region(s) appropriate for your organization, for
  example, Western. You can specify multiple secondary character set
  groups.

8. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.

Language codes supported in Notes and Domino


The following table lists each character set group supported in Notes and
Domino Release 6 together with the character set language codes and
encoding types for that group. Where multiple language codes or
encoding types may be used for a given character set group, the default
code and encoding for the group are listed first. For each character set
group, the default character set language code and encoding are the
same for message bodies and headers unless otherwise indicated.

Character set group   Character set language code             Header and body encoding
Arabic                Windows-1256, ISO-8859-6                Base64, Quoted Printable, None
Baltic Rim            Windows-1257                            Quoted Printable, Base64, None
Central Europe        ISO-8859-2, Windows-1250                Quoted Printable, Base64, None
Cyrillic              KOI8-R, ISO-8859-5, Windows-1251        Base64, Quoted Printable, None
English               US-ASCII                                None, Base64, Quoted Printable
Greek                 Windows-1253, ISO-8859-7                Base64, Quoted Printable, None
Hebrew                Windows-1255, ISO-8859-8, ISO-8859-8-I  Base64, Quoted Printable, None
Japanese              ISO-2022-JP                             Header: Base64, Quoted Printable, None
                                                              Body: None, Base64, Quoted Printable
Korean                Header: EUC-KR, ISO-2022-KR             Header: Base64, Quoted Printable, None
                      Body: ISO-2022-KR, EUC-KR               Body: None, Base64, Quoted Printable
Simplified Chinese    GB2312, GB18030, HZ-GB2312              Base64, Quoted Printable, None
Thai                  TIS-620                                 Base64, Quoted Printable, None
Traditional Chinese   Big5, EUC-TW                            Base64, Quoted Printable, None
Turkish               Windows-1254, ISO-8859-9                Quoted Printable, Base64, None
Unicode               UTF-8, UTF-7                            Base64, Quoted Printable, None
Vietnamese            Windows-1258, TCVN3                     Quoted Printable, Base64, None
Western               ISO-8859-1, ISO-8859-15, Windows-1252   Quoted Printable, Base64, None

Specifying inbound and outbound MIME conversion options


If a server sends or receives messages in MIME format, you can set
options to control how Domino:
- Converts outbound Notes rich-text messages into MIME for sending
  over SMTP
- Converts inbound messages received in MIME format into Notes
  rich-text messages

Configuring how Domino converts outbound Notes rich-text messages to MIME format
Outbound conversion options apply to messages exported from the
server. This includes Notes rich-text messages sent outbound over SMTP
to another Domino server or other mail host and messages retrieved by
the IMAP or POP3 service for sending to a client.
Settings in this section do not apply to messages delivered to mail files on
the server or messages transferred over Notes routing. Nor do they apply
to messages sent in MIME format from the client either messages sent
by POP3 or IMAP clients or messages from a Notes client where the
Location document specifies the use of MIME format for messages sent
to Internet addresses.
Note If the Internet mail format specified in the client's current Location
document is set to Notes rich-text (Mail tab - Format for messages
addressed to Internet addresses), the client sends all messages in Notes
rich-text, even if the Internet mail format in the User Preferences dialog
box (File - Preferences - User Preferences - Mail - Internet - Internet Mail
Format) is set to send HTML.
Providing the richest content when converting messages on
internal servers
By default, when converting messages in Notes rich-text format to MIME
format, Domino generates MIME messages in plain text format only,
resulting in a loss of formatting. This default setting, which is required to
ensure that recipients can read messages that are received by SMTP
servers that do not correctly process multipart MIME messages, is not
necessary for internal servers. To enable conversion on internal servers to
generate the richest possible MIME from messages in Notes format,
change the default Message Content setting to Convert from Notes to
Plain Text and HTML.


To specify outbound MIME conversion options
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the MIME - Conversion Options - Outbound tab.
6. Complete the following fields and then click Save & Close:

Field  Description

Attachment encoding method
  When a Notes client sends a rich-text message with a file attachment
  that contains 8-bit data (for example, program, image, sound, video, and
  application files), Domino encodes the attachment data as ASCII text for
  SMTP transport. Choose the encoding method best suited to the file
  types sent and supported by the majority of likely message recipients.
  Choose one of the following:
  - Base64 (default): This is the preferred method for encoding non-text
    data attachments when sending messages to recipients who use
    MIME-compliant mail programs. Domino adds a MIME tag to describe
    what type of file was sent. Sending files with MIME encoding ensures
    that the recipient receives binary (non-text) data intact. Base64
    encoding converts binary data in attachments into a subset of the
    US-ASCII character set and is slightly more efficient than UUencode,
    resulting in a transmitted file approximately 37% larger than the
    original.
  - Quoted Printable: This method is best suited to sending text-based
    files to recipients who use MIME-compliant mail programs.
    Quoted-Printable (QP) encoding replaces each special character in the
    attachment with an equal sign (=) followed by two hexadecimal digits
    that represent the 8-bit character code. Printable ASCII characters
    are left unencoded. QP provides efficient encoding of text-based
    files, creating an encoded file that is only a fraction larger than
    the original. However, for non-text files, QP encoding can result in
    encoded files that are two to three times the size of the original.
  - UUencode: Use UNIX-to-UNIX encoding on servers that send message
    attachments primarily to recipients who use UNIX or older PC mail
    programs. UUencode increases the size of the encoded file by about
    42%.
  - BinHex: Use primarily when sending binary data to recipients who use
    Macintosh mail programs.
  This field does not control encoding for messages sent from the
  Macintosh version of the Notes client. To configure attachment encoding
  for messages sent from Macintosh clients, use the field Macintosh
  attachment conversion on the MIME - Advanced - Advanced Outbound
  Message Options tab.

Message Content
  Specifies how Domino structures the MIME content of messages when
  converting Notes rich-text messages before sending them over SMTP.
  Choose one:
  - Convert from Notes to plain text (default): Domino converts the text
    in a Notes rich-text document to plain text. If the message contains
    file attachments or images, Domino creates a multipart/mixed MIME
    message with the images and attachments following the text/plain
    part. Use this option in organizations that send most of their
    outbound SMTP mail to mail systems that are unable to handle MIME
    messages containing multiple text parts (for example, messages with a
    multipart/alternative structure that includes text/plain and
    text/html parts).
  - Convert from Notes to HTML: Domino converts the text in a Notes
    rich-text document to HTML. If the message contains file attachments,
    Domino creates a multipart/mixed MIME message and includes the
    attachments in that part. If the message contains images, Domino
    includes the images in the message body by creating a
    multipart/related part.
  - Convert from Notes to Plain Text and HTML: Select this option on
    internal servers so that Domino best preserves rich-text content when
    converting messages from Notes format to MIME. Domino converts the
    text in a Notes rich-text document to both plain text and HTML by
    creating a multipart/alternative body part that contains both the
    text/plain and text/html parts. If the message contains file
    attachments, Domino creates a multipart/mixed MIME message and
    includes the attachments in that part. If the message contains
    images, Domino creates a multipart/related part and includes the
    images in that part along with the text parts.
  - Create multi-part alternative including conversion and encapsulation:
    Domino converts Notes rich-text messages and creates an additional
    file attachment that contains a Notes database with the original
    message in it. This option results in a message nearly twice the size
    of the original. Use this option only in organizations that send most
    of their outbound SMTP mail to recipients using Notes 4.x clients.

Convert tabs to spaces
  Choose one:
  - Yes: Enables the Router to change tabs to spaces when converting
    outbound messages to MIME format. Use this option only in
    organizations that send most of their outbound SMTP mail to
    recipients using mail clients that do not recognize tabs.
  - No (default): The Router does not change tabs to spaces when
    converting outbound messages to MIME format.

Outbound line length
  (Default = 75) The maximum line length, from left to right, for the body
  of outbound messages; useful when a message contains long lines of text
  without spaces, for example, URLs.
  If there is a table or forwarded mail headers, the default line length
  is doubled, so no line break occurs until 150 characters.

Lookup Internet address for all Notes addresses when Internet address is not defined in document
  All addresses on messages sent to Internet recipients must be in
  Internet format (RFC 821/822 format). A Notes user may send a message
  to both Notes addresses and Internet addresses. To specify how Domino
  converts the addresses of Notes recipients on messages sent to the
  Internet, choose one:
  - Enabled: On outbound Internet messages, if the address of any
    recipient is in Notes format, Domino reads the user's Internet address
    from the Person document and adds it to the message before sending.
  - Disabled (default): Domino forms Internet addresses by converting
    spaces into underscores and encoding Domino domains with percent
    signs. For example: John_Smith%Notes@acme.com


7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
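The structures the Message Content options describe, and the cost of the attachment encodings, as an added example written for this page with the standard library; it is not Domino's converter. The option names, the sample text and the sample attachment bytes are assumptions, and because the standard library does not produce UUencode or BinHex, the size comparison covers Base64 and Quoted-Printable only:

```python
"""Outbound MIME structure per Message Content option, plus encoding cost.

Added example written for this page with the standard library; not
Domino's converter. Option names and sample data are assumptions.
"""
import base64
import quopri
from email.message import EmailMessage

# Constructed sample content and a few bytes standing in for files.
PLAIN = "Quarterly figures attached.\n"
HTML = "<p>Quarterly <b>figures</b> attached.</p>"
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + bytes(range(256))
BIN_BYTES = bytes(range(256)) * 8


def build_outbound(mode, plain=PLAIN, html=HTML, attachments=(), images=()):
    """Return an EmailMessage laid out the way the chosen option describes.

    mode: "plain", "html" or "plain_and_html".
    attachments: (filename, bytes, cte) with cte "base64" or "quoted-printable".
    images: (content-id, bytes); inline only when an HTML part exists, else
    they become ordinary parts after the text/plain part.
    """
    msg = EmailMessage()
    if mode == "plain":
        msg.set_content(plain)
        for cid, data in images:
            msg.add_attachment(data, maintype="image", subtype="png",
                               filename=f"{cid}.png")
    elif mode == "html":
        msg.set_content(html, subtype="html")
    elif mode == "plain_and_html":
        msg.set_content(plain)
        msg.add_alternative(html, subtype="html")   # -> multipart/alternative
    else:
        raise ValueError(f"unknown Message Content option: {mode}")

    if images and mode != "plain":
        # Inline images hang off the HTML part, which becomes multipart/related.
        html_part = msg if mode == "html" else msg.get_payload()[-1]
        for cid, data in images:
            html_part.add_related(data, maintype="image", subtype="png",
                                  cid=f"<{cid}>")

    for filename, data, cte in attachments:
        # The first attachment wraps whatever exists in multipart/mixed.
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename, cte=cte)
    return msg


def structure(part):
    """Content-type tree as nested lists, e.g. ["multipart/mixed", [...]]."""
    if part.is_multipart():
        return [part.get_content_type(), [structure(p) for p in part.iter_parts()]]
    return [part.get_content_type(), []]


def encoded_size_ratio(data, method):
    """Encoded size divided by raw size, line breaks included."""
    if method == "base64":
        return len(base64.encodebytes(data)) / len(data)
    if method == "quoted-printable":
        return len(quopri.encodestring(data)) / len(data)
    raise ValueError(method)


def richest():
    """The internal-server recommendation: text + HTML, inline image, attachment."""
    return build_outbound("plain_and_html",
                          attachments=[("report.bin", BIN_BYTES, "base64")],
                          images=[("chart1", PNG_BYTES)])


if __name__ == "__main__":
    print(structure(richest()))
    for method in ("base64", "quoted-printable"):
        print(method, round(encoded_size_ratio(BIN_BYTES, method), 2))
```

Printing the tree for each option is the quickest way to confirm what a downstream gateway that "cannot handle multiple text parts" will actually see; the ratio check makes the text's point concrete: Quoted-Printable stays near 1.0 for text but well above 2.0 for binary, while Base64 sits at roughly 1.35 regardless of content.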


Configuring how Domino converts inbound MIME messages to Notes rich-text
Inbound conversion options apply to messages received over SMTP in
MIME format, which must be converted to Notes rich-text format.
Conversion to Notes rich-text format is necessary when the storage
preference for the recipient's mail file is set to Notes rich-text format, or
when the route to the destination mail file includes Domino servers
earlier than Release 5.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the MIME - Conversion Options - Inbound tab.
6. Complete the following fields and then click Save & Close:
Field  Enter

Use character set auto-detection if message has no character set information
  Choose one of the following:
  - Yes: Domino examines the text of inbound messages to determine the
    character set if it is not specified in the message. Select this
    option if your site routinely receives non-MIME messages that are
    encoded in character sets other than ASCII. Provides the most
    accurate rendering of the original character information, but slows
    performance.
  - No (default): Character set auto-detection is disabled.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.

Setting font and message options for international languages


A single Domino SMTP server can handle inbound and outbound
messages in any language group or character set, including double-byte
character sets. For each character set group, for example, Simplified
Chinese, Domino provides default settings that control how servers
convert messages in that character set group from Notes rich-text format
to MIME and vice-versa. You can change the default settings to
customize conversions for specific languages.
Inbound settings specify font options that control how the text of a MIME
message using a given character set tag displays in Notes. Outbound
settings determine the character set tag and encoding to apply when
converting Notes rich-text messages to MIME.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Basics tab. If it is not already selected, select the field
International MIME Settings for this document.
6. Click the MIME - Settings by Character Set Groups tab.
7. Complete the following fields and then click Save & Close:

Field  Enter

For outbound message options below use all possible choices (Advanced users)
  When unchecked (default), Domino's Outbound Message Options are set to
  use the standard character set and encoding method for the language
  group specified in the field MIME settings by character set group. The
  options in the Character Set field are limited to the standard
  character sets for the language group.
  Check this box to enable use of nonstandard character set choices in
  the header and body of messages in any language group.

MIME settings by character set group
  Click the drop-down list to choose the language group to configure.
  You can accept the default settings or configure specific settings for
  one or more language groups.
  The language group displayed at the time you save and close the
  document is not the only one for which Domino saves settings. After
  you save the Configuration Settings document, Domino retains the
  settings for each language group that you modified.

These fields allow you to override default values for character sets,
fonts, and so on, for individual character set groups.
Note If no Server Configuration document exists, Domino uses the
default typeface and point size settings. The default typeface used
for HTML text is Default Sans Serif, and the point size is determined
by the sender of the message. The default typeface for Plain Text
(US-ASCII) is Default Monospace with point size of 10.
To set character set options for inbound messages
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
4. Click the MIME - Settings by Character Set Groups tab.
5. In the Inbound Message Options - Font Options section, complete the
following fields, and then click Save & Close:
Field  Enter

HTML Proportional
  The typeface to be used for proportional type in inbound SMTP messages.
  (default = Default Serif)

HTML Mono-spaced
  The typeface to be used for monospaced type in inbound SMTP messages.
  (default = Default Monospace)

HTML Size
  The point size to use for HTML text in inbound SMTP messages.
  (default = 12)

Plain text
  The typeface to be used for plain text in inbound SMTP messages.
  (default = Default Monospace)

Plain text size
  The point size to use for plain text in inbound SMTP messages.
  (default = 10)

Note The font list displays every font available to the client system.
However, when converting messages, Domino uses the Default
fonts (Default Serif, Default Sans Serif, Default Monospace, and
Default Multilingual) only. If you select a font other than one of the
four Default fonts, Domino converts the text in all incoming
messages to Default Monospace.
6. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
To set character set options for outbound messages
You can specify the character set and encoding type for the header and
body text of outbound messages. The settings you select do not affect
attachments. For each language (or region) there is a default character
set. For example, for Western Europe the default character set is
ISO-8859-1, but other Latin character sets can also be used. You can
indicate the specific character set and encoding to be used for outbound
SMTP message headers and body content. In general, use the same
character set for both the headers and the body of outbound messages.
However, because some character set groups, such as Korean, typically
use different character sets for the headers and body, by default, for
these languages, the character set specified for header text differs from
the character set for body text.
For a complete list of character set groups and the default character sets
used in the headers and body of messages in those groups, see the topic
Language codes supported in Notes and Domino earlier in this
chapter.
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
4. Click the Basics tab and select International MIME settings for this
document.
5. Click the MIME - Settings by Character Set Groups tab.
6. In the Outbound Message Options section, complete the following
fields, and then click Save & Close:
Field  Choose

Header - Character Set
  The character set Domino uses for message headers. The default entry
  depends on the character set language group currently selected in the
  field MIME settings by character set group. In most cases, the default
  entry is the best choice for representing header text for this
  language group.

Body - Character Set
  The character set Domino uses for the message body. The default entry
  depends on the character set language group currently selected in the
  field MIME settings by character set group. In most cases, the default
  entry is the best choice for representing body text for this language
  group.

Header - Encoding
  The encoding method for outbound headers. The default entry depends on
  the character set language group currently selected in the field MIME
  settings by character set group. In most cases, the default entry is
  the best choice for encoding header text for this language group.
  Choose one: Base64, Quoted Printable, None

Body - Encoding
  The encoding method for outbound body text. The default entry depends
  on the character set language group currently selected in the field
  MIME settings by character set group. In most cases, the default entry
  is the best choice for encoding body text for this language group.
  Choose one: Base64, Quoted Printable, None

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter, Setting Up Mail Routing.


Setting advanced inbound MIME options


Set advanced inbound MIME options to control how servers process
certain address headers and how servers decipher messages using
undefined or incorrectly defined character sets.
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
4. Click the MIME - Advanced - Advanced Inbound Message Options tab.
5. Complete the following fields, and then click Save & Close:
Field  Description

Resent headers take precedence over original headers
  Specifies whether Domino uses resent- headers on inbound messages.
  When forwarding a message, some mail programs add header lines that
  describe the forwarding sender. These headers begin with the resent-
  prefix, such as Resent-From:. The received message contains both the
  resent- headers and headers describing the original sender, for
  example:
    From: original-sender
    Resent-From: forwarding-sender
  When generating a reply to a forwarded message, some older mail
  programs address the reply to the address specified in the Resent-From
  header. However, most modern mail programs consider resent- headers
  to be for informational purposes only and do not normally use them to
  generate replies. Instead, when forwarding a message, a MIME-compliant
  mail program creates a new message and encapsulates the original
  message within this message as a MIME body part of content type
  message.
  Choose one:
  - Enabled: When receiving a forwarded message over SMTP, Domino
    places the value of the Resent-From header in the From header.
    Select this option only if a large number of users in your
    organization find that when replying to Internet messages that use
    resent- headers, their replies are incorrectly addressed to the
    original sender rather than the forwarding sender.
  - Disabled (default): Domino ignores resent- headers in inbound
    messages.

Remove group names from headers
  Specifies whether Domino preserves the names of Internet distribution
  lists in the message headers of inbound messages. RFC 822 specifies
  use of a group construct to allow Internet address headers to include
  distribution lists. Groups are designated using either of the
  following formats:
    Groupname:;
    groupname: person1@domain.com, person2@domain.com, person3@domain.com;
  This option does not control the use of Notes/Domino group names in
  recipient lists.
  Choose one:
  - Yes: Domino strips RFC 822 group names from address headers on
    incoming SMTP messages.
  - No (default): Domino preserves RFC 822 group names in the address
    headers of incoming SMTP messages.

If each recipient's address does not appear in any address header, then add their address to the BCC list
  Choose one:
  - Yes: Enables Domino to resolve differences between addresses in the
    SMTP RCPT TO commands and the RFC 822 message header. If an address
    is referenced in the SMTP RCPT TO command but not in the message
    header, Domino creates a new copy of the message and places the
    address in the BCC: field of the new message.
  - No (default): Domino ignores differences between the recipients
    listed in the RCPT TO command and the message header.

For non-MIME messages or MIME messages with an unknown character set, 8-bit character set is assumed to be
  Specifies the default character set that Domino uses to render
  messages with 8-bit characters if the message does not contain
  character set information and automatic character set detection is
  disabled (on the MIME - Conversion Options - Inbound tab).

Character set name aliases
  Enter a character set name tag that appears in inbound messages
  together with the name of the character set Domino should treat it as,
  so that the text can be converted correctly. An alias allows a
  character set name tag in an inbound message to be treated as though
  it were a different character set. For example, mapping ISO-8859-1 to
  KOI8-R would be useful in an environment where incoming messages are
  frequently labeled as ISO-8859-1 (Western) when the data is really
  KOI8-R (Cyrillic).

6. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter Setting Up Mail Routing.
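What these four options do to a received message, as an added example written for this page with the standard library; it is not Domino code. The message, the RCPT TO list and the alias table are constructed for the example: a forwarded message carrying a Resent-From header, a To header that uses the RFC 822 group construct, an empty Undisclosed:; group in Cc, an envelope recipient that appears in no header, and a KOI8-R body mislabelled as ISO-8859-1:

```python
"""Inbound header handling: resent- precedence, group stripping, envelope
recipients missing from the headers, and character set aliases.

Added example written for this page with the standard library, not Domino
code. The sample message, RCPT TO list and alias table are constructed.
"""
from email import message_from_bytes, policy

# Constructed sample: forwarded message, RFC 822 group in To, empty group
# in Cc, and a KOI8-R body wrongly tagged as ISO-8859-1.
BODY = "Привет".encode("koi8_r")
RAW = (
    b"From: original-sender@example.org\r\n"
    b"Resent-From: forwarder@example.net\r\n"
    b"To: staff: alice@acme.com, bob@acme.com;\r\n"
    b"Cc: Undisclosed:;\r\n"
    b"Subject: Fwd: status\r\n"
    b"Content-Type: text/plain; charset=iso-8859-1\r\n"
    b"Content-Transfer-Encoding: 8bit\r\n"
    b"\r\n" + BODY + b"\r\n"
)
# Envelope recipients from SMTP RCPT TO; carol is in no address header.
RCPT_TO = ["alice@acme.com", "bob@acme.com", "carol@acme.com"]
# Assumed alias table in the form the option describes: tag -> real charset.
ALIASES = {"iso-8859-1": "koi8-r"}


def parse(raw=RAW):
    """Parse with the modern policy so address headers expose groups."""
    return message_from_bytes(raw, policy=policy.default)


def effective_from(msg, resent_precedence):
    """Resent-From replaces From only when the option is enabled."""
    if resent_precedence and msg["Resent-From"] is not None:
        return msg["Resent-From"].addresses[0].addr_spec
    return msg["From"].addresses[0].addr_spec


def strip_group_names(msg, header):
    """Rewrite an address header with the group names removed, keeping the
    member addresses; an empty group such as Undisclosed:; vanishes."""
    value = msg[header]
    if value is None:
        return None
    return ", ".join(str(addr) for addr in value.addresses)


def header_addresses(msg):
    """Every addr-spec named in To or Cc, lower-cased for comparison."""
    found = set()
    for name in ("To", "Cc"):
        if msg[name] is not None:
            found.update(a.addr_spec.lower() for a in msg[name].addresses)
    return found


def envelope_only_recipients(msg, rcpt_to):
    """Recipients present in RCPT TO but absent from every address header:
    the ones the BCC option would add to a new copy of the message."""
    return sorted({r.lower() for r in rcpt_to} - header_addresses(msg))


def decode_body(msg, aliases):
    """Decode the body using the alias for the declared charset, if any.
    Returns (text, charset actually used)."""
    declared = (msg.get_content_charset() or "us-ascii").lower()
    charset = aliases.get(declared, declared)
    text = msg.get_payload(decode=True).decode(charset)
    return text.rstrip("\r\n"), charset


if __name__ == "__main__":
    m = parse()
    print("From (default):  ", effective_from(m, False))
    print("From (resent on):", effective_from(m, True))
    print("To stripped:     ", strip_group_names(m, "To"))
    print("Cc stripped:     ", repr(strip_group_names(m, "Cc")))
    print("BCC candidates:  ", envelope_only_recipients(m, RCPT_TO))
    print("Body via alias:  ", decode_body(m, ALIASES))
```

Two of these are worth running against your own traffic before enabling the option: with resent precedence on, anyone who can inject a Resent-From header controls where replies go, and the envelope-versus-header comparison is exactly the gap that undisclosed-recipient and relay abuse live in, so the list it produces is also a useful detection signal.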

Setting advanced outbound MIME options


Outbound MIME settings apply to messages sent over SMTP to another
host. They do not apply to messages delivered to local mail files on the
server or messages transferred over Notes routing.
Use the advanced outbound MIME options to specify how servers
determine the following message items:
- Encoding for attachments sent from Macintosh clients
- Use of phrases specifying the sender's user name in the sender's
  Reply address
- Sending of Notes mail items that do not have standard MIME
  equivalents
- Removal of Notes fields from message headers
- Character set to use when converting multilingual messages
- Character set alias to use in place of one that is typically mislabeled
  in outgoing messages

To set advanced outbound MIME options


1. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
4. Click the MIME - Advanced - Advanced Outbound Message Options
tab.


5. Complete the following fields, and then click Save & Close. The
change takes effect after the next Router configuration update; to put
the new setting into effect immediately, reload the routing
configuration.
Field

Enter

Macintosh attachment The format for Macintosh attachments. Choose


one:
conversion
AppleDouble [base64 only] (default)
Provides standard MIME encoding for sending
Macintosh files to recipients using newer
Macintosh and PC mail programs. AppleDouble
splits the data fork and the resource fork of the
file and encodes the resulting data in Base 64 for
transport. PC clients receiving the attachment
discard the resource fork and use the data fork
only.
The AppleDouble header is effectively the
resource fork and includes the original Mac file
name of the file. If the Apple-Double data part
has a recognizable MIME type, Domino uses it
to label the MIME part of the converted
message; for example, the data part of a
Microsoft Word attachment is described as
application/msword. If the MIME type cannot
be determined, Domino labels the MIME part as
application/octet-stream.
BinHex4.0 Sends Macintosh attachments with
the MIME type application/mac-binhex40. Use
this method for sending Macintosh files to other
Macintosh users who do not use
MIME-compliant mail programs. Because few
Windows mail programs can decode BinHex,
this method should not be used when sending
files to recipients who use Windows.
RFC822 phrase
handling

Specifies how the server handles phrases in an


address header. Choose one:
Do not add phrase (default) Outbound mail
displays the sending users RFC 821 address.
The Router permits user-defined phrases in
recipient addresses.
Use DN as phrase (Use domain name for the
phrase) The Router constructs an RFC
822-style address using a phrase part derived
from the persons hierarchical, distinguished
name; for example, John Jones/Sales/ACME
<JJones@acme.com>. The Router permits
user-defined phrases in recipient addresses.
continued

28-134 Administering the Domino System, Volume 1

Mail

Field

Enter

RFC822 phrase
handling (continued)

Use alt. name if available otherwise DN (Use


the alternative name or domain name) If an
Alternate name is specified in the users Person
document, constructs an RFC 822-style address
using it as the phrase part; otherwise uses the
hierarchical, distinguished name; for example,
John Jones/Sales/ACME
<JJones@acme.com>. The Router permits
user-defined phrases in recipient addresses.
Remove phrase Only RFC 821-style
addresses allowed. The Router strips
user-defined phrases in recipient addresses.
Use CN as phrase Constructs an RFC 822-style
address using a phrase part derived from the
persons common name; for example, John Jones
<JJones@acme.com>. The Router permits
user-defined phrases in recipient addresses.

Internet mail server


sends Notes private
items in messages

Notes private items are header items present in a


Notes rich-text message that do not map to any of
the standard header fields for SMTP messages, as
defined in RFC 2822. When adding private items to
the headers of an SMTP message, Domino adds the
prefix x-notes-item to the field name to indicate
that it is a nonstandard field.
Choose one:
Enabled When converting Notes rich-text
messages for SMTP transport or download by a
POP3 or IMAP client, Domino converts all
Notes private items in the message to custom
x-notes-item headers. The resulting
x-notes-item is a structured header with
parameters that reflect the attributes of the
original notes item, for example, data type,
value, summary flags, item name, and so on.
Because Notes private items are not generally
used in Internet mail, do not select this option
unless you have a specific reason for sending
private items.
Items specified in the field Notes items to be
removed from headers are excluded from the
headers of the converted message.
Disabled (default) When converting Notes
rich-text messages for SMTP transport, Domino
removes nonstandard Notes header items.
continued
Customizing the Domino Mail System 28-135

Field

Enter

Always send the


List the Notes header items to always include as
following Notes items RFC 2822 headers in outbound SMTP messages,
in headers
mapping each specified Notes item to a valid
nonstandard RFC 2822 header item. For example,
the Notes item, header-1 would be mapped to the
RFC 2822 header, x-header-1. The header body is
the first 255 bytes of the item value, converted to
text if necessary.
Domino sends the items specified in this field even
if sending of Notes private items is disabled. Use
this field to send specific items only, while
preventing export of all unspecified Notes private
items.
If an item listed in this field is also listed in the
field Notes items to be removed from headers,
the item is not included.
Notes items to be
List the Notes header items to exclude from
removed from headers x-headers in outbound SMTP messages.
When converting a
multilingual message
to MIME

Specifies the character set Domino uses when


converting a Notes rich-text message with text
content that cannot be represented by a single
character set group for example, a message in
which part of the content is in French (Western
character set group) and part in Arabic. Choose
one:
Send it in Unicode [UTF8] (default) Domino
converts all the text to an 8-bit encoding of the
Unicode character set. To read the resulting
message, recipients mail programs must
support Unicode.
Send it in most representable character set
Domino selects the character set that best
matches the majority of characters in the
message. If the message is sent as plain text, any
character that cannot be represented by the
selected character set is replaced by a fallback
character typically a question mark. If the
message is sent as HTML, a Unicode-enabled
mail program is required to decode the message
because such a mail program can replace
unrepresentable characters with their Unicode
numeric values.
continued

28-136 Administering the Domino System, Volume 1

Enter

Character set name


aliases

Specifies the name of a nonstandard character set


alias to be used when converting Notes rich-text
messages for outbound SMTP transfer. For
example, you can send messages sent in
ISO-8859-1 with the tag My-Character-Set. It is
not recommended that you provide aliases here
because outbound messages will be understood
only by similarly configured mail clients.

Note: These settings apply to messages sent outbound over SMTP to another host, or exported to the IMAP or POP3 service. They are not applied to messages delivered locally or messages transferred over Notes routing.

6. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.

For information on how to reload the routing configuration, see the chapter "Setting Up Mail Routing".

For more information about using the RFC 822 address format, see the topic "Configuring outbound Internet mail to use RFC 822 address format (phrase parts)" later in this chapter.

Examples: How Domino handles Macintosh attachments in inbound messages

For inbound messages, Domino supports AppleSingle, AppleDouble, and BinHex attachment encoding. Macintosh attachments of any encoding are stored as normal Notes Macintosh attachments; if the data fork would be meaningful to a PC user, then a Notes user at a PC workstation can launch the attachment normally.

In the following examples, unless noted otherwise, it is assumed that the application required to open the attachment is properly installed on the user's computer. Also, it is assumed that both sender and recipient are using MIME-compliant mail programs.

• A Macintosh Netscape user sends a JPEGview file containing a JPEG image (with no resource fork, which would be the normal case) to two Notes recipients: one uses a Macintosh, and one uses a PC.
  Both users receive the attachment intact. If the Macintosh user has JPEGview, the attachment displays with the JPEGview file icon and can be launched from within Notes. If the Macintosh user does not have JPEGview, the attachment displays with a generic file icon and cannot be launched from within Notes. For the PC user it also has a generic icon; it can be launched from within Notes only if its name ends in JPG and the user has an application association set up for the JPG extension. In all cases, the image can be viewed from within Notes by using the Attachment - View function.

• A Macintosh Claris Emailer user sends a Lotus 1-2-3 spreadsheet to two Notes recipients: one uses a Macintosh, and one uses a PC.
  Both recipients receive an intact Lotus 1-2-3 spreadsheet attachment. The Macintosh recipient can launch it from within Notes or can detach it and double-click to launch, regardless of the name given to the attachment. The PC user can launch it from within Notes or detach it and double-click to launch only if the file name ends in WK1, WK3, 123, or some other extension associated with the Lotus 1-2-3 application. (This is a Windows restriction, not a Notes restriction.)

• A Lotus Notes user sends a Lotus 1-2-3 spreadsheet from a PC to a Macintosh recipient using Claris Emailer.
  The PC user must save the spreadsheet as a 1-2-3 R1 spreadsheet because it is the most recent version of 1-2-3 available on the Macintosh. The spreadsheet is encoded with the MIME type X-Lotus-123R1, a private MIME type defined by Lotus. Since this is a private MIME type, by default it cannot be launched directly from Claris Emailer. To view the file, the recipient can detach it, launch Lotus 1-2-3, and then open it using the File - Open command. As an alternative, Macintosh users can install Internet Config (a widely used free software utility) and configure a mapping for the X-Lotus-123R1 MIME type. Claris Emailer can then use the file mapping table in Internet Config to determine the application to use to launch the attachment directly from the message.

Configuring outbound Internet mail to use RFC 822 address format (phrase parts)

RFC 821 defines the standard convention for naming mailbox addresses as user@domain or, more broadly, Localpart@Domainpart. This format has come to be known as RFC 821-style addressing. Subsequently, RFC 822 specified a format for a more human-readable Internet address, which adds a phrase part, also known as a friendly name or display name, before the actual address. Phrase-style addresses use the form Phrase <localpart@domainpart>; an optional display name indicates the name of the recipient for display to the user of a mail application, for example, John Jones <JJones@acme.com>.

You configure this address format using the RFC822 phrase handling field in the Configuration Settings document, under the MIME - Advanced - Advanced Outbound Message Options tab.

The Router adds phrases to Internet addresses both when taking the address from a Person document in the Domino Directory and when constructing the address from rules in the Global domain document.

This setting applies to messages sent over SMTP to another host or exported to the IMAP or POP3 service. It does not apply to messages delivered to mail files on the server or messages transferred over Notes routing.

The options for this field are as follows:

• Do not add phrase (Default setting): Outbound mail displays the sending user's RFC 821 address. The Router permits user-defined phrases in recipient addresses.
• Use DN as phrase: Constructs an RFC 822-style address using a phrase part derived from the person's hierarchical, distinguished name; for example, John Jones/Sales/ACME <JJones@acme.com>. The Router permits user-defined phrases in recipient addresses.
• Use alt. name if available - otherwise DN: If an Alternate name is specified in the user's Person document, constructs an RFC 822-style address using it as the phrase part; otherwise uses the hierarchical, distinguished name; for example, John Jones/Sales/ACME <JJones@acme.com>. The Router permits user-defined phrases in recipient addresses.
• Remove Phrase: The Router strips user-defined phrases in recipient addresses. Only RFC 821-style addresses are allowed.
• Use CN as phrase: Constructs an RFC 822-style address using a phrase part derived from the person's common name; for example, John Jones <JJones@acme.com>. The Router permits user-defined
phrases in recipient addresses.
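The following Python example is added here and is not Domino's own code. It models the five RFC822 phrase handling options listed above, together with the Notes private item settings from the Configuration Settings table earlier in this chapter (sending private items, the always-send list and the removal list). The Person record, the dn_to_phrase helper and the exact parameter layout of the x-notes-item value are assumptions, not Domino item names or formats. It relies on email.utils.formataddr to quote phrases that contain RFC 822 specials, which is the check that keeps a directory-sourced display name from being read as a second address.

```python
# Added example, not Domino's own code: models the "RFC822 phrase handling",
# "Internet mail server sends Notes private items in messages",
# "Always send the following Notes items in headers" and
# "Notes items to be removed from headers" settings on an outbound message.
from email.utils import formataddr, getaddresses

# Option names, as they appear in the Configuration Settings document.
DO_NOT_ADD_PHRASE = "Do not add phrase"
USE_DN = "Use DN as phrase"
USE_ALT_OR_DN = "Use alt. name if available - otherwise DN"
REMOVE_PHRASE = "Remove phrase"
USE_CN = "Use CN as phrase"

# Constructed Person document; the key names are assumptions, not Domino item names.
PERSON = {
    "dn": "CN=John Jones/OU=Sales/O=ACME",
    "common_name": "John Jones",
    "alternate_name": "",
    "internet_address": "JJones@acme.com",
}


def dn_to_phrase(dn):
    """Hypothetical helper: 'CN=John Jones/OU=Sales/O=ACME' -> 'John Jones/Sales/ACME'."""
    return "/".join(part.split("=", 1)[-1] for part in dn.split("/"))


def sender_address(person, mode):
    """Build the From value for a Person under the chosen phrase-handling mode."""
    addr = person["internet_address"]
    if mode in (DO_NOT_ADD_PHRASE, REMOVE_PHRASE):
        return addr                                   # bare RFC 821 address
    if mode == USE_CN:
        phrase = person["common_name"]
    elif mode == USE_ALT_OR_DN and person.get("alternate_name"):
        phrase = person["alternate_name"]
    else:                                             # USE_DN, or no alternate name
        phrase = dn_to_phrase(person["dn"])
    # formataddr quotes a phrase containing specials such as ',' or '<', so a
    # directory value can never spill out of the display-name position.
    return formataddr((phrase, addr))


def recipient_addresses(recipients, mode):
    """Keep user-supplied phrases on recipients, or strip them under 'Remove phrase'."""
    result = []
    for name, addr in getaddresses(recipients):
        if mode == REMOVE_PHRASE or not name:
            result.append(addr)
        else:
            result.append(formataddr((name, addr)))
    return result


def private_item_headers(items, send_private, always_send, remove):
    """Decide which Notes items become nonstandard headers.

    items: {item name: value} from the Notes message (constructed sample data).
    Returns a list of (header name, header value). The parameter layout of the
    x-notes-item value is an assumption; the manual only says it is structured.
    """
    removed = {n.lower() for n in remove}
    always = {n.lower() for n in always_send}
    headers = []
    for name, value in items.items():
        if name.lower() in removed:
            continue                                  # the removal list always wins
        text = str(value)
        if name.lower() in always:
            # header-1 -> x-header-1; the body is the first 255 bytes of the value
            body = text.encode("utf-8")[:255].decode("utf-8", "ignore")
            headers.append(("x-" + name, body))
        elif send_private:
            headers.append(("x-notes-item", f"{text}; name={name}; type=text"))
    return headers
```

With the constructed PERSON record, USE_DN yields the manual's John Jones/Sales/ACME <JJones@acme.com> form and USE_CN yields John Jones <JJones@acme.com>; an alternate name such as "Jones, John" comes out quoted, which is the behaviour a Router must have for directory-sourced phrases.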

You can have Domino add a phrase to the sender's address on outbound SMTP mail and specify the name component to use as the address phrase. By default, addresses do not include phrases. If you choose not to support phrase-style addresses, you can specify that Domino remove any user-added phrases in the recipient fields of outbound messages.

Mapping MIME types to file extensions

Domino uses File Identification documents in the Domino Directory to associate file types and their file name extensions with MIME types and subtypes. For example, a File Identification document for JPEG files classifies files with the extension JPG as having the MIME type image and MIME subtype jpeg. Domino servers and Notes clients use the information in the File Identification documents to map file types to file extensions and vice versa on inbound and outbound mail.
This ensures that the contents of attached files are correctly interpreted by the recipient's mail client. Upon opening the message in a MIME-aware mail program, the recipient can open the attached document from within the message, provided that the mail program recognizes the MIME type and the associated application is installed on the recipient's computer.
You can add, modify, or delete File Identification documents from the
Domino Directory. Add new documents to support additional file types.
When adding a new File Identification document, you must know the
MIME type for the application and the file extension associated with the
application. Modify a File Identification document in the event that a
default mapping is incorrect or later standards dictate a change. You
might also edit a File Identification document to specify which of
multiple MIME types and subtypes Notes and Domino assign to files
with a given file extension when sending outbound mail.
How Domino uses File Identification documents when processing inbound mail
When receiving an inbound MIME message that includes a file
attachment, Domino reads the MIME headers to determine the name and
type of the attached file. If, however, the MIME headers do not specify
the name of the attached file, Domino must assign a name to the file that
is both unique within the document and includes the appropriate file
extension. To determine the file extension to use in creating the file name,
Domino refers to the File Identification documents in the Domino
Directory.
For example, if Domino receives a message that has a MIME header indicating that it contains a Microsoft Word attachment (MIME type/subtype of application/ms-word), but neither the content-type header nor the content-disposition header specifies a file name, the server has to provide a name for the attachment. To ensure that Domino creates a name using the correct file extension for a file of this type, the server checks the Domino Directory for a File Identification document for this file type and subtype, and then checks the Extension field of the matching document. Because, by default, the only document that matches files with the MIME type application/ms-word indicates that the file uses the extension DOC, Domino creates a file name using this extension.

How Domino uses File Identification documents when processing outbound mail
Domino servers and Notes clients both use File Identification documents
when sending MIME messages that include file attachments. In both
cases, information in the document is used to specify the MIME content
type of the message attachment.
Domino servers use File Identification documents when converting
messages that include file attachments from Notes rich-text format to
MIME format for sending over SMTP. When converting an outbound
message that includes a file attachment, Domino first searches for a File
Identification document that corresponds to the file extension of the
attachment. After locating the correct document, Domino uses the MIME
type and subtype information from the document to construct the MIME
Content-type header for the message part that describes the attachment.
When a Notes client attaches a file to a message it sends in MIME format
(for example, when sending to Internet recipients or to Notes mail
recipients whose mail storage preference is set to MIME), the client first
checks the operating system to determine what file associations are
defined. Clients running on Microsoft Windows check the Windows
registry, while clients running on the Macintosh check Internet Config. If
the client cannot locate MIME type information from these sources, it
then checks the Domino Directory for a File Identification document that
applies to files with the same extension as the attached file. After locating
the correct document, the client places the MIME type and subtype
information from the document in the MIME header describing the
attachment.

By default, the File Identifications view of the Domino Directory lists multiple documents for a given MIME type/subtype alphabetically, by
file extension. For example, by default, Domino includes several File
Identification documents for the MIME type/subtype
application/vnd.lotus-1-2-3, and the default view lists these from top to
bottom, beginning with the document that specifies the extension 123
and proceeding through those that specify the extensions unknown,
WK2, WK3, WK4, and WKS. This list order determines how Domino
names files when receiving a message containing an unnamed file
attachment with one of these MIME types. When creating the file name,
the server uses the information in the first document that appears
alphabetically in the view. Thus, when a server receives an inbound
message that includes an unnamed file attachment with the MIME
type/subtype application/vnd.lotus-1-2-3, Domino names the file using
the extension 123, because the File Identification view lists the document
specifying this extension before the other documents that describe the
same MIME type/subtype.

In the case of both servers and clients, if more than one File Identification
document applies to a given file extension, the setting in the Outbound
field of the documents determines which MIME type and subtype to
assign to file attachments with this extension when sending mail.
To create or modify a File Identification document
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging view.
2. Click File Identifications.
3. To add a new File Identification document, click Add File
Identification.
To edit an existing File Identification document, select it from the
documents listed, and click Edit File Identification.
4. Complete the following fields:

Field: MIME type
Description: General MIME category used to describe files of this content type or media; for example, application, audio, image, or video. When sending attachments in MIME messages, the information in this field is placed in the MIME Content-type header. Each MIME type/subtype combination can be mapped to zero or more file extensions.

Field: MIME subtype
Description: The specific MIME category that uniquely identifies the application that created files of this content type, for example, X-Lotus-NSF. When sending attachments in MIME messages, the information in this field is placed in the MIME Content-type header. Each MIME type/subtype combination can be mapped to zero or more file extensions.

Field: File extension
Description: The Windows or UNIX file name extension associated with files of this type; for example, JPG, BMP, or NSF. The Domino Directory can contain multiple File Identification documents for a given file extension. If the MIME headers of an inbound message do not specify the name of an attached file, Domino creates a file name for the attachment using this extension.

Field: Description
Description: Use this field to specify the type of file or the name of the application used to create and open the file.

Field: Outbound
Description: If the Domino Directory contains multiple File Identification documents for files with this file extension, this setting determines which MIME type and subtype Notes and Domino use to send file attachments with this extension. Notes clients also use settings in the Windows registry or the Macintosh Internet Config object to determine the MIME type and subtype to associate with a given file extension. Choose one:
  • Send: When sending outbound messages in MIME format, Domino assigns the MIME type and subtype specified in this document to attachments that have this file extension. If there are multiple File Identification documents for a given file extension, select this option for one document only. If the value in this field is set to Send in multiple File Identification documents for a given file extension, Domino uses the first document listed in the File Identifications view to set the MIME information for attachments with the extension.
  • Do not send: When sending outbound messages in MIME format, Domino does not assign the MIME type and subtype specified in this document to attachments that have this file extension. If there are multiple documents for a given file extension, specify this option in the Outbound field in all but one of the
documents.
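The two lookups that File Identification documents support, as an added Python example that is not Domino's or the Domino Directory's own code: choosing an extension for an unnamed inbound attachment (the first document in the File Identifications view, which sorts alphabetically by extension) and choosing the Content-type for an outbound attachment (the document whose Outbound field is Send, or the first listed when several are set to Send). The sample directory contents, the att1/att2 naming scheme for unnamed attachments, the fallback to the first listed document when none is marked Send, and the application/octet-stream fallback when no document matches the extension are assumptions.

```python
# Added example, not Domino code: models File Identification documents and the
# inbound (MIME type -> extension) and outbound (extension -> MIME type) lookups.
from dataclasses import dataclass


@dataclass(frozen=True)
class FileIdentification:
    mime_type: str
    mime_subtype: str
    extension: str
    description: str = ""
    outbound: str = "Send"            # "Send" or "Do not send"


# Constructed sample directory; the 1-2-3 and Word entries mirror the manual's examples.
DIRECTORY = [
    FileIdentification("application", "vnd.lotus-1-2-3", "WK3", "Lotus 1-2-3", "Do not send"),
    FileIdentification("application", "vnd.lotus-1-2-3", "123", "Lotus 1-2-3", "Send"),
    FileIdentification("application", "vnd.lotus-1-2-3", "unknown", "Lotus 1-2-3", "Do not send"),
    FileIdentification("application", "ms-word", "DOC", "Microsoft Word"),
    FileIdentification("image", "jpeg", "JPG", "JPEG image"),
    FileIdentification("application", "x-lotus-123r1", "WK1", "Lotus 1-2-3 R1"),
]


def _view_order(docs):
    # The File Identifications view lists documents alphabetically by extension
    # (case-insensitive); that order breaks every tie below.
    return sorted(docs, key=lambda d: d.extension.lower())


def inbound_extension(mime_type, mime_subtype, docs=DIRECTORY):
    """Extension for an unnamed inbound attachment: first matching document in view order."""
    matches = [d for d in _view_order(docs)
               if d.mime_type.lower() == mime_type.lower()
               and d.mime_subtype.lower() == mime_subtype.lower()]
    return matches[0].extension if matches else None


def outbound_content_type(extension, docs=DIRECTORY):
    """Content-type for an outbound attachment with this extension.

    The document marked Send wins; with several marked Send, the first in view
    order wins. Falling back to the first listed document when none is marked
    Send, and to application/octet-stream when nothing matches, are assumptions.
    """
    matches = [d for d in _view_order(docs) if d.extension.lower() == extension.lower()]
    if not matches:
        return "application/octet-stream"
    send = [d for d in matches if d.outbound == "Send"]
    chosen = send[0] if send else matches[0]
    return f"{chosen.mime_type}/{chosen.mime_subtype}"


def name_unnamed_attachment(existing_names, mime_type, mime_subtype, docs=DIRECTORY):
    """Unique name within a document for an attachment whose MIME headers carry no file name.

    The att<n>.<ext> scheme is hypothetical; the point is that the extension comes
    from the directory, never from untrusted header content.
    """
    ext = inbound_extension(mime_type, mime_subtype, docs) or "bin"
    n = 1
    while f"att{n}.{ext}" in existing_names:
        n += 1
    return f"att{n}.{ext}"
```

Note that the ordering the manual describes (123 before unknown before WK2...) falls out of a plain case-insensitive sort, so an administrator adding a document with an alphabetically earlier extension silently changes how unnamed inbound attachments are named.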


Chapter 29
Setting Up Shared Mail
This chapter describes setting up and managing shared mail databases.

Shared mail overview

By default, the Domino mail system employs a message-based model for
mail storage, delivering a separate and complete copy of every document
to each recipient's mail file. When a message is small or is addressed to
only a few recipients, creating multiple copies of a message does not
consume much additional disk space. But when a large message is
broadcast to thousands of users on a single server, creating a separate
copy of the message for each recipient can consume several gigabytes of
disk space.
To use disk space more efficiently, you can set up shared mail on each
mail server after you set up the Domino mail system. Shared mail,
sometimes referred to as the Single Copy Object Store (SCOS), offers an
alternative to message-based mail, allowing servers to store a single copy
of messages received by multiple recipients in a special central database,
or object store. Every server using shared mail contains one or more of
these object stores, or shared mail databases, to hold all shared messages.
After you enable shared mail on a server, all mail databases on the server
automatically use the shared mail database to store the content of new
messages, unless you explicitly exclude a database from using shared
mail. You do not need to configure each user's mail file individually for
shared mail use.
When shared mail is enabled and an incoming message is addressed to multiple local recipients, the Router divides the message into a message header and message body. The header includes the message's To, cc, bcc, Subject, and From fields. The body includes the text and other content, as well as any file attachments. The Router then writes the message body to a shared mail database and the message header to each recipient's mail file. The message body stored in the shared mail database contains an object store link, which identifies all of the mail files linked to that message. Similarly, the corresponding message headers stored in each recipient's mail file each contain a pointer to the object store that contains the message body.

To keep shared mail databases small, Domino automatically purges the shared portion of a message from the shared mail database after all
recipients delete the message from their mail files. Domino purges the
shared portion of these obsolete messages immediately; you do not have
to wait for a task to run before a message can be removed.
To improve efficiency and support encryption, Domino excludes certain
messages from the object store. Users always receive messages smaller
than one kilobyte (1 KB) as complete messages. This guarantees that
message pointers in a mail file never exceed the size of the message body
in the shared mail database. In addition, users always receive complete
messages if instructions in their Person documents specify to encrypt
incoming mail.
Using a shared mail database is completely transparent to users. When a
recipient opens a message, the link between the mail file and the shared
mail database causes the message to appear in its entirety. Users can
delete, reply to, change the view or folder, edit, save, resend, and
perform all the same tasks on a mail message stored in a shared mail
database as they would with the same message stored in their own mail
files. If users edit and save, or encrypt and save, a message, the complete message is then stored in their personal mail file, with no effect on how the original message appears to other users.
Shared mail works for all messages, regardless of the mail client used to
compose the message. That means that users who use a POP3, IMAP, or
Notes mail client and who have a mail file on the Domino mail server can
all use shared mail. However, shared mail is not used if the various
recipients have different format preferences for incoming mail. For
example, if a message is sent to four users, half of whom have Notes rich
text format specified as their format preference, and half whose format
preference is set to MIME, all of the users receive the complete message.

Using multiple active shared mail databases

To improve scalability and reduce database contention, Domino servers
support the use of multiple active shared mail databases in multiple
shared mail directories. The directories can exist on any disk that the
server has access to. An active shared mail database is one that is open
for delivery of new messages. When multiple active shared mail
databases are available, the Router evenly distributes incoming mail to
each of them, choosing the destination database at the time of delivery.
Each new message that a user receives may be stored in any one of the
currently active shared mail databases. After a message is stored in a
shared mail database, it remains there until all users delete the message
from their mail files.
If a server has fewer than 1000 active databases configured, it can continue to reference a number of inactive shared mail databases, up to the maximum of 1000. Inactive databases no longer receive new mail, but store previously received messages. A server can support as many as 40 inactive shared mail directories. As with active shared mail directories, each of these inactive directories can contain a maximum of 100 shared mail databases. A single shared mail directory can contain both active and inactive databases.
A shared mail database is automatically set to inactive if the parent
directory exceeds the maximum size you specify for it in the Server
document.
When a server has multiple active shared mail databases, user mail files
on the server may contain links to any or all of them, as well as to
inactive shared mail databases. If you create additional shared mail
databases, Domino distributes a portion of all new incoming messages to
each of them. Previously received messages continue to reside in the
shared mail databases where Domino originally stored them.
Using multiple shared mail databases reduces the amount of shared mail
that could be lost or become temporarily inaccessible as a result of
database corruption. You can enable transaction logging for shared mail
databases, so that databases corrupted as the result of a server crash or
power outage can be automatically recovered at server startup. Enabling
transaction logging frees you from the need to restore shared mail
databases manually.
If transaction logging for shared mail is not enabled, to protect shared
mail databases against data loss, install a backup utility that can back up
and verify open NSF files and back up all shared mail databases at least
once a day. Because security settings on shared mail databases prevent
replication, you cannot replicate shared mail databases to provide
backup.
For more information on restoring shared mail databases, see the topic "Restoring a shared mail database" later in this chapter.

You can configure the server to use as many as ten active shared mail
directories at one time. Each configured shared mail directory can
contain as many as 100 shared mail databases, to a maximum of 1000
total shared mail databases per server.

How using shared mail affects a user's mail file quota

When calculating the size of a mail file to determine whether it conforms
to configured mail quota or warning threshold limits, Domino treats
shared messages as though each user owned the entirety of the shared
message. Thus, the full size of every message delivered to a mail file that
uses shared mail counts against the mail file quota. Likewise, when a
user deletes a message that is linked to a shared mail database, the full
size of the message is removed from the mail file quota.
The actual file size of the mail database that uses shared mail therefore does not necessarily reflect its logical size. For example, a user's mail file might exceed its quota limit of 60MB even though the physical size of the file is only 35MB.

How Domino maintains the security of a shared mail database

Because a shared mail database contains confidential messages for all users on a server, it must be secured against unauthorized browsing. These security features ensure that only users who should have access to a given message actually have access to that message:

• Shared Mail databases are encrypted locally with a random key, which is in turn encrypted using the public key of the server's ID.
• The access control list (ACL) of a shared mail database is set so that only the server's ID can access the database. The server's ID has Manager access, and the user type is Server. Even if an unauthorized user obtains the server ID, the user cannot use the server ID to access a shared mail database from a Notes workstation and cannot create a replica of the database on another server.
• The shared mail database does not appear in the Open Database dialog box.
• A shared mail database contains no views, and none can be added to it.
• The shared mail database includes links to message headers. When a user reads a message, Domino verifies that the message header matches the content stored in the shared mail database.
• Messages received by users for whom the Encrypt incoming mail option in the Person document is set to Yes cannot be stored in a shared mail database. Messages delivered to recipients who encrypt incoming mail are placed in the recipient's mail file in their entirety.

For more information on mail encryption, see the chapter "Encryption and Electronic Signatures".

How shared mail works

1. The Router on a server receives a mail message addressed to two or more recipients whose mail files are on that server.
2. The Router splits the incoming message into two parts: the header and the content. The header consists of the message's To, cc, bcc, Subject, and From fields. The content contains the body of the message, along with any file attachments.
   Note: If the combined size of a message and its attachments is 1KB or less, Domino delivers the complete message to the recipient's mail file and does not use the object store.
3. The Router stores a copy of the header in each recipient's mail file and stores a single copy of the content in the shared mail database.
4. When a recipient opens the message, the header activates a link to the message content, which is stored in the shared mail database. The message appears as though the entire message is stored in the recipient's mail file.
5. If the recipient deletes a shared message, Domino deletes only the header in the recipient's mail file. The content is not affected because it is stored in the shared mail database.
6. After all of the recipients delete the message header from their mail files, Domino automatically purges the obsolete message, including the content in the shared mail database.
   For more information on how Domino removes obsolete messages from a shared mail database, see the topic "Purging obsolete shared mail messages" later in this chapter.

If a user edits and saves a received message, Domino stores the revised message in the user's mail file in its entirety and deletes links between the user's mail file and the message body in the
shared mail database.
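The steps above, as an added Python model that is not Domino's own code. It also covers the overview's rules for when a message is delivered whole (1 KB or less, a recipient whose Person document says to encrypt incoming mail, or recipients with different format preferences), the choice among several active shared mail databases, the quota calculation on logical rather than physical size, and the check that a header's link matches the stored content when a message is read. The class names, the SHA-256 digest used as the object store link, round-robin selection among active stores, and a per-database size limit that marks a store inactive are assumptions made to keep the model concrete; Domino's real on-disk structures are not described at that level in this chapter.

```python
# Added example, not Domino's own code: an in-memory model of shared mail as the
# steps above describe it: one header per mail file, one body in an object
# store, link verification on read, immediate purge after the last delete,
# whole-message delivery for small messages and encrypt-incoming users, and
# quota accounting on the logical (not physical) size of a mail file.
import hashlib
from dataclasses import dataclass, field

SHARE_THRESHOLD = 1024          # a message of 1 KB or less is delivered whole


@dataclass
class Person:
    name: str
    encrypt_incoming: bool = False   # "Encrypt incoming mail" in the Person document
    format_pref: str = "Notes"       # mail storage preference: "Notes" or "MIME"


@dataclass
class ObjectStore:
    path: str
    max_bytes: int                   # assumed per-database size limit
    active: bool = True
    bodies: dict = field(default_factory=dict)   # digest -> [body, set of linked users]

    def size(self):
        return sum(len(entry[0]) for entry in self.bodies.values())


@dataclass
class MailFile:
    owner: Person
    quota: int
    docs: dict = field(default_factory=dict)     # doc id -> {"header", "body" or "link"}


class MailServer:
    def __init__(self, stores):
        self.stores, self.mailfiles, self._rr, self._ids = stores, {}, 0, 0

    def add_user(self, person, quota):
        self.mailfiles[person.name] = MailFile(person, quota)

    def _pick_store(self):
        active = [s for s in self.stores if s.active]
        if not active:
            return None
        store = active[self._rr % len(active)]   # even spread; round-robin is an assumption
        self._rr += 1
        return store

    def deliver(self, header, body, recipients):
        files = [self.mailfiles[r] for r in recipients]
        shareable = (len(header) + len(body) > SHARE_THRESHOLD and len(files) > 1
                     and len({f.owner.format_pref for f in files}) == 1)
        store = self._pick_store() if shareable else None
        digest = hashlib.sha256(body).hexdigest()    # the object store link
        self._ids += 1
        for f in files:
            if store is not None and not f.owner.encrypt_incoming:
                store.bodies.setdefault(digest, [body, set()])[1].add(f.owner.name)
                f.docs[self._ids] = {"header": header, "link": (store, digest)}
            else:
                f.docs[self._ids] = {"header": header, "body": body}
        if store is not None and store.size() > store.max_bytes:
            store.active = False                     # over its size limit: no new deliveries
        return self._ids

    def read(self, user, doc_id):
        doc = self.mailfiles[user].docs[doc_id]
        if "body" in doc:
            return doc["header"] + doc["body"]
        store, digest = doc["link"]
        body, linked = store.bodies[digest]
        # the header's link must still name this reader and match the stored content
        if user not in linked or hashlib.sha256(body).hexdigest() != digest:
            raise ValueError("shared mail link does not match stored content")
        return doc["header"] + body

    def _unlink(self, user, store, digest):
        store.bodies[digest][1].discard(user)
        if not store.bodies[digest][1]:
            del store.bodies[digest]                 # last link gone: purge immediately

    def delete(self, user, doc_id):
        doc = self.mailfiles[user].docs.pop(doc_id)
        if "link" in doc:
            self._unlink(user, *doc["link"])

    def edit_and_save(self, user, doc_id, new_body):
        doc = self.mailfiles[user].docs[doc_id]
        if "link" in doc:
            self._unlink(user, *doc.pop("link"))
        doc["body"] = new_body                       # now a complete private copy

    def logical_size(self, user):
        total = 0
        for doc in self.mailfiles[user].docs.values():
            body = doc["body"] if "body" in doc else doc["link"][0].bodies[doc["link"][1]][0]
            total += len(doc["header"]) + len(body)
        return total

    def physical_size(self, user):
        return sum(len(d["header"]) + len(d.get("body", b""))
                   for d in self.mailfiles[user].docs.values())

    def over_quota(self, user):
        return self.logical_size(user) > self.mailfiles[user].quota
```

The read path is the interesting part for a defender: a mail file holds only a pointer, so the server, not the client, must confirm that the pointer resolves to content the reader was actually linked to, which is what the manual's "Domino verifies that the message header matches the content" bullet describes.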

Setting up shared mail databases

Before setting up shared mail, decide where to locate your shared mail databases. On each server that uses shared mail, you specify the directory where you want shared mail databases to reside. When creating multiple shared mail databases, you can place all of the databases in one directory, or create multiple directories and have multiple databases in each directory. Servers can have up to 10 active shared mail directories, each supporting a maximum of 100 shared mail databases. In addition, Domino recognizes as many as 40 inactive shared mail directories, from which users can continue to access messages. Inactive directories are directories that no longer appear in the Server document, but remain in the last location specified. Each server can support a combined total of 1000 active and inactive shared mail databases.

Shared mail directories must reside within the logical directory structure that is controlled by the server or be referenced by a directory link within that directory structure. To improve performance, you can place shared mail databases on another file system. When creating shared mail databases in a directory that is not a subdirectory of the Domino data directory, Domino creates a link to point to the shared mail directory. If no link exists, Domino cannot locate the shared mail databases.

To create and enable a shared mail database

1. From the Domino Administrator, click the Configuration tab and then expand the Server section.
2. Select the Server document to be edited and then click Edit Server.
3. Click the Shared Mail tab.
4. Enable or disable the use of shared mail by completing the following field:

Field name: Shared Mail
Enter: Choose one:
  None - The server does not use shared mail.
  Delivery - The server uses shared mail for messages delivered to multiple local recipients. Selecting this option sets the value of the variable Shared_Mail in the NOTES.INI file to 1.
  Transfer and delivery - The server always uses shared mail. Selecting this option sets the value of the variable Shared_Mail in the NOTES.INI file to 2.

5. For each shared mail directory you want to create, complete the following fields and then click Save & Close:

Field name: Directory
Enter: The full path to the shared mail directory. For example:
  C:\LOTUS\DOMINO\DATA\SHAREDMAIL
  If the directory you specify does not exist, Domino creates it for you.
  You can configure up to 10 active shared mail directories. In addition, Domino recognizes as many as 40 inactive shared mail directories, from which users can continue to access messages. Inactive directories are directories that no longer appear in the server document, but remain in the last location specified.

Field name: Number of files
Enter: The number of shared mail databases to create in the specified directory. Enter a number between 1 and 100.

Field name: Maximum directory size
Enter: The maximum total size, in megabytes (MB), of all shared mail databases in the directory. Enter a number between 1 and 8192. If the directory size exceeds this value, Domino stops adding new mail to the shared mail databases in the directory.

Field name: Delivery status
Enter: Specifies whether the Router can deliver messages to shared mail databases in the directory. Choose one:
  Open (default) - The Router can access active shared mail databases in this directory for delivery. Although the delivery status for the directory is set to Open, individual databases in the directory may be closed to delivery.
  Closed - The Router does not deliver new messages to shared mail databases in this directory. Domino closes a directory automatically if it exceeds its size or as the result of certain error conditions. Select this option if you have a temporary need to shut off access to the database to prevent directory growth, for example, if another service that stores data on the disk needs immediate space but you don't want to change the configured directory size.

Field name: Availability
Enter: Specifies whether the mail system can access shared mail databases in the directory. Choose one:
  Online (default) - Domino designates shared mail databases in the directory as available for use. The server periodically checks the directory to ensure that it contains the number of configured shared mail databases. If the number of databases in the directory falls below the value specified in the Number of Files field, the server attempts to recreate the missing databases.
  Offline - Domino designates shared mail databases in the directory as not available. The server does not check the directory to ensure that it contains the correct number of shared mail databases. Select this option to prevent access to shared mail databases in preparation for moving a directory or database. Setting the availability status of a directory to Offline automatically sets the delivery status to Closed.

6. To put the new configuration into effect, restart the server or enter the following command at the server console:
Show SCOS

For more information about using the SHOW SCOS command, see the appendix Server Commands.

Using shared mail for delivery only or for transfer and delivery
There are two ways of setting up shared mail. One is for delivery only,
and the other is for transfer and delivery. When shared mail is enabled
for delivery only, the Router places the body of an incoming message in
the shared mail database only if there are multiple local recipients.
Messages for a single local user are delivered as complete messages. The
server uses its normal transfer mechanism for messages being routed
through the server to another destination; that is, messages in MAIL.BOX
that are awaiting transfer to another server always remain intact.
In contrast, when shared mail is enabled for transfer and delivery, the
server splits every message it receives (that is, the content goes to the
shared mail database and the header goes to MAIL.BOX), regardless of
the number of recipients. Then, during delivery, the Router merges the
header and content together, examines the recipient list, and either
transfers the message to the next server, or delivers it to the local
recipients (with the content staying in the shared mail database and the
header going to the users' mail files).

In the end, both settings provide similar disk space savings, but because
the transfer and delivery setting always places the message body
directly in the object store, rather than in MAIL.BOX, it provides faster
delivery for local users by eliminating the transfer time required to move
mail from MAIL.BOX to the object store.

Specifying the location and size of a shared mail directory


Shared mail databases may become quite large, so be sure to locate
shared mail directories on a disk that has enough free space to
accommodate future growth. To manage growth, you can specify a size
limit for the database set contained in each shared mail directory. The
size limit applies to the cumulative size of all shared mail databases in
the directory. The size of individual databases may fluctuate as messages
are added and removed, but barring any configuration change, the
number of databases remains constant, and the size of the entire database
set never significantly exceeds the specified maximum. Domino supports
a maximum size limit of 8GB (8192MB) for each shared mail directory.
Always set a maximum directory size that is less than the actual amount
of available disk space. A shared mail directory may exceed the specified
size limit if the Router adds a large message to the directory when it is
already near the limit.
If a shared mail directory reaches the configured maximum size, Domino
automatically deactivates it, changing the delivery status of the directory
to Closed, so that it can no longer receive new mail. Existing links
between users' mail files and the inactive shared mail database continue
to work, so users can read and otherwise work with these messages. If
another shared mail directory is available, the Router places future
messages into the active shared mail databases in that directory. If no
shared mail directories are available, the Router delivers new messages
as complete messages to user mail files.

The shared mail setting that you decide to use depends on your situation. In general, use shared mail for transfer and delivery on servers that have mostly deliveries and few transfers to other servers. Because most incoming messages are likely to be for local delivery, it's efficient to have the server automatically place all incoming messages in the object store. On the other hand, on servers such as hub servers, which perform mostly transfers and have few local mail file deliveries, use shared mail for delivery only. Because incoming messages on these servers are likely to be transferred to another server, it's counterproductive to have the server absorb the cost of preparing mail for the object store.

Managing object store growth


As the object store becomes host to a greater number of users and
messages, you may need to change the size limits on existing shared mail
directories or add new directories to accommodate the increased usage.
Whether you extend the size of current directories or add new ones
depends on the amount of physical space and the number of concurrent
users accessing your current directories.
If there's still adequate space on the current disk, after the existing
shared mail directories reach their size limit, you can increase the
maximum size of the existing directories. If the amount of additional
space on the current disk is limited, create another shared mail directory
on a separate disk that has more space.
If database contention (too many users accessing the database at the
same time) is affecting performance, and space allows, increase the
number of databases (not the size) within the existing shared mail
directories or create new shared mail directories on the same disk or a
separate disk.
Creating shared mail directories outside of the Domino Data directory
If you create a shared mail directory that is not a subdirectory of the
Domino data directory, Domino automatically creates a link file, or
directory link, within the Data directory, called SCOS_N.DIR, where N
indicates the sequence order in which the link file was created relative to
other shared mail database links. For example, the directory link Domino
creates for the first shared mail directory outside of the Domino Data
directory is named SCOS_1.DIR; the second one is named SCOS_2.DIR;
and so forth. Domino does not create link files for shared mail directories
residing within the Domino Data directory. The link file is a text file
containing the path to the shared mail directory so that the server can
locate shared mail databases.
If the server has a drive mapped to another computer, you can place the directory on that drive by entering its full path. For example:
J:\Shared\SHAREDMAIL

You cannot specify a path in the form of a Universal Naming Convention (UNC) name (that is, using the format: //hostname/sharepoint).
Caution If Domino loses access to the remote directory for any reason, users will be unable to access messages stored in that directory.
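As an added example (not Lotus code and not part of this manual), the following Python check applies the directory limits from this section and the Directory field rules above (10 active directories, 1 to 100 files, 1 to 8192MB, 1000 databases in total, no UNC names, Offline implies Closed) to a constructed configuration; the dataclass and function names are assumptions.

```python
"""Check a Domino 6 shared mail (SCOS) directory configuration against the
limits stated in this chapter before saving the Server document.  Added
example, not Lotus code; the dataclasses and function names are assumptions."""
from dataclasses import dataclass, field
from typing import List

MAX_ACTIVE_DIRS = 10        # active shared mail directories per server
MAX_FILES_PER_DIR = 100     # "Number of files" field accepts 1..100
MAX_DIR_SIZE_MB = 8192      # "Maximum directory size" field accepts 1..8192 (8GB)
MAX_TOTAL_DBS = 1000        # combined active and inactive databases per server


@dataclass
class SharedMailDir:
    path: str
    number_of_files: int
    max_size_mb: int
    delivery_status: str = "Open"     # Open | Closed
    availability: str = "Online"      # Online | Offline
    free_disk_mb: int = 0             # constructed figure; 0 = unknown, check skipped


@dataclass
class ServerSharedMail:
    shared_mail: int                  # NOTES.INI Shared_Mail: 1 delivery, 2 transfer and delivery, 0 assumed for None
    active_dirs: List[SharedMailDir] = field(default_factory=list)
    inactive_db_count: int = 0        # databases in directories no longer in the Server document


def is_unc_path(path: str) -> bool:
    """The Directory field rejects UNC names such as //hostname/sharepoint."""
    return path.startswith("//") or path.startswith("\\\\")


def validate(cfg: ServerSharedMail) -> List[str]:
    """Return human-readable findings; an empty list means the settings are within limits."""
    findings: List[str] = []
    if cfg.shared_mail not in (0, 1, 2):
        findings.append(f"Shared_Mail must be 0, 1 or 2, got {cfg.shared_mail}")
    if len(cfg.active_dirs) > MAX_ACTIVE_DIRS:
        findings.append(f"{len(cfg.active_dirs)} active directories exceed the limit of {MAX_ACTIVE_DIRS}")
    total_dbs = cfg.inactive_db_count
    for d in cfg.active_dirs:
        if is_unc_path(d.path):
            findings.append(f"{d.path}: UNC names are not supported; use a local path or mapped drive")
        if not 1 <= d.number_of_files <= MAX_FILES_PER_DIR:
            findings.append(f"{d.path}: Number of files {d.number_of_files} is outside 1..{MAX_FILES_PER_DIR}")
        if not 1 <= d.max_size_mb <= MAX_DIR_SIZE_MB:
            findings.append(f"{d.path}: Maximum directory size {d.max_size_mb}MB is outside 1..{MAX_DIR_SIZE_MB}")
        elif d.free_disk_mb and d.max_size_mb >= d.free_disk_mb:
            # The chapter says the limit must be below the actual free space, because a
            # large message can push a directory past its configured maximum.
            findings.append(f"{d.path}: size limit {d.max_size_mb}MB is not below free disk space {d.free_disk_mb}MB")
        if d.availability == "Offline" and d.delivery_status != "Closed":
            findings.append(f"{d.path}: Offline availability implies Closed delivery status")
        total_dbs += d.number_of_files
    if total_dbs > MAX_TOTAL_DBS:
        findings.append(f"{total_dbs} shared mail databases exceed the server limit of {MAX_TOTAL_DBS}")
    return findings


def example_config() -> ServerSharedMail:
    """Constructed configuration with four deliberate mistakes for validate() to catch."""
    return ServerSharedMail(
        shared_mail=2,
        active_dirs=[
            SharedMailDir(r"C:\LOTUS\DOMINO\DATA\SHAREDMAIL", 4, 4096, free_disk_mb=20000),
            SharedMailDir("//fileserver/scos", 150, 8192, free_disk_mb=30000),
            SharedMailDir(r"J:\Shared\SHAREDMAIL", 10, 9000, availability="Offline"),
        ],
        inactive_db_count=30,
    )
```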


Managing a shared mail database


Use these procedures to manage a shared mail database and the user
mail files that are linked to it:

Reconfigure shared mail

Generate and view shared mail information

Link, unlink, or relink a user's mail file

Include or exclude a user's mail file

Enable shared mail for replicas of mail files

Purge obsolete shared mail messages

Restore a shared mail database

Move mail files between servers that use shared mail

Delete a shared mail database

Disable shared mail

Reconfiguring shared mail settings


As the object store becomes host to a greater number of users and
messages, you may need to change the existing settings to accommodate
continued growth. You can:

Increase the number of files in a directory

Increase the size limits on existing shared mail directories

Change the delivery status of a directory

Add new shared mail directories

Whether you extend the size of current directories or add new ones
depends on whether physical space or concurrent usage is the limiting
factor.
If your existing shared mail directories reach their size limit, and there's
still adequate space on the current disk, increase the maximum size of the
existing directories. If the amount of additional space on the current disk
is limited, create another shared mail directory on a separate disk that
has more space.
If database contention (too many users accessing the database at the
same time) is affecting performance, and space allows, increase the
number of databases (not the size) within the existing shared mail
directories or create new shared mail directories on the same disk or a
separate disk.


Use the Shared Mail tab on the Server document to change the directory
settings. In addition, you can also use the SET SCOS command to change
the status of individual shared mail databases within a directory. For
more information about using the SET SCOS command, see the appendix
Server Commands.
To change directory settings for shared mail
1. From the Domino Administrator, click the Configuration tab and then expand the Server section.
2. Select the Server document to be edited and then click Edit Server.
3. Click the Shared Mail tab.
4. To create an additional shared mail directory, complete the following fields:

Field name: Directory
Enter: The full path to the shared mail directory. For example:
  C:\LOTUS\DOMINO\DATA\SHAREDMAIL
  If the server has a drive mapped to another computer, you can place the directory on that drive by entering its full path. For example:
  J:\Shared\SHAREDMAIL
  If the server is unable to connect to the remote drive, access to directories on the drive will be interrupted.
  If the directory you specify does not yet exist, Domino creates it for you.
  You cannot specify a path in the form of a Universal Naming Convention (UNC) name (that is, //hostname/sharepoint).

Field name: Number of files
Enter: The number of shared mail databases to create in the specified directory. Enter a number between 1 and 100.

Field name: Maximum directory size
Enter: The maximum total size, in megabytes (MB), of all shared mail databases in the directory. Enter a number between 1 and 8192. If the directory size exceeds this value, Domino stops adding new mail to the shared mail databases in the directory.

Field name: Delivery status
Enter: Choose one:
  Open - The server can access any active shared mail databases in this directory for delivery. Individual databases may be closed to delivery.
  Closed - The server cannot access any shared mail databases in this directory.

Field name: Availability
Enter: Specifies whether the mail system can access shared mail databases in the directory. Choose one:
  Online (default) - Domino designates shared mail databases in the directory as available for use. The server periodically checks the directory to ensure that it contains the number of configured shared mail databases. If the number of databases in the directory falls below the value specified in the Number of Files field, the server attempts to recreate the missing databases.
  Offline - Domino designates shared mail databases in the directory as not available. The server does not check the directory to ensure that it contains the correct number of shared mail databases. Select this option to prevent access to shared mail databases in preparation for moving a directory or database. Setting the availability status of a directory to Offline automatically sets the delivery status to Closed.

5. To add more shared mail databases to an existing shared mail directory, increase the value in the Number of Files field for that directory.
6. To increase the size of an existing shared mail directory, enter a new value in the Maximum directory size field for that directory. A directory can have a maximum size of 8192MB. If the directory size exceeds this value, Domino stops adding new mail to the shared mail databases in the directory.
7. At the server console, enter the following command to put the new configuration into effect:
Show SCOS

For more information about using the Show SCOS command, see the appendix Server Commands.

Generating and viewing shared mail statistics


The Object Collect task automatically generates shared mail statistics,
such as how many messages in a shared mail database are shared by a
certain number of users. You can view these statistics from the Shared
Mail view on the Messaging-Mail tab of the Domino Administrator, or
from the Object Store view of the server log file (LOG.NSF). The view is
populated automatically when the Object Info -Full command runs by
default at 3 AM. You can specify when to run the Object task by editing
the ServerTasks parameter in the NOTES.INI file.

These statistics provide information you need before administering shared mail by showing how shared mail is currently used on a server.
You can see the object store filename, the mail databases that use the
object store, the number of documents referenced in the object store for
each mail database, and the total size of documents in the object store for
each mail database. This information can help you determine how much
disk space you would need if you were to unlink the user's mail file from
the shared mail database. Likewise, you can see the total size of all
documents in the shared mail database, so you'd know how much space
you would need if you unlinked the entire shared mail database.
To run the Object Collect task to generate shared mail statistics
Enter the following at the server console:
Load Object Info -Full SHARED.NSF

where SHARED.NSF is the full pathname of a shared mail directory or a specific shared mail database.
Note The Domino Administrator maintains shared mail statistics
cumulatively. As a result, if you have previously populated statistics,
duplicate entries appear. To ensure accurate results, clear existing
information before generating new statistics.
To view shared mail statistics
1. Run the Object Collect task, as described above. To view statistics for
all configured shared mail directories, run the task against each
directory.
2. From the Domino Administrator, click the Messaging - Mail tab.
3. Open the Shared Mail view. The view displays each configured
shared mail directory and the shared mail databases within them.
The following information appears for the shared mail databases or
directories for which you generate statistics in Step 1:
For each: Shared mail database
Display:
  Database name and names of the parent directory and shared mail server
  File name and database title of each mail file that references the shared mail database
  Number of messages each mail file references in the shared mail database
  Size (in bytes) of all message bodies a given mail file references in the shared mail database
  Total size (in bytes) of all message bodies in the shared mail database

For each: Shared mail directory
Display: Total size (in bytes) of the message bodies contained in the included shared mail databases. This value may be less than the true total, if you generated statistics for a subset of the databases in a directory.

For each: Shared mail server
Display: Total size (in bytes) of the message bodies contained in the included shared mail directories and databases. This value may be less than the true total, if you generated statistics for a subset of the databases in a directory.

Linking unshared messages in a mail file to the object store


After you set up shared mail on a server, Domino automatically stores all
new shared mail messages in the shared mail database. However,
messages that users received before shared mail was enabled, or that
were delivered while shared mail was temporarily disabled, remain in
their mail files as complete messages.
To eliminate redundant copies of messages received by multiple users and save additional space, you may want to transfer these existing messages to the object store. To store these messages in a shared mail database, you use the Object Link command to link the user's mail file to a shared mail directory.
During the linking operation, the Object Store Manager moves the content of each shared message from the user's mail file to the shared mail databases in the specified directory. Message headers remain in the mail file with a link to the shared mail database containing the shared portion. If more than five messages are moved to the shared mail database, the Object Store Manager automatically compacts the user's mail file to reclaim the disk space that was previously occupied by the message content. Linking does not determine whether the mail file stores future messages it receives as complete messages or uses the object store. If you disable shared mail on the server, or exclude the mail file from using shared mail, the messages placed in the object store during the linking process remain there, even if the mail files receive complete messages in the future.
You can also use the Object Link command to unlink a mail file from all shared mail databases so that existing messages in the mail file will be stored as complete messages, and to unlink a shared mail database from all mail files.


To link a mail file


The linking operation splits complete messages in a mail file into headers
and content and distributes the content to the shared mail databases on
the server. Typically, you would use linking to process the complete
messages in a mail file that is newly replicated to another shared mail
server, or that existed on a server before you enabled shared mail.
Enter this command at the console:
Load Object Link USERMAIL -ALL

where USERMAIL is the name of the directory containing user mail files.
Running this command links messages in the specified user mail files to
the configured shared mail databases in a distributed fashion. You
cannot link a mail file to a specific shared mail database.
To link a mail file without compacting it
By default, if linking a mail file results in more than five messages being
moved to the shared mail database, the Object Store Manager compacts
the users mail file. To link a mail file without compacting it, use the
-Nocompact option.
Enter this command at the console:
Load Object Link -Nocompact USERMAIL -ALL

where USERMAIL is the name of a single user mail file or a directory containing user mail files.
For example:
Load Object Link -Nocompact Mail\DMalone.NSF E:\Lotus\Domino\Shared\SCOS1

Unlinking messages in a user's mail file from the object store


You can restore complete messages to a user's mail file by unlinking the
mail file from the shared mail databases.
After you unlink existing messages from the shared mail databases, new
messages delivered to the mail file continue to use shared mail as long as
shared mail is enabled on the server, unless you explicitly exclude the
mail file from using shared mail.
For information about excluding a mail file from using shared mail, see
the topic Excluding a mail file from using shared mail later in this
chapter.
Note Unlinking a mail file can result in a significant size increase.

To unlink a mail file

Enter this command at the console:
Load Object Unlink USERMAIL.NSF

where USERMAIL.NSF is the complete path to a user mail file or a directory containing mail files.
To unlink an object store
Enter this command at the console:
Load Object Unlink OBJECTSTORE

where OBJECTSTORE is the name of a shared mail directory or an individual shared mail database.
Caution Unlinking an object store can significantly increase the size of
all mail files that previously linked to the object store. Before unlinking
an object store, confirm that the disk where user mail files reside includes
enough available space to accommodate the resulting increase.

Excluding a mail file from using shared mail


By default, after you enable shared mail on a server, all mail files on the
server use shared mail for new mail. You can disconnect specific mail
files from shared mail if you want their owners to use standard,
message-based mail, and you can reconnect previously disconnected
mail files to shared mail.
To determine which mail files use shared mail
If a server contains a mix of some mail files that use shared mail and
some that do not, you can display a list of all mail files that use shared
mail. Enter this command at the console:
Load Object Info USERMAIL.NSF

where USERMAIL.NSF is the complete path to the user's mail file or a directory that contains mail files.
For example, to determine the shared mail use of all mail files in a directory, enter:
Load Object Info C:\LOTUS\DOMINO\DATA\MAIL

For each mail database in the directory, the results indicate whether the mail file is set to use shared mail and currently has links to messages shared in any shared mail databases:
12/06/2001 03:45:03 PM Object Store Manager: mail\gthiers.nsf is not an object store
12/06/2001 03:45:03 PM Object Store Manager: mail\gthiers.nsf contains notes which use an object store
12/06/2001 03:45:03 PM Object Store Manager: mail\gthiers.nsf is set always to use object store (multiple)
12/06/2001 03:45:05 PM Object Store Manager: mail\ewilson.nsf is not an object store
12/06/2001 03:45:05 PM Object Store Manager: mail\ewilson.nsf contains no notes which use an object store
12/06/2001 03:45:05 PM Object Store Manager: mail\ewilson.nsf is set always to use object store (multiple)
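The following Python parser is added here as an illustration (it is not part of the manual or of Lotus code): it folds Object Store Manager console lines like those above into one record per mail file and lists the files whose size would grow if unlinked. The sample output is constructed from the lines shown, one entry per line, and only the status phrases the page shows are interpreted; any other phrase is kept as unrecognized.

```python
"""Parse "Load Object Info" console output and summarise which mail files are
linked to a shared mail database.  Added example, not Lotus code; the sample
lines are constructed from the ones shown in this chapter."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Each console line: timestamp, task name, mail file, then a status phrase.
LINE_RE = re.compile(
    r"^(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) "
    r"Object Store Manager: (?P<file>\S+\.nsf) (?P<text>.+)$",
    re.IGNORECASE,
)


@dataclass
class MailFileStatus:
    is_object_store: Optional[bool] = None  # the file itself is a shared mail database
    has_links: Optional[bool] = None        # contains notes whose body is in an object store
    setting: Optional[str] = None           # word after "is set", e.g. "always"
    unrecognized: List[str] = field(default_factory=list)  # phrases this page does not document


def parse_object_info(output: str) -> Dict[str, MailFileStatus]:
    """Fold the per-line status phrases into one record per mail file."""
    statuses: Dict[str, MailFileStatus] = {}
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or other console chatter
        st = statuses.setdefault(m["file"].lower(), MailFileStatus())
        text = m["text"].strip()
        if text == "is not an object store":
            st.is_object_store = False
        elif text == "contains notes which use an object store":
            st.has_links = True
        elif text == "contains no notes which use an object store":
            st.has_links = False
        elif text.startswith("is set ") and " to use object store" in text:
            st.setting = text.split()[2]  # "always" in the page's sample
        else:
            st.unrecognized.append(text)
    return statuses


def files_that_would_grow_on_unlink(statuses: Dict[str, MailFileStatus]) -> List[str]:
    """Mail files holding object links; unlinking them restores complete messages."""
    return sorted(f for f, s in statuses.items() if s.has_links)


# Constructed sample: the page wraps each entry for print, the console emits one line.
SAMPLE_OUTPUT = r"""
12/06/2001 03:45:03 PM Object Store Manager: mail\gthiers.nsf is not an object store
12/06/2001 03:45:03 PM Object Store Manager: mail\gthiers.nsf contains notes which use an object store
12/06/2001 03:45:03 PM Object Store Manager: mail\gthiers.nsf is set always to use object store (multiple)
12/06/2001 03:45:05 PM Object Store Manager: mail\ewilson.nsf is not an object store
12/06/2001 03:45:05 PM Object Store Manager: mail\ewilson.nsf contains no notes which use an object store
12/06/2001 03:45:05 PM Object Store Manager: mail\ewilson.nsf is set always to use object store (multiple)
"""

if __name__ == "__main__":
    for name, status in parse_object_info(SAMPLE_OUTPUT).items():
        print(name, status)
```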

To exclude a mail file from using shared mail


Enter this command at the console:
Load Object Set -Never USERMAIL.NSF

where USERMAIL.NSF is the full path for a mail file or a directory that
contains mail files.
For example:
Load Object Set -Never C:\LOTUS\DOMINO\DATA\MAIL\RBOWKER.NSF

sets the mail file RBOWKER.NSF to never use shared mail on the server.
The process has no effect on existing messages.
To include a previously excluded mail file
If you previously excluded a mail file from shared mail and then want it
to use shared mail again, you can re-enable the mail file to use shared
mail for new messages. The process has no effect on existing messages.
Enter this command at the console:
Load Object Reset -Never USERMAIL.NSF

where USERMAIL.NSF is the full path for a mail file or a directory that
contains mail files.
For example:
Load Object Reset -Never C:\LOTUS\DOMINO\DATA\MAIL\

resets all mail files in the MAIL directory that were previously excluded
from using shared mail so they use the object store for new mail.


Replicating mail files that use shared mail


By default, when you replicate a primary mail file that uses shared mail
to another server, messages in the new replica are added to the mail file
as complete documents, even if shared mail is also enabled on the
destination server. Similarly, all future messages replicated from the
primary mail file to the replica mail file are also added as complete
documents. This is necessary, because not only does shared mail prohibit
a mail file on one server from accessing messages in an object store on
another server, but the security settings prevent shared mail databases
from replicating between servers.
Enabling shared mail for replica mail files
By default, after you replicate a mail file to a shared mail server, the new
replica does not use shared mail for either existing messages or messages
added during future replications. Enabling shared mail for replicas of
mail files increases the available space on servers that contain mail files
that are populated using replication. If a user's primary mail server is
unavailable, the user can retrieve message content by accessing the
replica mail file from the shared mail database on the secondary server.
To have the replica use shared mail, you can:

Enable the new replica to use the object store on the new server for
messages received from the primary mail file during future
replications

Enable the new replica to use the object store on the new server for
existing messages

Enabling messages added during replication to be placed in the object store
When shared mail is enabled on a server, mail files hosted on the server
automatically use shared mail for new messages received through the
Domino routing process. However, when the replication process, rather
than the Router, adds new mail to a replica mail file, by default, the mail
file stores the mail as complete documents.

To enable messages added during replication to be placed in the object store
To enable messages added during replication to be placed in the object
store, you must set a mail file to always use shared mail. Enter this
command at the console of the server that stores the replica mail files and
that uses shared mail:
Load Object Set -Always USERMAIL.NSF

where USERMAIL.NSF is the name of a replica mail file or a directory that contains replica mail files. For example,
Load Object Set -Always Dmalone.nsf

causes Domino to store the content of messages replicated to DMALONE.NSF in one of the configured shared mail databases on the
server during future replications.
To split messages that were previously replicated and place the message
bodies in a shared mail database, use the Load Object Link command.
For more information on the Load Object Link command, see the topic
Linking unshared messages in a mail file to the object store earlier in
this chapter.
To enable existing messages in a replica to be placed in the object
store
To have a mail file use shared mail for messages that already existed at
the initial replication, link the mail file to the object store on the second
server. For more information on linking a mail file to an object store, see
the topic Linking unshared messages in a mail file to the object store
earlier in this chapter.
To disable shared mail for replica mail files
Enter this command at the console of the server that stores the replica
mail files:
Load Object Reset -Always USERMAIL.NSF

where USERMAIL.NSF is the name of a replica mail file or a directory that contains replica mail files.
Using shared mail with Domino clusters
For a Domino cluster in which some servers have shared mail enabled, you can create replicas of user mail files, and use cluster replication to increase mail reliability. Although you cannot use cluster replication to keep shared mail databases synchronized, you can use cluster replication to replicate information to another mail file replica and then configure that replica to use shared mail on the local server. Each server in the cluster must have shared mail enabled.
Use these steps on each cluster member server that hosts replica mail files. Once activated, Domino clustering (not the Domino Router task) automatically splits any replicated messages into their header and content portions, saving the headers in the individual mail databases and the content portions in the shared mail database on the target server.
You can also use this same procedure for mail file replicas located on servers not in a cluster, that is, servers kept synchronized by standard Domino replication.

Moving users or mail files between servers that use shared mail
You may need to move mail files when you need more space on a server or when users change jobs. When moving a mail file from a server that uses shared mail, the Administration Process (AdminP) automatically unlinks the existing mail file from any shared mail databases to which it may be linked, creates the new mail file, replicates mail to the new mail file, and deletes the old mail file. When using the Move Users tool to move a mail file, you can specify whether to use shared mail on the new server.
For more information on moving mail files, see the chapter Setting up and Managing Notes Users.

Purging obsolete shared mail messages

Each message in a shared mail database contains object links to the mail files of all recipients of the message. The number of mail files that a message links to represents the reference or share count for that message. When a user deletes a message from a personal mail file, Domino immediately removes the object link to that mail file from the shared mail database.
When all recipients have deleted a message from their mail files, the reference count for the message reaches zero, and the message becomes obsolete. Domino automatically purges the shared portion of obsolete messages from the shared mail databases immediately after all users have deleted it from their mail files.
In earlier releases of Domino, links to user mail files and obsolete messages were not immediately deleted after users deleted messages from their mail file. Deletions occurred only after the Object Collect task was run, an expensive process that examines each link in the referencing databases to determine whether the referring note still exists.

In Domino Release 6, the Object Collect task is used to resynchronize
mail files with a shared mail database and to generate shared mail
statistics. Synchronization between a shared mail database and the mail
files that use it can become disrupted if a shared mail database is
restored from a backup that doesn't include the most recently received
messages. As a result, these messages are incomplete and cannot be read:
the message headers appear in users' mail files, but no message body
exists in the object store. Running the Object Collect task resynchronizes
a mail file with the object store by purging incomplete messages. The
task checks each mail file that uses the object store and removes those
messages that have no message body in the object store.
If a mail file has replicas on other servers, messages removed during
resynchronization can be restored to the shared mail database when
replicated to the mail file on the shared mail server.
Running the Object Collect task to purge messages automatically
generates shared mail statistics. For information about using the Object
Collect task to generate shared mail statistics without purging messages,
see the topic Generating and viewing shared mail statistics earlier in
this chapter.
To preview which messages will be purged
Before purging obsolete messages, enter this command at the console to
determine which documents will be deleted and how much space will
become available:
Load Object Collect -Nodelete

To purge messages from the shared mail database
Enter one of these commands at the console:
Load Object Collect SHARED.NSF
Load Object Collect -Force SHARED.NSF

where SHARED.NSF is the name of the shared mail directory or a
specific shared mail database. Use the -Force option after you delete a
user's mail file to reclaim the disk space used by shared messages that
reference the deleted mail file only.
Caution If you do not indicate a specific database, the Object Collect
task purges obsolete messages from all shared mail databases. Also,
before you use the -Force option, ensure that all of the mail files that store
messages in the shared mail database are available. If Domino cannot
write to a mail file referenced by the shared mail database (for example,
if the mail file has been moved or cannot currently accept new mail),
the Object Collect task behaves as though the mail file had been deleted.
As a result, the task deletes messages that should be retained.
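The reference counting described under Purging obsolete shared mail messages, the resynchronization that Object Collect performs after a restore from an incomplete backup, and the data-loss case the Caution above warns about, can all be seen in a small in-memory model. This is an added example, not Domino code: the class and method names, the "-Nodelete" and "-Force" flags as keyword arguments, and the user and message names in the usage are constructed for illustration.

```python
"""In-memory model of Domino shared mail reference counting and the
Object Collect task. Added example, not Domino code: every class, method
and sample name here is constructed to illustrate the behaviour the
manual describes, not to reproduce Domino's implementation."""
from dataclasses import dataclass, field


@dataclass
class MailFile:
    name: str
    headers: set = field(default_factory=set)  # message ids stored as headers only
    writable: bool = True                       # False models a moved or locked file


@dataclass
class SharedMailDb:
    bodies: dict = field(default_factory=dict)  # message id -> body (stored once)
    links: dict = field(default_factory=dict)   # message id -> names of linked mail files

    def share_count(self, msg_id):
        """Reference count: how many mail files still link to this body."""
        return len(self.links.get(msg_id, ()))


class SharedMailServer:
    def __init__(self):
        self.store = SharedMailDb()
        self.mail_files = {}

    def add_mail_file(self, name):
        self.mail_files[name] = MailFile(name)

    def deliver(self, msg_id, body, recipients):
        """Router split: the body goes into the object store once, each
        recipient mail file gets a header, and one link per recipient is kept."""
        self.store.bodies[msg_id] = body
        self.store.links[msg_id] = set(recipients)
        for name in recipients:
            self.mail_files[name].headers.add(msg_id)

    def user_deletes(self, name, msg_id):
        """Deleting from a mail file removes that file's link at once; the body
        is purged the moment the share count reaches zero."""
        self.mail_files[name].headers.discard(msg_id)
        self.store.links.get(msg_id, set()).discard(name)
        if self.store.share_count(msg_id) == 0:
            self.store.bodies.pop(msg_id, None)
            self.store.links.pop(msg_id, None)

    def restore_store_from_backup(self, backup_bodies):
        """Restore the object store from a backup that lacks recent bodies:
        headers delivered after the backup was taken now have no body."""
        self.store.bodies = dict(backup_bodies)
        self.store.links = {m: l for m, l in self.store.links.items()
                            if m in backup_bodies}

    def object_collect(self, force=False, nodelete=False):
        """Object Collect: find headers with no body in the store (purged to
        resynchronize) and bodies no live mail file references.
        nodelete=True only reports, like -Nodelete. force=True, like -Force,
        disregards links from mail files that are missing or cannot be
        written, which is why every mail file must be available first."""
        report = {"incomplete_headers": [], "orphan_bodies": []}
        for mf in self.mail_files.values():
            for msg_id in sorted(mf.headers):
                if msg_id not in self.store.bodies:
                    report["incomplete_headers"].append((mf.name, msg_id))
        for msg_id in sorted(self.store.bodies):
            links = self.store.links.get(msg_id, set())
            if force:
                links = {n for n in links
                         if n in self.mail_files and self.mail_files[n].writable}
            if not links:
                report["orphan_bodies"].append(msg_id)
        if not nodelete:
            for name, msg_id in report["incomplete_headers"]:
                self.mail_files[name].headers.discard(msg_id)
            for msg_id in report["orphan_bodies"]:
                self.store.bodies.pop(msg_id, None)
                self.store.links.pop(msg_id, None)
        return report
```

Running object_collect(nodelete=True) first, as the manual's preview step does, shows what a real run would remove; running it with force=True while a linked mail file is unwritable removes a body that a live header still references, which is the retained-message loss the Caution describes.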

To purge messages from a user's mail file
Enter this command at the console:
Load Object Collect USERMAIL.NSF

where USERMAIL.NSF is the name of the user's mail file.

Restoring a shared mail database
Data loss is an unusual occurrence, but it can occur. To prevent data loss
in a shared mail database, enable transaction logging, and use a backup
utility that supports transaction logs. When you restore from the backup
media, Domino automatically applies any notes that have been added
since the backup was taken. In general, you should perform a complete
backup at least once a week, and incremental backups of the transaction
logs every day. Refer to the documentation that came with your backup
utility for specific recommendations.
If you do not use transaction logging, back up the shared mail database
at least once a day and use multiple shared mail databases on the server.
Using multiple shared mail databases on different physical disks can
reduce the amount of shared mail data lost in the event of database
corruption or disk failure.
If data loss occurs on a server that does not use transaction logging or
was not backed up using a utility that supports transaction logging, you
may be unable to restore some messages to the shared mail database.
Therefore, users' mail files might still contain message headers that
reference message content that was not restored in the shared mail
database. These users cannot read these messages because the shared
mail database doesn't contain the corresponding message content.
To restore a shared mail database when transaction logging is not
enabled
1. Download the most recent backup copy of the shared mail database
to a directory that is not part of the Domino server's directory
structure. The Domino server's directory structure includes the data
directory, directories that are referenced by directory links, and
subdirectories of all of these directories. The directory can be on a
network drive if there is not enough room on the server's local disks
to store the backup copy of the shared mail database.

2. At the console, enter the Push command to push changes from the
backup shared mail database to the current shared mail database.
For example, after downloading the backup copy of the shared mail
database into the directory h:\backup, enter this command at the
console:
Push Manufacturing h:\backup\SHARE1.NSF

where Manufacturing is the name of the server and SHARE1.NSF is
the name of the shared mail database.
3. Delete the backup copy of the shared mail database.
4. In the users' mail files, purge messages that no longer have
corresponding message content in the shared mail database.

Deleting a shared mail database
If your organization decides to stop using shared mail, or a server has
several inactive shared mail databases that only a few mail files still link
to, you may need to delete shared mail databases.
Before deleting a shared mail database, unlink all mail files from it.
Unlinking mail files from a shared mail database places a complete copy
of each message in the shared mail database in all of the mail files listed
in the message's object store link. If you delete a shared mail database
that is still linked to users' mail files, those users lose access to message
bodies contained in the database.
Note Before you unlink a shared mail database, verify the number and
size of the messages shared in it to determine if you have enough disk
space available to store complete copies of the shared messages in each
recipient's mail file.
To delete a shared mail database
1. Enter this command at the console to generate shared mail statistics
that indicate which mail files have links to the object store:
Load Object Info -Full OBJECTSTORE

where OBJECTSTORE is the complete path to a shared mail directory
or a single shared mail database.
For more information on generating shared mail statistics, see the
topic Generating and viewing shared mail statistics earlier in this
chapter.
2. View the usage statistics in the Domino Administrator. Use this
information to determine if you have enough disk space available for
storing complete copies of the shared messages in the recipients' mail
files.

3. Enter this command at the console:
Load Object Unlink SHARED.NSF

where SHARED.NSF is the name of the shared mail database. This
unlinks the shared mail database from all mail files, so that the
messages it contained are restored as complete messages to user mail
files.
4. Delete the shared mail database file.

Disabling shared mail
If you decide to return to the use of message-based mail storage, you can
disable shared mail on the server. After you disable shared mail on a
server, user mail files that were linked to shared mail remain linked to
the now inactive shared mail databases. Because the shared mail
databases still contain the body portion of previously delivered
messages, use caution before moving or removing databases.
To take advantage of the space savings already achieved, you may
choose to preserve inactive shared mail databases in their current state. If
you do decide to retain these inactive databases, they must remain in
their current location to allow users to access messages.

To disable shared mail
1. From the Domino Administrator, click the Configuration tab and
then expand the Server section.
2. Select the Server document to be edited and then click Edit Server.
3. Click the Shared Mail tab.
4. In the Shared Mail field, choose None.
5. To refresh the shared mail configuration, enter the following
command at the server console:
SHOW SCOS

For more information about using the Show SCOS command, see the
appendix Server Commands.
After you disable shared mail, the Router stops adding new
messages to shared mail databases. However, users whose mail files
remain linked to the shared mail database can still access previously
received messages.

Chapter 30
Setting Up the POP3 Service
This chapter describes how to set up the POP3 service on a Domino
server and how to set up POP3 users.

The POP3 service
POP3 (Post Office Protocol Version 3) is an Internet mail protocol that
allows a user running a POP3 client (for example, the Lotus Notes
POP3 client, Netscape Navigator, Eudora Pro, or Microsoft Outlook
Express) to retrieve mail from a server that runs the POP3 service. You
can set up a Domino server to run the POP3 service. The Domino server
receives and stores mail for POP3 users, who can then connect to the
server to retrieve their mail.
The Domino POP3 service acts as an intermediary for communications
between POP3 mail clients and the Domino mail server. By default, the
Domino POP3 service monitors TCP port 110, where POP3 clients
connect to submit requests to the service to retrieve mail. After receiving
a request, the POP3 service sends mail to the client. POP3 clients let users
specify whether to leave a copy of a message on the server after
retrieving it. By default, messages downloaded by the client are deleted
from the server.
The POP3 service complies with RFC 1939 - Post Office Protocol Version 3.
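The exchange the two paragraphs above describe, a client authenticating with a name and password, retrieving messages and choosing whether the server copy is deleted, can be followed in a minimal RFC 1939 server-side session. This is an added example, not Domino code and not the Domino POP3 task: the account, its password and the mailbox contents are constructed, and the session is driven in-process by scripted client commands rather than over TCP port 110.

```python
"""Minimal server side of an RFC 1939 POP3 session, driven in-process by
scripted client commands. Added example, not Domino code: the account,
password and mailbox contents are constructed; Domino would check the
Internet password in the Person document and serve the user's mail file.
It shows name-and-password login, retrieval, and deletion that the client
may or may not request, applied only when the session ends with QUIT."""
import hmac

CRLF = "\r\n"


class Pop3Session:
    """One client connection, moving AUTHORIZATION -> TRANSACTION -> UPDATE."""

    def __init__(self, accounts, mailboxes):
        self.accounts = accounts      # login name -> Internet password (model only)
        self.mailboxes = mailboxes    # login name -> list of message texts
        self.state = "AUTHORIZATION"
        self.user = None
        self.deleted = set()          # 1-based message numbers marked by DELE

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if self.state == "AUTHORIZATION":
            return self._authorization(verb, arg)
        if self.state == "TRANSACTION":
            return self._transaction(verb, arg)
        return "-ERR session closed"

    def _authorization(self, verb, arg):
        if verb == "USER":
            self.user = arg
            return "+OK"
        if verb == "PASS":
            expected = self.accounts.get(self.user)
            # constant-time compare; an unknown USER fails exactly like a bad PASS
            if expected is not None and hmac.compare_digest(expected, arg):
                self.state = "TRANSACTION"
                return "+OK maildrop locked and ready"
            self.user = None
            return "-ERR authentication failed"
        if verb == "QUIT":
            self.state = "UPDATE"
            return "+OK"
        return "-ERR not authenticated"

    def _live(self):
        """Message numbers not yet marked for deletion in this session."""
        return [n for n in range(1, len(self.mailboxes[self.user]) + 1)
                if n not in self.deleted]

    def _transaction(self, verb, arg):
        msgs = self.mailboxes[self.user]
        live = self._live()
        if verb == "STAT":
            return "+OK %d %d" % (len(live), sum(len(msgs[n - 1]) for n in live))
        if verb == "LIST":
            lines = ["+OK %d messages" % len(live)]
            lines += ["%d %d" % (n, len(msgs[n - 1])) for n in live]
            return CRLF.join(lines + ["."])
        if verb in ("RETR", "DELE"):
            if not arg.isdigit() or int(arg) not in live:
                return "-ERR no such message"
            n = int(arg)
            if verb == "RETR":
                # byte-stuff lines that begin with "." so message content
                # cannot be mistaken for the end-of-message marker
                body = CRLF.join("." + l if l.startswith(".") else l
                                 for l in msgs[n - 1].split(CRLF))
                return "+OK %d octets" % len(msgs[n - 1]) + CRLF + body + CRLF + "."
            self.deleted.add(n)
            return "+OK message %d deleted" % n
        if verb == "RSET":
            self.deleted.clear()
            return "+OK"
        if verb == "QUIT":
            # UPDATE state: DELE marks are applied only now. A client that never
            # sent DELE leaves its mail on the server, as the text describes.
            self.mailboxes[self.user] = [m for i, m in enumerate(msgs, 1)
                                         if i not in self.deleted]
            self.state = "UPDATE"
            return "+OK"
        return "-ERR unknown command"


def run_session(accounts, mailboxes, client_lines):
    """Run one scripted client through a fresh session; return the replies."""
    session = Pop3Session(accounts, mailboxes)
    return [session.handle(line) for line in client_lines]
```

Note that USER and PASS carry the login name and Internet password as plain text in the protocol; on the TCP/IP port alone nothing protects them in transit, which is the reason this chapter also provides an SSL port for the POP3 service.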
Supporting outbound mail service for POP3 clients
POP3 is a mail access protocol only and does not stipulate any method
for sending mail. To ensure that POP3 clients can send outbound mail,
you must provide them with access to an SMTP server. The SMTP server
can be the Domino server running the POP3 service, another Domino
server, or a non-Domino SMTP server.
For information about specifying the SMTP server that a POP3 client uses
for outbound mail, see the topic Configuring POP3 client software later
in this chapter.

Authenticating with the server
The Domino server does not check Notes User ID files to verify the
identity of users who connect from a POP3 client. Because the POP3
service does not use ID files to identify users and control access to
servers, a POP3 user does not have to be a registered Notes user. To
access mail through the POP3 service, users need a mail file on the server
and a Person document (including an Internet password) in the Domino
Directory. Only users who receive encrypted Notes mail or access
Domino applications must be registered Notes users.
To authenticate POP3 users, Domino relies on authentication methods
built into the Internet protocols. The methods available depend on the
server ports you configure the POP3 service to use. The POP3 service can
use a TCP/IP port, a Secure Sockets Layer (SSL) port, or both the TCP/IP
and SSL ports.
If POP3 uses the TCP/IP port only (the default), the server uses basic
name-and-password authentication to identify users. The login names
that the server accepts as valid depend on the setting in the Internet
authentication field on the Security tab of the Server document.
For more information on configuring how Domino authenticates Internet
clients, see the chapter Setting Up Name-and-Password and
Anonymous Access to Domino Servers.
If the SSL port is enabled, you can specify whether a client certificate is
required to authenticate (SSL authentication), and whether clients must
also supply a name and password.
For information on setting up an SSL server, see the chapter Setting Up
SSL on a Domino Server. For information on setting up clients for SSL,
see the chapter Setting Up Clients for S/MIME and SSL.
Accessing a mail file from the Notes client and a POP3 client
POP3 clients use the standard Domino mail file database. This allows
registered Notes users to access their mail files from both a POP3 client
and the Notes mail client.

Setting up the POP3 service
The Domino POP3 service can be run on any Domino server on which a
TCP/IP port is configured. The POP3 protocol provides a mechanism for
retrieving mail only; POP3 clients send mail using the SMTP protocol.

To set up the Domino POP3 service
1. Edit the Server document to enable the TCP/IP port for POP3.
Optionally, you can configure the POP3 TCP/IP port to run from an
alternate port number, and to accept SSL connections.
For more information on enabling and configuring POP3 ports, see
the topic Enabling and configuring the POP3 service port later in
this chapter.
2. Start the POP3 task on the Domino server.

Starting and stopping the POP3 service
You can load the POP3 service manually or start it automatically when
you start the Domino server.
To start the POP3 service manually, enter the following command at the
console:
load POP3

To start the POP3 service automatically when you start the Domino
server, edit the ServerTasks setting in the NOTES.INI file to include the
command POP3. Domino adds the POP3 task by default to the NOTES.INI
file if you select the POP3 service during installation.
To stop the POP3 service, enter the following command at the console:
tell POP3 quit

Enabling and configuring the POP3 service port
For POP3 clients to access mail files on the server, you must enable a
POP3 port on the server. You can enable the TCP/IP port, the SSL port,
or both. By default, the Domino POP3 service uses TCP/IP port 110. A
procedure later in this topic explains how to enable and disable the POP3
port, how to set the POP3 service to use a nonstandard port, and how to
change security options for the port.
Configuring POP3 authentication options on servers that use
Internet Site documents
On servers that use Internet Site documents, the POP3 service obtains
port authentication settings from the Security tab of the POP3 Site
document, rather than from the Server document. As a result, when
Internet Site documents are used, the TCP/IP and SSL port
authentication settings described in the procedures that follow are not
available in the Server document. Settings in the Server document still
provide the port numbers and status for the POP3 TCP/IP and SSL ports,
and enable the POP3 ports to honor server access restrictions.
To determine whether the use of Internet Site documents is enabled for a
server, check the value of the following field on the Basics tab of the
Server document: Load Internet configurations from Server\Internet
Sites documents. If this field is set to Enabled, the server uses Internet
Site documents to configure all of its Internet protocols (POP3, IMAP,
SMTP, and so forth).
If the server uses Internet Site documents, then you must use Site
documents to configure all Internet protocols on the server. If a POP3 Site
document is not present in the Domino Directory, or the authentication
options in a configured POP3 Site document are set to No, users cannot
connect to the POP3 service. In each case, POP3 clients receive the
following error when attempting to connect to the POP3 service:
This site is not enabled on the server.

For information on creating and using Internet Site documents, see the
chapter Installing and Setting Up Domino Servers.
To enable the POP3 TCP/IP port
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the POP3
service.
2. Click the Ports - Internet Ports - Mail tab.
3. To enable the default TCP/IP port, in the Mail (POP) column, change
the value of the TCP/IP port status field to Enabled.
4. Click Save and Close or edit additional settings, as directed in the
following procedure.
Note On servers with multiple TCP/IP ports, by default, the POP3
service uses the port listed first in the NOTES.INI file as the preferred
path. If you want the service to use a port other than the default one, you
can configure it to use a specific port.
For information on configuring an Internet service to bind to a specific
TCP/IP port, see the chapter Setting Up the Domino Network.
To configure the POP3 TCP/IP port
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the POP3
service.
2. Click the Ports - Internet Ports - Mail tab.
3. In the Mail (POP) column, complete these fields, and then click Save
and Close:

TCP/IP port number: Choose 110 (default) to use the industry standard
port for POP3 connections over TCP/IP. You can specify a different port,
but 110 works in most situations. When specifying a nonstandard port,
make sure the port is not reserved for another service. Port numbers can
be any number from 1 to 65535.

TCP/IP port status: Choose one:
Enabled (default) - Allows POP3 clients to connect to the Domino server
without using SSL. Users must provide their name and Internet password
to connect.
Disabled - Prevents POP3 clients from connecting to the Domino server,
unless they can connect using SSL.

Enforce server access settings: Choose one:
Yes - Access to the POP3 service is controlled by the server access
settings on the Security tab of the Server document. Users who are not
allowed to access the server cannot access mail through the POP3 service.
No (default) - The POP3 service ignores the server access settings in the
Server document.

4. Restart the POP3 task to put the new settings into effect.
To enable and configure the POP3 SSL port
1. Familiarize yourself with the Domino security model and set up SSL
on the Domino server.
2. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the POP3
service.
3. Click the Ports - Internet Ports - Mail tab.
4. In the Mail (POP) column, complete these fields, and then click Save
and Close:

SSL port number: Choose 995 (default) to use the industry standard port
for POP3 connections over SSL. You can specify a different port, but 995
works in most situations. When specifying a nonstandard port, make sure
the port is not reserved for another service. Port numbers can be any
number from 1 to 65535.

SSL port status: Choose one:
Enabled - Allows POP3 clients to connect to the POP3 service over SSL.
Disabled (default) - Prevents client connections over SSL.

Authentication options: Client certificate: If SSL port status is set to
Enabled, choose one:
Yes - The POP3 SSL port authenticates POP3 clients that use client
certificates. If a connecting client does not have a certificate, the server
reverts to using name-and-password authentication.
No (default) - The POP3 SSL port does not support client certificate
authentication.

Authentication options: Name & password: If the SSL port status field is
set to Enabled, choose one:
Yes - POP3 clients use name-and-password authentication when
connecting to the POP3 service over SSL.
No (default) - The POP3 SSL port does not support name-and-password
authentication.

5. Restart the POP3 task to put the new settings into effect.
Performing additional POP3 configuration
In addition to configuring the POP3 service port, you can customize the
operation of the POP3 service by setting variables in the server's
NOTES.INI file. Variables used to configure the POP3 service begin with
the prefix POP3.
For more information on setting variables in the NOTES.INI file, see the
appendix NOTES.INI File.

Setting up POP3 users
To set up POP3 users, perform these procedures:
1. Set up the Person document.
2. Create a mail file for the POP3 user.
3. Configure POP3 client software.

Setting up the Person document for a POP3 user
To access mail files on the Domino server, a POP3 user must have a
Person document in the Domino Directory. For users who already have a
Person document, edit settings in the existing document as necessary to
provide POP3 support. If a user does not have an existing Person
document, you must create a new one. You can create a Person document
manually, or use the Domino registration process to create the Person
document automatically. If you use the Domino registration process,
select POP3 in the Mail system field of the Register Person dialog box.
Note By default, the Domino registration process generates a Notes ID
file (and corresponding Notes Public Encryption Key in the Domino
Directory) for each user in addition to creating the Person documents
and mail files required by a POP3 user. Because users who will access
Domino from POP3 clients only do not require a Notes ID, during
registration you can deselect the option to Create a Notes ID for this
person. However, if a new POP3 user also requires access to Domino
from a Notes client, Domino Administrator client, or Domino Designer
client, be sure to enable creation of an ID file.
For more information on using the Domino registration process, see the
chapter Setting Up and Managing Notes Users.
The following procedure specifies the Person document settings required
for POP3 users and explains how to create a Person document manually.
To set up a Person document for a POP3 user
1. From the Domino Administrator, click the People & Groups tab.
2. Select Domino Directories - Address Book - People.
3. If no Person document exists for this user, click Add Person to create
a new Person document.
To display an existing Person document, select the name of the user,
and click Edit User.

4. Click the Basics tab, complete these fields, and then click Save &
Close:

First name, Last name, User name: The name the client uses to
authenticate with the POP3 server must be unique in the Domino
Directory. Depending on the level of Internet access security established
for the server (Server document - Security tab), the login name or user
name configured on the POP3 client must match an entry in one of these
fields. Entries in the User name field are always accepted as the login
name. If Internet authentication is set to allow More name variations
with lower security, entries in the First name and Last name fields may
also be accepted as login names.

Internet password: The password that the user enters to access the
Domino server from the POP3 client. POP3 users must have an Internet
password that complies with your organization's password quality
requirements.

Mail system: Choose POP or IMAP if the user does not require Notes
client access.

Domain: The name of the Notes domain to which the server belongs.

Mail server: The name of the POP3 user's Domino mail server.

Mail file: The path for the user's mail file, relative to the Domino data
directory, for example: MAIL\AJONES.

Forwarding address: Leave this blank for users who access mail files on
the Domino server from a POP3 client.

Internet address: The Internet address at which the user can receive mail
within your organization. This address must match the Internet address
specified in the POP3 client.

Format preference for incoming mail: Choose one:
Keep in sender's format - (default) The mail file may contain messages
in either Notes rich text or MIME format. When delivering messages to
the mail file, the local Router preserves the current message format. Thus
messages received at the server in MIME format are stored in the mail
file in MIME format, and messages received at the server in Notes rich
text format are stored in Notes rich text format. When a POP3 client
requests a message that is stored in Notes rich text format, the POP3
service must convert the message to MIME before sending it to the
client. Because the stored message remains in Notes rich text format, each
time a POP3 client requests the message, the POP3 service must perform
the conversion.
Prefers MIME - The mail file stores messages in MIME format only.
Choose this option for users who access mail exclusively from a POP3
client. Since POP3 clients require messages in MIME format, storing mail
in MIME format ensures the best performance for POP3 users,
eliminating the need for the POP3 service to convert messages before
passing them to the client.
Prefers Notes Rich Text - The mail file stores messages in Notes format
only. The Router converts messages received as MIME into Notes rich
text before delivery. In addition, the POP3 task must convert messages to
MIME format when sending them to a POP3 client. To ensure the best
performance, do not choose this option for users who access their
Domino mail file primarily from a POP3 client.

When receiving unencrypted mail, encrypt before storing in your mail
file: Choose No (default). POP3 clients cannot read encrypted Notes mail.
To ensure that users who read mail exclusively from POP3 clients do not
receive Notes-encrypted mail, remove the POP3 users' Notes public
encryption keys from their Person documents. Never remove the Notes
public key from the Person document of users who access Notes
databases from a Notes client.

For more information about password quality requirements, refer to
the chapter Protecting and Managing Notes IDs.
5. Complete the procedure Creating a mail file for a POP3 user.

Creating a mail file for a POP3 user
Each POP3 user must have a mail file on the Domino server. You can
create the mail file automatically during user registration, or you can
manually create a mail file. If the user is already a registered Notes user
who has an existing Notes mail file and if you set up the Person
document to use POP3 as the mail system, the user can use a POP3 client
to access the mail file.
If a user does not have an existing mail file on a Domino server, create a
new one as described in the following procedure.
To manually create a mail file
1. Make sure that you have set up a Person document for the POP3
user.
2. Choose File - Database - New.
3. In the New Database dialog box, enter the following:
Server: The Domino mail server that stores the user's mail file.
Title: The name of the client's mail file, for example, Alan Jones Mail.
File name: The full path to the mail file, relative to the Domino data
directory, for example, MAIL\AJONES.NSF.
4. From the list of template names, select Mail (R6) with the filename
MAIL6.NTF, and click OK.
5. After Domino creates and opens the mail file, determine what level
of access is appropriate for both the user and you, as the
administrator. Then, edit the Access Control List (ACL) as follows:
a. Choose File - Database - Access Control.
b. From the Access Control List dialog box, create an ACL entry for
the user by clicking Add and then selecting the user's name from
the Domino Directory.
c. Set the user type to Person and select the level of access. Users
require at least Editor with Delete document access.
d. (Optional) Select your name from the ACL and click Remove. As
the administrator, you can choose to retain Manager access,
particularly for users who do not have Notes client access.
e. Click OK to save the entry and close the ACL.
6. Complete the procedure Configuring POP3 client software.

Configuring POP3 client software
After you set up a Domino server to run the POP3 service, users can
access their mail files on the Domino server from any POP3 mail client.
The POP3 service supports all POP3-compliant clients, for example,
the Lotus Notes POP3 client, Microsoft Outlook and Outlook Express,
Netscape Messenger, and Qualcomm Eudora.
The requirements for configuring POP3 client software differ for each
product. This table presents general requirements.

Incoming mail (POP3) server: Fully qualified host name of the Domino
POP3 server.

Outgoing mail (SMTP) server: The fully qualified host name of a server
running SMTP to which the user can send mail addressed to intranet or
Internet recipients. The SMTP server may be the Domino server running
the POP3 service, a different Domino server, or a non-Domino SMTP
server.

Authentication required to send outbound mail: Specifies whether the
configured SMTP server requires users to provide a name and password
before they can send outgoing messages.

Account/Login name: The name by which the user authenticates with the
Domino server. Valid user name values depend on the setting in the
Internet authentication field of the Server document:
If the server is set to use More name variations with lower security,
users can enter a login name that matches any entry in the First name,
Last name, User name or Short name/UserID field of the Person
document, as long as it is unique within the Domino Directory, for
example, JCorrer.
If the server uses Fewer name variations with higher security, a user's
login name must match an entry in the User name field of the Person
document, for example, Jada Correr/ACME.

Password: The Internet password from the user's Person document.

Automatically delete mail documents from the POP3 server after the
client copies them locally: By default, when downloading messages from
the server, most POP3 clients delete the server copy to conserve disk
space. For users who read mail from both the Notes client and a POP3
client, make sure the POP3 client is set to leave messages on the server.

POP3 client should check for mail no more than every five (5) minutes:
Determines how often the POP3 client checks for mail. If the client checks
for mail more frequently, it may affect server performance.

E-mail address: The Internet address specified in the user's Person
document.

For more information on the relationship between security settings and
valid login names, see the chapter Setting Up Name-and-Password and
Anonymous Access to Domino Servers.
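The login-name rules in the Account/Login name row above, together with the Person document fields from the previous topic and the Enforce server access settings option from the port configuration, can be modelled as one authentication check. This is an added example, not Domino code: the Person documents, the dictionary keys used for the fields, the salted hash used to store the Internet password, and the case-insensitive matching are all constructed for this model and do not describe Domino's own directory format or hashing.

```python
"""Login-name resolution and the checks around it for Internet (POP3)
name-and-password authentication, following the two settings of the
Internet authentication field described in the text. Added example, not
Domino code: the Person documents, field keys, hash format and the
case-insensitive matching are constructed for this model only."""
import hashlib
import hmac
import os

FEWER = "Fewer name variations with higher security"
MORE = "More name variations with lower security"


def hash_internet_password(password, salt=None):
    """Model-only salted PBKDF2 digest for the stored Internet password
    (Domino stores its own hash formats; this is not one of them)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_internet_password(stored, password):
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_internet_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def _accepted_names(person, setting):
    """Names a login may match under the given setting. User name entries
    are always accepted; the lower-security setting adds First name,
    Last name and Short name/UserID."""
    names = list(person["user_name"])
    if setting == MORE:
        names += [person["first_name"], person["last_name"], person["short_name"]]
    return {n.casefold() for n in names if n}


def resolve_login(directory, login, setting):
    """Return (person, reason). A login is accepted only when it matches
    exactly one Person document: two people who share a last name cannot
    be told apart by it, so such a login is refused rather than guessed."""
    key = login.strip().casefold()
    matches = [p for p in directory if key in _accepted_names(p, setting)]
    if not matches:
        return None, "no match"
    if len(matches) > 1:
        return None, "ambiguous"
    return matches[0], "ok"


def pop3_login(directory, login, password, setting,
               enforce_server_access=False, allowed_users=()):
    """Full check: resolve the name, verify the Internet password, then, if
    Enforce server access settings is Yes, require the user to be allowed
    by the server access list (modelled as a set of User name entries).
    The reason is meant for the server log; the client should only ever
    see one generic failure reply."""
    person, reason = resolve_login(directory, login, setting)
    if person is None:
        return False, reason
    if not verify_internet_password(person["internet_password"], password):
        return False, "bad password"
    if enforce_server_access and person["user_name"][0] not in allowed_users:
        return False, "denied by server access settings"
    return True, "ok"


# Constructed sample directory: two people share the last name Correr.
DIRECTORY = [
    {"first_name": "Jada", "last_name": "Correr", "short_name": "JCorrer",
     "user_name": ["Jada Correr/ACME", "Jada Correr"],
     "internet_password": hash_internet_password("jadas-pw")},
    {"first_name": "Mia", "last_name": "Correr", "short_name": "MCorrer",
     "user_name": ["Mia Correr/ACME", "Mia Correr"],
     "internet_password": hash_internet_password("mias-pw")},
    {"first_name": "Alan", "last_name": "Jones", "short_name": "AJones",
     "user_name": ["Alan Jones/ACME", "Alan Jones"],
     "internet_password": hash_internet_password("alans-pw")},
]
```

With the lower-security setting, JCorrer resolves because the Short name is accepted and unique, while Correr alone is refused as ambiguous; with the higher-security setting only the User name entries, such as Jada Correr/ACME, are accepted at all.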

Chapter 31
Setting Up the IMAP Service
This chapter describes how to set up a Domino server to use the IMAP
service and how to set up IMAP users.

The IMAP service
The Domino server supports the Internet Mail Access Protocol
(IMAP4rev1), defined in RFC 2060, for reading mail. The Domino IMAP
service lets users with IMAP mail clients access mail files on a Domino
server. The IMAP service differs from the POP3 service in that users are
not required to download messages to a local computer to read and
manipulate them. Users can work with messages over the network, while
the messages remain on the server.
The Domino IMAP service acts as an intermediary for communications
between IMAP mail clients and the Domino mail server. By default, the
IMAP service monitors TCP port 143 for IMAP client requests. After
connecting to the IMAP service, IMAP mail clients can:
- Access messages on the Domino mail server
- Retrieve messages from the Domino mail server and store them
locally
- Copy messages for offline use and then later synchronize with mail
on the server
- View folders in another user's mail file or public folders in a shared
database (requires a client that supports the IMAP NAMESPACE
extension)

Supporting outbound mail service for IMAP clients
IMAP is a mail access protocol only and does not stipulate any method
for sending mail. To ensure that IMAP users can send outbound mail,
you must provide them with access to an SMTP server. The SMTP server
can be the Domino server running the IMAP service, another Domino
server, or a non-Domino SMTP server.
For information about specifying the SMTP server that an IMAP client
uses for outbound mail, see the topic Configuring IMAP client
software later in this chapter.

Authenticating with the server


When a user connects to the IMAP service, rather than verifying the
user's identity by checking a Notes ID file, the IMAP service uses
name-and-password authentication, SSL, or both. Because Notes ID files
are not used, an IMAP user does not have to be a registered Notes user.
To access mail through the IMAP service, users need a mail file on the
server and a Person document (including an Internet password) in the
Domino Directory. Only users who receive encrypted Notes mail or
access Domino applications must be registered Notes users. The IMAP
service can authenticate users from entries in the primary Domino
Directory or any secondary directory used by the server.
To authenticate IMAP users, Domino relies on authentication methods
built into the Internet protocols. The methods available depend on the
server ports you configure the IMAP service to use. The IMAP service
can use a TCP/IP port, or a Secure Sockets Layer (SSL) port, or both the
TCP/IP and SSL ports.
If IMAP uses the TCP/IP port only (the default), the server uses basic
name-and-password authentication to identify users. On that port the
name and Internet password cross the network without encryption, so
anyone who can observe the traffic can capture them; where that matters,
enable the SSL port and set the TCP/IP port status to Redirect to SSL or
Disabled. The name under which a user can log in to the IMAP service
must match one of several fields in the user's Person document. The set
of names that the server accepts as valid depends on the setting in the
Internet authentication field on the Security tab of the Server document.
For more information on configuring how Domino authenticates Internet
clients, see the chapter Setting Up Name-and-Password and
Anonymous Access to Domino Servers.
If the IMAP SSL port is enabled, you can specify whether a client
certificate is required to authenticate (SSL authentication), and whether
clients must also supply a name and password.
For information on setting up an SSL server, see the chapter Setting Up
SSL on a Domino Server. For information on setting up clients for SSL,
see the chapter Setting Up Clients for S/MIME and SSL.
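The check a practitioner would run after choosing between the TCP/IP and SSL ports, as an added example that is not code from the Domino manual: it connects to the TCP/IP port without logging in, reads the CAPABILITY list, and reports whether a password sent on that port would travel in the clear (no STARTTLS offered and LOGIN or a PLAIN/LOGIN SASL mechanism still accepted); a second function connects to the SSL port with certificate and host-name verification turned on. The host name, CA file name and the three sample capability lists are constructed for illustration; the classification functions run offline on those samples, and only the two probe functions touch the network.

```python
"""Check a Domino IMAP listener for cleartext-password exposure.

Added example for this chapter, not code from the Domino manual. Host
names and the sample capability lists below are constructed, not captured.
"""
import imaplib
import ssl


def classify_capabilities(caps):
    """Summarize an IMAP CAPABILITY list (e.g. ['IMAP4REV1', 'AUTH=PLAIN'])."""
    upper = {c.upper() for c in caps}
    return {
        "imap4rev1": "IMAP4REV1" in upper,
        "starttls": "STARTTLS" in upper,
        "login_disabled": "LOGINDISABLED" in upper,
        "namespace": "NAMESPACE" in upper,
        "auth_mechs": sorted(c[len("AUTH="):] for c in upper if c.startswith("AUTH=")),
    }


def cleartext_login_possible(caps):
    """True when a client on a plain TCP port could send its password unprotected.

    Assumes the client honours STARTTLS when it is advertised. Without
    STARTTLS, either the LOGIN command (unless LOGINDISABLED) or a
    PLAIN/LOGIN SASL mechanism puts the Internet password on the wire.
    """
    c = classify_capabilities(caps)
    if c["starttls"]:
        return False
    plain_sasl = {"PLAIN", "LOGIN"} & set(c["auth_mechs"])
    return (not c["login_disabled"]) or bool(plain_sasl)


def probe_tcp(host, port=143, timeout=10):
    """Open the TCP/IP port, read the greeting and CAPABILITY, never log in.

    A port set to Redirect to SSL (or otherwise refusing the session) sends
    something other than an OK greeting; imaplib raises on that, and the
    refusal text is returned so the operator can read the server's message.
    """
    try:
        conn = imaplib.IMAP4(host, port, timeout=timeout)
    except (imaplib.IMAP4.error, OSError) as exc:
        return {"accepted": False, "reason": str(exc)}
    summary = classify_capabilities(conn.capabilities)
    summary["accepted"] = True
    summary["greeting"] = conn.welcome.decode("ascii", errors="replace")
    summary["cleartext_login_possible"] = cleartext_login_possible(conn.capabilities)
    conn.logout()
    return summary


def probe_ssl(host, port=993, cafile=None, timeout=10):
    """Open the SSL port with certificate and host-name verification enabled.

    cafile: PEM bundle for the CA that issued the server certificate (a
    Domino-internal CA is not in the operating system's trust store).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
    summary = classify_capabilities(conn.capabilities)
    cert = conn.ssl().getpeercert()
    summary["cert_subject"] = cert.get("subject")
    summary["cert_not_after"] = cert.get("notAfter")
    conn.logout()
    return summary


# Constructed capability lists standing in for what differently configured
# ports might advertise (not captured from a real server).
SAMPLE_OPEN_PORT = ["IMAP4REV1", "NAMESPACE", "AUTH=PLAIN", "AUTH=LOGIN"]
SAMPLE_HARDENED_PORT = ["IMAP4REV1", "NAMESPACE", "STARTTLS", "LOGINDISABLED"]
SAMPLE_LOGIN_OFF_BUT_PLAIN = ["IMAP4REV1", "LOGINDISABLED", "AUTH=PLAIN"]

if __name__ == "__main__":
    for name, caps in (("open", SAMPLE_OPEN_PORT), ("hardened", SAMPLE_HARDENED_PORT)):
        print(name, "port: cleartext login possible =", cleartext_login_possible(caps))
    # Against a real server (hypothetical host and CA file names):
    # print(probe_tcp("mail.acme.example"))
    # print(probe_ssl("mail.acme.example", cafile="acme-ca.pem"))
```

Run `probe_tcp` against a server whose TCP/IP port status is Enabled and you will normally see `cleartext_login_possible` come back True, which is the practical meaning of "basic name-and-password authentication" on that port; `probe_ssl` fails loudly if the certificate does not verify, which is what you want a monitoring check to do.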

How Domino modifies mail files to support IMAP

To support IMAP clients and store IMAP-specific information, the
Domino mail file requires the addition of special IMAP database items.
IMAP clients use a standard Domino mail file that must be specially
enabled for IMAP. If you enable IMAP access for the mail file of a
registered Notes user, the user can access the file from either the Notes
client or from an IMAP client.
A standard Domino mail file stores information about the messages it
contains within database items of the message. Notes clients can read and
interpret the information stored in these items, but IMAP clients cannot.
IMAP stores message information within its own set of attributes. For a
Domino mail file to be used with IMAP, Notes/Domino items in the mail
file have to be translated into IMAP attributes. In addition, the mail file
must be set up so that all future messages delivered to it store attribute
information in IMAP format.
To enable IMAP clients to access Domino mail files, run the mail
conversion utility. The conversion process places information about each
message, such as its message ID and folder location, into the message's
IMAP attributes, and sets a flag in the mail file that notifies the Router to
add these IMAP attributes when delivering future messages.
You can run the conversion utility manually to convert mail files before
users log in to the IMAP service, or set up the IMAP service so that it
converts mail files automatically the first time a user logs in.
Note To avoid possible conversion delays, run the conversion utility
before users log in.
Before running the conversion utility, you may first need to prepare the
mail file. For more information, see the topic Preparing a mail file for
IMAP access later in this chapter.

Additional IMAP attributes for improving client download of
message headers

When an IMAP client opens an IMAP-enabled mail file, it issues a
FETCH command to the server, requesting information that enables it to
display message headers. To improve performance for IMAP clients
downloading message headers, the Router adds these IMAP attributes to
messages delivered to an IMAP-enabled mail file:

$Content_Type

IMAP_BodyStruct

IMAP_RFC822Size

Note The Router adds these attributes only if the recipient's Person
document specifies MIME as the preferred mail storage format. The
attributes are not added to messages delivered in MIME format to a user
whose storage preference is set to Keep in sender's format.
These attributes contain summary information about the MIME content
type, structure, and size of a message. Exactly how the attributes are
used depends on the client. Almost all clients request size information. In
addition, some request type and body structure information. If these
summary attributes are present, when the IMAP service returns message
headers in response to a client FETCH request, it uses the attribute
information to fulfill the request, rather than opening each message to
obtain the information. As a result, the client displays message headers
much more quickly than it can in the absence of the summary attributes.
The improved response time is especially significant for large mail files
with a high percentage of messages in Notes rich text format.
Note The Domino Release 6 IMAP service does not use the setting on
the Basics tab of the Configuration Settings document for specifying
whether to return the exact size of messages. This field appears in the
Configuration Settings document to provide backward compatibility
with earlier versions of Domino.
After you run the conversion utility to enable a mail file for IMAP use,
you have to run the conversion utility a second time, using the -h option,
to add these attributes to messages. The initial mail file conversion
performed to enable a mail file for IMAP use does not add IMAP-specific
attributes to pre-existing messages in the mail file, regardless of whether
you run CONVERT manually or let the IMAP service automatically
enable mail files. Thus messages added to a mail file before it is enabled
for IMAP do not contain these summary attributes unless you add them
with the -h option.
After you enable a mail file for IMAP use, the Router automatically adds
these IMAP attributes to messages, if the mail storage preference is set to
Prefers MIME in the user's Person document. However, it does not add
them to messages stored in Notes rich text format.
For more information about running the mail conversion utility using the
-h option, see the topic Using the conversion utility to add IMAP
summary attributes to messages later in this chapter.

Setting up the IMAP service


The Domino IMAP service can be run on any Domino server on which a
TCP/IP port is configured. For information about configuring TCP/IP,
refer to the chapter Setting Up the Domino Network.
IMAP provides a mechanism for retrieving mail only; IMAP clients send
mail using SMTP. For information about enabling SMTP, refer to the
chapter Setting Up Mail Routing.
To set up the Domino IMAP service
1. Edit the Server document to enable the TCP/IP port for IMAP.
Optionally, you can configure the IMAP TCP/IP port to run from an
alternate port number, and to accept SSL connections.
2. Start the IMAP task on the Domino server.

Starting and stopping the IMAP task


You can load the IMAP task manually or start it automatically when you
start the Domino server.
Start the IMAP service manually
    Enter the following command at the console:
    load imap

Start the IMAP service automatically when you start the Domino server
    Edit the ServerTasks setting in the NOTES.INI file to include the task
    imap. Domino adds the IMAP task to the NOTES.INI file by default if
    you select the IMAP service during installation.

Stop the IMAP service
    Enter the following command at the console:
    tell imap quit
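A repeatable way to make the ServerTasks edit described above, as an added example that is not code from the Domino manual: it adds or removes a task name on the ServerTasks= line without disturbing the other tasks or the separate ServerTasksAtN lines, and running it twice leaves the file unchanged. The NOTES.INI fragment, its data directory path and its task list are constructed for illustration.

```python
"""Add or remove a server task on the ServerTasks= line of NOTES.INI.

Added example for this chapter, not code from the Domino manual. The
sample NOTES.INI text is constructed; paths and task lists are illustrative.
"""
import re

# Matches only the ServerTasks= line; ServerTasksAt1=, ServerTasksAt2= ...
# are different settings (tasks run at a given hour) and must not match.
_SERVER_TASKS = re.compile(r"^\s*ServerTasks\s*=\s*(.*)$", re.IGNORECASE)


def _split_tasks(value):
    return [t.strip() for t in value.split(",") if t.strip()]


def server_tasks(ini_text):
    """Return the task names listed on the ServerTasks= line (empty if absent)."""
    for line in ini_text.splitlines():
        m = _SERVER_TASKS.match(line)
        if m:
            return _split_tasks(m.group(1))
    return []


def set_server_task(ini_text, task, enabled=True):
    """Return ini_text with `task` present (enabled=True) or absent on ServerTasks=.

    Idempotent: a second run returns identical text. Task names compare
    case-insensitively, other tasks keep their order, and every other line
    is left as it was. With no ServerTasks= line and enabled=True, one is
    appended.
    """
    lines = ini_text.splitlines()
    found = False
    for i, line in enumerate(lines):
        m = _SERVER_TASKS.match(line)
        if not m:
            continue
        found = True
        tasks = _split_tasks(m.group(1))
        present = any(t.lower() == task.lower() for t in tasks)
        if enabled and not present:
            tasks.append(task)
        elif not enabled and present:
            tasks = [t for t in tasks if t.lower() != task.lower()]
        lines[i] = "ServerTasks=" + ",".join(tasks)
    if not found and enabled:
        lines.append("ServerTasks=" + task)
    return "\n".join(lines) + "\n"


# Constructed NOTES.INI fragment (not copied from a real server).
SAMPLE_INI = (
    "Directory=C:\\Lotus\\Domino\\data\n"
    "ServerTasks=Update,Replica,Router,AMgr,AdminP\n"
    "ServerTasksAt1=Catalog,Design\n"
)

if __name__ == "__main__":
    updated = set_server_task(SAMPLE_INI, "imap")
    print(updated, end="")
    print("IMAP starts with the server:",
          "imap" in [t.lower() for t in server_tasks(updated)])
```

Edit a copy of NOTES.INI with this and move it into place while the server is down; the task list is read only at server startup, so the change takes effect on the next start, and `load imap` remains the way to start the service on a running server.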

Customizing the IMAP service


You customize the IMAP service by editing the Server document and
Configuration Settings document. You can change the following settings:

IMAP port configuration

IMAP session limits

Enable IMAP during login

Access to other users and public folders

Thread use

Default service greetings

Enabling and configuring the IMAP service port


From the Domino Administrator you can modify the current IMAP port
configuration to:

Enable or disable the IMAP TCP/IP or SSL port

Change the TCP/IP or SSL port number

Enable or disable TCP/IP or SSL authentication options


For more information on enabling and configuring IMAP ports, refer
to the topic Enabling and configuring the IMAP service port later
in this chapter.

By default, IMAP clients connect to TCP/IP port 143 on the Domino
server. You might need to specify a different port number if there are
multiple instances of the IMAP service on the host machine, for
example, on a partitioned server. You might also change the default port
to a nonstandard port number to hide it from clients attempting to
connect to the default port, or if another application uses the default port
on the server. A nonstandard port number only hides the service from
clients that do not scan for it; it is not an access control. To prevent IMAP
clients from accessing the Domino server, disable the port or change the
security options.
Configuring IMAP authentication options on servers that use
Internet Site documents
On servers that use Internet Site documents, the IMAP service obtains
port authentication settings from the Security tab of the IMAP Site
document, rather than from the Server document. As a result, when
Internet Site documents are used, the TCP/IP and SSL port
authentication settings described in the procedures that follow are not
available in the Server document. Settings in the Server document still
provide the port numbers and status for the IMAP TCP/IP and SSL
ports, and enable the IMAP ports to honor server access restrictions.
To determine whether the use of Internet Site documents is enabled for a
server, check the value of the following field on the Basics tab of the
Server document: Load Internet configurations from Server\Internet
Sites documents. If this field is set to Enabled, the server uses Internet
Site documents to configure all of its Internet protocols (IMAP, POP3,
SMTP, and so forth).
If the server uses Internet Site documents, and an IMAP Site document is
not present in the Domino Directory, or the authentication options in a
configured IMAP Site document are set to No, users cannot connect to
the IMAP service. In each case, IMAP clients receive the following error
when attempting to connect to the IMAP service:
This site is not enabled on the server.

For information on creating and using Internet Site documents, see the
chapter Installing and Setting Up Domino Servers.
To enable the IMAP TCP/IP port
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the IMAP
service.
2. Click the Ports - Internet Ports - Mail tab.
3. To enable the default TCP/IP port, in the Mail (IMAP) column,
change the value of the TCP/IP port status field to Enabled.

Note On servers with multiple TCP/IP ports, by default, the IMAP
service uses the port listed first in the NOTES.INI file as the preferred
path. If you want the service to use a port other than the default one, you
can configure it to use a specific port.
For information on configuring an Internet service to bind to a specific
TCP/IP port, see the chapter Setting Up the Domino Network.
To configure the IMAP TCP/IP port
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the IMAP
service.
2. Click the Ports - Internet Ports - Mail tab.
3. In the Mail (IMAP) column, complete these fields, and then click
Save & Close:
TCP/IP port number
    Choose 143 (default) to use the industry standard port for IMAP
    connections over TCP/IP. You can specify a different port, but 143
    works in most situations. When specifying a nonstandard port, make
    sure the port is not reserved for another service. Port numbers can be
    any number from 1 to 65535.

TCP/IP port status
    Choose one:
    Enabled (default) - Allows IMAP clients to connect to the Domino
    server without using SSL. Users must provide their name and Internet
    password to connect.
    Disabled - Prevents IMAP clients from connecting to the Domino
    server, unless they can connect using SSL.
    Redirect to SSL - Denies access to clients connecting to the IMAP
    TCP/IP port, but returns a message indicating that they must connect
    over SSL. You can specify the contents of the message.
    To support IMAP clients, either the IMAP TCP/IP port or the IMAP
    SSL port must be enabled, and the IMAP task must be running on the
    server.

Enforce server access settings
    Choose one:
    Yes - Access to the IMAP service is controlled by the server access
    settings on the Security tab of the Server document. Users who are not
    allowed to access the server cannot access mail through the IMAP
    service.
    No - (default) The IMAP service ignores the server access settings in
    the Server document. With the default, the Access server and Not
    access server lists on the Security tab do not restrict IMAP logins: any
    user who can authenticate with a name and Internet password can
    connect. Choose Yes if you rely on those lists to keep users off a
    server.

4. Click Save & Close, or edit additional settings as directed in the
following procedure.
5. Restart the IMAP task to put the new settings into effect.
For information on customizing IMAP service greetings, see the topic
Specifying the default IMAP service greetings later in this chapter.
For instructions on setting up the IMAP SSL port, refer to the next
topic, To enable and configure the IMAP SSL port.
To enable and configure the IMAP SSL port
1. Familiarize yourself with the Domino security model and set up SSL
on the Domino server.
2. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the IMAP
service.
3. Click the Ports - Internet Ports - Mail tab.
4. In the Mail (IMAP) column, complete these fields, and then click
Save & Close:
SSL port number
    Choose 993 (default) to use the industry standard port for IMAP
    connections over SSL. You can specify a different port, but 993 works
    in most situations. When specifying a nonstandard port, make sure the
    port is not reserved for another service. Port numbers can be any
    number from 1 to 65535.

SSL port status
    Choose one:
    Enabled - Allows IMAP clients to connect to the IMAP service over
    SSL.
    Disabled - (default) Prevents client connections over SSL.

Authentication options: Client certificate
    If SSL port status is set to Enabled, choose one of the following:
    Yes - Allows IMAP clients to connect using client certificate
    authentication.
    No - (default) Prevents the IMAP service from using client certificate
    authentication.

Authentication options: Name & password
    If the SSL port status field is set to Enabled, choose one of the
    following:
    Yes - Allows IMAP clients to use name-and-password authentication
    when connecting to the IMAP service over SSL.
    No - (default) Prevents IMAP clients from using name-and-password
    authentication over SSL.
    Set at least one of the two authentication options to Yes; with both
    left at No, clients can open an SSL connection but have no way to
    authenticate on it.

5. Restart the IMAP task to put the new settings into effect.

Setting IMAP session limits


You can configure the following IMAP session limits:

Maximum number of IMAP sessions

Default timeout value

Specifying the maximum number of IMAP sessions


To maintain a session with a client, Domino allocates a main session
thread, which uses a certain portion of the server's memory. Each IMAP
client connecting to the server consumes an additional session thread,
and thus a certain amount of memory. If the number of IMAP sessions
exceeds the amount of available memory, the server can become
unstable.
To ensure that servers can properly support the number of connecting
IMAP clients, you can set a limit on the number of concurrent IMAP
sessions allowed. By default, servers do not place limits on the number of
concurrent IMAP sessions, so a flood of connections, accidental or
deliberate, can exhaust server memory; size the limit for your client
population rather than leaving it unbounded.
After the number of sessions reaches the specified limit, the IMAP
service rejects additional connection attempts.
Note You cannot use the NOTES.INI variable, IMAPMaxSessions,
available in Domino 5.0.3, to limit the number of IMAP sessions on a
Domino Release 6 server.
Specifying a default IMAP session timeout value
After a user opens a session with the IMAP service, the service waits for
commands from the mail client. If no commands are received, the session
is considered to be idle. Sessions that are idle for a long period may be
the result of a user forgetting to log out after completing their mail
processing. Because servers must allocate memory for each IMAP session
and send periodic keep-alive messages to a client to maintain the
connection, idle sessions represent a waste of server resources.
You can limit how long the server continues to maintain client sessions
that do not show any activity. Specify the number of minutes that the
IMAP service waits before disconnecting idle IMAP client sessions. Many
IMAP clients poll for new mail every 10 minutes, so it's best to set the
value to greater than 10 minutes, because the overhead of supporting an
idle session is less than the overhead required to support clients logging
in and opening mailboxes.
By default, servers drop idle sessions after 30 minutes.
Note You cannot use the NOTES.INI variable, IMAP_Session_Timeout,
available in earlier versions of Domino, to configure the IMAP session
timeout on a Domino Release 6 server.

To set IMAP session limits


1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to configure, and click Edit Configuration.
5. Click the IMAP - Basics tab.
6. Complete the following fields and then click Save & Close:
Maximum number of IMAP sessions
    The maximum number of concurrent IMAP client sessions the server
    allows. By default, no limit is imposed.

IMAP session timeout
    The time, in minutes, that the IMAP service continues to maintain an
    idle session. If there is no client activity by the end of the specified
    time, Domino closes the session. By default, servers drop idle sessions
    after 30 minutes.

Note These settings apply to Domino Release 6 and later. To specify
IMAP session limits on a Domino Release 5 or earlier server, use the
IMAPMaxSessions and IMAP_Session_Timeout settings in the
NOTES.INI file.
For more information on these settings, see the appendix
NOTES.INI File.

Setting the IMAP service to automatically enable mail files at login


User mail files must be specially enabled for IMAP use. After a mail file
is enabled, Domino converts information about each message in the mail
file, such as its message ID and folder location, into a set of IMAP
attributes. IMAP clients use these attributes to organize messages for
display. An additional attribute informs the Router to add IMAP
attributes to new messages delivered to the mail file.
Note When the mail conversion utility enables a mail file for IMAP use,
it does not automatically add IMAP summary attributes, which enable
clients to download message headers more efficiently, to messages that
were already in the file before conversion occurred. To add IMAP
summary attributes to preexisting messages, rerun the conversion utility
manually, using the -h option.


By default, the IMAP service is set to automatically enable mail files
during login. When the default setting is used, whenever a user logs in,
the IMAP service checks the user's mail file to see if it is enabled. If a
mail file is not currently enabled, the IMAP service provides a dedicated
conversion thread to enable it. This conversion thread continues to work
on this one mail file until it completes the task. If additional users require
conversion services at the same time, the IMAP service provides an
additional conversion thread for each instance.
Each conversion can require several minutes to complete, with
conversions for users with slow connections typically needing more
time. Because the conversion threads are drawn from the same thread
pool responsible for servicing other IMAP requests, a high number of
conversions can place a high demand on the available IMAP resources.
This can result in increased response times and service delays not only
for those whose mail files require conversion, but for other users
connecting to the service as well. The likelihood of delay naturally
increases if there are a large number of users accessing the server for the
first time.
To prevent service delays on busy servers where many mail files require
conversion, consider disabling automatic conversion during peak hours,
particularly if users typically log in over a phone line or other slow
connection. If you disable automatic conversion, users whose mail files
are not enabled for the Domino Release 6 IMAP service cannot access
their mail files from an IMAP client and receive the following error
message after each login attempt:
The database has not been enabled for IMAP.

When automatic conversion is not available, you must convert users'
mail files manually before they can access mail from IMAP clients. For
information on manually converting mail files for IMAP access, see the
topic Running the mail conversion utility to enable a mail file for IMAP
later in this chapter.
To specify whether the IMAP service automatically enables mail
files
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to configure, and click Edit Configuration.
5. Click the IMAP - Basics tab.
6. Complete the following field and then click Save & Close:

Enable IMAP during login
    Choose one:
    Enabled - (default) The IMAP service automatically converts mail
    files to Lotus Domino Release 6 IMAP format the first time a user logs
    in from an IMAP client.
    Disabled - Administrators must manually convert mail files for IMAP
    use before users can access mail from an IMAP client.

For information on adding IMAP summary attributes to messages in a
user's mail file, see the topic Using the conversion utility to add IMAP
summary attributes to messages later in this chapter.

Configuring the IMAP service to allow shared access to mail files


In addition to providing access to a user's personal mail folders, the
IMAP service supports the NAMESPACE extension, which permits
controlled access to shared mail files. By default, when the IMAP service
is installed, NAMESPACE support is enabled so that clients accessing the
service can view and open their personal mail files, as well as any other
mail file on the server that they have permission to use, for example,
other users' personal mail files to which they have been delegated access,
and any public mail files that you set up as IMAP public folders.
As with personal mail files, an IMAP client can access public and other
users' mail files only if they reside on the same server as the IMAP
service. In addition, the IMAP service must be able to authenticate the
user from an entry in a configured directory on the server.
To configure namespace support on the server, enable NAMESPACE
support so that IMAP users can view other users' and public mail files to
which they've been granted access, and then do one or both of the
following:

Configure IMAP public folders

Configure IMAP other users folders

For information about enabling IMAP namespace support, see the topic
Enabling the IMAP service to automatically display all accessible mail
folders later in this chapter.
For information about delegating access to a mail file, see Lotus Notes 6
Help, which is available from the Documentation Library at the Lotus
Developer Domain at http://www.lotus.com/ldd/doc.
Note To provide IMAP users with access to other users' mail files, you
must use a Notes client or iNotes client to delegate mail file access. You
cannot delegate access by adding names to the ACL of the mail file. To
enable IMAP access to other users' mail files, the Domino Administration
Process (AdminP) must process an IMAP delegation request, which is
only generated in response to a user setting delegation preferences from
a Notes or iNotes mail client.

About IMAP namespaces

Typically, most users have a personal mail file to which they alone have
access. The IMAP service considers messages in a personal mail file to
exist in a hierarchy known as the personal namespace.
In addition to the personal namespace, messages can also exist in other
hierarchies. For example, if a user is granted access to another user's mail
file, such as when a secretary has been delegated access to a manager's
mail file, messages in that mail file become available under an additional
hierarchy, the other users' namespace.
Other mail files, for example, mail-in databases that are intended to be
shared amongst users, do not exist within a single user's namespace at
all, but are intended for public access. Messages in these mail files exist
only in the shared or public namespace.

Enabling the IMAP service to automatically display all accessible
mail folders

The Domino IMAP service complies with RFC 2342, which defines a
method by which the IMAP service automatically presents a client with a
list of all mail files to which the current user has access, including:

The user's personal mail file

Other users' personal mail files to which the user has been delegated
access

Public mail files, such as mail-in databases, to which the user has
access, and which are set up as IMAP public folders.

For information about delegating access to a mail file, see Lotus Notes 6
Help.
Note To provide IMAP users with access to other users' mail files, you
must use a Notes client or iNotes client to delegate mail file access. It is
not sufficient to add the names of users to the ACL of the mail file.
Enabling clients that do not support the NAMESPACE extension to
access shared folders
By default, only IMAP clients that support the NAMESPACE extension
can display mail files other than the user's personal mail file. However,
you can configure the IMAP service so that it presents public and other
users' folders even if the user's IMAP client does not have built-in
NAMESPACE support. Configured in this way, the IMAP service always
returns to the client the complete range of mail folders to which the
current user has access.
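What a NAMESPACE-aware client actually receives from a server set up as described in this section and in Configuring IMAP Public folders, as an added example that is not code from the Domino manual or the IMAP service: a parser for the RFC 2342 NAMESPACE response, and a function that maps a folder name back to the personal, other users' or shared namespace by its longest matching prefix. The two sample responses are constructed; the prefix strings "Other Users/" and "Public Folders/" and the "/" delimiter in them are assumptions for illustration, not Domino's documented defaults, which come from the Configuration Settings document.

```python
"""Parse IMAP NAMESPACE responses (RFC 2342) and classify folder names.

Added example for this chapter, not code from the Domino manual or the
IMAP service. Sample responses are constructed; the prefix names and the
"/" delimiter in them are assumptions, not Domino's documented defaults.
"""
import re

# A NAMESPACE response carries three items (personal, other users, shared),
# each NIL or a parenthesized list of (prefix delimiter) pairs.
# Tokens: parentheses, NIL, or a quoted string with backslash escapes.
_TOKEN = re.compile(r'\(|\)|NIL|"(?:[^"\\]|\\.)*"')


def _unquote(tok):
    """Strip the quotes and undo backslash escapes of a quoted string."""
    return re.sub(r"\\(.)", r"\1", tok[1:-1])


def parse_namespace(line):
    """Return (personal, other_users, shared), each a list of (prefix, delimiter).

    `line` is the untagged response, e.g. '* NAMESPACE (("" "/")) NIL NIL'.
    A NIL item yields an empty list; a NIL delimiter inside a pair yields None.
    """
    _, _, body = line.partition("NAMESPACE")
    tokens = _TOKEN.findall(body)
    pos = 0

    def item():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "NIL":
            return None
        if tok == "(":
            items = []
            while tokens[pos] != ")":
                items.append(item())
            pos += 1  # consume the closing parenthesis
            return items
        return _unquote(tok)

    groups = [item() for _ in range(3)]
    return tuple(
        ([] if g is None else [(pair[0], pair[1]) for pair in g]) for g in groups
    )


def namespace_of(folder, namespaces):
    """Name the namespace a folder belongs to, by longest matching prefix.

    Returns 'personal', 'other_users' or 'shared', or None when no advertised
    prefix matches (for example when no personal namespace was advertised).
    """
    best = None
    for name, entries in zip(("personal", "other_users", "shared"), namespaces):
        for prefix, _delim in entries:
            if folder.startswith(prefix) and (best is None or len(prefix) > best[1]):
                best = (name, len(prefix))
    return best[0] if best else None


# Constructed responses (prefix names and delimiter are assumptions):
# what a client sees with Public and other users' folders support Enabled ...
SAMPLE_SHARED_ENABLED = (
    '* NAMESPACE (("" "/")) (("Other Users/" "/")) (("Public Folders/" "/"))'
)
# ... and with it Disabled, where only the personal namespace is advertised.
SAMPLE_SHARED_DISABLED = '* NAMESPACE (("" "/")) NIL NIL'

if __name__ == "__main__":
    ns = parse_namespace(SAMPLE_SHARED_ENABLED)
    for folder in ("Inbox", "Other Users/Jada Correr/Inbox", "Public Folders/Helpdesk"):
        print(folder, "->", namespace_of(folder, ns))
```

The personal namespace's empty prefix matches every folder, which is why the longest-prefix rule is needed; a client that ignores NAMESPACE and lists every folder it is given (the Include all public and other users' folders setting) would see the same names but has no way to tell the three hierarchies apart except by these prefixes.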
To enable IMAP NAMESPACE support on the server
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the IMAP - Public and Other Users Folders tab.
6. In the Basics section, complete the following field and then click Save
& Close:
Field

Enter

Public and other


users folders
support

Choose one:
Enabled - (default) In addition to presenting an IMAP
client with the current users mail folder, the IMAP
service also presents any public folders and other
users mail files that the current user has access to.
Disabled - The IMAP service does not present IMAP
clients with public and other users mail folders. The
IMAP client can access the current users personal
mail file only.

Include all public Choose one:


and other users Enabled - The IMAP service always displays all
folders when a
available folders to the connecting client.
folder list is
Disabled - (default) The IMAP service displays available
requested
folders in the Other users and Public namespaces only
to clients that request them using the NAMESPACE
command. If a client does not support the
NAMESPACE command, the IMAP service presents to
it the current users personal mail folder only.
This field is not available if Public and other users
folders support is set to Disabled.

Note These settings apply to Domino Release 6 and later only.


Changes take effect after the next IMAP update interval. Sessions
that begin after the updated settings take effect use the updated
settings. However, existing sessions continue to use the settings that
were in effect when the session started.
31-14 Administering the Domino System, Volume 1

For information on how to restart the IMAP service, see the topic
Starting and stopping the IMAP service earlier in this chapter.
For information on setting the NOTES.INI variable
IMAP_Config_Update_Interval to control the IMAP update interval,
refer to the appendix NOTES.INI.File.

Configuring IMAP Public folders


To provide IMAP clients with access to a public mail database, you must
do the following:

Use the mail conversion utility to enable the database for IMAP use

Specify the appropriate level of access for users in the database ACL,
including the Maximum Internet name and password access.

Designate the database as an IMAP public folder

The IMAP service does not automatically enable databases other than the
users personal mail file for IMAP use. To enable a mail-in database for
IMAP use, run the mail conversion utility.
Users access to a shared database is defined by their entries in the
database ACL. Before users can access a public folder, an administrator
must explicitly grant them access to the database by editing the ACL. If
the database ACL does not grant a user access to an IMAP public folder,
when the user logs in from an IMAP client, the client displays the folder,
but does not display the folder Inbox.
To designate a Notes database as an IMAP public folder, copy its
database link and paste it into the Configuration Settings document.
Note To be configured as a public folder, a database must be created
from a Notes mail template. The IMAP service does not support the use
of NNTP or discussion databases as IMAP public folders.
To configure Notes databases for use as IMAP public folders
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Notes client or Domino Administrator client, select a
database that has been enabled for IMAP access to be designated as
an IMAP public folder and copy it as a database link.
For example, from the Files tab of the Domino Administrator client,
double-click the database icon to open it, and then click Edit - Copy
As Link - Database Link to copy the database as a link.
3. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
4. Click Configurations.
5. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
6. Click the IMAP - Public and Other Users Folders tab.
7. Complete the following fields and then click Save & Close:
Field: Public folder prefix
Description: The name of the virtual root folder Domino uses to
organize the hierarchy of Notes mail databases configured as IMAP
public folders. When an IMAP client connects to the server it displays
the public folders available to the user as subfolders of this folder.
Unless you have a specific reason to change the folder prefix, accept
the default name to ensure IMAP clients can access public folders on
the server.

Field: Public folder database links
Description: Database links for IMAP-enabled Notes mail databases
you want to designate as IMAP public folders. Paste the database link
copied in Step 2 into this field. For example, insert the cursor in the
field and click Edit - Paste. The Notes database represented by the link
is now designated as an IMAP public folder. Users with the
appropriate access privileges can open the database from an IMAP
client.
8. To force an immediate update, restart the IMAP service.

Note These settings apply to Domino Release 6 and later only.

Configuring IMAP Other Users folders


If NAMESPACE support is enabled on the server, in addition to
displaying the current user's primary personal mail folders, an IMAP
client displays the personal namespaces of other users who have
explicitly granted access to their personal mail files to the currently
authenticated user.
The default configuration for the Other Users namespace on the server
will support most installations. If necessary you can customize the Other
Users namespace on the server by doing the following:

Changing the default folder prefix

Changing the default domain delimiter the IMAP service uses to
display user mail file names

Specifying IMAP users who can change other users' unread marks

Changing the default folder prefix
To enable IMAP users to view other personal mail files to which they
have access, the IMAP service maintains a virtual list, or collection, of
those mail files on the server whose owners have granted access
privileges to one or more secondary users. This collection of other users'
mail files represents the hierarchy, in addition to a user's own mail
folders hierarchy and the hierarchy of publicly-accessible mail files, in
which a message may exist.

Specifying IMAP users who can change other users' unread marks
By default, the only user allowed to change unread marks in a mail file is
the Notes user with primary access to the file. If a secondary user
accesses the mail file, any documents opened are marked as read for the
secondary user, but not for the primary user. This is similar to what
happens in a discussion database, where multiple users can read
documents and each maintain their own set of unread marks.
Some organizations employ third-party messaging services that run in
conjunction with the Domino IMAP service to provide users with
alternate means for accessing their mail files. For example, a unified
messaging service might connect to the IMAP service to access the
Domino mail server, acting, in effect, as an IMAP client. Users connecting
to the third-party service can open, read, send, and forward mail. To
ensure that the unread marks in users' mail files are properly
maintained, the third-party service must have the ability to change
unread marks on the users' behalf, as if it were the mail file owner.
To provide a third-party application with access to a mail file, at
minimum, the mail file ACL must grant the application Designer access.
To configure IMAP support for access to Other Users folders
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the IMAP - Public and Other Users Folders tab.
6. In the Other Users Folders section, complete the following fields and
then click Save & Close:
Field: Other users folder prefix
Enter: The name of the virtual root folder which contains Notes mail
databases whose owners delegated access to other users. When an IMAP
client connects to the server it displays the other users' folders to which
the user has access as subfolders of this folder. Unless you have a
specific reason to change the folder prefix, accept the default name to
ensure IMAP clients can access other users' folders on the server.

Field: Other users domain delimiter
Enter: The character that Domino uses to separate the common name,
organizational unit(s), and organization name in a user's Notes
hierarchical name when displaying the user's mail file to an IMAP client
as part of the Other users folder list. Default is forward slash (/). For
IMAP clients, such as the Netscape client, that cannot display
hierarchical names that contain the default separator character, specify a
different character, for instance a dot (.) or pipe character (|). For
example, if you enter the pipe character, Domino sends the mail folder
of a user named Jada Mendez/Sales/Acme to IMAP clients as Jada
Mendez|Sales|Acme.

Field: IMAP users who can change other users' unread marks
Enter: The fully-qualified Notes names of users who are permitted to
change the unread status of messages in other users' mail files. You can
also enter the name of a Notes group.

The change takes effect after the next IMAP service update. You can
restart the IMAP service to force an immediate update to the IMAP
service configuration.
7. To provide another user with access to a personal mail file,
instruct the mail file owner to delegate access from a Notes client.
For information about delegating access to a mail file from a Notes
client, see the topic Delegating mail access if you have installed
Lotus Notes 6 Help. Or, visit the Documentation Library in the Lotus
Developer Domain at http://www.lotus.com/ldd/doc to download
or view Lotus Notes 6 Help.
Note To provide IMAP users with access to other users' mail files,
you must use a Notes client or iNotes client to delegate mail file
access. It is not sufficient to add the names of users to the ACL of the
mail file.

Configuring IMAP internal thread use


The IMAP service acts as an intermediary between IMAP clients
attempting to retrieve messages and the Domino mail server. IMAP
clients do not have direct access to mail files on the Domino server;
instead, the IMAP service acts as a proxy, relaying each client's request to
retrieve messages to the mail server. To return message data to the client,
Domino opens the mail database and passes on the requested
information to the IMAP service. The IMAP service then sends the
requested message information to the client.
An IMAP session begins when a user at an IMAP client logs in to the
Domino IMAP service. Domino allocates each IMAP session its own
session thread from the server's main thread pool. This session thread
becomes the sole channel for all communications between the client and
the IMAP service. When the session ends, Domino returns the thread to
the pool for use by another client.
The session thread communicates directly with the server's IMAP port to
receive client input, validate the syntax of received requests, queue
requests to the IMAP service, and send responses from the service back
to the client. If the IMAP service is slow to respond, the main thread also
sends periodic keep-alive messages to the client so that it does not close
the connection.
A Domino server can interact with multiple clients simultaneously
because it allocates a new thread to service each client session. Clients
connect to a port and exchange all input and output through that port.
Threads require memory and CPU time. The thread pool contains a
limited number of physical threads, but thread use is virtualized so that a
single thread works on different tasks. Thus, in a fraction of a second, a
single thread that is idled by one task as it waits for information can
switch to another task. This allows Domino to maximize processor use
and minimize memory.
By avoiding the need to create a new physical thread for each requested
connection, Domino makes the best use of available memory. However, a
high number of IMAP sessions can place a strain on the server. If clients
experience slow response during times of peak usage, consider limiting
the number of IMAP sessions.
The internal IMAP thread pool
The Domino IMAP service provides an internal IMAP thread pool that is
independent of the thread pool that Domino uses to create client
sessions. The default number of available threads is based on the amount
of physical memory the server has. The service has a minimum of 50
threads available and a maximum of 400 threads. To ensure that the
IMAP service continues to function properly, it's best to use the default
thread pool settings and modify these settings only at the direction of a
qualified IBM support representative.
The IMAP thread pool consists of three types of worker threads as shown
in the following table:
Thread type: FETCH thread
Description: Accepts validated FETCH commands from the client and
transmits them to the Domino mail service
Default maximum value: 80% of pool total

Thread type: FETCH response thread
Description: Transmits message data from the Domino mail service to
fulfill client FETCH requests
Default maximum value: 80% of pool total

Thread type: LOGIN conversion thread
Description: Converts mail files to IMAP format
Default maximum value: None
Available threads become active when the main session thread queues a
request.
To specify IMAP thread use
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the IMAP - Advanced tab.
6. In the Worker thread pool section, complete the following:
Field: Maximum number of IMAP worker threads
Description: The total number of threads available in the IMAP
service's thread pool, including Login conversion threads for
upgrading mail files to Domino Release 6 IMAP format; FETCH
threads for transmitting validated client requests to the Domino mail
server; and FETCH response threads for transmitting message data
from the mail server in response to client FETCH requests.

Field: Maximum number of response threads per FETCH
Description: The number of threads available to transmit message
data to fulfill a given FETCH request (default is 4).

Field: Maximum number of FETCH threads allowed
Description: The number of concurrent threads the IMAP service can
use to transmit client requests to FETCH message data to the Domino
mail server.

Field: Maximum number of FETCH response threads allowed
Description: The number of threads the IMAP service can use to
return message data from the Domino mail server in response to
FETCH requests received from all active IMAP sessions.

Note These settings apply to Domino Release 6 and later only.

Specifying the default IMAP service greetings


On the Server document, you can configure the ports that IMAP clients
can use to connect to the IMAP service. IMAP clients can connect over a
TCP/IP port or an SSL port. If you have SSL set up on the server, you can
configure the TCP/IP port so that it redirects connections to the SSL port.
When a client connects, the IMAP service responds by sending the client
the greeting that is associated with the port the client uses to connect. On
the Configuration Settings document, you can customize the greetings
that the IMAP service returns to clients connecting over each port.
The IMAP service checks for new settings at the specified update
configuration interval. If you change the greeting text, sessions that begin
after the new configuration takes effect will receive the updated greeting.
To modify the default IMAP service greetings
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the IMAP - Advanced tab.

6. In the Greeting section, enter the text for the IMAP service to display
to connecting clients and then click Save & Close:
Field: Default IMAP server greeting
Enter: The greeting the IMAP service sends to clients connecting over
TCP/IP. By default, the service sends a greeting that includes the
server name, Domino release number, and the current date and time.
For example:
*OK Domino IMAP4 Server Release 6 ready Wed, 17 April 2002 17:57:13 -0400

Field: IMAP SSL greeting
Enter: The greeting the IMAP service sends to clients connecting over
SSL. By default the service sends a greeting that includes the server
name, Notes release number, and the current date and time. For
example:
*OK Domino IMAP4 Server Release 6 ready Wed, 17 April 2002 17:57:13 -0400

Field: IMAP SSL redirect greeting
Enter: The greeting the IMAP service sends to clients when the TCP/IP
port is configured to redirect connections to SSL. By default, the
service sends the following greeting:
*IMAP Server configured for SSL Connections only. Please reconnect
using the SSL Port portnumber
where portnumber is the number of the configured SSL port.

Note To specify IMAP greetings for Domino Release 6 servers, you
must use the Configuration Settings document. However, you cannot use
the Configuration Settings document to specify service greetings for
Domino Release 5 and earlier. To configure IMAP service greetings on
earlier Domino releases, use the settings IMAPGreeting,
IMAPRedirectSSLGreeting, and IMAPSSLGreeting in the NOTES.INI
file.
For more information on these settings, see the appendix NOTES.INI File.
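The default greetings above tell every connecting client the product name and release number, which is one reason an administrator may choose to customize them. The following Python is an added example, not part of Domino or of this manual: it parses a greeting line received on an IMAP port into its kind (normal OK greeting or SSL redirect), extracts the release number and redirect port, and audits a port against the behaviour expected of it. The sample strings are constructed from the defaults shown above, with 993 standing in for the portnumber placeholder.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples modelled on the default greetings in the table above.
# "993" stands in for the manual's portnumber placeholder; it is not from the page.
SAMPLE_TCP_GREETING = (
    "*OK Domino IMAP4 Server Release 6 ready Wed, 17 April 2002 17:57:13 -0400"
)
SAMPLE_REDIRECT_GREETING = (
    "*IMAP Server configured for SSL Connections only. "
    "Please reconnect using the SSL Port 993"
)
SAMPLE_CUSTOM_GREETING = "* OK IMAP service ready"

# Accept both the RFC 3501 spelling "* OK" and the "*OK" spelling printed in the manual.
_OK_RE = re.compile(r"^\*\s*OK\b", re.IGNORECASE)
_RELEASE_RE = re.compile(r"\bRelease\s+(?P<release>\d+(?:\.\d+)*)", re.IGNORECASE)
_REDIRECT_RE = re.compile(r"reconnect using the SSL Port\s+(?P<port>\d+)", re.IGNORECASE)


@dataclass
class Greeting:
    kind: str                          # "ok", "ssl_redirect" or "other"
    release: Optional[str] = None      # release number disclosed by the banner, if any
    redirect_port: Optional[int] = None
    findings: List[str] = field(default_factory=list)


def parse_greeting(line: str) -> Greeting:
    """Classify one greeting line and record what it discloses about the server."""
    line = line.strip()
    redirect = _REDIRECT_RE.search(line)
    if redirect:
        greeting = Greeting(kind="ssl_redirect", redirect_port=int(redirect.group("port")))
    elif _OK_RE.match(line):
        greeting = Greeting(kind="ok")
    else:
        greeting = Greeting(kind="other")

    release = _RELEASE_RE.search(line)
    if release:
        greeting.release = release.group("release")
        greeting.findings.append("banner discloses release number " + greeting.release)
    if "domino" in line.lower():
        greeting.findings.append("banner discloses product name")
    return greeting


def audit_port(line: str, expect_redirect: bool) -> List[str]:
    """Compare the greeting received on a port with the behaviour configured for it.

    expect_redirect is True for a TCP/IP port that should redirect clients to SSL.
    An empty list means the greeting matches expectations and discloses nothing.
    """
    greeting = parse_greeting(line)
    findings = list(greeting.findings)
    if expect_redirect and greeting.kind != "ssl_redirect":
        findings.append("TCP/IP port should redirect to SSL but offered a normal session")
    if not expect_redirect and greeting.kind == "ssl_redirect":
        findings.append("port unexpectedly redirects to SSL port %d" % greeting.redirect_port)
    if greeting.kind == "other":
        findings.append("unrecognized greeting; check the Greeting section of the "
                        "Configuration Settings document")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_TCP_GREETING, SAMPLE_REDIRECT_GREETING, SAMPLE_CUSTOM_GREETING):
        print(sample)
        print("   ", parse_greeting(sample))
```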

Setting up IMAP users


To set up IMAP users, perform these procedures:
1. Set up the users' Person documents.
2. Create a mail file for the IMAP user.
3. Enable the mail file for IMAP access.
4. Configure IMAP client software.
5. (Optional) Create a full-text index of the mail file so the IMAP user
can search for information in the file. When you create the index,
choose the Index attachments option to allow the user to search for
information in attachments that are in MIME format.
For more information on creating a full-text index, see the chapter
Setting Up and Managing Full-text Indexes.
Note If you use the Domino registration process to create a new IMAP
user, Domino automatically creates the Person document and mail file
and lets you specify registration options to create a full-text index for the
mail file and enable the mail file for IMAP use.

Setting up the Person document for an IMAP user


To access mail files on the Domino server, an IMAP user must have a
Person document in the Domino Directory. For users who already have a
Person document, edit settings in the existing document as necessary to
provide IMAP support. If a user does not have an existing Person
document, you must create a new one. You can create a Person document
manually, or use the Domino registration process to create the Person
document automatically. If you use the Domino registration process,
select IMAP in the Mail system field of the Register Person dialog box.
Note By default, the Domino registration process generates a Notes ID
file (and corresponding Notes public encryption key in the Domino
Directory) for each user in addition to creating the Person documents
and mail files required by an IMAP user. Because users who will access
Domino from IMAP clients only do not require a Notes ID, when
registering these users, deselect the option to Create a Notes ID for this
person. However, if a new IMAP user also requires access to Domino
from a Notes client, Domino Administrator client, or Domino Designer
client, be sure to enable creation of an ID file.
For more information on using the Domino registration process, see the
chapter Setting Up and Managing Notes Users.
The following procedure specifies the Person document settings required
for IMAP users and explains how to create a Person document manually.
To set up a Person document for an IMAP user
1. From the Domino Administrator, click the People & Groups tab.
2. Select Domino Directories - Address Book - People.
3. If no Person document exists for this user, click Add Person to create
a new Person document.
To display an existing Person document, select the name of the user,
and click Edit User.

4. Click the Basics tab, complete these fields, and then click Save &
Close:
Field: First name, Last name, User name
Enter: The login name a client uses to authenticate with the IMAP
server must be unique in the Domino Directory. Depending on the
level of Internet access security established for the server (Server
document - Security tab), the login name or user name configured on
the IMAP client must match an entry in one of these fields. Entries in
the User name field are always accepted as the login name. If Internet
authentication is set to allow More name variations with lower
security, entries in the First name and Last name fields may also be
accepted as login names.

Field: Internet password
Enter: The password that the user enters to access the Domino server
from the IMAP client. IMAP users must have an Internet password
that complies with your organization's password quality requirements.

Field: Mail system
Enter: Choose IMAP if the user does not require Notes client access.

Field: Domain
Enter: The name of the Notes domain to which the server belongs.

Field: Mail server
Enter: The name of the IMAP user's Domino mail server.

Field: Mail file
Enter: The path for the user's mail file, relative to the Domino data
directory, for example, MAIL\AJONES.

Field: Forwarding address
Enter: Leave this blank for users who access mail files on the Domino
server from an IMAP client.

Field: Internet address
Enter: The Internet address at which the user can receive mail within
your organization. This address must match the Internet address
specified in the IMAP client.

Field: Format preference for incoming mail
Enter: Choose one:
Keep in senders' format - (default) The mail file may contain messages
in either Notes rich text or MIME format. When delivering messages to
the mail file, the local Router preserves the current message format.
Thus messages received at the server in MIME format are stored in the
mail file in MIME format, and messages received at the server in Notes
rich text format are stored in Notes rich text format. When an IMAP
client requests a message that is stored in Notes rich text format, the
IMAP service must convert the message to MIME before sending it to
the client. Because the stored message remains in Notes rich text
format, each time an IMAP client requests the message, the IMAP
service must perform the conversion.
Prefers MIME - The mail file stores messages in MIME format only.
Choose this option for users who access mail exclusively from an IMAP
client. Since IMAP clients require messages in MIME format, storing
mail in MIME format ensures the best performance for IMAP users,
eliminating the need for the IMAP service to convert messages before
passing them to the client. In addition, using MIME storage allows the
Router to add special IMAP attributes to the messages it delivers.
Prefers Notes Rich Text - The mail file stores messages in Notes format
only. The Router converts messages received as MIME into Notes rich
text before delivery. In addition, the IMAP task must convert messages
to MIME format when sending them to an IMAP client. To ensure the
best performance, do not choose this option for users who access their
Domino mail file primarily from an IMAP client.

Field: When receiving unencrypted mail, encrypt before storing in your
mail file
Enter: Choose No (default); IMAP clients cannot read encrypted Notes
mail. To ensure that users who read mail exclusively from IMAP clients
do not receive Notes-encrypted mail, remove the IMAP users' Notes
public encryption keys from their Person documents. Never remove the
Notes public key from the Person document of users who access Notes
databases from a Notes client.

For more information about password quality requirements, refer to
the chapter Protecting and Managing IDs.
5. Complete the procedure Creating a mail file for an IMAP user.
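Because a login name must be unique in the Domino Directory, the lower-security setting that also accepts First name and Last name entries can make one login name match two Person documents. The following Python is an added illustration, not Domino's own authentication code: it models the matching rule the table describes against a constructed three-person directory (the names and the Acme organization are invented) and reports every login name that becomes ambiguous under each setting; case-insensitive comparison is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set


@dataclass(frozen=True)
class PersonDocument:
    """The Person document fields the IMAP login check consults (a constructed model)."""
    first_name: str
    last_name: str
    user_names: Sequence[str]  # multi-value User name field; first entry is the full name


# Constructed directory: two people share a last name and two share a first name.
DIRECTORY = [
    PersonDocument("Alan", "Jones", ("Alan Jones/Sales/Acme", "Alan Jones", "ajones")),
    PersonDocument("Beth", "Jones", ("Beth Jones/Sales/Acme", "Beth Jones", "bjones")),
    PersonDocument("Alan", "Smith", ("Alan Smith/HR/Acme", "Alan Smith", "asmith")),
]


class AmbiguousLogin(Exception):
    """Raised when a login name matches more than one Person document."""


def accepted_login_names(person: PersonDocument, more_name_variations: bool) -> Set[str]:
    """Names the server would accept for this person under the given security setting.

    User name entries are always accepted; with "More name variations with lower
    security" the First name and Last name fields are accepted as well.
    Comparison is case-insensitive (an assumption of this model).
    """
    names = {n.casefold() for n in person.user_names}
    if more_name_variations:
        names.add(person.first_name.casefold())
        names.add(person.last_name.casefold())
    return names


def resolve_login(login: str, directory: Sequence[PersonDocument],
                  more_name_variations: bool = False) -> Optional[PersonDocument]:
    """Return the single Person document a login name identifies, or None if none does.

    Raises AmbiguousLogin rather than guessing when several documents match, because
    the Internet password of the wrong person could otherwise be checked.
    """
    key = login.strip().casefold()
    matches = [p for p in directory
               if key in accepted_login_names(p, more_name_variations)]
    if len(matches) > 1:
        raise AmbiguousLogin("%r matches %d Person documents" % (login, len(matches)))
    return matches[0] if matches else None


def ambiguous_login_names(directory: Sequence[PersonDocument],
                          more_name_variations: bool) -> Dict[str, List[str]]:
    """Map each login name accepted for more than one person to the people it matches.

    Run this before switching a server to the lower-security setting: an empty
    result means every accepted login name still identifies exactly one person.
    """
    owners: Dict[str, List[str]] = {}
    for person in directory:
        for name in accepted_login_names(person, more_name_variations):
            owners.setdefault(name, []).append(person.user_names[0])
    return {name: people for name, people in owners.items() if len(people) > 1}


if __name__ == "__main__":
    print("default setting: ", ambiguous_login_names(DIRECTORY, more_name_variations=False))
    print("more variations: ", ambiguous_login_names(DIRECTORY, more_name_variations=True))
```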

Creating a mail file for an IMAP user


Each IMAP user must have a mail file on the Domino server. You can
create the mail file automatically during user registration, or you can
manually create a mail file. If the user is already a registered Notes user
who has an existing Domino mail file and if you set up the user's Person
document for IMAP access, the user can access the mail file from an
IMAP client.
If a user does not have an existing mail file on a Domino server, create a
new one as described in the following procedure.
To manually create a mail file
1. Make sure that you have set up the Person document for the IMAP
user.
2. Choose File - Database - New.
3. In the New Database dialog box, enter the following:
Field: Server
Enter: The Domino mail server that stores the user's mail file.

Field: Title
Enter: The name of the client's mail file, for example, Alan Jones Mail.

Field: File name
Enter: The full path to the mail file, relative to the Domino data
directory, for example, MAIL\AJONES.NSF.

4. From the list of template names, select Mail (R6) with the filename
MAIL6.NTF, and click OK.
5. After Domino creates and opens the mail file, determine what level
of access is appropriate for both the user and you, as the
administrator. Then, edit the Access Control List (ACL) as follows:
a. Choose File - Database - Access Control.
b. From the Access Control List dialog box, create an ACL entry for
the user by clicking Add and then selecting the users name from
the Domino Directory.
c. Set the user type to Person and select the level of access. Users
require at least Editor with Delete document access.
d. (Optional) Select your name from the ACL and click Remove. As
the administrator, you can choose to retain Manager access,
particularly for users who do not have Notes client access.
e. Click OK to save the entry and close the ACL.
6. Complete the procedure Preparing a mail file for IMAP access.


Preparing a mail file for IMAP access


To support access from IMAP clients, mail files must be specially
modified to store IMAP folder and message attributes as database items.
If you used the Domino registration process to create a user, and set the
user's mail system type to IMAP, Domino automatically performs the
steps required to prepare the mail file for IMAP use. Otherwise, you
must complete several tasks to prepare a mail file to support IMAP
access.
To prepare a mail file for IMAP access
1. Verify that you have:
Set up the Person document for the IMAP user.
Created a mail file for the IMAP user.
2. If you are upgrading a mail file, run Compact on the mail file to
ensure that it uses the Notes ODS (on-disk structure) version 41 or
greater.
You do not have to run Compact on newly created mail files that are
based on a Lotus Domino Release 5 or later mail template. For new
mail files, skip to Step 4.
3. Run the Fixup task on the mail file.
4. Run the mail conversion utility on the mail file to enable it for IMAP
access.
5. If this is not a new mail file, run the mail conversion utility with the
-h option to increase the speed of header downloads when clients log
in.
The IMAP service does not rely on template views to store IMAP folder
and message data; you can enable mail files created from any mail
template.
For users with multiple mail file replicas (for example, users with mail
files on clustered servers), you must independently enable each replica
for IMAP access. Because Domino does not replicate IMAP database
items between databases, by default, when you create a new replica of an
IMAP-enabled mail file, it is not enabled for IMAP use.
Differences when viewing mail files from IMAP clients and Notes clients
Some aspects of a mail file are structured in template items that are
visible only to a Notes client, and as such are not available to IMAP
clients. As a result, IMAP clients display certain folders and views in a
mail file differently from Notes clients. For instance, from an IMAP
client, the Inbox and Trash folders, and any public folders, appear as
IMAP mailboxes. Also, hidden and private folders are not visible to
IMAP clients. And finally, IMAP clients do not display views that are
part of the Notes mail file template, such as the Drafts and Sent views.
The Domino IMAP service does not support renaming of the Inbox folder
in a Notes mail file from an IMAP client.
For users who access their mail files from both an IMAP client and a
Notes client, Domino synchronizes unread message marks between the
two. Thus, a message marked as read in Notes is also marked as read for
an IMAP client, and vice versa.
IMAP clients cannot read messages that use Notes encryption. IMAP
clients do not have access to the Notes private key needed to decrypt
messages encrypted with a user's Notes public key certificate. As a
result, when a user opens an encrypted Notes message from an IMAP
client, only the unencrypted header information is available. The server
replaces the blank message body with the following text:
[Portions of this MIME document are encrypted with a Notes
certificate and cannot be read.]

Running Compact to update the ODS version of a mail file


To be enabled for IMAP, a mail file must use the Domino Release 5 or
later file format, Notes ODS (on-disk structure) version 41 or greater. If a
mail file is at a previous ODS version, you must run Compact on it to
update the ODS version. It is not necessary to run Compact to enable
newly created mail files that are based on either the MAIL6.NTF or
MAIL50.NTF mail templates.
The ODS version of a mail file database is listed on the Info tab of the
Database properties dialog box. For information on how to determine the
file format of a database, see the chapter Improving Database
Performance.
To run Compact using a console command
Compacting converts Release 4 databases to the Lotus Domino 6 file
format or ODS 43.
1. From the Domino Administrator, on the Server pane on the left,
select the server on which to run Compact. To expand the pane, click
the server's icon.
2. Click the Server - Status tab.
3. Click Console.

4. Enter the following command in the command line at the bottom of
the console, and then press ENTER:
Load compact databasepath
Enter the database path relative to the Domino data directory. To
compact a specific mail file in the MAIL directory, enter the name of
the MAIL directory followed by the name of the mail file, for
example:
Load compact MAIL\USER.NSF

To compact all mail files in the MAIL directory, enter the name of the
MAIL directory as the database path, for example:
Load compact MAIL

Note You can also enter Step 4 directly at the console on a server.
After you run compact on the mail file, continue preparing the file for
IMAP users by running Fixup.

Running Fixup to prepare a mail file for IMAP use


You do not need to run Fixup on newly created mail files that are based
on a Lotus Domino Release 5 or later mail template.
After you run Compact on a user's mail file to ensure that it uses the
correct file format, run the Fixup task on the mail file.
Because the Fixup task requires exclusive access to the mail file database,
you must shut down the server before running Fixup.
To run Fixup
1. Shut down the server.
2. From the Windows NT command prompt, change to the Domino
program directory. For example, if you installed Domino in the
default location, enter:
cd c:\lotus\domino

3. To run Fixup on a specific mail file, enter:
nFixup path\mailfile

where path is the database path relative to the Domino data directory
and mailfile is the name of the mail file database. For example, to run
Fixup on the mail file database USER.NSF in the DATA\MAIL
folder, enter:
nFixup mail\user.nsf

Note If transaction logging is enabled on the server, run Fixup with
the -j switch, for example:
nFixup -j mail\user.nsf

Running the mail conversion utility to enable a mail file for IMAP
Note If you used the Domino Release 6 registration process to add a
user account, and set the user's mail system type to IMAP, Domino
automatically enables the mail file for IMAP use.
After you run Fixup on the mail file, run the mail conversion utility (the
Convert task) to enable IMAP-specific features in the mail file. The
conversion utility sets an option bit in the database indicating that this
database is IMAP enabled. After you enable a mail file for which the
format preference is set to MIME, the Router automatically adds special
IMAP attributes to new messages delivered to the database. These
attributes provide IMAP clients with summary information which
enables them to download message headers more efficiently. To ensure
the best performance, after the initial conversion completes run the
conversion utility a second time, using the -h option to add these
attributes to messages that were already in the mail file at the time of the
initial conversion.
For users with multiple mail file replicas (for example, users with mail
files on clustered servers), you must independently enable each replica
for IMAP access. Because Domino does not replicate IMAP database
items between databases, by default, when you create a new replica of an
IMAP-enabled mail file, it is not enabled for IMAP use.
After the conversion utility enables a mail file for IMAP, the following
information is added to the bottom of the Information tab of the mail
file's Database Properties dialog box:
Database is IMAP enabled

Deciding whether to convert mail files manually or automatically


By default, when a user connects to the IMAP service, the service checks
whether the user's mail file is currently enabled for IMAP. If the mail file
is not already enabled, the IMAP service automatically launches the
conversion utility to format it for use with IMAP. To prevent conversions
from occurring during login, change the default configuration by
disabling automatic conversion.
For information on enabling and disabling automatic conversion, see the
topic Setting the IMAP service to automatically enable mail files at
login earlier in this chapter.

Although the IMAP service can automatically convert mail files, consider
manually converting them before users first log in to the IMAP server to
ensure that mail files are properly converted. By performing conversions
ahead of time, you can ensure that users are not confronted with
conversion errors that they are unable to recover from. For example,
because the conversion utility requires that a mail file be at least at ODS
version 41, for mail files that use an earlier ODS version you must run
Compact before converting the mail file; automatic conversion of such a
file would fail. Similarly, in databases where some type of internal
corruption has occurred (for example, an invalid note, or corrupt meta
data), you must run Fixup against the mail file before running the
conversion utility.
You might also choose to run the conversion utility manually if many of
your first-time IMAP users access the server over slow modem
connections, particularly if a large proportion of them would be logging
in at the same time. The reason for this is related to the way the IMAP
service allocates threads to perform automatic conversions. The IMAP
service dedicates a single conversion thread to each conversion, and it
draws this conversion thread from the same thread pool that provides
the threads responsible for servicing other IMAP client requests, such as
logging in users or retrieving messages. Because mail file conversions can
require a significant amount of time, with conversion times increasing as
connection speeds decrease, a conversion thread typically remains busy
longer than other thread types. As a result, an IMAP service flooded with
conversion requests can experience a thread shortage. This shortage
affects not only the users awaiting conversion, but also current IMAP
users, who encounter unexpected delays attempting to log in and retrieve
messages. When the conversion utility is run manually on the mail
server, the operation completes in a very short time, even if the mail file
is relatively large.
Finally, you must run conversions manually to enable mail files in the
"other users" and "public folders" namespaces. Automatic mail file
conversion can occur only for the personal mail file of the currently
authenticated user.
To manually convert mail files for use with IMAP
You can run the mail conversion utility on a single mail file or on all mail
files in a directory.
1. At the server console of the Domino server on which you want to
enable mail files, shut down the Router by entering:
tell router quit

This prevents Domino from routing mail to the mail files while they
are being converted. Mail is stored in MAIL.BOX while you upgrade
the mail files. After you have converted the mail files and loaded the
Router task again, the Router processes and delivers the mail in
MAIL.BOX.
2. Load the mail conversion utility by entering the following command:
load convert -e maildirectory\mailfilename

where maildirectory names the path to the mail subdirectory that
contains the user's mail file and mailfilename is the filename of the
user's mail file. The maildirectory path describes the path relative to
the server's Domino data directory. For example, to convert the mail
database USER.NSF in the \MAIL subdirectory of the Domino data
directory, enter:
load convert -e mail\user.nsf

Note On UNIX systems, use a forward slash (/) as the hierarchy
separator, rather than a backslash (\). For example, enter:
load convert -e mail/user.nsf

To specify all files in a directory, make sure the directory contains
only mail files and that they are the mail files you want to convert.
For example, to enable IMAP for all mail files in the \MAIL
subdirectory, enter:
load convert -e mail\*.nsf

3. After you finish enabling mail files for IMAP on this server, load the
Router by entering:
load router

4. Configure IMAP client software.

For information on configuring IMAP client software, see the topic
"Configuring IMAP client software" later in this chapter.
For information about disabling IMAP access to a mail file, see the topic
"Disabling an IMAP mail file" later in this chapter.

Convert utility options

Option   Use
-e       Enables mail files for IMAP use.
-h       To enable clients to download message headers more efficiently, the
         Convert task processes all messages in the mail file in the order in
         which they are listed in the mail file's All Documents view and
         adds the special IMAP attributes ($Content_Type, IMAP_BodyStruct,
         and IMAP_RFC822Size) to messages that don't have them.
         Because the Convert task is single-threaded, and this option requires
         the Convert task to process every message in the mail file, it is
         resource-intensive and can take a long time, especially for mail files
         where messages must also be converted from Notes rich text to MIME
         format.
         You cannot use this option in combination with the -e switch.
-o       Removes from messages the IMAP items used to provide more
         efficient header retrieval. You may use this option in combination
         with the -h option, but not with the -e option.
-e-      Disables IMAP access to mail files.

How the conversion utility handles unread marks

In previous versions of Notes and Domino, mail files maintained
separate sets of unread marks for IMAP clients and Notes clients, with
IMAP-enabled mail files relying on special template views to indicate
that a message was read. With the introduction of native IMAP in
Domino Release 6, a mail file enabled for IMAP displays a consistent set
of unread marks to the IMAP and Notes clients opening the file.
If you used IMAP in an earlier release of Domino, and are upgrading
a mail file to Domino Release 6 IMAP format, the conversion utility
will mark a message as read in the converted mail file if either the IMAP
or Notes items in the unconverted mail file indicate that the message
was read.
Preserving folder references during upgrade of IMAP mail files
In earlier releases of Domino, the IMAP service used hidden folder
reference views in the mail template to retrieve IMAP folder and
message data. By contrast, the Domino Release 6 IMAP service doesn't
use folder references. Instead, it enables native storage of IMAP folder
and message attributes in the mail file, thus eliminating the need for
hidden views in the mail template.
By default, when you convert mail files to Lotus Domino 6 IMAP format,
the conversion utility disables folder references in the mail file. In most
environments, use the default and disable folder references to ensure the
best performance.
If your environment uses Domino applications that rely on folder
references in user mail files to gather information, you may need to
preserve folder references. To preserve folder references during
conversion, you can set the variable IMAP_CONVERT_NODISABLE_FOLDER_REFS
in a server's NOTES.INI file. When this variable is set,
folder references are preserved during all mail file conversions, whether
performed manually from the server console, or automatically as the
result of an IMAP user logging in to the IMAP service for the first time.
Immediately following conversion, the folder and message information
stored in the folder references matches the information stored in the mail
file's IMAP attributes. However, because Domino does not continue to
update folder references after the initial conversion, over time, as a user
receives, moves, and sends messages, folder reference information will
no longer be synchronized with the information stored in the mail file
attributes.
Using the conversion utility to add IMAP summary attributes to messages
The IMAP service uses special IMAP summary attributes
($Content_Type, IMAP_BodyStruct, and IMAP_RFC822Size) in messages
to facilitate the process of sending message headers in response to client
requests. After you convert a mail file for IMAP use, for users who
receive messages in MIME format, the Router automatically adds these
items to new messages it delivers.
However, these items might not be added to all messages in a mail file.
Messages delivered in Notes rich text format do not contain the items.
And Domino does not automatically add these items to messages
delivered before conversion occurred.
Although an IMAP client can read messages that do not contain IMAP
summary attributes, the client must first download each message in its
entirety before it can display headers. To enable faster header fetching,
run the mail conversion utility with the -h switch to add IMAP summary
attributes to messages that don't have them.
Updating IMAP attributes following mail file changes
Changing a message that contains the IMAP_RFC822Size attribute might
affect a user's ability to access the message. When the size value of the
IMAP attribute no longer matches the actual message size, IMAP clients
might have difficulty downloading the message. If the actual message
size is larger than the size indicated by the attribute, the IMAP client
might not download the entire message. If the actual size is smaller than
the size indicated by the attribute, the IMAP client can hang as it
attempts to download the remaining expected message data.
Message size might change inadvertently as a consequence of an agent
running after a message is delivered or of changes to certain server
configuration options, such as the settings governing outbound MIME
conversion options. Although the outbound MIME conversion options
apply primarily to messages sent outbound over SMTP, they also affect
any message exported from the server, including messages retrieved by
the IMAP service for sending to a client. For example, if you change the
setting for adding RFC 822 phrases to users' Internet return addresses,
this changes message size, because the Internet return address in each
message an IMAP client retrieves is altered to comply with the new
setting.
To prevent changes to the server configuration from contributing to
download errors, update IMAP attributes to reflect the new settings. To
update IMAP message attributes and refresh the mail file's MIME
directory, you must remove the existing attributes and then add them
again. Because IMAP clients cache header information, users must also
recreate their IMAP accounts to download messages successfully.
Note A similar problem occurs for IMAP users whose Person
documents specify Notes rich text as the mail storage preference. In this
case, the Router does not add IMAP attributes to messages delivered to
mail files, but the IMAP client still caches size information. When you
modify the server's configuration, for example, by setting the server to
export message content as HTML rather than plain text when converting
messages to MIME, this changes message size. Because the client expects
the size of existing messages to match their cached size, users can no
longer retrieve these existing messages from an IMAP client. To remove
the header information cached by the IMAP client, the user must recreate
the IMAP account.
To run the mail conversion utility to add or update IMAP attributes
1. Shut down the Router on the server containing the mail files to
convert, by entering the following command at the console:
tell router quit

This prevents Domino from routing mail to the mail files while they
are being converted. Mail is stored in MAIL.BOX while you upgrade
the mail files. After you have converted the mail files and loaded the
Router task again, the Router processes and delivers the mail in
MAIL.BOX.
2. Load the mail conversion utility by entering the following command:
load convert [-h /-o] maildirectory\mailfilename

where maildirectory names the path to the mail subdirectory that
contains the user's mail file and mailfilename is the filename of the
user's mail file. The maildirectory path describes the path relative to
the server's Domino data directory. For example, to add IMAP
attributes to the mail database USER.NSF in the \MAIL subdirectory
of the Domino data directory, enter:
load convert -h mail\user.nsf

Note On UNIX systems, use a forward slash (/) as the hierarchy
separator, rather than a backslash (\). For example, enter:
load convert -h mail/user.nsf

To specify all files in a directory, make sure the directory only
contains mail files and that they are the mail files you want to
convert. For example, to add IMAP attributes to all mail files in the
\MAIL subdirectory, enter:
load convert -h mail\*.nsf

Caution When the conversion utility is run with the -h option, the
conversion operation can take a long time to complete. The exact
time depends on server processing speed and memory, as well as on
the size and composition of the mail file. To ensure that you can
complete conversions in the available time, run a test with a single
mail file before using a wildcard to run multiple conversions.
3. After you finish enabling mail files for IMAP on this server, load the
Router by entering:
load router
Re-enabling a corrupted IMAP mail file

If an IMAP-enabled mail file becomes corrupted, you can repair it by
performing the following tasks:
1. Run Fixup.
2. Disable the mail file for IMAP use.
3. Re-enable the mail file for IMAP use.
If you are unable to repair the mail file, contact Lotus Support Services
for assistance.

Running Fixup to repair a corrupted IMAP mail file

To repair a corrupted IMAP mail file, the Fixup task requires exclusive
access to the mail file database. Before running Fixup, you must shut
down the server. After the server is shut down, run Fixup as described
below:
To run Fixup
1. From a command prompt, change to the Domino program directory.
For example, if you installed Domino in the default location, enter:
cd c:\lotus\domino

2. To run Fixup on a specific mail file in the MAIL directory, enter:
nFixup path\mailfile

where path is the database path relative to the Domino data
directory and mailfile is the filename of the mail file. For example, to
run Fixup on the database USER.NSF in the DATA\MAIL folder, enter:
nFixup mail\user.nsf

Note If transaction logging is on, run Fixup with the -j switch, for
example:
nFixup -j mail\user.nsf

Disabling an IMAP mail file

If you need to disable IMAP-specific features in a mail file, run the mail
conversion utility with the -e- option. The example below removes
the IMAP capability of the mail database USER.NSF in the \MAIL
subdirectory of the Notes data directory:
load convert -e- mail\user.nsf

Note On UNIX systems, use a forward slash (/) as the hierarchy
separator, rather than a backslash (\). For example, enter:
load convert -e- mail/user.nsf

Re-enabling a mail file for IMAP

After disabling the mail file as described in the preceding section, you
can re-enable it. For more information on enabling a mail file, see the
topic "Running the mail conversion utility to enable a mail file for IMAP"
earlier in this chapter.

Configuring IMAP client software

After you set up a Domino server to run the IMAP service, users can
access their mail files on the Domino server from any IMAP mail client.
The IMAP service supports all IMAP-compliant clients, for example,
Microsoft Outlook and Outlook Express, Netscape Messenger,
Qualcomm Eudora, Cyrusoft Mulberry, and PC-Pine.
IMAP clients display Notes folders as IMAP mailboxes. When users
receive or delete documents in an IMAP mailbox, the changes also occur
in the Notes folder, and vice versa.
Users can access their mail files from both an IMAP client and the Notes
mail client. Domino IMAP clients can send mail to other Notes users and to
IMAP and POP3 clients on the Domino mail system or other mail systems.
For a complete list of IMAP clients and for more information on IMAP,
visit the Web site http://www.imap.org.
The specifics of configuring IMAP client software differ for each product.
This table presents some general requirements.
Field                     Description
Incoming mail (IMAP)      The fully qualified host name of the Domino server
server                    running the IMAP service.
Outgoing mail (SMTP)      The fully qualified host name of a server running SMTP
server                    to which the user can send mail addressed to intranet
                          or Internet recipients. The SMTP server may be the
                          Domino server running the IMAP service, a different
                          Domino server, or a non-Domino SMTP server.
Authentication required   Specifies whether the configured SMTP server requires
to send outbound mail     users to provide a name and password before they can
                          send outgoing messages.
Account/Login name        The name by which the user authenticates with the
                          Domino server. Valid user name values depend on the
                          setting in the Internet authentication field of the
                          Server document.
Password                  The Internet password from the user's Person document.
E-mail address            The Internet address specified in the user's Person
                          document.
Check for messages        Determines how often the client checks for mail. If the
every (x) minutes         client checks for mail more frequently, it may affect
                          server performance.
Folder namespace          The root folder path required by some IMAP clients.
prefixes                  Most IMAP clients do not need to specify folder
                          prefixes when using the Domino IMAP service to connect
                          to mail files.

For more information on determining the login names that a server will
accept, see the chapter "Setting Up Name-and-Password and
Anonymous Access to Domino Servers."

Example of configuring PC-Pine folder prefixes

You must configure INBOX and Folder collections for the PC-Pine client
to work properly with the Domino IMAP service. Enter this syntax in the
PC-Pine Setup Configuration dialog box:
Syntax                                                Example
INBOX-PATH {fully qualified domain name of IMAP       INBOX-PATH {East.Acme.com}INBOX
server}INBOX
Folder collections {fully qualified domain name of    Folder collections {East.Acme.com}
IMAP server}

Example of configuring other IMAP client software folder prefixes

For IMAP clients other than PC-Pine, set any folder prefix configurations
to blank or empty. This table shows the configuration settings for some
common IMAP clients:
IMAP client                                        Folder configuration
Netscape Messenger (Netscape Communicator 4.7)     IMAP Mail Directory
Outlook Express Mail (Microsoft Internet           Root Folder Path
Explorer 5.0)

IMAP settings in the server NOTES.INI file

IMAP_Config_Update_Interval
  Description: Specifies in minutes how often the IMAP service checks for
  configuration changes made to the Domino Directory.
  Default value: None. Without this setting, Domino checks for updates
  every 2 minutes.
  Applicable Domino releases: 4.6x, 5.x, 6.x

IMAP_Convert_Nodisable_Folder_Refs
  Description: Specifies whether the mail conversion utility (CONVERT)
  preserves folder references when updating mail files for use with the
  Domino Release 6 IMAP service.
  Default value: None. Without this setting, Domino removes folder
  references during conversion.
  Applicable Domino releases: 6.x

IMAP_Session_Timeout
  Description: Specifies how long the server continues to maintain
  inactive sessions with IMAP clients.
  Default value: None. Without this setting, Domino drops idle sessions
  after 30 minutes.
  Applicable Domino releases: 4.6x, 5.x

IMAPDisableFTIImmedUpdate
  Description: Specifies whether the IMAP service updates a mail file's
  full-text index (FTI). Set this variable to 2 to disable updates to
  FTIs, or to 1 to suppress immediate updates so that update requests
  occur at 15-minute intervals.
  Default value: When this variable is not present, or is set to 0,
  updates occur immediately after a new message is received. This allows
  users to search new messages.
  Applicable Domino releases: 6.x

IMAPDisableMsgCache
  Description: Specifies whether the IMAP service caches the last message
  retrieved from a user's mail file.
  Default value: When this variable is not present, or is set to 0, the
  IMAP service caches the most recently retrieved message.
  Applicable Domino releases: 6.x

IMAPGreeting
  Description: Specifies a custom greeting to send to IMAP clients
  connecting over TCP/IP.
  Default value: None
  Applicable Domino releases: 5.6x, 5.x

IMAPMaxSessions
  Description: Specifies the maximum number of concurrent IMAP sessions
  the server allows.
  Default value: None
  Applicable Domino releases: 5.0.3 and later 5.0.x releases

IMAPRedirectSSLGreeting
  Description: Specifies a custom greeting to send to IMAP clients
  attempting to connect to a TCP/IP port configured to redirect
  connections to the SSL port.
  Default value: None
  Applicable Domino releases: 4.6x, 5.x

IMAPShowIdleStatus
  Description: Enables the SHOW TASKS command to display the number of
  idle IMAP threads.
  Default value: When this variable is not present, or is set to 0, the
  SHOW TASKS command does not return the number of IMAP idle threads.
  Applicable Domino releases: 6.x

IMAPSSLGreeting
  Description: Specifies a custom greeting to send to IMAP clients
  connecting over SSL.
  Default value: None
  Applicable Domino releases: 4.6x, 5.x


Chapter 32
Setting Up iNotes Web Access
This chapter describes how to set up iNotes Web Access so that Notes
client users can use a Web browser to access their Lotus Notes mail and
calendar. It provides configuration document settings and NOTES.INI
settings to control and customize iNotes Web Access for users. In
addition, this chapter describes how iNotes Web Access works with
Sametime and Domino Off-Line Services to provide users with instant
messaging and the ability to work offline.

iNotes Web Access


iNotes Web Access provides Notes users with browser-based access to
Notes mail and to Notes calendar and scheduling features. iNotes Web
Access users can send and receive mail, view their calendars, invite
people to meetings, create to do lists, keep a notebook, and work offline.
After being set up for iNotes Web Access, a user can use both the
standard Notes client and a Web browser to access their mail files.
Because both the Notes client and iNotes Web Access operate on the
same underlying user mail file, read and unread marks remain
up-to-date, regardless of which client the user uses to read the mail.
Users can also synchronize contact information in their Personal Address
Book with information in their Contact List in iNotes Web Access.
While users simply need a name and Internet password to log on and use
iNotes Web Access, a Notes ID is required if a user wants to work offline.
Be sure to create a Notes ID for each user when registering new users
with the iNotes Web Access template.
For more information, see the topic "Registering iNotes Web Access
users" later in this chapter.

Security
iNotes Web Access requires user log-on and logout security. When a user
logs on to iNotes Web Access, they must enter their name and Internet
password, as specified in their Person document. The login names that
the server accepts as valid depend on the setting in the Internet
authentication field on the Security tab of the Server document.
For more information, see the chapter "Setting Up Name-and-Password
and Anonymous Access to Domino Servers."
When the user logs out of iNotes Web Access, iNotes closes the browser
and removes the user's log-on credentials and private data from the
browser's cache. By deleting this data, iNotes prevents an unauthorized
user from using cached information to access the user's mail file.
Note The removal of private data from the browser's cache and more
secure data clearing capabilities are available only if the user accepts the
iNotes ActiveX control.
iNotes Web Access will not remove some personal data unless the user
explicitly selects Logout for Shared PCs or Kiosk Users. With this
selection, users can choose one of two secure logouts:

Secure - This option deletes all traces of the user's personal use of
iNotes Web Access and any Web pages that they may have browsed,
but keeps iNotes Web Access program elements (this boosts
performance when the next person logs on).

More secure - This option deletes all traces of iNotes Web Access and
all other Web pages in the temporary Internet files folder.

You can also redirect users to a specific Web page after they log out.
For more information, see the topic "Redirecting users to a Web page
after logout" later in this chapter.

Integration with DOLS and Sametime

To provide users with the ability to work offline and use instant
messaging, you can integrate iNotes Web Access with Domino Off-Line
Services (DOLS) and Sametime. DOLS enables users to work offline,
disconnected from the network, and provides many replication features
that Notes users expect when working in the Notes client. Sametime
provides integrated, real-time chat features for iNotes Web Access users.
Neither DOLS nor Sametime is required for iNotes Web Access use.
For more information about setting up Sametime and iNotes Web Access,
see the chapter "Installing and Setting Up Domino Servers."

Registering iNotes Web Access users

When registering users, choose iNotes as the mail system. This choice
uses the iNotes60.ntf template. The name of the template is iNotes Web
Access (R6.0). The template contains mail template support for the
iNotes Web Access client and the Notes client.
For information on registering new users, see the chapter "Setting Up
and Managing Notes Users" and keep the following information in
mind:

The mail system, iNotes, does not automatically create a Notes ID
for the person. You must select Create a Notes ID for this person.

Under Password Options, enable Synch internet password with
Notes ID password. Making the passwords the same makes it easier
to manage passwords and allows Notes users to work offline with
iNotes Web Access.

Providing a log-on URL for iNotes Web Access users

After you register new iNotes Web Access users, they will need three
things to access their mail files:

User name

Internet password

Default log-on URL (http://servername.com/mail/username.nsf)

The default URL displays the Welcome Page. However, you can give
users a URL that will initially display other views. Appending the
following text to the URL with a specific keyword (see following table)
will cause iNotes Web Access to initially display a different view:
.../username.nsf/inotes/keyword/?OpenDocument&ui=inotes

To display      Use URL keyword
Mail Inbox      mail
Calendar        calendar
To Do List      todo
Contact List    contacts
Notebook        notebook

Creating Portal URLs

A portal is a Web site that aggregates information from a variety of
sources onto one page. You can provide a Web portal showing only one
view of iNotes Web Access, or one showing several views. iNotes Web
Access supports special URLs that allow a particular iNotes Web Access
functional area to be displayed within an IFRAME (or a full browser
window). This view takes up very little screen real estate and limits
access to other functional areas.
An individual iNotes Web Access portal view is limited to one of the
following:

Inbox

Calendar

To Do List

Notebook

Contact List

URL syntax for an iNotes Web Access portal showing just the mail Inbox:
.../username.nsf/inotes/mail/?OpenDocument&ui=portal

Note that you can place all of iNotes Web Access within a portal page by
using the normal iNotes URL and not using the &ui=portal parameter.

Customizing iNotes Web Access for users


This section describes how to customize iNotes Web Access settings for
users.

Editing the Configuration Settings document for iNotes Web Access

Making document links work

Allowing users to take the Domino directory offline

Adding a disclaimer to outgoing messages

Configuring alternate name support in iNotes Web Access

Redirecting users to a Web page after logout

Disabling the Active Content Filter

Editing the Configuration Settings document for iNotes Web Access


1. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the iNotes Web
Access mail server(s) and click Edit Configuration.
4. Select the iNotes Web Access tab.

5. Change any of the configuration settings and then save the document
and restart the Domino server.

Setting                   Action
Welcome Page Setup
Default Welcome Page      Click View/Modify to set Welcome Page settings.
                          Default Page: Lets users customize the Welcome
                          Page.
                          Selected Web Page: Forces users to use a specific
                          Web page as the Welcome page. Enter the URL
                          and title.
                          Custom Layout: Choose from six custom layouts
                          to specify new mail, calendar schedule, Web links,
                          and other options to appear in a layout.
Allow user to edit the    Enable (default) to allow users to create custom
Welcome page              Welcome pages and override any settings on the
                          server.
                          Disable to prevent users from changing the
                          administrator-prescribed Welcome page.
Alarm and Mail Polling
Alarms                    Enable (default) to allow users to set alarms for
                          appointments, meetings, events, and task
                          deadlines.
                          Disable to prevent users from setting alarms that
                          may slow server performance.
Minimum alarm             Enter a number to specify how often, in minutes,
polling time              the iNotes Web Access client checks the server for
                          alarms. Default is 5 minutes. Increase this number
                          to improve server performance.
Mail
Minimum mail polling      Enter a number to specify how often, in minutes,
time                      the iNotes Web Access client checks the server for
                          new mail. Default is 5 minutes. Increase this
                          number to improve server performance.
When sending mail, set    Choose Plain text, or Let user decide. This setting
format to:                allows you to restrict outgoing mail to plain text
                          only. Plain text messages can be read by most
                          legacy mail applications. Allowing the user to
                          decide lets the user pick the format for every
                          outgoing mail message.
Name resolution and       Enable to allow alternate name lookups, similar to
validation                type-ahead in Notes. Lets users resolve
                          ambiguous names and use alternate names by
                          checking names against a contact list or Domino
                          Directory.
Offline
Encrypt offline mail      When enabled, allows users to encrypt their
files                     offline mail files for security.
Offline encryption level  Sets the default offline encryption level to be
                          simple, medium, or strong.
                          Simple encryption provides protection against
                          casual snooping.
                          Medium encryption provides the right balance
                          among security, strength, and fast database
                          access. Probably the right choice for most users.
                          Choose strong encryption when security
                          requirements are paramount, and the resulting
                          database access performance is acceptable.
Allow user to choose      This setting, when enabled, overrides the
an encryption level       administrator-specified encryption level and
                          allows users to choose their own encryption level.
Allow user to go offline  When selected, this option enables the Go
                          Offline feature in the iNotes Web Access client.
                          Disable this option to prevent users from using
                          iNotes Web Access offline, disconnected from the
                          network.
International
Alternate name display    Enable (default) to allow iNotes Web Access users
                          to display alternate names in a native language.
                          Disable to prevent iNotes Web Access from
                          displaying alternate user names in a native
                          language. When disabled, users see alternate
                          names in English only.
Alternate name            This setting overrides the preferred language for
language                  an alternate name in user Preferences.
                          Pick from a list to select the default alternate
                          name language. Default is English.
Allow user to choose      Lets users choose the preferred language for an
alternate name display    alternate name.
                          Disable (default) to prevent users from controlling
                          alternate name support.
Other Settings
Full-text indexing        Enable (default) to allow users to create a full-text
                          index of their mail, calendar, and task entries on
                          the server.
                          Disable to prevent creation of full-text indexes to
                          save disk space on the server and improve
                          performance.
Archiving on server       Enable (default) to allow users to create archives
                          of their mail files on the server.
                          Disable to prevent creation of mail archives to
                          save disk space on the server.
Modification of           Disable to prevent users from changing their
Internet password         Internet password.
Calendar printing         Enable (default) to allow users to print various
                          calendar formats, including DayRunner, Franklin
                          Planner, and Trifold. Calendar printing uses the
                          PDF format from Adobe Acrobat.
                          Disable to prevent users from printing Calendar
                          formats using PDF.
Custom ActiveX file       Enable (default) to allow users to use the custom
attachment utility        file upload utility to drag-and-drop file
                          attachments, select files easily, and have multiple
                          file views.
                          Disable to allow users to use the standard browser
                          file upload utility.

6. Save the document and restart the Domino server.

Making document links work


iNotes Web Access supports document links to any server, including servers other than the user's home mail server. Document links work as long as the user has access to the database to which the link connects. The database must also be on a Domino server in the local area network.
To configure the server for document links:
1. From the Domino Administrator, click the Configuration tab.
2. Select the Server view and open the Current Server Document.
3. Click Edit Server.
4. Choose the Internet Protocols tab, then Domino Web Engine tab.
5. Set the Redirect to resolve external links field to By Server.
6. Click Save & Close.

Allowing users to take the Domino directory offline


You can use a NOTES.INI variable, $DOLSDirectoryCatalog, to set the name of a Domino directory that the user may take offline. This setting makes a part of the interface visible in the user's preferences, giving users the option of taking the server's directory catalog or Domino directory offline.
For example, if NOTES.INI contains $DOLSDirectoryCatalog=dc.nsf, the user sees a new preference setting, Include server's Name and Address Book. If the user enables this setting, the server's directory catalog will be included among the files when the user goes offline.
Taking the directory catalog rather than the Domino directory offline improves performance and saves space on the user's disk drive.

Disabling the Active Content Filter


Use the NOTES.INI variable, iNotes_WA_DisableActCntSecurity, to disable the Active Content Filter. A setting of 1 disables the filter. Setting this variable to 0 (or omitting it from the server's NOTES.INI file) enables the filter.
The Active Content Filter is intended to remove potentially harmful active content (JavaScript, Java, ActiveX) from HTML in mail messages prior to display in a browser. Active content filtering can reduce server performance because it requires a full parse of HTML content and a rewrite of the content.
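To make concrete what such a filter has to do, and why it costs a full parse and rewrite, here is an added example of an active content filter in Python. It is not Domino's own filter code and operates on a constructed sample message; the sets of elements and attributes it strips are assumptions chosen for the example, not the product's actual rule set.

```python
"""Illustrative active-content filter for HTML mail bodies.

Added example, not Domino's Active Content Filter: it demonstrates the kind
of rewrite the text describes, a full parse of the HTML followed by
re-serialisation with script, Java and ActiveX content removed.
"""
from html import escape
from html.parser import HTMLParser

# Elements that carry active content; the element and everything inside it is dropped.
ACTIVE_ELEMENTS = {"script", "applet", "object", "embed", "iframe"}
# Attributes whose value is a URL, where a script scheme would run code when followed.
URL_ATTRS = {"href", "src", "action", "background"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class ActiveContentFilter(HTMLParser):
    """Rebuilds the HTML, keeping only passive elements and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []          # re-serialised HTML fragments
        self.removed = []      # audit trail of what was stripped
        self.skip_depth = 0    # >0 while inside an active element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in ACTIVE_ELEMENTS:
                self.skip_depth += 1   # nested active element
            return
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth = 1
            self.removed.append(f"element <{tag}>")
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):  # onload, onclick, onerror, ...
                self.removed.append(f"attribute {name} on <{tag}>")
                continue
            if name in URL_ATTRS and value is not None:
                # Collapse whitespace so a split scheme ("java\tscript:") is caught too.
                if "".join(value.split()).lower().startswith(SCRIPT_SCHEMES):
                    self.removed.append(f"{name} scheme on <{tag}>")
                    continue
            kept.append((name, value))
        attr_text = "".join(
            f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        # <embed .../>: no end tag will follow, so never open a skip region for it.
        if self.skip_depth:
            return
        if tag in ACTIVE_ELEMENTS:
            self.removed.append(f"element <{tag}>")
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in ACTIVE_ELEMENTS:
                self.skip_depth -= 1
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.removed.append("comment")  # conditional comments can hide script; drop them


def filter_active_content(html):
    """Return (filtered_html, list_of_removed_items)."""
    parser = ActiveContentFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample message body (not a real message).
SAMPLE_MESSAGE = (
    '<p onmouseover="run()">Quarterly figures attached.</p>'
    "<script>run()</script>"
    '<a href="JavaScript:run()">report</a>'
    '<a href="https://intranet.example.invalid/report.pdf">report</a>'
    '<object classid="clsid:00000000-0000-0000-0000-000000000000"><p>hidden</p></object>'
    "<b>Regards &amp; thanks</b><br>"
)

if __name__ == "__main__":
    clean, removed = filter_active_content(SAMPLE_MESSAGE)
    print(clean)
    for item in removed:
        print("removed:", item)
```

The parser keeps an audit trail of what it removed, which is what an administrator would want logged when deciding whether the performance cost of leaving iNotes_WA_DisableActCntSecurity at 0 is justified. Everything the filter emits is rebuilt from the parsed tree rather than copied from the input, which is the reason a full parse and rewrite are unavoidable.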

Redirecting users to a Web page after logout


Use the NOTES.INI variable, iNotes_WA_LogoutRedirect, to specify a URL to redirect users to after they log out from the server. The setting provides the normal cache clearing with the iNotes control, and clearing of browser credentials. This variable allows sites that need additional actions to happen on a logout (such as logging out of a reverse proxy server) to specify a URL that performs this additional activity. Or you can use this variable to return people to an initial login page.
For instance:
iNotes_WA_LogoutRedirect=http://www.ibm.com


Specifying the number of names to return

Use the NOTES.INI setting, iNotes_WA_NameLookupMaxNumMatch, to specify the maximum number of names to return on name lookups. The default is 200. You can reduce this number to improve server performance.
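The NOTES.INI settings described above ($DOLSDirectoryCatalog, iNotes_WA_DisableActCntSecurity, iNotes_WA_LogoutRedirect and iNotes_WA_NameLookupMaxNumMatch) are easy to check from a copy of the file. The following Python script is an added example, not part of Domino or this manual: it parses a constructed NOTES.INI fragment and reports on each setting. The list of hosts a logout redirect may point at is an assumption made for the example.

```python
"""Audit the iNotes Web Access NOTES.INI settings documented in this section.

Added example, not Domino code: it parses a constructed NOTES.INI fragment
and reports on $DOLSDirectoryCatalog, iNotes_WA_DisableActCntSecurity,
iNotes_WA_LogoutRedirect and iNotes_WA_NameLookupMaxNumMatch. The set of
hosts a logout redirect may point at is an assumption chosen for the example.
"""
from urllib.parse import urlsplit

# Constructed NOTES.INI fragment; keys are case-insensitive, one key=value per line.
SAMPLE_NOTES_INI = """\
ServerTasks=Update,Replica,Router,AMgr,HTTP
$DOLSDirectoryCatalog=dc.nsf
iNotes_WA_DisableActCntSecurity=1
iNotes_WA_LogoutRedirect=http://www.example.invalid/login
iNotes_WA_NameLookupMaxNumMatch=5000
"""

# Hosts the logout redirect may send users to (assumption for the example).
ALLOWED_REDIRECT_HOSTS = {"www.example.invalid", "sso.example.invalid"}
NAME_LOOKUP_DEFAULT = 200  # default documented for iNotes_WA_NameLookupMaxNumMatch


def parse_notes_ini(text):
    """Return {lower-cased key: value} for every key=value line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_inotes_settings(settings, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Return a list of (severity, message) findings; empty when nothing is wrong."""
    findings = []

    # Active Content Filter: 1 disables it; 0 or an absent key keeps it enabled.
    acf = settings.get("inotes_wa_disableactcntsecurity", "0")
    if acf == "1":
        findings.append(("high", "Active Content Filter disabled: script, Java and "
                                 "ActiveX in HTML mail reach the browser unfiltered"))
    elif acf != "0":
        findings.append(("low", f"iNotes_WA_DisableActCntSecurity={acf!r} is neither 0 nor 1"))

    # Logout redirect: expect an absolute http(s) URL to a host this site operates.
    redirect = settings.get("inotes_wa_logoutredirect")
    if redirect:
        parts = urlsplit(redirect)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append(("medium", f"iNotes_WA_LogoutRedirect is not an absolute http(s) URL: {redirect!r}"))
        elif parts.hostname not in allowed_hosts:
            findings.append(("medium", f"iNotes_WA_LogoutRedirect sends users to an unexpected host: {parts.hostname}"))

    # Name lookup ceiling: the default is 200; larger values cost server performance.
    max_match = settings.get("inotes_wa_namelookupmaxnummatch")
    if max_match is not None:
        if not max_match.isdigit():
            findings.append(("low", f"iNotes_WA_NameLookupMaxNumMatch={max_match!r} is not a number"))
        elif int(max_match) > NAME_LOOKUP_DEFAULT:
            findings.append(("low", f"iNotes_WA_NameLookupMaxNumMatch={max_match} exceeds the default of {NAME_LOOKUP_DEFAULT}"))

    # Offline directory: a directory catalog is smaller to take offline than the full Domino Directory (NAMES.NSF).
    catalog = settings.get("$dolsdirectorycatalog")
    if catalog and catalog.lower() == "names.nsf":
        findings.append(("info", "$DOLSDirectoryCatalog points at the full Domino Directory "
                                 "rather than a directory catalog"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_inotes_settings(parse_notes_ini(SAMPLE_NOTES_INI)):
        print(f"[{severity}] {message}")
```

Run against the constructed fragment, the script flags the disabled Active Content Filter and the oversized lookup limit, and accepts the redirect because its host is on the allowed list.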

Adding a disclaimer to outgoing messages


You can add a disclaimer to the bottom of outgoing mail messages in
iNotes Web Access. A disclaimer is a denial or a disavowal of legal
responsibility for the contents of the message. In some countries, not
having a proper disclaimer on messages may result in fines leveled by
regulatory agencies.
Use the subform s_Disclaimer in Forms5.nsf to create a disclaimer. This
subform works with the s_SessionInfo form. By default, the disclaimer is
not enabled.
1. Make a backup copy of ...\data\iNotes\Forms5.nsf.
2. Using Domino Designer, open Forms5.nsf.
3. Click Shared Code - Subforms.
4. Double click the subform s_Disclaimer to open it.
5. In the JavaScript, change false to true.
6. Change the text string to state your disclaimer (HTML allowed).
7. Click File - Save.
8. Restart the HTTP server using the Domino Administrator console
(>tell http restart).
Default Disabled Disclaimer JavaScript:
function getDisclaimerHTML() {
    // The disclaimer is appended only when this condition is true; false disables it.
    var strDisclaimer = "";
    if (false) {
        strDisclaimer = "<br>Place your disclaimer text here in HTML format. Externally referenced files will not be sent";
    }
    return strDisclaimer;
}

Sample Enabled Disclaimer JavaScript:
function getDisclaimerHTML() {
    // Changing false to true enables the disclaimer; the string holds the HTML to append.
    var strDisclaimer = "";
    if (true) {
        strDisclaimer = "<br>The information in this e-mail, and any attachments therein, is confidential and for use by the addressee only. If you are not the intended recipient, please return the e-mail to the sender and delete it from your computer. Although we attempt to sweep e-mail and attachments for viruses, we do not guarantee that either are virus-free and accept no liability for any damage sustained as a result of viruses.";
    }
    return strDisclaimer;
}

Note HTML is automatically converted to plain text for plain text messages.

Configuring alternate name support in iNotes Web Access


An alternate name is helpful when a user wants to use his or her native language and character set to type, display, and look up names. For example, users can type a name in a native language and character set when sending mail. A user's primary name is recognizable to an international audience; an alternate name is recognizable in the user's native language.
By default, iNotes Web Access allows users to view alternate names but
not in any language other than English. You can change iNotes Web
Access to allow users to send and view alternate names in their own
native language.
Note Before a user can use an alternate name for a primary name, you
must register and certify the alternate name.
For more information on alternate names, see the chapter Setting Up
and Managing Notes Users.
To allow users to display alternate names in the language of their choice
1. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the iNotes Web Access mail server(s) and click Edit Configuration.
4. Select the iNotes Web Access tab.
5. Enable Alternate name support.
6. Enable Name resolution and validation.
7. Enable Allow user to choose the alternate name display.
8. Save the document and restart the Domino server.
This will change the user interface of the Preferences - Other tab. Users will now be able to display alternate names in the language of their choice.
To allow users to view alternate names in the languages set by the server
1. Perform steps 1 through 6 in the preceding procedure.
2. Disable Allow user to choose alternate name display.
3. In the field Alternate name languages, choose languages from the list.
4. Save the document and restart the Domino server.
This change affects the user interface of the Preferences - Other dialog. Users will be able to display alternate names in the languages set by you on the server.

iNotes Access for Microsoft Outlook


Lotus iNotes Access for Microsoft Outlook is similar to iNotes Web Access, but uses a Microsoft Outlook client to access mail file databases instead of a Web browser. Lotus iNotes Access for Microsoft Outlook requires a Domino Off-Line Services (DOLS)-enabled server, which allows users to open their mail files online or offline.
For more information about DOLS enablement, see the chapter
Installing and Setting Up Domino Servers.
Lotus iNotes Access for Microsoft Outlook supports Outlook 98, 2000, or
XP. The Microsoft Outlook client must be a Corporate or Workgroup
client. To check your Outlook client, start Microsoft Outlook, then choose
Help - About.
Note Lotus iNotes Access for Microsoft Outlook does not support
Internet Mail Only clients.

Setting up mail files on the server


To set up your iNotes Access for Microsoft Outlook users, follow these steps.
1. Register users with the Extended Mail template (MAIL6EX.NTF). For existing users, replace the design of their mail files with the Extended Mail template. For new users, create mail files with the Extended Mail template.
Enable the Set Internet password field in each user's Person document in the Domino Directory.
The download page of an iNotes Access for Microsoft Outlook mail database gives the user an option to download a directory catalog (address book) along with the subscription. To download the catalog, add the following setting to the NOTES.INI file:
$DOLSDirectoryCatalog=file name of the directory catalog
For example, to have users download the catalog DircatOne.nsf with their mail file, add the following to the NOTES.INI file:
$DOLSDirectoryCatalog=DircatOne.nsf
2. Create a DOLS Offline Security Policy document. For more information, see the chapter Using Policies.
3. Give each user a Notes user name, Internet password, and URL.
Provide users with a URL that points to their mail file. Append
/inotes to the end of the URL. For example:
http://server1/mail/jsmith.nsf/inotes

Downloading iNotes Access for Microsoft Outlook


To use their iNotes Access for Microsoft Outlook mail file, users must do
the following:
1. Open a Web browser and enter the URL of the mail file.
2. When prompted, enter their Notes user name and Internet password
to access the download page.
From the download page, users can choose the language of the Lotus
iNotes Sync Manager (client software for managing and synchronizing
the mail file); choose to encrypt the mail file; choose whether or not to
download a directory catalog along with the mail file; and choose
whether or not to install an offline version of their mail file. Users can
find detailed help on these options on the download page.
3. Click Start Download to download the mail file. During the
download, the mail file and Lotus iNotes Sync Manager software are
installed. When the iNotes Sync Manager appears, it must remain
open while the subscription is synchronizing for the first time. Users
can close the iNotes Sync Manager after the status column no longer
says Active.
4. Start Outlook. When prompted, choose one of the following mail
profiles:
Mail on servername - the version of the mail file on the Lotus
Domino 6 server.
Local Mail - the version of the mail file on the local computer
5. Use Lotus iNotes Sync Manager to synchronize between the offline
and online mail files, or to schedule automatic synchronizations. The
iNotes Sync Manager Help is available by choosing Start - Programs
- Lotus iNotes - Lotus iNotes Help.


Chapter 33
Monitoring Mail
This chapter describes how to track messages to determine if they
reached the recipients and how to generate mail usage reports.

Tools for mail monitoring


Domino provides three tools that you can use to monitor mail. Message
tracking allows you to track specific mail messages to determine if the
intended recipients received them. Mail usage reports provide the
information you need to resolve mail problems and improve the
efficiency of your mail network. Mail probes test and gather statistics on
mail routes.

Tracking mail messages


Both users and Domino administrators can track mail. Users can track
only messages that they themselves sent. Administrators can track mail
sent by any user.
When you configure mail tracking, you can specify which types of
information Domino records. For example, you can specify that Domino
not record message-tracking information for certain users, or you can
choose not to record the subject line of messages sent by specific users.
The Mail Tracker Collector task (MTC) reads special mail tracker log files
(MTC files) produced by the Router and copies certain messaging
information from them to the MailTracker Store database
(MTSTORE.NSF). The MailTracker Store database is created
automatically when you enable mail tracking on the server. When an
administrator or user searches for a particular message, either a message
tracking request or a mail report, Domino searches the MailTracker Store
database to find the information.
Note The Mail Tracker Collector differs from the Statistics Collector
(Collect task), which is responsible for gathering statistical information
about servers.


How mail tracking works


1. From a Notes client or Domino Administrator client, a user creates a
query to determine whether a specific message arrived at its
intended destination or to determine how far it got if delivery failed.
2. The mail tracking program begins to trace the routing path from the
server where the message originated. If the message is not found on
the originating server, tracking automatically continues at the next
server on the route.
3. Step 2 is repeated on each next server until the route ends.
Detailed information is provided about the processing of the
message on each server.
4. After the tracking query completes, the user can select messages
from the results and check their delivery status. The following table
displays the possible values for the delivery status:
Delivery status and meaning:
Delivered: The message was delivered to a mailbox on the server. The mail file status indicates whether the message was read, unread, or deleted. If the mail file status is not read, unread, or deleted, it appears as unknown.
Delivery failed: The server attempted to deliver the message to a mail file but was unsuccessful. The recipient may not exist, or the server's disk may be full.
In queue: The Router is processing the message.
Transferred: The Router successfully sent the message to the server identified in the next hop field.
Transfer failed: The Router attempted to transfer the message to another server and failed.
Group expanded: The message was addressed to a group, and the group was expanded on this server.
Unknown: The status of the message on the server cannot be determined.

Generating mail usage reports


Over time, the Domino MailTracker Store database (MTSTORE.NSF)
accumulates valuable data about message routing patterns on the server.
It may be useful to generate mail usage reports from this data. For
example, you can generate reports of recent messaging activity, message
volume, individual usage levels, and heavily traveled message routes.
You can use the Reports database (REPORTS.NSF) to generate and store
mail usage reports. Typically, the Reports database is created
automatically when you set up the server.

Agents stored in the Reports database let administrators schedule reports on a one-time, daily, weekly, and monthly basis. By default, Domino generates scheduled reports at midnight at the interval you specify: daily, weekly, or monthly. When a report query is run, the active report agent examines the data collected in the Domino MailTracker Store database to generate the resulting report. You can configure a report to save results in the Reports database or mail results to one or more administrators. Saved reports are organized in the Reports database under several different views. Reports that are mailed, but not saved, are not added to the Reports database.
You can use the Reports database to analyze server mail usage. Views in the database display previously saved reports according to date, schedule, report type, and user. In addition, a view displays all scheduled reports by interval.

Mail routing event generators


To monitor a mail network, you can configure mail routing event
generators to test and gather statistics on mail routes.
For more information on mail routing event generators, see the chapter
Monitoring the Domino Server.

Setting up mail monitoring


To set up mail monitoring, you must complete these procedures:
1. Start mail tracking (the MTC task) on the server.
2. Configure the server for message tracking.
3. Set up the Reports database (REPORTS.NSF).


Mail usage reports provide important information that you can use to
resolve problems and improve the efficiency of the mail network. In
addition, this information is valuable when you plan changes or
expansions to the mail network. For example, you can generate reports
that show the 25 users who received the most mail over a given period of
time (a day, a week, a month, and so forth), or the volume of mail sent by
a specified user over some interval. With this information, you can
identify users who might be misusing the mail system. Other reports
show the most frequently used next and previous hops, enabling you to
assess compliance with mail use policies.
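The reports described above are aggregations over the per-message summaries in the MailTracker Store. The following Python code is an added example, not the report agents shipped in REPORTS.NTF: it runs the same kinds of queries (top senders and receivers by count or size, most popular next and previous hops, largest messages, volume and status summaries) over constructed tracking entries, and applies the Time Range rule from the Reports database, described later in this chapter, that each choice covers the period up to the current day. Treating "Over the last month" as 30 days is an assumption of the example.

```python
"""Mail usage report queries over message tracking data.

Added example, not the Reports database agents: it runs the kinds of queries
the report types describe over constructed tracking entries shaped like
MailTracker Store summaries. The 30-day length of "Over the last month" is
an assumption.
"""
from collections import Counter, namedtuple
from datetime import date, timedelta

Msg = namedtuple("Msg", "day sender recipient size status previous_hop next_hop")

# Constructed tracking entries (not real traffic); blank hops mean the message
# originated or was delivered on this server.
RECORDS = [
    Msg(date(2002, 10, 8), "Pat Lee/Example", "Chris Doe/Example", 4_200, "Delivered", "", ""),
    Msg(date(2002, 10, 8), "Pat Lee/Example", "sam@partner.invalid", 1_500_000, "Transferred", "", "MailHub1/Example"),
    Msg(date(2002, 10, 7), "Chris Doe/Example", "Pat Lee/Example", 900, "Delivered", "", ""),
    Msg(date(2002, 10, 1), "Chris Doe/Example", "Pat Lee/Example", 52_000, "Delivered", "Mail2/Example", ""),
    Msg(date(2002, 9, 1), "Robin Roe/Example", "Pat Lee/Example", 300, "Delivery failed", "", ""),
    Msg(date(2002, 10, 8), "Robin Roe/Example", "Chris Doe/Example", 12_000, "Transferred", "", "MailHub1/Example"),
]
REPORT_DAY = date(2002, 10, 8)  # the "current day" for the sample

# Days covered by each Time Range choice; every choice runs up to the current day.
TIME_RANGES = {
    "Today": 0,
    "Yesterday": 1,
    "Over the last week": 7,
    "Over the last two weeks": 14,
    "Over the last month": 30,          # assumption: a month is taken as 30 days
    "All available information": None,
}


def select(records, time_range, today):
    """Entries within the chosen range; 'Yesterday' covers yesterday and today."""
    days = TIME_RANGES[time_range]
    if days is None:
        return list(records)
    start = today - timedelta(days=days)
    return [m for m in records if start <= m.day <= today]


def top_by(records, column, by="count", n=25):
    """Top-N values of one column (sender, recipient, next_hop, ...) by count or total size."""
    totals = Counter()
    for m in records:
        value = getattr(m, column)
        if value:  # skip blank hops
            totals[value] += 1 if by == "count" else m.size
    return totals.most_common(n)


def largest_messages(records, n=25):
    return sorted(records, key=lambda m: m.size, reverse=True)[:n]


def message_volume_summary(records):
    """(number of messages, total bytes) for the selection."""
    return len(records), sum(m.size for m in records)


def message_status_summary(records):
    return dict(Counter(m.status for m in records))


if __name__ == "__main__":
    week = select(RECORDS, "Over the last week", REPORT_DAY)
    print("Top senders by size:", top_by(week, "sender", by="size"))
    print("Most popular next hops:", top_by(week, "next_hop"))
    print("Volume:", message_volume_summary(week))
    print("Status:", message_status_summary(week))
```

The same selection feeds every report type, so a "Top 25 Senders by Size" report and a "Message Volume Summary" for the same Time Range are guaranteed to describe the same set of messages, which is what makes them comparable when you are looking for a user who is misusing the mail system.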

Setting up the Reports database


After you set up the Domino MailTracker Store database, you can use the
Reports database (REPORTS.NSF) to generate and store mail usage
reports. Although the Reports database is created automatically when
you set up the server, before you can generate mail usage reports, you
must set up security for the database.
To create the Reports database
1. From the Domino Administrator, Notes client, or Domino Designer
client, choose File - Database - New.
2. At the bottom of the New Database dialog box, click Show advanced
templates.
3. Complete these fields and click OK:
Field and what to enter:
Server: The name of the server that stores the Mail Tracking Store database (MTSTORE.NSF)
Title: Reports
File name: REPORTS.NSF
Template server: The name of the server entered in the Server field
Template: REPORTS.NTF

To set up security for the Reports database


Note Step 4 of this procedure requires use of the Domino Designer
client.
1. Open the Reports database and choose File - Database - Access
control to open the database ACL.
2. Verify that the server and the server administrator have Manager
access, then click OK.
3. With the Reports database active in your client, choose View - Agents.
4. Verify that the scheduled agents (Daily, Monthly, and Weekly Report
Agents, and the Housecleaning agents) are enabled. Enable agents as
necessary by selecting the agent and clicking Enable; then close the
Domino Designer.
5. From the Domino Administrator, click the Configuration tab, open
the Server document for the server where you created the Reports
database and click the Security tab.
6. In the Programmability Restrictions - Run unrestricted methods and
operations field, enter the names of administrators who need access
to the Reports database, and then click Save & Close.

Controlling the Mail Tracking Collector


After you enable message tracking on the server, the Mail Tracking
Collector (MT Collector or MTC task) automatically creates the Domino
MailTracker Store database (MTSTORE.NSF) in the MTDATA
subdirectory of the Domino data directory. The MTC task periodically
collects messaging information from raw data accumulated in special
mail tracker log files (MTC files) produced by the Router. After collecting
this message summary information (information about the originators, recipients, arrival times, and delivery status of the messages processed by the server), it adds it to the Domino MailTracker Store database.
Mail users and administrators use the information stored in the Domino
MailTracker Store to complete mail tracking requests and to generate
mail usage reports.
Caution Do not edit the Mail Tracking Store database directly.
In addition to collecting message data, the MTC task performs several
maintenance operations on the Domino MailTracker Store database. You
can enter commands at the server console to instruct the MTC task to
perform these operations. The following table lists the commands for
performing various MTC operations:
MTC operation, description and command:

Start mail tracking: When mail tracking is enabled in the Configuration Settings document, tracking automatically starts when the Router starts. If you stop the MTC task, you can restart it by entering the following command at the server console:
load mtc

Stop mail tracking: By default, the MTC task automatically stops when the Router stops. To stop the task without stopping the Router, enter the following command at the server console:
tell mtc quit

Collect new data from mail tracking logs: If mail tracking is enabled on the Router/SMTP - Mail Tracking tab of the Configuration Settings document, the MTC task collects data from mail tracking log files at the interval specified in the Message tracking collection interval field. If there is new data to report, it creates an entry in the MailTracker Store database. To instruct the MTC task to collect data immediately, enter the following command at the server console:
tell mtc process
Performing a manual collection resets the automatic collection interval to its full value. For example, if the collection interval is set to 15 minutes (900 seconds), after you run the collection manually, the next automatic collection occurs in 15 minutes.
To check the collection interval that is currently in effect, as well as the time remaining to the next collection, enter the Show Tasks command at the console.

Establish a different collection interval: If mail tracking is enabled on the Router/SMTP - Mail Tracking tab of the Configuration Settings document, the MTC task collects data from mail tracking log files at the interval specified in the Message tracking collection interval field. If there is new data to report, it creates an entry in the MailTracker Store database. To specify a different interval, enter the following command at the server console:
tell mtc interval value
where value is the desired interval, in seconds.
The specified value remains in effect until the next Router restart. At that time the value specified in the Configuration Settings document again goes into effect.
To check the collection interval that is currently in effect, as well as the time remaining to the next collection, enter the Show Tasks command at the console.

Compact the MailTracker Store database: By default, the MTC task compacts the Domino MailTracker Store nightly at 2 am. To compact the database immediately, enter the following command at the server console:
tell mtc compact
You can also change the default time for compacting the database by setting the variable MTCDailyTasksHour in the server's NOTES.INI file.

Reindex the MailTracker Store database: To assist message tracking tools and mail usage reports in searching for information, the Domino MailTracker Store database is full-text indexed. New documents added to the database are available to full-text searches only after the index has been updated to account for them. Data contained in an unindexed document is omitted from search results. To determine if the index needs to be updated, display the total of unindexed documents in a database by clicking the Count unindexed documents button on the Full Text tab of the Database Properties box.
To ensure that the full-text index of the Domino MailTracker Store database remains current, use the Full Text Index tool available from the Domino Administrator client to schedule automatic updates to occur on an hourly or daily basis. You can also update the database manually from a Notes client or Domino Administrator client, using the update tool on the Full Text tab of the Database Properties box, or by entering the following command at the server console:
tell mtc reindex

Purge old entries from the MailTracker Store database: By default, the MTC task purges documents from the MailTracker Store database after 30 days. To purge documents less than 30 days old from the database, enter the following command at the server console:
tell mtc purge value
where value is the maximum number of days to retain documents in the Mail Tracker Store database. The MTC task removes all documents older than value from the database.

For more information about the MTCDailyTasksHour setting, see the appendix NOTES.INI File.

Configuring the server for message tracking


This process allows you to customize the type of information you want to collect and store in the Mail Tracking Store database (MTSTORE.NSF). For example, you can exclude certain users' mail from being collected, or you can restrict messages from being tracked by message subject.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. In the Configuration Settings document, click the Router/SMTP - Message Tracking tab.
6. Complete these fields, and then click Save & Close:
Field and what to enter:

Message tracking: Choose one:
Enabled to log message-handling activity information in the Mail Tracking Store database.
Disabled (default) to not log any message-handling information.

Don't track messages for: The names of users and/or groups whose messages will not be logged and, therefore, cannot be tracked. This field applies only to messages sent by the specified person or group. For example, to prevent administrators from tracking messages sent by the Manager of Human Resources, enter the manager's name in this field. If you leave this field blank (default), authorized administrators can track messages for all users and groups on all servers that are enabled for mail tracking.
On servers running the ISpy task to test mail connectivity, this task sends trace messages at 5-minute intervals. To prevent the Domino MailTracker Store database from filling up with entries for these trace messages, enter the name of the ISpy mail-in database on the server in this field, for example, ISpy on MailHub1.

Log message subjects: Choose one:
Yes - The server records the subject of each message in the MailTracker Store database.
No (default) - The server does not log message subjects.

Don't log subjects for: The names of users and/or groups whose message subjects will not be logged and, therefore, cannot be tracked. This field applies only to messages sent by the specified person or group. The default is none.

Message tracking collection interval: A number that represents how often, in minutes, you want to log message tracking activity in the Mail Tracking Store database. This number may affect server performance. Enter a number appropriate to the size and speed of your system. The default 15 minutes is recommended.

Allowed to track messages: The names of servers and/or users allowed to track messages on this server. If you leave this field blank (default), only members of the LocalDomainServers group are authorized to track messages on this server. If you add any entries to this field, you must list all servers and/or users that are allowed to track messages on this server.

Allowed to track subjects: The names of servers and/or users allowed to track messages by subject on this server. If you leave this field blank (default), only members of the LocalDomainServers group are authorized to track messages by subject on this server. If you add any entries to this field, you must list all servers and/or users allowed to track subjects on this server. If you list servers and/or users in this field, you do not have to list them in the Allowed to track messages field.

If disk storage space is a concern, use database replication settings to control how many days' worth of information the Mail Tracking Store database retains. The number of days restricts how far back in time messages can be tracked, so choose a value that balances tracking needs and available disk storage.
For information on replication settings, see the chapter Creating Replicas and Scheduling Replication.
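The interaction between the fields above is easy to get wrong: a non-blank Allowed to track messages list replaces the LocalDomainServers default rather than extending it, an entry in Allowed to track subjects also covers message tracking, and senders named in Don't track messages for never appear in the MailTracker Store at all. The following Python model is an added example, not Domino code: it encodes those rules from the table so a proposed configuration can be checked before the document is saved. All names and group memberships are constructed, and one-level group expansion is an assumption of the model.

```python
"""Model of who is logged by, and who may query, Domino message tracking.

Added example, not Domino code: it encodes the rules stated for the
Message Tracking fields so a proposed configuration can be checked before
it is saved. Names and group memberships are constructed; group expansion
is one level deep, which is an assumption of the model.
"""
from dataclasses import dataclass, field

# Constructed group membership standing in for the Domino Directory.
GROUPS = {
    "LocalDomainServers": {"MailHub1/Example", "Mail2/Example"},
    "HR": {"Pat Lee/Example"},
    "MailAdmins": {"Sam Admin/Example"},
}


@dataclass
class TrackingConfig:
    """Fields of the Router/SMTP - Message Tracking tab; an empty set means 'blank'."""
    message_tracking: bool = False
    dont_track_messages_for: set = field(default_factory=set)
    log_message_subjects: bool = False
    dont_log_subjects_for: set = field(default_factory=set)
    allowed_to_track_messages: set = field(default_factory=set)
    allowed_to_track_subjects: set = field(default_factory=set)


def expand(names):
    """Expand group names one level; unknown names are individual users or servers."""
    members = set()
    for name in names:
        members |= GROUPS.get(name, {name})
    return members


def what_is_logged(cfg, sender):
    """Return (message_logged, subject_logged) for a message sent by `sender`."""
    if not cfg.message_tracking or sender in expand(cfg.dont_track_messages_for):
        return (False, False)
    subject = cfg.log_message_subjects and sender not in expand(cfg.dont_log_subjects_for)
    return (True, subject)


def may_track(cfg, requester, by_subject=False):
    """Return True if `requester` (a user or server) may run tracking requests here."""
    default = expand({"LocalDomainServers"})  # applies whenever the field is blank
    subject_trackers = expand(cfg.allowed_to_track_subjects) if cfg.allowed_to_track_subjects else default
    if by_subject:
        return requester in subject_trackers
    message_trackers = expand(cfg.allowed_to_track_messages) if cfg.allowed_to_track_messages else default
    # Names listed explicitly under Allowed to track subjects need not be repeated.
    return requester in message_trackers or requester in expand(cfg.allowed_to_track_subjects)


def lint_config(cfg):
    """Warnings a practitioner would want before saving the document."""
    warnings = []
    servers = expand({"LocalDomainServers"})
    authorized = expand(cfg.allowed_to_track_messages) | expand(cfg.allowed_to_track_subjects)
    if cfg.allowed_to_track_messages and not servers & authorized:
        warnings.append("Allowed to track messages is non-blank and names no LocalDomainServers "
                        "member; the default was replaced, so list the servers too")
    if cfg.log_message_subjects and not cfg.dont_log_subjects_for:
        warnings.append("subjects of every tracked message are logged; consider naming "
                        "sensitive senders in Don't log subjects for")
    return warnings


# Two constructed configurations for the scenarios below.
EXPLICIT = TrackingConfig(
    message_tracking=True, dont_track_messages_for={"HR"},
    log_message_subjects=True, dont_log_subjects_for={"Legal Counsel/Example"},
    allowed_to_track_messages={"Sam Admin/Example"})
SUBJECT_DELEGATED = TrackingConfig(
    message_tracking=True, allowed_to_track_subjects={"MailAdmins"})

if __name__ == "__main__":
    for who in ("Sam Admin/Example", "MailHub1/Example"):
        print(who, "messages:", may_track(EXPLICIT, who), "subjects:", may_track(EXPLICIT, who, by_subject=True))
    for warning in lint_config(EXPLICIT):
        print("warning:", warning)
```

In the EXPLICIT configuration the administrator was added to Allowed to track messages, which silently removed MailHub1's ability to track messages (it keeps subject tracking only because that field is still blank); lint_config reports exactly that.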


Tracking a mail message


If you track a mail message and the search finds no messages, adjust the
search criteria and then perform the search again.
1. Make sure that you set up mail monitoring.
2. From the Domino Administrator, click the Messaging - Tracking
Center tab.
3. In the Maximum results field, specify the maximum number of
search results to display for the tracking request.
4. Complete any of these fields to describe the message that you want
to track, and then click OK:
Field and what to enter:
From: The user name of the sender. You can also select the name from the Domino Directory.
To: The user name of the recipient. You can also select the name from the Domino Directory.
Sent: Choose one: Today, Yesterday, Last week, Last 2 weeks, Last month, All times. To increase the likelihood of finding messages, choose a long time period.
Start: Choose one:
Sender's home server (default) - Select this option if you know the sender of the message.
Current server - Select this option if you don't know the sender of the message and you leave the From field blank.
If you manage multiple servers, you can select a different server by clicking its name from the Servers bookmark to the left of the Domino Administrator.
Subject: The subject of the message that you want to track.
Message ID: The message ID of the message you want to track.
For more information on enabling tracking by message subject, see the topic Configuring the server for message tracking earlier in this chapter.


Domino displays summary results that include the sender's name, recipient, delivery time and message subject, if subject tracking is allowed.
5. From the Messages Found pane, select a message and then click Track Selected Message.
6. Expand the Message tracking results folder, and select a server to view more information about what happened to the message on that server. Domino displays the following information:
Field and description:
Delivery status: Indicates whether the Router deposited the message in the recipient's mail file or transferred it to another server.
Mailbox status: Indicates whether the message is unread, read, deleted, or unknown.
This server: The name of the current server.
Previous server: The name of the server that delivered the message to the current server in the message path being examined. For messages originating outside the Domino network and transferred over SMTP, this is the server from which Domino received the message.
Next server: If the current server is not the final destination, the next server on the routing path.
Msg priority: Indicates whether the message priority is high, normal, low, or unknown.
Unique message ID: A value that uniquely identifies the message on the current server.
Inbound message ID: The message ID of the message when it arrived on the server.
Outbound message ID: The message ID of the message when it left the server. In some cases, the SMTP Router changes the ID of the message before transferring it.
Inbound originator: The sender's e-mail address as it appeared in the message headers when the message arrived at the current server.
Outbound originator: The sender's e-mail address as it appeared in the message headers after transfer from the current server to the next hop server.
Inbound recipient: The recipient's e-mail address as it appeared in the message headers when the message arrived at the current server.
Outbound recipient: The recipient's e-mail address as it appeared in the message headers after transfer from the current server to the next hop server.
Subject: The content of the message's subject header.
Disposition time: Indicates the time when the Router changed the status of the message to the value in the Delivery status field. There can be a delay between the arrival of a message and when the Router processes it.
Message arrival time: The time when the current server received the message.
Message size (bytes): The size of the message, including any attachments.

Generating a mail usage report

If mail tracking is enabled on a server, the Mail Tracking Store database
(MTSTORE.NSF) contains data about mail usage. You can generate a
usage report of the data.
1. Make sure that you set up mail monitoring.
2. From the Domino Administrator, click the Messaging - Mail tab.
3. Expand the Reports for Servername view and open the Report Results
or Scheduled Reports folder.
4. Select a report view; for example, select By Type in the Report
Results folder or Daily in the Scheduled Reports folder.
5. Click New Report.
6. Complete these fields, and then click OK:

   Description
       Required text to identify the report.

   Report Type
       Specifies the type of report to create. Choose one:
       Top 25 Users by Count
       Top 25 Users by Size
       Top 25 Senders by Count
       Top 25 Senders by Size
       Top 25 Receivers by Count
       Top 25 Receivers by Size
       Top 25 Most Popular Next Hops
       Top 25 Most Popular Previous Hops
       Top 25 Largest Messages
       Message Volume Summary
       Message Status Summary

   Time Range
       Choose one:
       Today
       Yesterday
       Over the last week (default)
       Over the last two weeks
       Over the last month
       All available information
       Each choice refers to the specified time period up to the current
       day. For example, if you choose Yesterday, the report includes
       information from yesterday and today.

   Run this report
       Specifies the execution interval for the report. Choose one:
       Once - Generates a report immediately (default)
       Daily - Generates a report at midnight every day
       Weekly - Generates a report at midnight on Saturdays
       Monthly - Generates a report at midnight on the first day of every
       month

   Report should be
       Specifies where the server places report results. Choose one:
       Saved (default)
       Mailed
       Saved & Mailed

   Mail Recipient
       If you chose Mailed or Saved & Mailed in the Report should be
       field, enter the user name of the person who should receive the
       report or select the user name from the Domino Directory. The
       default is the name of the administrator running the report.

Note The Earliest Message Found and Latest Message Found fields
are filled in automatically when you run the report. They display the
date and time of the earliest and latest message found.
7. (Optional) To narrow the scope of a report, complete any of these
fields:

   Sender's Name
       Enter a text string for the sender's name, and then choose whether
       the name should contain the text string or exactly match the text
       string.

   Recipient's Name
       Enter a text string for the recipient's name, and then choose
       whether the name should contain the string or exactly match the
       string.

   Delivery Status
       Choose one:
       Is - Delivered (all messages that were delivered)
       Other than - Delivered (all messages that encountered delivery
       failures or are still being processed)
       Is - Not Delivered (all messages that encountered delivery
       failures)
       Other than - Not Delivered (all messages that were either
       delivered or are still being processed)
       Is - Being Processed (all messages that are still being processed)
       Other than - Being Processed (all messages that were delivered or
       encountered delivery failures)
       The delivery status corresponds to the message tracking delivery
       status. Delivered refers to messages that were delivered,
       transferred, or group expanded (that is, the message was addressed
       to a group, and the group was expanded to its member list on the
       server). Not delivered refers to messages that were not delivered,
       not transferred, or whose status is unknown.

   Message Size
       Enter the maximum or minimum message size (in bytes) to include in
       the report.

8. Reports are saved as Notes documents. Double-click the document to
view it.

Editing a scheduled report

Edit a scheduled report to change its execution interval (for instance,
daily to weekly) or the method of recording data (saved or mailed).
1. From the Domino Administrator, click the Messaging - Mail tab.
2. Expand the view Reports for Servername and open the Scheduled
Reports folder.
3. Select the report view containing the scheduled report you want to
edit; for example, Daily or Weekly.
4. Select the report to edit and click Edit Report.
5. Edit the report settings as needed and click OK.

Changing the default time for generating a scheduled report

Domino generates any scheduled report at the default time for that type
of report. For example, daily reports run at midnight every day, and
weekly reports at midnight every Saturday. If the default schedule
conflicts with other operations on the server, you can reschedule the
report agent to run when the server is less busy. Changes apply to all
reports scheduled to run at that time; that is, if you change the default
time for running weekly reports, the server runs all weekly reports at the
new time.
The following procedure requires you to have Domino Designer installed
on the administrative workstation.
To change when the server generates a scheduled report
1. From the Domino Administrator, click the Messaging - Mail tab.
2. Expand the Reports for Servername view and open the Scheduled
Reports folder.
3. Select the report view containing the scheduled report you want to
edit; for example, Daily or Weekly.
4. From the View menu, select Agents to launch Domino Designer. If
Designer does not open automatically, launch the program manually
and then open the Reports database (REPORTS.NSF) from the server.
5. Double-click the report agent you want to reschedule.
6. Click Schedule.
7. Specify the time to generate the report.
8. Click OK.

Enabling and disabling a scheduled report


By default, Domino enables a scheduled report immediately after you
create it, so that the server runs the report at the next execution
interval; for example, a new daily report runs at midnight following the
day you create it. You can disable any scheduled report and enable
scheduled reports that are currently disabled.
If you created a scheduled report to diagnose a particular problem, you
can disable the report to prevent it from executing after obtaining the
information you need. Disabling a scheduled report conserves server
resources, but lets you retain the report settings for future use. You can
disable a report temporarily, or remove it from the server altogether.
1. From the Domino Administrator, click the Messaging - Mail tab.
2. Expand the Reports for Servername view and open the Scheduled
Reports folder.
3. Select the report view containing the scheduled report to disable; for
example, Daily or Weekly.
4. Select the scheduled report and do one of the following:
   - Click Enable Report - Activates a currently disabled report so
   that the server executes the report at the next scheduled interval.
   - Click Disable Report - Prevents a currently enabled report from
   running, so that the server cannot execute it at the scheduled
   intervals. The report remains in the Reports database and can be
   activated at a later time.
   - Press the DELETE key - Permanently removes the report from
   the Reports database.

Viewing mail usage reports


When Domino saves a report, it stores the report data in the Reports
database. Reports that are mailed, but not saved, are not added to the
Reports database.
You can use the Reports database to analyze server mail usage. Views in
the database display previously saved reports according to date,
schedule, report type, and user. An additional view displays all
scheduled reports by interval.
You can open the Reports database (REPORTS.NSF) using either of two
methods:
To open the Reports database directly
1. From a Notes client, Domino Administrator client, or Domino
Designer client, choose File - Database - Open (CTRL + O).
2. In the Server field, specify the name of the server where the database
resides.
3. Choose Reports for Servername from the list of available databases,
and then click Open.
To open the Reports database in the Domino Administrator
1. From the Domino Administrator client, click the Mail tab.
2. Select the Reports for Servername view.
Viewing report results
1. Expand the Report Results or Scheduled Reports folders.
2. From either folder, expand the category for the report you want to
view.
For example, from the Report Results folder, click the By Schedule
view, and then in the Results panel, expand the category Once to see
the results of all saved reports that were run one time only, rather
than on a repeating schedule.
3. To open a report, double-click it in the Results panel.
Note For scheduled reports, the user is the server running the report;
for reports that an administrator runs manually, the user is the
administrator.

Chapter 34
Setting Up the Domino Web Server

The Domino Web server


Lotus Domino provides an integrated Web application server that can
host Web sites that both Internet and intranet clients can access, and can
serve pages that are stored in the file system or in a Domino database.
When a Web browser requests a page in a Domino database, Domino
translates the document into HTML. When a Web browser requests a
page in an HTML file, Domino reads the file directly from the file system.
Then the Web server uses the HTTP protocol to transfer the information
to the Web browser.
Using Domino to store Web pages as documents in a database has a
major advantage over storing static HTML pages: using Domino, any
change that you make to a database is automatically reflected on the Web
server.
The following diagram shows how the Web server displays a Notes
document as an HTML page to a browser client.

[Diagram: the browser client (1) requests a page from Web-E/East/Acme,
which is running the HTTP task; the server (2) converts the Notes
document to HTML and (3) returns the page to the browser client as HTML.]

This chapter describes how to set up a Domino server as a Web server.
Any Domino application can be a Web application. Before you create a
Web application, become familiar with the Domino features that can be
translated into HTML and determine whether Web browser users, Notes
clients, or both will access the application. You can use the Notes formula
language to detect which type of user is accessing the application and
then, based on the user type, change the display of information in the
application.
A Domino Web site can consist of a single database or several databases
that are connected by links. In addition to hosting Web sites, the Web
server can run other server tasks, such as mail or directory services. Be
sure to enforce security on databases if you do not want users outside
your organization to access the databases on the server.
For information on designing Web applications, see Application
Development with Domino Designer.

Web server features

Domino includes these Web server features:
- Translation of Notes features into HTML code. For example, in
HTML code, hot spot links are translated into anchor (<A>) tags.
- Passthru HTML. This is HTML code that you include in a form,
document, or About and Using documents that Domino does not
interpret during the page translation. Passthru HTML lets you use
Web-only text formatting, links, images, commands, and programs.
Using passthru HTML, you can combine Domino features with
HTML code.
- Security for applications using standard Domino security, such as the
database ACL, and Internet security features, such as Secure Sockets
Layer (SSL) and name-and-password authentication.
- Support for Java applets that are referenced using passthru HTML or
embedded in a document.
- Support for JavaScript that is included as passthru HTML or
embedded directly in a document.
- Support for CGI programs that are referenced using passthru HTML
in a document. CGI supports EXE, CMD, and BAT files and scripts
written in Perl, Python, and PHP.
- Support for static HTML pages that are referenced in a directory on
the server's hard drive. Static HTML pages can be referenced by
passthru HTML included in a document or can be requested directly
using a URL.
- Support for a last-modified header in Domino URLs, which allows
many Web browsers or proxy servers to cache Domino pages.
- Support for URL extensions that expose Domino functionality to the
Web client; for example, opening a database or view.
- Redirecting and remapping URLs and directories to another location.
- Support for multiple Web sites with separate DNS names to exist on
a single server machine.
- Support for server clusters, which allow a server to fail over to an
answering server if the first server is unavailable and provide load
balancing to maximize response time for users.
- Domino Web Server Application Interface (DSAPI) supports all
phases of request handling, including mapping and transforming
incoming URLs, authenticating and authorizing users, processing
requests, and logging.
For information on customizing the authentication of Web application
users, see the DSAPI documentation in the Lotus C API Toolkit for
Domino and Notes.

Making Web site content changes


You might find it convenient to set up one Web server as a production
server and another Web server as a staging server. Web content
managers can make changes on the staging server without exposing the
changes to users. After all changes to the Web site are complete, the Web
content manager replicates the Web site from the staging server to the
production server. In addition, using a staging server allows Web content
managers to view changes through a browser before replicating.
If you use a staging server, give access only to Web content managers.
Also be sure to give the Web content managers replication access on both
the staging server and the production server.

Setting Up the Domino Web Server 34-3

In this example, Web content managers make changes on Webstage-E
and replicate these changes to Web-E, which is available to users outside
the firewall.

[Diagram: Webstage-E/East/Acme, behind the firewall, replicates with
Web-E/East/Acme, which is running the HTTP task; the browser client
(1) requests a page, Web-E (2) converts the Notes document to HTML and
(3) returns the page as HTML.]

Setting up a Domino server as a Web server

You can specify that you want to run the HTTP task on a Domino server.
The Domino server then acts as a Web server so that browser clients can
access databases on the server.
1. Set up the Domino server.
   - Make sure you understand TCP/IP concepts, including DNS host
   names and IP addressing.
   - Set up a Domino server.
   - Set up security for the server.
   For more information, see the chapters Configuring Additional
   Domino Servers and Planning Security.
2. Decide on an Internet connection strategy.
   - To allow users to connect to the server over the Internet, connect
   the server to an Internet service provider (ISP) and register the
   server's domain name and IP address on the ISP's DNS server. For
   more information, contact the ISP.
   - To allow users to connect to the server internally, without
   connecting to the Internet, register the server's domain name and
   IP address on the DNS server at your organization.
3. Start the Domino server.

4. From the Domino Administrator, click Files, open the Server
document and enable Loads configuration information from the
Internet Sites view.
5. Create at least one Web site.
6. Decide on an HTTP port strategy. You can enable ports for TCP/IP,
SSL, or for both. In the Server document, click Ports - Internet Ports -
Web, and enable one or both: TCP/IP port status and SSL port
status.
   For information on setting up SSL, see the chapter Setting Up SSL
   on a Domino Server.
7. (Optional) Enable the Domino Web server log.
8. Start the HTTP task.
To check the server setup, start your browser and enter the DNS name or
IP address for the server.

Starting and stopping the Domino Web server

Start the Web server manually
    Enter load http at the console.

Start the Web server automatically when you start Domino
    Edit the ServerTasks setting in the NOTES.INI file to include the
    command http. Domino adds the HTTP task by default to the NOTES.INI
    file if you choose to install a Web server during installation.

Stop the Web server
    Enter tell http quit at the console.

Use new server configuration settings by restarting the HTTP server task
    Enter tell http restart at the console.

Use new server configuration settings without restarting the HTTP server
task
    Enter tell http refresh at the server console.
    Note This command only works with settings specified in the Internet
    Sites view.

Note When the HTTP task starts up, a server console message indicates
the Domino Directory view the task is using for Web configuration
information (Servers\Internet Sites or Servers\Web Configurations).
For more information on server commands and NOTES.INI settings, see
the appendices Server Commands and NOTES.INI File.

Modifying Web server Internet port and protocol settings

In certain cases, you may need to change some default Internet port and
protocol settings. Check carefully before changing the defaults.
To modify Web server Internet port and protocol settings
1. Open the Server document that you want to edit.
2. (Optional) Click Ports - Internet Ports - Web. Under Web
(HTTP/HTTPS), complete these fields:

   TCP/IP port number
       Enter a port number. Default is 80.

   TCP/IP port status
       Choose one:
       Enabled - To configure the server to listen for HTTP requests on
       the specified TCP/IP port.
       Disabled - To prevent the server from listening for HTTP requests
       on the specified TCP/IP port.
       Redirect to SSL - To redirect any HTTP requests that come into
       the TCP/IP port to the SSL port.

   Enforce server access settings
       Choose one:
       Yes - To enforce server access settings for this protocol on the
       server. Server access settings are found on the Security tab of
       the Server document, and specify the names of authenticated users
       who have been granted access to this server, and those who have
       not.
       No - To not enforce server access settings for this protocol.

   SSL port number
       Enter a port number. Default is 443.

   SSL port status
       Choose one:
       Enabled - To configure the server to listen for HTTPS requests on
       the specified SSL port.
       Disabled - If you do not want to use SSL for this server.

3. (Optional) Click Internet Protocols - HTTP, and complete these fields:

   Bind to host name
       Choose one:
       Disabled (default) - To bind to all IP addresses on the server.
       Enabled - To enter up to 32 IP addresses and/or DNS names in the
       Host name(s) field to which the Domino server will bind. This
       allows users to access a Web server using a name other than the
       Domino server name.

   DNS lookup
       Choose one:
       Enabled - To have Domino look up the DNS name of the requesting
       client. The Domino log files and database contain host names
       corresponding to the machine used by the Web client.
       Disabled (default) - To not look up the DNS name of the requesting
       client. The Domino log files and database contain IP addresses.
       Choosing Disabled improves the performance of the Domino server
       because the server does not use resources to perform the DNS name
       lookup.
       Note The majority of browser users connect to the Internet through
       Internet service providers (ISPs), so the host names returned by
       DNS lookup are those of the ISPs' proxy servers, not the
       individual user machines.

   DNS lookup cache
       Choose one:
       Enabled - To have Domino cache the results of a DNS lookup for
       faster retrieval.
       Disabled - To not have Domino cache DNS lookup results.

   DNS lookup cache size
       Specify the maximum size of the DNS lookup cache. Default value is
       256.

   DNS lookup cache found timeout
       Specify the length of time, in seconds, that IP addresses remain
       in the cache. Default value is 120 seconds.

4. Save and close the document.
5. Enter this command at the console so that the changes take effect:
tell http restart

Setting up protocol security for the Web server

If you set up protocol security, you can filter out requests that may be
potential attacks, such as probing for buffer overflows or request parsing
errors.
If you host third-party applications, set the limits to the most stringent
values that still allow the applications to work normally. If a request
exceeds a limit, the Web server discards the request and returns an
error to the browser.
To set up protocol security for the Web server
1. Open the Server document you want to edit and click Edit Server.
2. Click Internet Protocols - HTTP.
3. Under HTTP Protocol Limits, complete these fields:

   Maximum URL length
       Enter the maximum size, in KB, allowed for URLs received from
       HTTP clients. The length includes the query string. The default is
       4KB. Increase the default only if you host an application that
       requires an extremely long URL.

   Maximum number of URL path segments
       Enter the number of segments allowed. The default is 64, which is
       usually more than enough. A segment is delimited by slashes; for
       example, the URL /products.nsf/widgets contains two segments.

   Maximum number of request headers
       Enter the total number of HTTP request headers allowed. The
       default is 48. Normally, there is no need to increase the setting;
       typical requests sent from browsers usually include fewer than a
       dozen headers.

   Maximum size of request headers
       Enter the total length, in KB, of all the headers in the request.
       The default is 16KB.

   Maximum size of request content
       Enter the total amount of data, in MB, that can be contained in a
       request. The default is 10MB. The two most common ways for users
       to send data to the server are by submitting forms or by uploading
       files. If none of the applications on the server allow users to
       upload large files, you can probably set this to a much lower
       value.
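As an added example (not code from the manual or from Domino, and not how the HTTP task itself enforces these limits), the following Python checker applies the five HTTP Protocol Limits above to a raw HTTP request, which helps when measuring what a hosted application's requests actually need before tightening the defaults. It assumes KB and MB mean multiples of 1024; the sample requests and the host name in them are constructed.

```python
"""Added example (not Domino code): check a raw HTTP request against the
Domino 6 "HTTP Protocol Limits" defaults. Assumes KB/MB are multiples of 1024;
all sample requests below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProtocolLimits:
    """Default values as given in the Server document (HTTP Protocol Limits)."""
    max_url_kb: int = 4              # Maximum URL length (query string included)
    max_path_segments: int = 64      # Maximum number of URL path segments
    max_request_headers: int = 48    # Maximum number of request headers
    max_headers_kb: int = 16         # Maximum size of request headers
    max_content_mb: int = 10         # Maximum size of request content


def path_segments(url: str) -> int:
    """Count slash-delimited segments; "/products.nsf/widgets" has two."""
    path = url.split("?", 1)[0]
    return len([seg for seg in path.split("/") if seg])


def check_request(raw: bytes, limits: Optional[ProtocolLimits] = None) -> List[str]:
    """Return the names of the limits a request exceeds; [] means it passes.

    A request that exceeds any limit is one the Web server would discard
    and answer with an error.
    """
    limits = limits or ProtocolLimits()
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["Malformed request line"]
    url = parts[1].decode("latin-1")
    header_lines = [ln for ln in lines[1:] if ln]

    violations = []
    if len(url) > limits.max_url_kb * 1024:
        violations.append("Maximum URL length")
    if path_segments(url) > limits.max_path_segments:
        violations.append("Maximum number of URL path segments")
    if len(header_lines) > limits.max_request_headers:
        violations.append("Maximum number of request headers")
    # Each header line is counted together with its CRLF terminator
    if sum(len(ln) + 2 for ln in header_lines) > limits.max_headers_kb * 1024:
        violations.append("Maximum size of request headers")

    # Content size: the declared Content-Length if present, else the bytes seen
    content_length = len(body)
    for ln in header_lines:
        name, _, value = ln.partition(b":")
        if name.strip().lower() == b"content-length" and value.strip().isdigit():
            content_length = int(value)
    if content_length > limits.max_content_mb * 1024 * 1024:
        violations.append("Maximum size of request content")
    return violations


def build_request(path: str, headers: Dict[str, str],
                  body: bytes = b"", method: str = "GET") -> bytes:
    """Assemble a constructed HTTP/1.0 request for testing the checker."""
    lines = [f"{method} {path} HTTP/1.0"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n" + body


# Constructed sample requests (host name and paths are made up)
HOST = {"Host": "web-e.acme.example"}
NORMAL = build_request("/products.nsf/widgets?OpenView", {**HOST, "User-Agent": "test"})
DEEP_PATH = build_request("/" + "/".join(["a"] * 70), HOST)       # 70 segments
LONG_URL = build_request("/names.nsf?" + "x" * 5000, HOST)         # more than 4KB
MANY_HEADERS = build_request("/names.nsf", {f"X-H{i}": "v" for i in range(60)})
BIG_BODY = build_request("/upload.nsf", {**HOST, "Content-Length": str(20 * 1024 * 1024)},
                         method="POST")
# A tighter profile for a server whose applications accept no file uploads
NO_UPLOADS = ProtocolLimits(max_content_mb=1)

if __name__ == "__main__":
    for name, req in [("NORMAL", NORMAL), ("DEEP_PATH", DEEP_PATH), ("LONG_URL", LONG_URL),
                      ("MANY_HEADERS", MANY_HEADERS), ("BIG_BODY", BIG_BODY)]:
        print(name, check_request(req) or "passes")
```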

Restricting access by IP address on the Web server

You can determine the client machines that are allowed to access the
HTTP and HTTPS ports of the Web server by specifying a list of IP
addresses that have access, and a list of addresses that are denied access.
You can also specify which list takes priority if an address matches both
lists.
IP address filtering is useful for managing incoming requests to your
Web server; for example, your server is behind a firewall and should
only be accepting requests from the firewall and from the Domino
Administrator client. It also helps in minimizing excessive requests, such
as those generated by machines infected by a Web worm.
Caution IP address restriction should not be used as the only means of
protecting your site, or as a substitute for user authentication. Client IP
addresses are specified in the network packets sent by the client, and this
information is easily spoofed. Additionally, hackers routinely use attack
techniques that hide their true IP addresses. IP address restriction cannot
protect the server against such attacks.
To restrict access by IP address on the Web server
1. Open the Server document you want to edit and click Edit Server.
2. Click Internet Protocols - HTTP. In the Network Settings section,
complete these fields:

   IP address allow/deny priority
       Specify which IP address list, Allow or Deny, takes priority if an
       incoming IP address is listed in both the allow list and the deny
       list (this can happen when both lists contain wildcards).
       The default is that the Allow list takes priority.

   IP address allow list
       List the IP addresses that are allowed to access the ports.

   IP address deny list
       List the IP addresses that are denied access to the ports.

Note If a client IP address does not match either list, then the
connection is allowed.

Addresses can include wildcard characters, so that all addresses within a
certain class of address will be restricted. For example, denying access to
address 123.45.6.* denies access to all addresses for that subnet.
Similarly, denying access to address 123.45.* denies access to all subnets
for that address.

Examples of typical IP address restriction settings

Allow access to all addresses (leave default settings)
    Settings:
    IP address allow/deny priority: Allow
    IP address allow list: <blank>
    IP address deny list: <blank>

Deny access to everyone
    Settings:
    IP address allow/deny priority: Deny
    IP address allow list: *
    IP address deny list: *

Deny access to a particular Web crawler
    Settings:
    IP address allow/deny priority: Deny
    IP address allow list: *
    IP address deny list: 123.45.6.78
    Comment: All addresses are allowed, but the crawler is denied because
    it matches the deny list, which takes priority over the allow list.

Deny access from subnets that are infected with a Web worm
    Settings:
    IP address allow/deny priority: Deny
    IP address deny list: 123.45.*; 95.123.4.*
    IP address allow list: *

Allow access only from two trusted proxy servers
    Settings:
    IP address allow/deny priority: Allow
    IP address allow list: 123.45.6.78; 123.45.6.79
    IP address deny list: *
    Comment: In this case, you must use a wildcard in the deny list so
    that all other addresses will explicitly match that list.
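The evaluation rules above (the priority field, the two lists, wildcards, and the note that an address matching neither list is allowed), as an added Python example that is not IBM's code. It assumes semicolon-separated entries and a trailing "*" as shown in the examples table; any other wildcard placement is an assumption, and the 10.x addresses used for testing are constructed.

```python
"""Added example (not Domino code): model the Web server's IP address
allow/deny evaluation described above. Assumptions: entries are separated by
semicolons as in the table, a trailing "*" matches all remaining octets,
"*" alone matches every address, and "<blank>" stands for an empty field."""
from dataclasses import dataclass
from typing import Dict, List


def parse_list(text: str) -> List[str]:
    """Split a list as typed into the Server document ("123.45.*; 95.123.4.*")."""
    if text.strip() == "<blank>":
        return []
    return [entry.strip() for entry in text.split(";") if entry.strip()]


def matches(pattern: str, address: str) -> bool:
    """Match one list entry against a dotted-quad client address."""
    pat, addr = pattern.split("."), address.split(".")
    for i, octet in enumerate(pat):
        if octet == "*":
            if i == len(pat) - 1:
                return True      # trailing wildcard covers the rest of the address
            continue             # wildcard in the middle: any value for this octet
        if i >= len(addr) or octet != addr[i]:
            return False
    return len(pat) == len(addr)


@dataclass
class IpRestriction:
    """The three Network Settings fields from the Server document."""
    priority: str = "Allow"   # IP address allow/deny priority: "Allow" or "Deny"
    allow_list: str = ""      # IP address allow list
    deny_list: str = ""       # IP address deny list

    def is_allowed(self, client_ip: str) -> bool:
        """Apply the documented rules: both lists match -> priority decides;
        deny only -> refused; allow only or neither list -> connection allowed."""
        in_allow = any(matches(p, client_ip) for p in parse_list(self.allow_list))
        in_deny = any(matches(p, client_ip) for p in parse_list(self.deny_list))
        if in_allow and in_deny:
            return self.priority == "Allow"
        return not in_deny

    def check(self, client_ips: List[str]) -> Dict[str, bool]:
        """Evaluate a batch of client addresses, e.g. taken from the Web log."""
        return {ip: self.is_allowed(ip) for ip in client_ips}


# The five configurations from the examples table above
EXAMPLES = {
    "allow all": IpRestriction("Allow", "<blank>", "<blank>"),
    "deny everyone": IpRestriction("Deny", "*", "*"),
    "deny crawler": IpRestriction("Deny", "*", "123.45.6.78"),
    "deny worm subnets": IpRestriction("Deny", "*", "123.45.*; 95.123.4.*"),
    "two trusted proxies": IpRestriction("Allow", "123.45.6.78; 123.45.6.79", "*"),
}
# The pitfall the Comment column warns about: without "*" in the deny list,
# every other address matches neither list and is therefore let through.
PROXIES_WITHOUT_DENY_WILDCARD = IpRestriction("Allow", "123.45.6.78; 123.45.6.79", "")

if __name__ == "__main__":
    sample = ["123.45.6.78", "123.45.6.80", "95.123.4.1", "10.0.0.1"]  # constructed
    for name, restriction in EXAMPLES.items():
        print(f"{name:20s} {restriction.check(sample)}")
    print("misconfigured proxies", PROXIES_WITHOUT_DENY_WILDCARD.check(sample))
```

Running the table's five configurations through it reproduces the Comment column, and PROXIES_WITHOUT_DENY_WILDCARD shows why the deny-list wildcard is required in the last case.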

Hosting Java applets


Using the Java Notes classes, application developers can create applets
that perform Domino tasks, such as opening a session and retrieving
information from a database access control list. The Domino server can
host the applet and when a client requests it, download the applet to the
browser.
To run Java applets created with Java Notes classes on a Domino Web
server, you must enable the Domino IIOP (DIIOP) task on the server.
This task allows Domino and the browser client to use the Domino Object
Request Broker (ORB) server program. The Domino ORB processes the
applet requests and transmits the information to the browser client to
communicate. You must enable both the Domino IIOP task and the
Internet Inter-ORB protocol (IIOP) on the server before users can access
the Domino ORB to run the Java applets.
Application designers must create applets with the Java Notes classes
and, in addition, they must specify that the applets can use the Domino
ORB to communicate with browser clients. Application designers specify
this setting when they add the applets to a document or form.
For information on designing Web applications, see Application Development
with Domino Designer. For more information on Java Notes classes, see
Domino Designer Programming Guide, Volume 3: Java/Corba Classes.

To set up the Domino ORB

1. Open the Server document you want to edit.
2. Choose Ports - Internet Ports - DIIOP and complete these fields:

   TCP/IP port number
       Enter the number of the port the Domino IIOP task listens on. Do
       not change this port unless you have assigned port number 63148
       (the default) to another task. The default on Linux servers is
       60148 because of an operating system restriction.

   TCP/IP port status
       Choose one:
       Enabled (default) - To allow communication over this port.
       Disabled - To prevent communication over this port.

3. Choose Internet Protocols - DIIOP and complete this field:

   Number of threads
       Enter the number of threads you want to allow the DIIOP server
       task to process at the same time. The default is 10.

4. Click Security and complete these fields in the Programmability
Restrictions section:

   Run restricted Java/Javascript/COM
       Enter the name that the applet or application uses to access the
       server. Applet or application names entered in this field are
       allowed to run programs created using a restricted set of Java and
       JavaScript features. If the applet or application logs on
       anonymously, enter the word Anonymous in this field.

   Run unrestricted Java/Javascript/COM
       Enter the name that the applet or application uses to access the
       server. Applet or application names entered in this field are
       allowed to run programs created using all Java and JavaScript
       features. If the applet or application logs on anonymously, enter
       the word Anonymous in this field.

   For information on this setting, see the topic Customizing Web server
   setup.
5. To restrict the level of authentication, choose a setting in the Internet
server authentication field on the Security tab and save the
document.
6. If necessary, edit the ServerTasks setting in the NOTES.INI file to
include the DIIOP task.
7. Set up SSL server authentication, name and password authentication,
or anonymous access to the IIOP port for the application or applet.
8. Define server access by browser clients that use Java and JavaScript.
If the applet or application uses name-and-password authentication,
enter the name for the applet or application. Otherwise, use the name
Anonymous when setting up server access.
9. Restart the server.

Generating references to the Web server


You can specify how other servers generate URL references to this Web
server. This feature works only for servers that are in the same Domino
domain (share the same Domino Directory).
A typical example of how this feature is used is that of a user performing
a domain search from a browser. The user sends the search request to
Server A, but some of the search hits are actually located in a database on
Server B. When Server A generates the HTML for the search results page,
it needs to create URL links to Server B for those hits. To create those
links, Server A will look up the Server record for Server B in the Domino
Directory, and use the fields in the table below to generate the correct
syntax for the URLs.
To generate references to the Web server
1. Open the Server document you want to edit and click Edit Server.
2. Choose Internet Protocols - Domino Web Engine. Under Generating
References to this Server, complete these fields:
   Does this server use IIS?
       (Domino 5.0x servers only) Specify whether this server uses the
       Microsoft IIS stack instead of the native Domino HTTP stack.
       Note This setting is used only if the server is Domino 5.0x or
       earlier; Domino 6 servers always generate IIS-compatible links.

   Protocol
       Indicate the protocol to be used in URL links to this server.
       Choices are HTTP and HTTPS (for SSL).

   Host name
       Indicate the fully-qualified host name to be used in URL links to
       this server; for example, www.acme.com.

   Port number
       Indicate the port number to be used in URL links to this server.
       The default is 80, the standard HTTP port.

If Server A in the example above needs to generate a link to a database on Server B, and Server B's Server record has the fields set to these values:
Protocol: HTTP
Host name: www.acme.com
Port number: 8081
then Server A will create the URL like this:
http://www.acme.com:8081/<database replica-id>/....

Managing Java servlets on a Web server

A servlet is a Java program that runs on a Web server in response to a browser request. Servlets for Domino must conform to the Java Servlet API Specification, an open standard published by Sun Microsystems, Inc.
For information on creating Java servlets, see Application Development with Domino Designer.
To manage Java servlets on a Web server
1. Open the Server document you want to edit.
2. Click the Internet Protocols - Domino Web Engine tab. Under Java Servlets complete these fields:

Java servlet support
  Choose one:
  None (default): To not load the Java Virtual Machine (JVM) or the servlet manager when the HTTP task starts.
  Domino Servlet Manager: To load the JVM and the servlet manager that comes with Domino.
  Third Party Servlet Support: To load the JVM, but not the Domino servlet manager. This lets you use a servlet manager other than Domino, such as IBM WebSphere.
Servlet URL path
  Enter the path in a URL that signals Domino that the URL refers to a servlet. The default is /servlet.

Setting Up the Domino Web Server 34-13

Class path
  Enter one or more paths that the Servlet Manager and JVM search to find servlets and dependent classes. The standard Java libraries installed with Domino are automatically in the class path. This setting allows you to add additional paths. You may specify directories, JAR files, and ZIP files. Paths may be absolute or relative to the Domino data directory. For example:
  domino\servlet specifies files in the c:\lotus\domino\data\domino\servlet directory
  c:\apps\myservlets specifies files in the c:\apps\myservlets directory
  c:\javamail\mail.jar specifies the mail.jar file in the c:\javamail directory
  domino\servlet\sql.zip specifies the sql.zip file in the c:\lotus\domino\data\domino\servlet directory
  The default is domino\servlet.
Servlet file extensions
  Enter a list of URL file extensions that signal Domino that a URL refers to a servlet. You must map each extension to a single servlet by a directive in the servlets.properties file. The default is no extensions.
Session state tracking
  Choose one:
  Enabled (default): To have the Domino servlet manager check periodically the user activity of all HttpSession instances. Sessions that are idle for the period of time specified in the Idle session timeout field are automatically terminated. The servlet manager calls the method HttpSession.invalidate() to inform the servlet that the session will be terminated.
  Disabled: Does not check for user activity.
  Domino uses this setting and the settings below only if the servlet uses the Java Servlet API HttpSession interface. The HttpSession interface support is completely separate from the Domino HTTP session authentication feature.
Idle session time-out
  Enter the amount of time in minutes the user is allowed to remain idle before the session is terminated. The default is 30 minutes.
Maximum active sessions
  Enter the number of simultaneous active sessions allowed. The default is 1000. After this limit is reached, the sessions that have been idle the longest are terminated.

Session persistence
  Choose one:
  Enabled: To save session data to a disk file called sessdata.ser in the Domino data directory when the HTTP task exits. Domino reloads the session data when the HTTP task restarts. Domino also saves objects that the servlet has bound to sessions if the objects implement the java.io.Serializable interface.
  Disabled (default): Discards all session data when the HTTP task exits.

3. If appropriate for your servlet engine, control access to the servlet by specifying who has access to the servlet files.
For more information, see the chapter Controlling Access to Domino Servers.
Special properties for individual servlets can be specified in a text file called servlets.properties, which is located in the Domino data directory.
For more information about the servlets.properties file, see the book Application Development with Domino Designer.

Setting up WebDAV
WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP/1.1 protocol which allow users to collaboratively edit and manage files on remote Web servers.
WebDAV support in the Domino Web Server enables accessing file resource type design elements in a Domino database. This allows application designers to work with design elements such as HTML files, images and other file based resources using web based authoring and development tools.
The WebDAV implementation in the Domino Web Server supports, and has been tested with, the following clients: Macromedia Dreamweaver 4.01, Microsoft Office 2000, Microsoft Internet Explorer 5.0x and 6.0, Windows Explorer on NT4, Windows 98, Windows XP, and Windows 2000.
You must be using Web Site documents to configure and manage the Web sites on your server in order to use WebDAV.
Be aware that enabling WebDAV also enables the following HTTP methods for the web site: PUT, DELETE, GET, HEAD, OPTIONS.

There are some restrictions when using a WebDAV-enabled server. For the Web Site document for which you have WebDAV enabled, do not do the following:
• Configure URL redirection.
• Enable the Redirect to SSL option.
• Enable session authentication on the Web Site for which you have WebDAV enabled.
• Create a File Protection document for the Web site that restricts access to the HTML root directory. If a File Protection document is preventing access to the HTML directory (\domino\data\domino\html), then some WebDAV clients will not be able to connect to or access the WebDAV database when accessing this Web Site. The server console displays one of these error messages:
  You are not authorized to perform this operation [_vti_inf.html]
  You are not authorized to perform this operation [_vti_bin/shtml.exe/_vti_rpc]

To allow access to a database using WebDAV, do the following:
• Provide the user with either Designer or Manager access in the database ACL (Access Control List). Also, the user must have both Create documents and Delete documents privileges enabled in the database ACL.
• Set the Maximum Internet name & password field to either Designer or Manager access. This option is located on the Advanced tab on the database ACL dialog box.
• Some WebDAV clients (such as DreamWeaver 4.01 and Microsoft Office 2000) attempt to lock WebDAV items. In order for these clients to work correctly with Domino's WebDAV implementation, you must enable Design Locking for databases that will be used with WebDAV. You do this on the Design tab of the Database Properties dialog box.
• In order to use Internet Explorer as a WebDAV client, the WebDAV database needs to reside in the Domino data directory. Internet Explorer cannot access databases if they reside in a subdirectory within the data directory.
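The restrictions and ACL requirements above are easy to get wrong one site at a time, so here is an added example (not Domino's code) that checks them as an audit: it computes the HTTP methods a Web Site really accepts once WebDAV is on, flags the four configuration choices the text says not to make on a WebDAV-enabled site, and checks a user's ACL entry, the Maximum Internet name & password level and Design Locking. The Web Site document and ACL are modelled as plain dicts constructed here; the key names are my own, not Domino field names.

```python
"""Audit a Web Site document and a database ACL against the WebDAV
requirements listed above. Added example, not Domino code; documents
are plain dicts constructed here with invented key names."""

# HTTP methods Domino enables as a side effect of enabling WebDAV
WEBDAV_IMPLIED_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "PUT", "DELETE"})

# Notes ACL levels from weakest to strongest
ACL_LEVELS = ("No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager")


def effective_methods(site):
    """HTTP methods the Web site really accepts: the selected ones plus,
    when WebDAV is on, the five it implies."""
    methods = set(site.get("methods", ()))
    if site.get("webdav"):
        methods |= WEBDAV_IMPLIED_METHODS
    return methods


def audit_webdav_site(site):
    """Findings for a WebDAV-enabled Web Site document (empty if WebDAV is off)."""
    findings = []
    if not site.get("webdav"):
        return findings
    if site.get("url_redirection"):
        findings.append("URL redirection is configured on a WebDAV-enabled site")
    if site.get("redirect_to_ssl"):
        findings.append("Redirect to SSL is enabled on a WebDAV-enabled site")
    if site.get("session_authentication", "Disabled") != "Disabled":
        findings.append("session authentication is enabled on a WebDAV-enabled site")
    if site.get("file_protection_restricts_html_root"):
        findings.append("a File Protection document restricts the HTML root directory; "
                        "clients fail on _vti_inf.html / _vti_bin/shtml.exe/_vti_rpc")
    return findings


def audit_webdav_acl(acl, user, design_locking):
    """Findings for `user` using WebDAV against a database with this ACL.
    acl = {"entries": {name: {"level", "create_documents", "delete_documents"}},
           "max_internet_access": level}   (constructed layout)"""
    findings = []
    designer = ACL_LEVELS.index("Designer")
    entry = acl["entries"].get(user)
    if entry is None or ACL_LEVELS.index(entry["level"]) < designer:
        findings.append(f"{user} needs Designer or Manager access in the ACL")
    else:
        if not entry.get("create_documents"):
            findings.append(f"{user} lacks the Create documents privilege")
        if not entry.get("delete_documents"):
            findings.append(f"{user} lacks the Delete documents privilege")
    if ACL_LEVELS.index(acl["max_internet_access"]) < designer:
        findings.append("Maximum Internet name & password is below Designer")
    if not design_locking:
        findings.append("Design Locking is off; Dreamweaver 4.01 and Office 2000 lock items")
    return findings


# Constructed sample data: a site that breaks two rules, an ACL that breaks one
SAMPLE_SITE = {
    "webdav": True,
    "methods": ["GET", "HEAD", "POST"],
    "url_redirection": False,
    "redirect_to_ssl": True,
    "session_authentication": "Single Server",
    "file_protection_restricts_html_root": False,
}
SAMPLE_ACL = {
    "entries": {"Jane Doe/Acme": {"level": "Designer", "create_documents": True,
                                   "delete_documents": False}},
    "max_internet_access": "Designer",
}

if __name__ == "__main__":
    print(sorted(effective_methods(SAMPLE_SITE)))
    for finding in audit_webdav_site(SAMPLE_SITE) + audit_webdav_acl(SAMPLE_ACL, "Jane Doe/Acme", True):
        print("finding:", finding)
```

Run against the constructed sample, the audit reports the Redirect to SSL and session authentication settings and the missing Delete documents privilege; the method set shows why a WebDAV site deserves review even when PUT and DELETE were never selected by hand.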


Enabling WebDAV
Before you can use WebDAV (Web-based Distributed Authoring and Versioning), it must be enabled.
1. From the Domino Administrator, choose Configuration - Web Internet Sites.
2. Open the Web Site document on which you want to enable WebDAV.
3. Click the Configuration tab.
4. Under Allowed Methods, select Enable WebDAV.
Note If you enable WebDAV, the following HTTP methods are also enabled: GET, HEAD, OPTIONS, PUT, and DELETE.
5. Enter this command at the console so that the settings take effect:
tell http refresh

For detailed information about using WebDAV, see the book Application Development with Domino Designer.

Hosting Web sites

The model for hosting Web sites has changed in Lotus Domino 6. You can now use Web Site documents to host Web sites on Domino. The Web Site document is one type of Internet Site.
Web Site documents contain Web site configuration information and are managed through the Servers\Internet Sites view along with other types of Internet site documents. However, for backward compatibility the Domino 6 HTTP task still supports the R5 Servers\Web Configurations view. If you are migrating your site from Domino 5 to Domino 6 you do not need to immediately convert from the old view to the new view. However, you will need to convert to the new view to take advantage of many of the new Web features in Domino 6.
Many of the HTTP task Server record settings used in Domino 5 are now available in the Web Site document. If you enable the new Internet Sites view, the HTTP task uses the Web Site settings instead of those in the Server record.
To enable the Internet Sites view, in the Basics section of the Server document, click Loads Internet configurations from Server\Internet Sites documents.
For more information, see the topic Converting from Web Server Configuration to Internet Sites view later in this chapter.

Hosting Web sites in Lotus Domino 6


Web sites are not explicitly associated with physical servers. A single
Domino domain can support many Web sites. Each Web site can be
associated with any number of host names or addresses. All servers in
the same Domino domain can use the same Web Site documents in the
Internet Sites view. You can specify which Domino servers support a
Web site. Each Web site has its own security, file-protection, and URL
rules, and you can modify them as needed.
By default, Web Site documents are not associated with specific Domino servers. All servers that share the same Domino Directory (that is, reside in the same Domino domain) automatically use the same Web Site documents in the Internet Sites view. This means that you do not have to re-create the same Web configuration each time you add a new server to the domain. When you add or modify a Web Site document, the changes are picked up automatically by all servers in the domain.
An optional field in the Web Site document allows you to specify the
Domino servers that will host a site. Servers that are not listed in this
field will not load the site configuration.
To set up a Web Site
To set up a Web site on a Domino server, you must complete these
procedures.
1. Enable the Internet Sites view.
2. Create a Web Site document.
a. Configure default mapping rules.
b. Configure DSAPI Filters and Allowed Methods.
c. Configure Domino Web Engine settings for the Web site.
3. (Optional) Create rules (directory, substitution, redirection) for the
Web site.
4. (Optional) Create file protection.
5. (Optional) Create an authentication realm document.


Hosting Web sites in Lotus Domino 5

Lotus Domino 5 uses the model of multiple virtual servers that are associated with a single Domino Web server. Each site is configured with its own IP address; default home page; customized Web server message; and HTML, CGI, and icons directories. All of the virtual servers share a single Domino data directory.
You set up each virtual server with a network connection with its own separate, permanent numeric IP address or map multiple host names to the same IP address. The number of virtual servers is dependent only on your operating system and the system hardware. See your operating system documentation and hardware documentation for more information.

Converting from Web Server Configurations to Internet Sites view

You can convert Web sites that you created in Domino 5 to Lotus Domino 6. Documents in the Web Configurations view correspond to documents in the Internet Sites view:

Release 5                          Lotus Domino 6
Server document                    Web Site document (Note The Server document is still used for some low-level HTTP task configuration settings)
Virtual server                     Web Site document
URL Mapping/Redirection document   Rule
File Protection document           File Protection
Realm                              Authentication Realm

If you are using virtual servers or hosts, create one Web Site document for each virtual site. If you provided a default site in the Release 5 server record, you must either make one of the Web Site documents the default site, or create a document for the default site.
To convert from the Web Server Configurations view to the Internet Sites view
If you do not have virtual servers or hosts, follow these steps to convert to the new view:
1. Create a Web Site document.
2. Select the Web Site document and choose Edit Document.

3. Click the Web Site button and create the corresponding documents in
Lotus Domino 6: Rule (URL Mapping/Redirection), File Protection
(File Protection), or Authentication Realm (Realm).
4. Open the Server document.
5. Click Basics and check Enabled for Loads Internet configurations
from Server\Internet Sites documents.
6. Save the document, and restart the HTTP server task to use the new
view.

Hosting multiple Web sites on a partitioned server


You can set up multiple Web sites for each server's HTTP process on a partitioned server.
To set up multiple Web sites on a partitioned server (for Web Site
documents or for Virtual Servers)
1. Set up the partitioned server with separate TCP/IP addresses.
2. Assign IP addresses or hosts to each specific HTTP process. In each
Server document, click Internet Protocols - HTTP. In the host name
field, under Basics, include the host name or DNS name for each
Web server, separated by semicolons. (If you separate them with
commas, it will be saved with semicolons.)
3. Set up the Web sites, using either Web Site documents or virtual
server documents, to further define the HTTP configuration.
4. Restart HTTP. You should now be able to send HTTP requests to the
partitioned servers and all of the Web sites or virtual servers for each
partition.

Configuring HTML, CGI, icon, and Java files for Web Site documents
Domino looks for individual HTML, CGI, and icon files in specific directories on the server's hard drive. You can change the URL path for icons and CGI program files. The URL path is where Domino looks for icons or CGI programs when it encounters a reference in the HTML code to one of these.
Specifying icon and CGI URL paths is useful if you change the directory
location of icons or CGI programs and you do not want to modify HTML
code that references the previous location of these files.
1. From the Domino Administrator, choose Configuration - Web Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.


3. Click Configuration. Under Default Mapping Rules, complete these fields:

Home URL
  Enter the URL command to perform when users access the Web site without specifying a resource (for example, the user just requests http://www.acme.com). Usually the home URL points to the Web site's home page, for example, /welcome.nsf/hello?OpenPage.
HTML directory
  Specify the directory that will be used to find HTML files if a URL does not specify a path (for example, http://www.acme.com/welcome.html). Default is domino\html. The path can be relative to the Domino data directory, such as domino\myhtml, or it can be fully qualified, such as c:\websites\html.
  Service providers: This directory is relative to the main Domino data directory, not to the hosted organization's data directory.
Icon directory
  Enter the directory where icon files are located. You can specify the path for the icon directory using either the fully qualified path or a relative path. Default is domino\icons.
  Service providers: This directory is relative to the main Domino data directory, not to the hosted organization's data directory.
Icon URL path
  Enter the URL path that is used to map to the icon directory. The default is /icons.
  For example, the URL http://servername/icons/abook.gif returns the file c:\lotus\domino\data\domino\icons\abook.gif.
CGI directory
  Enter the default directory where CGI programs are located. The default is domino\cgi-bin.
  Service providers: This directory is relative to the main Domino data directory, not to the hosted organization's data directory.
CGI URL path
  Enter the URL path that is used to map to the default CGI directory. The default is cgi-bin.
  For example, the URL http://servername/cgi-bin/test.pl runs the CGI program c:\lotus\domino\data\domino\cgi-bin\test.pl.
Java applet directory
  Enter the directory where the Domino Java applets are located. The default is domino\java.
Java URL path
  Enter the URL path that is used to access files in the default Java directory. The default is /domjava.

Note If you are using the Web Server Configuration view, open the
Server document, choose Internet Protocols - HTTP, and complete the
fields in the Mapping section.
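To make the URL path to directory mapping concrete, here is an added example (not Domino's own lookup code) that resolves a request URL to the file it would serve under the Icon, CGI and Java URL path fields, using the default field values quoted above. It also shows the two checks an administrator wants whenever a directory is exposed under a URL prefix: a directory field may be relative to the data directory or fully qualified, and a request whose remainder contains ".." must not be allowed to escape the mapped directory. The data directory c:\lotus\domino\data is a placeholder.

```python
"""Map a request URL to the file Domino would serve under the Default
Mapping Rules fields above. Added example, not Domino code; the data
directory is a placeholder and the rules are the defaults quoted above."""
from pathlib import PurePosixPath, PureWindowsPath

DATA_DIR = PureWindowsPath(r"c:\lotus\domino\data")  # placeholder Domino data directory

# URL path field -> directory field, using the defaults from the table above
DEFAULT_RULES = {
    "/icons": r"domino\icons",      # Icon URL path / Icon directory
    "cgi-bin": r"domino\cgi-bin",   # CGI URL path / CGI directory (quoted without a slash)
    "/domjava": r"domino\java",     # Java URL path / Java applet directory
}


def resolve_directory(field_value, data_dir=DATA_DIR):
    """A directory field may be fully qualified or relative to the data directory."""
    path = PureWindowsPath(field_value)
    return path if path.is_absolute() else data_dir / path


def map_url_to_file(url_path, rules=DEFAULT_RULES, data_dir=DATA_DIR):
    """Return the file system path a URL maps to, or None when no URL path
    rule matches. Any request whose remainder contains '..' is refused, so
    a mapped directory cannot be used to reach files outside it."""
    request = PurePosixPath(url_path)
    for url_prefix, directory in rules.items():
        prefix = PurePosixPath("/" + url_prefix.lstrip("/"))
        if prefix not in request.parents:
            continue  # not under this URL path (a bare prefix names no file)
        remainder = request.relative_to(prefix).parts
        if any(part == ".." for part in remainder):
            return None
        return str(resolve_directory(directory, data_dir).joinpath(*remainder))
    return None


if __name__ == "__main__":
    for url in ("/icons/abook.gif", "/cgi-bin/test.pl", "/icons/../names.nsf"):
        print(url, "->", map_url_to_file(url))
```

Passing a different rules dict (for example an Icon directory of d:\web\icons) shows the fully qualified case; the traversal check returns None rather than a path outside the icon directory.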

Configuring DSAPI, HTTP methods, and WebDAV in Web Site documents

You can set up a Web Site document to support the Domino Web Server
Application Programming Interface (DSAPI), various HTTP methods,
and Web-based Distributed Authoring and Versioning (WebDAV).
The Domino Web Server Application Programming Interface (DSAPI) is a C API that you can use to write your own extensions to the Domino Web Server. These extensions, or filters, let you customize authentication for Web users. For more information about DSAPI and filters, see the C API User's Guide and the C API Reference Guide.
WebDAV is a set of extensions to the HTTP 1.1 protocol which allows users to collaboratively edit and manage files on remote Web servers. WebDAV clients can only access design elements in the design collection of a database. Users must have Notes Manager or Designer level access rights to the database. Application developers are the typical users of WebDAV.
For more information, see the topic Setting up WebDAV later in this
chapter.
For more information about WebDAV, see the book Application
Development with Domino Designer.
Note If you are using the Web Server Configurations view, the DSAPI
fields appear in the Server document on the Internet Protocols - HTTP
tab.
1. From the Domino Administrator, click the Configuration tab, expand
the Web section and click Internet Sites.
2. Choose the Web Site you want to edit, and click Edit Document.
3. Click the Configuration tab and complete these fields:
DSAPI filter file names
  Enter the name of one or more DSAPI filter files.
  Service providers: Each DSAPI filter applies to the entire server; therefore, if the services must be different for individual hosted organizations, the DSAPI filter itself must be coded to handle those differences for each individual hosted organization.
Methods
  Choose one or more:
  GET (default)
  HEAD (default)
  POST (default)
  OPTIONS (default)
  TRACE (default)
  PUT
  DELETE
WebDAV
  Choose this option to enable Web-based Distributed Authoring and Versioning.
  Note If you enable WebDAV, the following HTTP methods are also enabled: GET, HEAD, OPTIONS, PUT, and DELETE.

Domino Web Engine settings for Web Site documents


Use the Domino Web Engine tab to do the following:
• Set up session authentication.
• Specify GIF or JPEG conversion.
• Specify the number of lines to display in a view.
• Limit the number of documents displayed when searching.
• Find links with the Redirect URL command.
• Restrict the amount of data that users can send to a Domino database.
• Store Web user preferences in cookies.
• Set up language preferences.
• Specify an international character set when retrieving pages.

Note If you are using the Web Server Configurations view, use the
Server document.

Setting up session authentication for Web Site documents


You can enable session-based name-and-password authentication for a
Web site document. Web clients must use a browser that supports
cookies. You can customize an HTML login form for users to enter their
credentials, address multiple login prompts, allow logout using the
?logout URL or formula, and log user sessions.
1. From the Domino Administrator, click the Configuration tab, expand
the Web section, and click Internet Sites.


2. Choose the Web Site document you want to edit, and click Edit
Document.
3. Click the Domino Web Engine tab. Under HTTP Sessions, in the Session authentication field, do one of the following:
• Choose Multiple Servers (SSO) to allow a Web user to log on once to a Domino server, then access any other Domino server in the same domain without logging on again. Under Web SSO configuration, enter the name of the Web SSO configuration document.
• Choose Single Server to use cookies for a single server only. This option applies only when users access this Web site. Under Idle session timeout, enter the time (in minutes) when the cookie will expire and the session will be deactivated. Default is 30 minutes.
• Choose Disabled (default) to prevent cookies from being used by the Domino server for authentication.
4. In the Maximum active sessions field, enter the maximum number of
active, concurrent user sessions on the server. Default is 1000.
5. Save the document.
For more information about session authentication and single sign-on,
see the chapter Setting Up Name-and-Password and Anonymous
Access to Domino Servers.
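Two places in this chapter describe the same pair of controls: the Session state tracking, Idle session time-out and Maximum active sessions fields for servlet HttpSession instances (under Managing Java servlets on a Web server), and the Idle session timeout and Maximum active sessions settings for Web Site session authentication just described. The following added example (not Domino code; Domino keeps the two mechanisms separate and this block models only the eviction rules they describe) is an in-memory session table that terminates sessions idle for the timeout, evicts the longest-idle sessions when the limit is reached, and ends a session explicitly as the ?logout URL does. Times are seconds passed in by the caller so the behaviour is deterministic.

```python
"""In-memory model of the idle-timeout and maximum-active-session rules
described for servlet HttpSession tracking and Web Site session
authentication. Added example, not Domino code."""
import secrets


class SessionTable:
    def __init__(self, idle_timeout_minutes=30, max_active_sessions=1000):
        self.idle_timeout = idle_timeout_minutes * 60
        self.max_active = max_active_sessions
        self._sessions = {}    # token -> {"user": str, "last_seen": float}
        self.terminated = []   # (token, reason) log; stands in for HttpSession.invalidate()

    def _terminate(self, token, reason):
        self._sessions.pop(token, None)
        self.terminated.append((token, reason))

    def reap_idle(self, now):
        """Periodic check: end every session idle for at least the timeout."""
        for token, sess in list(self._sessions.items()):
            if now - sess["last_seen"] >= self.idle_timeout:
                self._terminate(token, "idle")

    def create(self, user, now):
        """Start a session; at the limit, the longest-idle sessions go first."""
        self.reap_idle(now)
        while len(self._sessions) >= self.max_active:
            oldest = min(self._sessions, key=lambda t: self._sessions[t]["last_seen"])
            self._terminate(oldest, "limit")
        token = secrets.token_urlsafe(32)   # unguessable session identifier for the cookie
        self._sessions[token] = {"user": user, "last_seen": now}
        return token

    def touch(self, token, now):
        """Validate a presented token and refresh its idle clock.
        Returns the user name, or None for unknown or expired tokens."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess["last_seen"] >= self.idle_timeout:
            self._terminate(token, "idle")
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token):
        """Explicit end of a session, as the ?logout URL does."""
        if token not in self._sessions:
            return False
        self._terminate(token, "logout")
        return True

    def active_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    table = SessionTable(idle_timeout_minutes=30, max_active_sessions=2)
    a = table.create("alice", now=0)
    b = table.create("bob", now=60)
    c = table.create("carol", now=120)        # limit reached: alice, idle longest, is evicted
    print(table.touch(a, now=130), table.touch(b, now=130), table.terminated)
```

The important property for an administrator is in `create`: when Maximum active sessions is reached, a new login costs the least recently active user their session, so a limit set too low turns into forced re-authentication under load rather than a hard refusal.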

Specifying GIF or JPEG conversion in Web Site documents


You can control the format and method Domino uses to display images
that appear in documents. The Domino Web server supports both GIF
and JPEG image formats. This setting has no effect on images referenced
using passthru HTML.
When you enable progressive or interlaced rendering, the image appears
to download quickly and you can typically identify the image before it is
completely downloaded.
To specify GIF or JPEG conversion in a Web Site document
1. From the Domino Administrator, click the Configuration tab, expand
the Web section, and click Internet Sites.
2. Choose the Web Site document you want to edit, and click Edit
Document.


3. Click the Domino Web Engine tab. Under Conversion/Display, complete these fields:

To specify GIF conversion
Image conversion format
  GIF (default): To convert images in documents to GIF format.
Interlaced rendering
  Choose one:
  Enabled (default): To display each line of the image individually.
  Disabled: To wait for the entire image to download before displaying the image.

To specify JPEG conversion
Image conversion format
  JPEG: To convert images in documents to JPEG format.
Progressive rendering
  Choose one:
  Enabled (default): To display the image incrementally in several passes.
  Disabled: To wait for the entire image to download before displaying the image.
JPEG image quality
  A percentage between 5 and 100 to indicate the level of image quality. The larger the value, the larger the file, the longer the files take to transmit, and the better the image quality. The default is 75.

Note If you are using the Web Server Configuration view, open the
Server document and click the Internet Protocols - Domino Web Engine
tab.

Specifying the number of lines to display in a view


You can specify the default number of lines to display in a view when users do not specify a line count in a URL. The number of lines to display depends on your preference. Displaying many lines per view makes it easy to find an item in a large view. Displaying fewer lines per view makes it easy to read the items in the view.
You can also specify the maximum number of lines to display in a view
when the user specifies a line count in a URL.
Entering a maximum number of lines prevents users from overloading
server resources by requesting a large number of lines to display.

To specify the number of lines to display in a view
1. From the Domino Administrator, click the Configuration tab, expand the Web section and click Internet Sites.
2. Choose the Web Site document you want to edit and click Edit Document.
3. Click the Domino Web Engine tab. Under Conversion/Display complete these fields:

Default lines per view page
  A number from 1 to the number specified in the Maximum lines per view page field. Default is 30.
Maximum lines per view page
  A number that is limited only by the browser software. Default is 1000.
  Enter 0 if you do not want to limit the number of lines in a view.

Note If you are using the Web Server Configuration view, open the
Server document and click the Internet Protocols - Domino Web Engine
tab.

Limiting the number of documents displayed during a Web Site search

You can specify a default and maximum number of documents to
display as a result of performing a search on a database. Users can
specify the number of documents for a search query to return using the
SearchMax parameter with the SearchSite and SearchView commands.
Note If you are using the Web Server Configuration view, open the
Server document and click the Internet Protocols - Domino Web Engine
tab.
Change these options to prevent users from overloading server resources
with search results.
To limit the number of documents displayed during a Web Site
search
1. From the Domino Administrator, click the Configuration tab, expand
the Web section, and click Internet Sites.
2. Choose a Web Site document you want to edit, and click Edit
Document.


3. Click the Domino Web Engine tab. Under Conversion/Display, complete these fields:

Default search result limit
  Enter the maximum number of documents to display when users do not specify the SearchMax parameter in the URL.
  If you set the value to 0, the number of documents displayed is the same value as that specified in Maximum search result limit.
  The default is 250.
Maximum search result limit
  Enter the maximum number of documents that a user can specify for the SearchMax parameter in a URL.
  Enter 0 if you do not want to limit the number of documents displayed. The default is 1000.
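The view-lines and search-result settings share one rule set with two special cases (a default of 0 meaning "same as the maximum", and a maximum of 0 meaning "no limit"), which is where a resource-exhaustion protection is most easily misconfigured. The following added example (not Domino code) resolves the count a request actually gets from the URL argument and the two fields. SearchMax is the parameter the text names; the Count argument for views and the exact URL shapes in the sample are assumptions.

```python
"""Resolve how many rows a view or search returns under the Default /
Maximum lines per view page and Default / Maximum search result limit
fields, including their 0 cases. Added example, not Domino code; the
view Count argument is assumed."""
from urllib.parse import parse_qs, urlsplit


def resolve_limit(requested, default_limit, maximum_limit):
    """Apply the documented rules to one request.

    requested:     value from the URL (SearchMax / Count), or None
    default_limit: used when the URL gives no value; 0 means "same as maximum"
    maximum_limit: cap on what a URL may ask for; 0 means no cap
    Returns an int, or None when the result is unlimited."""
    cap = maximum_limit if maximum_limit > 0 else None
    if requested is None or requested <= 0:
        if default_limit > 0:
            return default_limit if cap is None else min(default_limit, cap)
        return cap                      # default 0 -> the maximum, itself possibly unlimited
    return requested if cap is None else min(requested, cap)


def requested_count(url, param):
    """Integer URL argument such as SearchMax=500; None if absent or not a number."""
    values = parse_qs(urlsplit(url).query).get(param)
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def search_result_limit(url, default_limit=250, maximum_limit=1000):
    """Documents a search URL returns (defaults are the field defaults above)."""
    return resolve_limit(requested_count(url, "SearchMax"), default_limit, maximum_limit)


def view_lines(url, default_limit=30, maximum_limit=1000):
    """Lines a view URL returns; the Count argument is an assumption of this example."""
    return resolve_limit(requested_count(url, "Count"), default_limit, maximum_limit)


if __name__ == "__main__":
    # constructed sample URLs
    print(search_result_limit("http://www.acme.com/db.nsf/v?SearchView&Query=foo&SearchMax=5000"))
    print(view_lines("http://www.acme.com/db.nsf/view?OpenView&Count=40"))
```

A request asking for 5000 search results on a site with the default fields gets 1000; only when the Maximum field is set to 0 does the request's own number win, which is the configuration the text warns overloads the server.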

Finding links with the Redirect URL command


You use the Redirect URL command to create anchor, document, view,
and database links on a Web page. These links and the links for domain
search results can direct users to a database on the same server or
another server. Enable this option on any server that runs the domain
search and on servers for which you want to resolve links to other
servers.
To find links with the Redirect URL command
1. From the Domino Administrator, click the Configuration tab, expand
the Web section, and click Internet Sites.
2. Choose the Web Site document you want to edit, and click Edit
Document.


3. Click Domino Web Engine. Under Conversion/Display, complete this field:

Redirect to resolve external links
  Choose one:
  Disabled (default): To prevent the server from accepting Redirect URL commands and to prevent the server from generating Redirect URL commands as a result of a domain search.
  By Server: To look up the server name specified in the URL in the Domino Directory on the Web server. The Web server searches for the server name in both the Host names field on the Internet Protocols - HTTP tab and in the Fully qualified Internet host name field on the Basics tab.
  By Database: To find the database in the Domino Directory on any available server. Domino locates the database in the domain catalog, if available, or in the server's local catalog. Make sure the domain catalog contains up-to-date information on the location of databases.
  With this option, resolving links takes more time than with the By Server option, since the Web server searches for the database on an available server instead of just the server presented in the URL. The By Database option, however, may resolve more links, since the Web server tries to resolve the link using a replica of the database on servers in addition to the server presented in the URL. Use this option on the server that runs the domain search so more links are resolved for the user.
  Since By Server and By Database both rely on the information in the Domino Directory, make sure the server information in the Domino Directory is complete and correct.

For information on the Redirect URL command, see Application Development with Domino Designer.

Note If you are using the Web Server Configuration view, open the
Server document and click the Internet Protocols - Domino Web
Engine tab.


Restricting the amount of data users can send to a Domino database


The Web Site document contains two additional settings that control POST and PUT methods that target a database (for example, filling in a form or uploading a file attachment). Formerly available in the Server record, for Domino 6 these settings have been moved to the Web Site document so that you can specify different values for each Web site.
To restrict the amount of data that can be sent to a Domino
database
1. From the Domino Administrator, click the Configuration tab, expand
the Web section and click Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
3. Click the Domino Web Engine tab. Under POST Data complete these fields:

Maximum POST data
  Enter the amount of data in KB that a user is allowed to send to the Web site in a POST request that targets a database. The default is 0, which does not restrict the amount of data that users can send (however, the amount is still limited by the Server record setting Maximum request content). This limit applies to both the PUT and the POST HTTP methods.
  If users try to send more than the maximum allowed data, Domino returns an error message to the browser.
File compression on upload
  Choose one:
  Enabled: To compress files before adding them to a database. Compressing files saves disk space on the server.
  Disabled (default): If clients use a browser that supports byte-range serving. You cannot download compressed files using Domino byte-range serving.

For more information on byte-range serving, see the topic Improving file-download performance for Web clients earlier in this chapter.

The HTTP POST and PUT methods allow users to send data to the
Domino server. The Server record field Maximum size of request
content is new for Domino 6, and sets a limit on the amount of data that
can be sent using either POST or PUT. This limit is enforced for all POST
and PUT methods, whether the target is a database, CGI program, or
Java servlet, and applies to all Web sites.

Note If you are using the Web Server Configuration view, open the
Server document and choose the Internet Protocols - Domino Web
Engine tab.
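Because two fields now govern request bodies, it helps to see how they combine. The following added example (not Domino code) computes the limit that applies to a given POST or PUT from the Web Site document's Maximum POST data (database targets only, in KB, 0 meaning no site-level limit) and the Server record's Maximum size of request content (every POST and PUT on every Web site), and rejects an oversized request from its Content-Length before the body is read. The request is a constructed dict, and the server field is assumed here to be expressed in KB like the site field, which the page does not state.

```python
"""Combine the Web Site Maximum POST data field and the Server record
Maximum size of request content field into one per-request check.
Added example, not Domino code; the server field's unit (KB) is assumed."""


def effective_limit_bytes(site_max_post_kb, server_max_request_kb, target_is_database):
    """Smallest applicable limit in bytes, or None when neither field limits the request."""
    limits = []
    if target_is_database and site_max_post_kb > 0:      # site field: database targets only
        limits.append(site_max_post_kb * 1024)
    if server_max_request_kb > 0:                        # server field: every POST/PUT
        limits.append(server_max_request_kb * 1024)
    return min(limits) if limits else None


def check_request(request, site_max_post_kb, server_max_request_kb):
    """Return (accepted, reason) for a constructed request dict with the keys
    method, target_is_database, content_length and body."""
    if request["method"] not in ("POST", "PUT"):
        return True, "no body limit applies"
    declared = request.get("content_length")
    if declared is None:
        return False, "Content-Length missing"
    limit = effective_limit_bytes(site_max_post_kb, server_max_request_kb,
                                  request["target_is_database"])
    if limit is not None and declared > limit:
        # refuse before reading the body, so the limit also bounds what is buffered
        return False, f"declared {declared} bytes exceeds limit of {limit} bytes"
    actual = len(request["body"])
    if actual != declared:
        return False, f"body is {actual} bytes, Content-Length says {declared}"
    return True, "within limits"


if __name__ == "__main__":
    # constructed sample: a 1 MB site limit under a 2 MB server limit
    form_post = {"method": "POST", "target_is_database": True,
                 "content_length": 3, "body": b"a=1"}
    print(effective_limit_bytes(1024, 2048, True), effective_limit_bytes(1024, 2048, False))
    print(check_request(form_post, 1024, 2048))
```

With the page's default of 0 in the site field, the server field is the only thing standing between a form post and an unbounded upload, which is why the text says the new Server record field applies to every target including CGI programs and servlets.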

Storing Web user preferences in cookies


Web users can configure their own time zone and regional preferences. Customized preferences are stored in cookies that reside in Web client browsers. Thus, your preferences can't be used if you access the server from a browser other than the one for which you set up cookies.
1. From the Domino Administrator, choose Configuration - Web Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
3. Click Domino Web Engine. Under Web User Preferences, complete these fields:

Store user preferences in cookies
  Choose one:
  Disabled: Users cannot customize their regional preferences.
  Single Server: Cookies for customized preferences are generated for the current Web site/server only.
  Multi-server: Cookies for customized preferences are generated for the DNS domain to which the current Web site/server belongs.
Default regional locale
  Use this field for those cases in which a user does not have any custom regional settings enabled for their browser, and the format option for regional setting fields is set to user's setting. This information is needed for formatting date, time, number, and currency fields.
  Server locale: Use the server's operating system settings.
  Browser's accept-language (default): Use the browser's accept-language. By default, both Internet Explorer and Netscape send HTTP requests with the accept-language header in the user's preferred language(s).

Note If you are using Server document settings and the Web Server
Configurations view, you can enable these settings in the Server
document in Internet Protocols - Domino Web Engine, under Web user
preferences.

Setting up language preferences
1. From the Domino Administrator, choose Configuration - Web Internet Sites.
2. Choose the Web Site document you want to edit and click Edit Document.
3. Click Domino Web Engine. Under Web User Preferences, complete these fields:

Default string resource language
  Use this setting to select the default language string resource module for Web clients who do not send accept-language information with HTTP requests, or for cases in which the languages specified in the accept-language header are not in the languages available on the server.
Additional string resource languages
  Use this setting to select the additional string resource languages that are installed on the server.

Note If you are using Server document settings and the Web Server
Configurations view, you can enable these settings in the Server
document in Internet Protocols - Domino Web Engine, under
Language.
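As an added example (not Domino code), the Python block below parses an Accept-Language header and picks a string resource language the way the two settings above work together: the client's preferences are honoured when an installed module matches, and the default string resource language is used when the header is missing or names no installed language. The installed-language list, the sample headers and the fallback from a regional tag such as fr-CA to fr are assumptions of the example.

```python
# Added example (not Domino code): pick a string resource language from the
# client's Accept-Language header and the languages installed on the server,
# falling back to the default language when the header is missing or names no
# installed language. The installed list and the base-language fallback
# (fr-CA -> fr) are assumptions of this example.
from typing import List, Optional, Sequence, Tuple


def parse_accept_language(header: Optional[str]) -> List[Tuple[str, float]]:
    """Return (language-tag, q) pairs, most preferred first, q=0 entries dropped.

    Accepts the RFC 2616 form "en-US,en;q=0.8,fr;q=0.5". An unparsable q value
    is treated as 0 so that a malformed entry can never outrank a well-formed one.
    """
    if not header:
        return []
    ranked = []
    for position, item in enumerate(header.split(",")):
        tag, _, params = item.strip().partition(";")
        tag = tag.strip().lower()
        if not tag:
            continue
        quality = 1.0
        for param in params.split(";"):
            name, _, value = param.strip().partition("=")
            if name.strip().lower() == "q":
                try:
                    quality = float(value)
                except ValueError:
                    quality = 0.0
        quality = max(0.0, min(quality, 1.0))
        ranked.append((tag, quality, position))
    # Higher q first; equal q keeps the order in which the client listed them.
    ranked.sort(key=lambda entry: (-entry[1], entry[2]))
    return [(tag, q) for tag, q, _ in ranked if q > 0]


def select_language(header: Optional[str], installed: Sequence[str],
                    default: str) -> str:
    """Choose the string resource module to render with.

    installed: languages whose string resource modules are on the server
    default:   the "Default string resource language" setting
    """
    by_tag = {lang.lower(): lang for lang in installed}
    for tag, _ in parse_accept_language(header):
        if tag in by_tag:
            return by_tag[tag]
        base = tag.split("-", 1)[0]  # assumption: fr-CA may use the fr module
        if base in by_tag:
            return by_tag[base]
    return default  # no header, or nothing the client asked for is installed
```

With English and French modules installed and English as the default, a request carrying "fr" renders in French, a request with no header or with only "de, it;q=0.8" renders in English, and "de;q=0.5, fr;q=0.9, en;q=0.8" renders in French because q values, not list order, decide.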

The Web server uses language string resource modules to render Web
pages in different languages. The Domino 6 Web server can support
multiple languages and be configured to handle them on the fly. The
language in which a Web server generates a Web page is based on the
Accept-Language setting in the headers of client HTTP requests. For
example, a Web server with English and French resource modules will
generate a Web page in French if a Web client sends an HTTP request
with Accept-Language: fr (French) in its headers.

Specifying the character set to use when retrieving Web pages

Domino uses the default character set and character set mapping
selection to generate HTML text for the browser. If you have
international users who need to see text in nonwestern languages, you'll
need to make changes to the settings. The character set setting affects all
databases on the server.
To specify an international character set
1. From the Domino Administrator, click the Configuration tab, expand
the Web section and click Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
3. Click the Domino Web Engine tab. Under Character Set Mapping,
complete these fields:

Field: Default character set group
Enter: A character set group to allow users to choose their preferred character set when they create or edit documents. The default is Western.

Field: Convert resource strings to
Enter: A language to use for messages, HTML for default search pages, and static strings in pages. You can choose a language other than English only for international versions of the Domino server that have translated text. The default is English.

Field: Use UTF-8 for output
Enter: Choose one:
   Yes: To generate pages using UTF-8.
   No (default): To generate pages using the character set mapping you select.

Field: Use auto-detection if database has no language information
Enter: Choose one:
   Yes: To detect automatically the language to use for the database if no default language is selected on the Design tab of the Database Properties box.
   No (default): To use the language specified by the Use UTF-8 for output field.
   If the language is specified for a database on the Design tab of the Database Properties box, Domino uses that language for text in the database.

Field: Character set in header
Enter: Choose one:
   Yes (default): To add the character set to the Content-Type HTTP header of an HTML page. If you select Yes, the browser finds the character set before rendering the page.
   No: To exclude the character set from the Content-Type HTTP header of an HTML page. Use this option if you use early versions of browsers that do not understand the character set tag in the HTTP header.

Field: Meta character set
Enter: Choose one:
   Yes: To add the character set to the <META> tag of an HTML page. This option lets you save the character set information when you save an HTML file on a server or on your hard disk.
   No (default): To exclude the character set from the <META> tag of an HTML page.


4. In the fields that display the character set group names, select one of
the available choices for character set mapping.
5. Save the document.

Table of character sets for Web server pages

The default character set governs the available choices for character set
mapping. If a character set group has mapping choices, you must also
select which character set to use.

Character set group: Western (this set includes Windows and ANSI characters)
Mapping choices: US-ASCII, ISO-8859-1 (default), ISO-8859-15, Windows-1252

Character set group: Central European
Mapping choices: ISO-8859-2, Windows-1250 (default)

Character set group: Japanese
Mapping choices: SJIS (default), JIS (ISO-2022-JP), EUC-JP

Character set group: Traditional Chinese
Mapping choices: Big5 (default), EUC-TW

Character set group: Simplified Chinese
Mapping choices: GB

Character set group: Korean
Mapping choices: KSC5601 (EUC)

Character set group: Cyrillic
Mapping choices: ISO-8859-5, Windows-1251, KOI8-R (default)

Character set group: Greek
Mapping choices: ISO-8859-7, Windows-1253 (default)

Character set group: Turkish
Mapping choices: ISO-8859-9, Windows-1254 (default)

Character set group: Thai
Mapping choices: Windows-874

Character set group: Baltic
Mapping choices: Windows-1257

Character set group: Arabic
Mapping choices: Windows-1256 (default), ISO-8859-6

Character set group: Hebrew
Mapping choices: ISO-8859-8 (default), Windows-1255

Character set group: Vietnamese
Mapping choices: Windows-1258

Web Site rules and global Web settings

Web Site rules are documents that help you maintain the organization of
a Web site. They have two main uses:
   Enable the administrator to create a consistent and user-friendly
   navigation scheme for a Web site, which is independent of the site's
   actual physical organization.
   Allow parts of the site to be relocated or reorganized without
   breaking existing links or browser bookmarks.
Web Site rules are created as response documents to Web Site
documents, and apply only to that particular Web Site document. If you
want to apply a rule to more than one Web Site document, copy and
paste the rule document from one Web Site document to the other.
Before Web Site rules can be applied to an incoming URL, the URL is
normalized according to a predefined set of filtering and validation rules
and procedures. These procedures reduce the URL to a safe form before
it is passed to an application for processing. Once the URL is normalized,
the HTTP task uses the rules defined for the Web Site to determine if the
URL is to be modified in any way.
Note Only the URL path is used for pattern matching. The query string
is saved for use by the application. Any patterns you specify for a rule's
Incoming URL pattern field should not include a host name or query
string.
There are four types of Web Site rules. If more than one type of Web Site
rule has been created for a Web Site document, the rule documents are
evaluated in this order:
   1. Substitution
   2. Redirection
   3. Directory
   4. HTTP response header

Substitution rules
A substitution rule replaces one or more parts of the incoming URL with
new strings. Substitution rules should be used when you want to
reorganize your Web site and you don't want to have to rewrite all the
links in the site, or when you want to provide user-friendly aliases for
complex URLs.
   For example, a substitution rule would be useful if you moved a number
   of files on your Web site from one directory to another. Instead of fixing
   all the links that refer to the old directory, your substitution rule would
   map the old directory to the new directory.
   The incoming and replacement patterns in substitution rules must each
   specify at least one wildcard. If you do not explicitly include a wildcard
   somewhere in a pattern, the HTTP task automatically appends "/*" to
   the pattern when it stores the rule in its internal table.
Redirection rules
Redirection rules redirect incoming URLs to other URLs. There are two
types of redirection rules: external redirection and internal redirection.
An external redirection rule causes the server to inform the browser that
a file or other resource requested by the browser is located at another
URL. If the incoming URL path matches an external redirection rule, the
HTTP task generates a new URL based on the redirection pattern and
immediately returns that URL to the browser. Using external redirection
rules allows existing links and bookmarks to keep working, but ensures
that new bookmarks point to the new location.
An internal redirection rule acts like a substitution rule, as the HTTP task
generates a new URL and then re-normalizes it. There are two
differences, however. First, the redirection table is searched recursively,
so you can create and nest multiple redirection rules. Second, an internal
redirection rule does not require the use of a wildcard character. Thus,
you can choose to use an internal redirection rule instead of a
substitution rule if you want to force an exact match on the URL path.
If the incoming URL path matches an internal redirection rule, the HTTP
task generates a new path, normalizes the path, and searches the
redirection rule table again. Because the HTTP task does a recursive
search through the redirection rule table, you can write broad redirection
rules that capture URLs no matter what substitution or redirection has
been applied.
Note Having a recursive search means that there is the potential for
getting into an infinite loop if you write redirection rules that match each
other. To eliminate this possibility, the HTTP task has a built-in recursion
limit of ten.
Wildcards are allowed in redirection rules, but are not required.
Directory rules
A directory rule maps a file-system directory to a URL pattern. When the
Web server receives a URL that matches the pattern, the server assumes
that the URL is requesting a resource from that directory.

When you install a Domino 6 Web server, several file-resource directories
are created automatically. These default directories are mapped by
directory rules that are defined on the Configuration tab of the Web Site
document. When the Web server starts up, it automatically creates
internal rules to map these directories to URL patterns. The three default
directories are:
   HTML directory for non-graphic files
   Icon directory for graphic images such as .GIFs
   CGI directory for CGI programs

Directory rules can only be used to map the location of files that are to be
read directly (such as HTML files and graphic files) and executable
programs to be loaded and run by the operating system (such as CGI
programs). Directory rules cannot be used to map the location of other
types of resources, such as Domino databases or Java servlets.
When you create a Directory Web Site rule, you specify read or execute
access to a file-system directory. It is critically important to choose the
right access. Only directories that contain CGI programs should be
enabled for Execute access. All other directories should have Read access.
If you specify the wrong access level, unexpected results will occur. For
example, if you mark a CGI directory for Read access, when a browser
user sends a URL for a CGI program, the server will return the source
code of the program instead of executing it, which could be a serious
security breach.
Directory rules cannot override file-access permissions enforced by the
operating system.
Note Access level is inherited by all subdirectories under the specified
directory.
HTTP response header rules
Every HTTP browser request and server response begins with a set of
headers that describe the data that is being transmitted. An HTTP
response header rule allows an application designer to customize the
headers that Domino sends (such as an Expires header or custom
headers) in HTTP responses to requests that match the specified URL
pattern.
The most important use of response rules is to improve the performance
of browser caching. An application designer can add headers that
provide the browser with important information about the volatility of
the material being cached.

The caching headers include the Last-Modified header, Expires header,
and Cache-Control header. The Last-Modified header indicates when the
resource or resources used to generate a response were last changed. The
Expires header tells the browser when resources are expected to change.
A designer can define a rule to add Expires headers to responses based
on when the designer expects resources to change. The Cache-Control
header provides explicit instructions to browser and proxy server caches,
such as "no-cache" for responses that should not be cached, or "private"
for responses that are cacheable but are specific to a particular browser
configuration.
You can also use response rules to customize headers. For example, you
can create response rules for custom headers that display specific error
messages, for example, when a user is not authorized to access an
application.
Unlike other Web site rules, response rules are applied to the outgoing
response, just before the HTTP task transmits the response to the
browser. For response header rules, the pattern is matched against the
final form of a URL, after substitution and redirection rules have been
applied to it. For example, if you have a substitution rule that transforms
/help/* to /support.nsf/helpview/* and you want to create a response
rule to match the response, the pattern for the response rule should be
/support.nsf/helpview/*.
The pattern can include one or more asterisks as wildcard characters. For
example, the pattern /*/catalog/*.htm will match the URLs
/petstore/catalog/food.htm, /clothing/catalog/thumbnails.htm, and so
on. A wildcard is not required in a response rule. This allows you to
create a rule that matches a specific resource, for example,
/cgi-bin/account.pl. Also, as with all rules, the incoming pattern cannot
contain a query string.
Response header rules are different from other rules in that not only do
they have to match a URL pattern, they also have to match the HTTP
response status code. You need to specify one or more status codes in the
HTTP response codes field.

Global Web Settings

Global Web Settings enable you to apply Web rules to multiple Web
sites. You define a name for the Global Web Settings document, and
specify the servers to which the Global Web Settings apply. You then
create Web Rules documents for a Global Web Settings document. The
Web rules then apply to all Web sites hosted by the servers specified in
the Global Web Settings document.
Global Web Settings documents and associated Web Site rule documents
are not automatically created. If you want to use the Global Web Settings
document and Web Site rules in your Web environment, you need to
create them manually.
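The following Python block is an added example, not Domino's own code. It models the rule evaluation that the Web Site rules and HTTP response header rules sections above describe: the URL is normalized, substitution rules are applied, internal redirection rules are searched recursively up to the built-in limit of ten, an external redirection goes straight back to the browser, a directory rule maps what is left to a file-system directory with its Read or Execute access, and response header rules are matched against the final path and the status code. The rule set in demo_rules(), the path names and the host archive.example.invalid are constructed, and the normalization steps are a simplification, since the chapter does not list Domino's own.

```python
# Added example, not Domino's own code: a toy model of how the HTTP task applies
# Web Site rules in the order described above (normalize, then substitution,
# redirection and directory rules; response header rules are matched against
# the final path and the status code when the response is sent).
# The rule set in demo_rules() is constructed; example.invalid is a placeholder.
import re
from typing import Dict, List, Optional, Tuple

RECURSION_LIMIT = 10  # internal redirections the HTTP task allows before giving up


def normalize(url: str) -> Tuple[str, str]:
    """Split off the query string and reduce the path to a safe form.
    Assumption: Domino's exact steps are not listed here; this resolves '.' and
    '..' segments (never above the root) and drops empty segments."""
    path, _, query = url.partition("?")
    segments: List[str] = []
    for seg in path.split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments), query


def match(pattern: str, path: str) -> Optional[List[str]]:
    """Match a rule pattern against a URL path; each '*' captures any text."""
    regex = "^" + "(.*)".join(re.escape(p) for p in pattern.split("*")) + "$"
    found = re.match(regex, path)
    return list(found.groups()) if found else None


def rewrite(replacement: str, captures: List[str]) -> str:
    """Fill the replacement pattern's wildcards with the captured text, in order."""
    parts = replacement.split("*")
    return parts[0] + "".join(c + t for c, t in zip(captures + [""] * len(parts), parts[1:]))


def substitution(incoming: str, replacement: str) -> Tuple[str, str]:
    # A substitution pattern with no wildcard is stored with "/*" appended.
    return (incoming if "*" in incoming else incoming + "/*",
            replacement if "*" in replacement else replacement + "/*")


def resolve(rules: Dict[str, list], url: str) -> Dict[str, str]:
    """Return what the HTTP task would do with the URL's path part."""
    path, query = normalize(url)
    for incoming, replacement in rules["substitution"]:  # 1. substitution
        caps = match(incoming, path)
        if caps is not None:
            path, _ = normalize(rewrite(replacement, caps))
            break
    hops = 0
    while True:  # 2. redirection; internal rules are searched recursively
        target = None
        for incoming, pattern in rules["redirection"]:  # no wildcard needed: exact match
            caps = match(incoming, path)
            if caps is not None:
                target = rewrite(pattern, caps)
                break
        if target is None:
            break
        if not target.startswith("/"):  # external: sent back to the browser at once
            return {"action": "external-redirect", "location": target, "query": query}
        hops += 1
        if hops > RECURSION_LIMIT:  # rules that match each other would loop forever
            return {"action": "error", "reason": "redirection recursion limit exceeded"}
        path, _ = normalize(target)
    for incoming, directory, access in rules["directory"]:  # 3. directory
        caps = match(incoming, path)
        if caps is not None:
            # Execute runs the file as a CGI program; Read sends its bytes to the
            # browser, which is why a CGI directory must never be marked Read.
            action = "execute" if access == "Execute" else "read"
            return {"action": action, "file": f"{directory}/{caps[-1]}", "query": query}
    return {"action": "application", "path": path, "query": query}


def response_headers(rules: Dict[str, list], final_path: str, status: int,
                     app_headers: Dict[str, str]) -> Dict[str, str]:
    """4. A header rule must match both the final path and the status code."""
    headers = dict(app_headers)
    for pattern, codes, extra, override in rules["header"]:
        if status in codes and match(pattern, final_path) is not None:
            for name, value in extra.items():
                if override or name not in headers:  # "override application's header"
                    headers[name] = value
    return headers


def demo_rules() -> Dict[str, list]:
    """Constructed rule set covering the cases the text describes."""
    return {
        "substitution": [substitution("/help/*", "/support.nsf/helpview/*")],
        "redirection": [("/old-news", "/news"),                       # internal, exact
                        ("/news", "/current/news.nsf"),               # found on the 2nd pass
                        ("/archive/*", "http://archive.example.invalid/*"),  # external
                        ("/ping", "/pong"), ("/pong", "/ping")],      # match each other
        "directory": [("/cgi-bin/*", "c:/notes/data/domino/cgi-bin", "Execute"),
                      ("/docs/*", "c:/notes/data/domino/html/docs", "Read")],
        "header": [("/support.nsf/helpview/*", {200}, {"Cache-Control": "private"}, False),
                   ("/cgi-bin/account.pl", {401, 403}, {"X-Help-Page": "/docs/denied.htm"}, True)],
    }
```

A practical use is to run each planned rule set through resolve() with a handful of representative URLs before loading it: one that should be substituted, one that chains internal redirections, one that contains ".." (to confirm it is normalized before any directory rule sees it), and the pair of rules that match each other, which should stop at the recursion limit rather than loop.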

Creating a Web Site Rule document


You can keep database files, HTML files, CGI scripts, and other related
Web files in multiple locations or move them to new locations without
breaking URL links or changing documents. Domino displays the Rules
document as a response to the Web Site document on the Configuration
tab in the Web - Internet Sites view.
Redirecting a URL displays the page in the new location and displays the
URL in the location box for the user. Mapping a URL or directory
displays the page in the new location and hides that new location from
the user.
To create a Web Site Rule document
1. From the Domino Administrator, click the Configuration tab, expand
the Web section and click Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
3. Click the Web Site button and choose Create Rule.
4. Click the Basics tab and complete the following fields:
Field: Description
Action: Enter a name that differentiates this rule from others you create.

Field: Type of Rule
Action: Choose one:
   Directory: To allow a server file-system directory to be accessed by a URL path.
   Redirection: The resource identified by the URL has been moved to a different location or Web site.
   Substitution: To replace a string in the URL with another string.
   HTTP response header: To add an Expires header or custom headers to HTTP responses that match specified URL patterns and response codes.

Field: Incoming URL pattern
Action: Pattern that describes the URLs affected by this rule. If you are defining many rules, specify the longest unique pattern for each rule. Do not include "http" or the host name in the pattern.

Field: Replacement pattern
Action: (Substitution only) Enter the string that replaces the matching part of the incoming URL.

Field: Target server directory
Action: (Directory only) Enter the file-system directory path being mapped. This can be specified as a fully-qualified path or a path relative to the data directory. If you want to map a directory that isn't under the Domino data directory, specify the fully qualified path. Service providers: use the organization's data directory.

Field: Access level
Action: (Directory only) Choose one:
   Read access: To allow browser users to read files from the directory. Files in the directory are displayed in the browser or downloaded. When a user requests a file from the directory, the server sends the contents of the file back to the browser.
   Execute access: To allow browser users to load and run CGI programs in the directory. Files in the directory are CGI files to be executed on the server. The server relays the output from the program to the browser.

Field: HTTP response codes
Action: (HTTP Response Header only) Enter the HTTP response codes to which you want your response headers applied.

Field: Expires header
Action: (HTTP Response Header only) Choose one:
   Don't add header
   Add header only if application did not
   Always add header (override application's header)
   Note If you choose to add a header, you must specify an expiration period, either by specifying the number of days for which you want to enable this header, or a date after which you want to disable this header.

Field: Custom header
Action: (HTTP Response Header only) For each custom header you want to use, specify:
   Name: The name of the response header.
   Value: The value of the response header.
   Override: Override application's header.

Field: Redirect to this URL
Action: (Redirection only) Enter the new URL location. If the URL pattern in this field starts with a slash, the rule is treated as internal redirection. Otherwise, the rule is assumed to be external redirection. The pattern for an external redirection needs to start with an Internet protocol string that the browser understands, such as "http:" or "ftp:".

5. Save the document.


Note If you are using Server document settings and the Web Server
Configurations view, you can enable these settings in the Server
document. Open the Server document and click Create Web (R5) and
select URL Mapping/Redirection.

Configuring a Web Site rule to run PHP


PHP (from Personal Home Page Tools) is a script language and
interpreter. The PHP script is embedded within a Web page along with
its HTML. To enable a Web Site document to use PHP, you need to create
a directory rule for that site document to point to the PHP executable
files.
Note The default directory for PHP scripts is defined by the
DOCUMENT_ROOT CGI variable, and is the /<notes root
directory>/data/domino/html. PHP looks for scripts relative to this
directory.
To configure a Web Site rule for PHP
1. Install PHP on the Web server. Make sure that the PHP.EXE file can
find the PHP.INI file. Be sure that all paths are set up correctly for
PHP. See the PHP installation documentation for more information.
2. Create a directory rule to run PHP scripts. Use the following settings:
Field: Description
Action: Enter a name that differentiates this rule from others you create.

Field: Type of Rule
Action: Select Directory.

Field: Incoming URL pattern
Action: Enter /php-bin
An example of an incoming URL would be: http://<server>/php-bin/PHP.EXE/<php-scripts>

Field: Target server directory
Action: Enter the location of the PHP binary file (for example, c:\PHP).

Field: Access level
Action: Click Execute.

Creating a Global Web Settings document


The settings you enable in the Global Web Settings document apply to all
Web Site documents that you have set up on this server. After you have
created the Global Web Settings document, you can create rules for this
document. These rules will apply to all of the servers that are specified in
the Global Web Settings document.


To create a Global Web Settings document


1. From the Domino Administrator, click the Configuration tab, expand
the Web section and click Internet Sites.
2. Click Create Global Web Settings.
3. Click the Basics tab and complete the following fields:
Field: Descriptive name for this site
Action: Enter a name for this Web site.

Field: Domino servers that host this site
Action: List all the servers in the domain that will host this Web site.

Protecting files on a server from Web client access

File protection documents control access to non-database files that users
can access via Web browsers. Like database file (.NSF) access control lists
(ACLs), which specify the names of the users who can access them and
the level of access they have, you can enforce file protection for files that
browser users can access (for example, HTML, JPEG, and GIF) by
specifying the level of access for these types of files and the names of
the users who can access them.
While you can also apply file protection to CGI scripts, file protection
does not extend to other files accessed by those scripts. For example, you
can apply file protection to a CGI script that restricts access to a group
named Web Admins. However, if the CGI script runs and opens other
files, or triggers other scripts to run, the File Protection document cannot
control whether Web Admins has access to these additional files.
Do not create file protection documents that restrict access to the
following directories, which contain default image files and Java applets
that are used by the Domino Web server and other applications, such as
mail databases:
   Domino\data\domino\java, accessed via Web browser using the
   path http://server/domjava
   Domino\data\domino\icons, accessed via Web browser using the
   path http://server/icons
File protection does apply, however, to files that access other files, for
example, HTML files that open image files. If a user has access to the
HTML file but does not have access to the JPEG file that the HTML file
uses, Domino does not display the JPEG file when the user opens the
HTML file.
You can create a File Protection document for a directory or for an
individual file. Protection defined for a directory is inherited by all of its
subdirectories. You must set up File Protection documents for all
directories accessible to Web users. Files and file directories that do not
have File Protection documents can be accessed by anyone using a Web
browser.
Note You do not need to use a file protection document to protect a
database (.NSF) file; instead, you use a database ACL.
Examples of controlling Web browser access to server files
Specifying these settings in fields in the File Protection document allows
all users in the Web User Group to open files and start programs in the
c:\notes\data\domino\html directory.
Path: c:\notes\data\domino\html
Access: Web User Group (GET)
Access: - Default - (No Access)
The file secret.htm resides in the notes\data\domino\html
subdirectory. You can deny access to this file to members of the Web
User Group and allow access only to user Joe Smith. To do this, create an
additional File Protection document with the following settings:
Path: c:\notes\data\domino\html\secret.html
Access: - Default - (No Access)
Access: Joe Smith (GET)
Creating file protection for Web Site documents
In Domino 6, you create a file protection document for a specific Web
Site. This file protection document then applies only to that specific Web
Site.
File protection documents provide limited security. Use Domino security
features, such as database ACLs, to protect sensitive information.
To create file protection for a Web Site document
1. From the Domino Administrator, choose Configuration - Web - Internet Sites.
2. Open the Web Site document for which you want to create file
protection.
3. Click Web Site and choose Create File Protection.

4. Click Basics and complete these fields:

Field: Description
Action: (Optional) Enter a name that differentiates this document from others you create.

Field: Directory or file path
Action: Specify the directory or file path to which you want to restrict access. It should be either in the fully-qualified path format, which includes the drive letter (for example, c:\lotus\domino\data\domino\cgi-bin), or the path relative to the server's data directory (for example, domino\cgi-bin).

Field: Current Access Control List
Action: Displays the users and groups who can access the file or directory you specified, and the type of access they are allowed. Similar to a database ACL, the access control list is always created with a -Default- entry, set to No Access, which you can modify. As with a database ACL, those not listed in the Access List receive the default access level.

Field: Set/Modify Access Control List
Action: To add users to the Access Control List, click Set/Modify Access Control List. Select a user name or group from the Domino Directory or type a name in the Name field. Select Read/Execute access (GET method), Write/Read/Execute access (POST and GET methods), or No Access. Click Add to add the entry to the Access Control List.
GET lets the user open files and start programs in the directory. POST is typically used to send data to a CGI program; therefore, give POST access only to directories that contain CGI programs. No Access denies access to the specified user or group.
To remove an entry from the list, select it and click Clear.
If users connect to the server using Anonymous access, enter Anonymous in the Name field and assign the appropriate access.
Note If you wish to enter a user name that resides in an LDAP Directory, you must replace the comma delimiters with slashes. Do not enter the name with commas as delimiters. For example, an LDAP user with the following name format:
   cn=Anthony Jones,l=westford,o=airius.com
should be entered into the access list of a File Protection document like this:
   cn=Anthony Jones/l=westford/o=airius.com

5. Click Administration and complete the Owners and Administrators
fields. By default, the administrator name you logged in with is the
name that is assigned to both fields.
6. Save the document.
7. Enter this command to refresh the settings:
tell http refresh

Creating file protection for virtual servers (Domino 5.0x)


1. Do one of the following:
   From the Domino Administrator, choose Configuration - Servers,
   and open the Server document for the server to which the file
   protection will apply.
   If you are creating a File Protection document for a virtual server,
   choose Web - Web Server Configurations, and open the Virtual
   Server document.
2. Click Create Web (R5) and choose File Protection.
3. Click the Basics tab, and complete these fields:

Field: Applies to
Action: (Read-only) This setting applies to the base server, and all virtual servers or virtual hosts that do not have file protection settings. If a virtual server or virtual host has any file protection settings, then this setting does not apply.

Field: Path
Action: Specify the drive, directory, or file to which you want to restrict access. You can use the fully-qualified path or the relative path.

4. Click Access Control, complete this field, and then save the
document:

Field: Current access control list
Enter: The users and groups who can access the files or directories you specified and the type of access they are allowed. By default, the access control list contains a -Default- entry, set to No Access. Users who are not listed in this field receive the -Default- access level.
To add users to this list:
   1. Click Set/Modify Access Control List.
   2. Select a user name or group from the Domino Directory or enter a name in the Name field.
   3. Select Read/Execute access (GET method), Write/Read/Execute access (POST and GET methods), or No Access.
   4. Click Next to add this entry to the access list.
Note GET lets the user open files and start programs in the directory. POST is typically used to send data to a CGI program; therefore, give POST access only to directories that contain CGI programs. No Access denies access to the specified user or group.
To remove an entry from the list, select the entry and click Clear.
If users connect to the server using Anonymous access, enter Anonymous in the Name field and assign the appropriate access.

5. Enter this command at the console to refresh the server settings:
tell http refresh

Domino displays the File Protection document as a response to the Server
document.

Creating a Web Site authentication realm document


Using a Domino Web Site authentication realm, you can specify the text
string that appears when a user tries to access a certain directory or file
on a Domino Web server. When the browser prompts the user for a name
and password, the browser's authentication dialog displays the text
string. The browser uses the realm to determine which credentials (that
is, user name and password) to send with the URL for subsequent
requests. The Domino Web server caches the user's credentials to use for
different realms, in order to avoid prompting the user repeatedly for the
same credentials.


The realm string also applies to requests mapped to paths that have the
specified path as their root, provided that the child paths of the root do
not already have a specified realm. For example, the realm string
specified for D:\NOTES\DATA also applies to a request mapped to
D:\NOTES\DATA\FINANCE, if the latter does not have a realm
specification.
If there is no realm specification for a given path, Domino uses the path
from the request as a realm string.
If you are using Web Site documents, you can create a Web Site
Authentication Realm document for a specific Web Site document. The
Authentication Realm document appears as a response document to the
Web Site document in the Internet Sites view.
If you are using the Web Server Configurations view, or a virtual server
(Domino 5), you create a Web realm. The Web Realm document appears
as a response to the Server document which can be seen in the Web
Server Configurations view.
To create a Web Site authentication realm document
1. From the Domino Administrator, choose Configuration - Web - Internet Sites.
2. Choose the Web Site document for which you want to create an
authentication realm, and click Edit Document.
3. Click Web Site and choose Create Authentication Realm.
4. Click the Basics tab and complete the following fields:
Field: Description
Action: (Optional) Enter a name that differentiates this document from others you create.

Field: Directory or file path
Action: Enter the name of the path that you want to protect. It should be in either the fully-qualified path format, which includes the drive letter (for example, c:\lotus\domino\data\domino\cgi-bin), or the relative path to the server's data directory (for example, domino\cgi-bin).

Field: Realm label returned to browser
Action: Enter a text string that describes the location on the server, or any other descriptive string, which will be used as the realm that is displayed to the user and stored by the browser. This string should not contain any accented or international characters, because they will not be displayed correctly by the browser.
The browser displays the text string whenever there is an authentication or authorization failure at the location. The text appears in the browser's authentication dialog.


5. Save and close the document.


6. Enter this command at the console so that the settings take effect:
tell http refresh
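The following Python block is an added example, not Domino's own code. It models two lookups this chapter describes with the same helper: the File Protection documents from "Examples of controlling Web browser access to server files" earlier in the chapter (a directory document that grants the Web User Group GET access, a file-level document for secret.html that allows only Joe Smith, a -Default- entry of No Access, GET-only versus GET-and-POST access, and files with no document at all being open to anyone), and the realm inheritance described in this section (a request under D:\NOTES\DATA takes the realm of that path unless a closer path has its own, and with no realm document the request path itself is used). The user and group names, the cgi-bin document, the realm label, the longest-matching-path rule and the rule that a user's own entry takes precedence over group entries are assumptions of the example; it also shows the comma-to-slash rewrite for LDAP names from the access list note.

```python
# Added example, not Domino's own code: a toy model of how File Protection
# documents and authentication realm documents are chosen for a requested path.
# The document whose path is the file itself or its nearest ancestor applies.
# That longest-match rule and "a user's own entry beats group entries" are
# assumptions drawn from the text; all documents below are constructed.
from typing import Dict, FrozenSet, Iterable, Optional, Sequence

NO_ACCESS: FrozenSet[str] = frozenset()
GET_ONLY = frozenset({"GET"})              # Read/Execute access
GET_AND_POST = frozenset({"GET", "POST"})  # Write/Read/Execute access


def _norm(path: str) -> str:
    """Compare paths case-insensitively and with one separator style."""
    return path.replace("\\", "/").rstrip("/").lower()


def nearest_document(docs: Sequence[dict], requested: str) -> Optional[dict]:
    """Return the document for the path itself, else its nearest ancestor, else None."""
    target = _norm(requested)
    best = None
    for doc in docs:
        base = _norm(doc["path"])
        if target == base or target.startswith(base + "/"):
            if best is None or len(base) > len(_norm(best["path"])):
                best = doc
    return best


def file_protection(path: str, acl: Dict[str, FrozenSet[str]]) -> dict:
    """Build a File Protection document; -Default- is always present as No Access."""
    return {"path": path, "acl": {"-Default-": NO_ACCESS, **acl}}


def is_allowed(docs: Sequence[dict], requested: str, user: str,
               groups: Iterable[str], method: str) -> bool:
    """Decide one request (each file, image or script is checked on its own)."""
    doc = nearest_document(docs, requested)
    if doc is None:
        return True  # no document at all: anyone with a browser can fetch it
    acl = doc["acl"]
    if user in acl:
        permitted = acl[user]
    else:
        matched = [acl[g] for g in groups if g in acl]
        permitted = frozenset().union(*matched) if matched else acl["-Default-"]
    return method in permitted


def realm_for(realms: Sequence[dict], requested: str) -> str:
    """Realm label sent to the browser: inherited from the nearest ancestor that
    has a realm document; with no document, the request path itself is used."""
    doc = nearest_document(realms, requested)
    return doc["label"] if doc else requested


def ldap_name_for_acl(ldap_dn: str) -> str:
    """LDAP names go into the access list with slashes instead of commas."""
    return ldap_dn.replace(",", "/")


# Constructed documents mirroring the examples in the text.
DOCS = [
    file_protection(r"c:\notes\data\domino\html", {"Web User Group": GET_ONLY}),
    file_protection(r"c:\notes\data\domino\html\secret.html", {"Joe Smith": GET_ONLY}),
    file_protection(r"c:\notes\data\domino\cgi-bin", {"Web User Group": GET_AND_POST}),
]
REALMS = [{"path": r"D:\NOTES\DATA", "label": "Company intranet"}]
```

Running the constructed documents through is_allowed() shows the behaviour the text warns about: a member of the Web User Group can GET any file under the html directory and its subdirectories except secret.html, Joe Smith can read secret.html, an Anonymous user with no entry falls to -Default- and is refused, POST succeeds only where the cgi-bin document grants it, and a file in a directory with no document (such as the icons directory) is served to anyone.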

To create a Web Realm (Domino 5.0x)

1. Do one of the following:
   - If you are creating a Web Realm document for a server, from the
     Domino Administrator, click Configuration and click Servers.
   - If you are creating a Web Realm document for a virtual server,
     click Web - Web Server Configurations.
2. Do one of the following:
   - Open the Server document for the server to which the Web realm
     will apply.
   - If you are creating a Web Realm document for a virtual server,
     open the Virtual Server document.
3. Click Create Web (R5) and choose Realm.
4. Complete these fields and then save the document:

   Field: Enter

   IP Address
      (Optional) The IP address of the virtual server. Complete this
      field only if you are creating a Web realm for a virtual server.

   Path
      Enter the path that you want to protect, either as a fully
      qualified path that includes the drive letter, for example
      c:\lotus\domino\data\domino\cgi-bin, or as a path relative to the
      server's data directory, for example domino\cgi-bin.

   Realm returned to browser when access is denied
      Enter a text string that describes the location on the server, or
      any other descriptive string. It is used as the realm that is
      displayed to the user and stored by the browser. The string should
      not contain accented or international characters, because browsers
      do not display them correctly. The browser shows the string in its
      authentication dialog whenever an authentication or authorization
      failure occurs at the location.

5. Enter this command at the console so that the settings take effect:
   tell http restart

Setting Up the Domino Web Server 34-47

Web


Custom Web server messages


You can customize some of the error messages or responses that are
generated by the Web server. If an Error & Response form-mapping
document exists in DOMCFG.NSF, custom errors, not generic errors, are
used.
To create a message page, create a form for each type of message and
then create a mapping document in the Domino Configuration database
(DOMCFG.NSF) to specify which form to display. While you can store
message pages in any database, the one most commonly used is
DOMCFG.NSF.
You can customize the messages that a user receives when:
- The user fails to authenticate with the server.
- The user is not authorized to access one of the databases that is part
  of the Web site on the server.
- The user issues a command to delete a document from a database, and
  the server successfully completes the deletion.
- The user's Internet password has expired.
- The user attempts to change their Internet password and that is not
  allowed.
- The user changes their Internet password and the change is submitted
  and accepted.
In addition, you can specify a general message that appears for all other
types of errors or responses that occur on the Web server.
Note The general error message will not be generated for errors that
occur when accessing non-database files. This type of custom error
message only works when errors are encountered while accessing .NSF
files.
If you enabled session-based name and password authentication,
Domino displays an HTML page you specify to request name and
password information from the user. Domino does not use customized
error pages to display errors when authenticating with the server or
accessing a database if session-based name and password authentication
is enabled.
Database designers also have the ability to create custom error messages
for individual databases that reside on Domino servers. These types of
custom error messages are stored within the database and will only be
generated when errors occur while accessing that specific database.


For information on customizing messages that a user receives for a
specific database on a server, see Application Development with Domino
Designer. For information on session-based name and password
authentication, see the chapter Setting up Name-and-Password and
Anonymous Access to Domino Servers. For information on changing
Internet passwords, see the chapter Protecting and Managing Notes IDs.

Figure: how a custom message page is served. (1) The browser client
requests a page from the server Web-E/East/Acme. (2) The server gets the
message page mapping from the Domino Configuration database
(DOMCFG.NSF). (3) The server finds the message form in Any database
(ANYDB.NSF). (4) The server displays the message to the browser client.
In this example, the form for the message exists in the database
ANYDB.NSF and is returned to the user when the user encounters an error.
Users must have Reader access to the Domino Configuration database
(DOMCFG.NSF) and to Any database (ANYDB.NSF).
You can create custom error pages that apply to the entire server, a
specific Web site, or specific databases. A custom error page configured
for a specific database overrides both the Web-site-specific and the
server-wide custom error pages. A Web-site-specific custom error page
overrides the server-wide custom error message.
Creating custom Web server messages
Complete these procedures:
1. Create the Domino Configuration database.
2. Customize the Web server messages.

Creating the Domino Configuration database


You use the Domino Configuration database to map custom messages
that you create. These messages can be those that browser users receive
when they access a Web application, or they can be custom HTML pages
that you use to authenticate Web users with a name and password.


For information on customizing HTML pages for name-and-password
authentication, see the chapter Setting Up Name-and-Password and
Anonymous Access to Domino Servers.
1. Make sure the Web server exists.
2. From the Domino Administrator, choose File - Database - New.
3. Under Server, enter the name of the Domino server on which you
want to create this database.
4. Select the Domino Web Server Configuration template
(DOMCFG5.NTF) from the Advanced Templates list.
5. Under Title, enter a name for the database.
6. Under File name, enter DOMCFG.NSF.
Note The database must have this file name.
7. Click OK.
8. Add an entry named Anonymous to the database ACL and give the
entry Reader access.
9. Map custom Web server messages.

Mapping custom Web server messages


You can change the message users receive when they encounter an error
or delete a document while working with a site on the Web server.
1. Make sure the Domino Configuration database exists.
2. Open the database that will store the customized messages.
You can store custom messages in DOMCFG.NSF or in any database
on the server.
3. Using Domino Designer, create a form that contains the message you
want to display, and save the form.
4. Repeat Steps 2 and 3 for each custom message. The forms can exist in
the same database or in separate databases.
5. Select the Error & Response Mappings view and then click Add
Mapping.
6. Do one of the following:
Choose All Web Sites/Entire Server to customize a message for
all Web sites on the server.
Choose Specific Web Site/Virtual Server and enter the host
name or IP address for the Web site. The custom messages will
then only apply to the specified Web Site or virtual server.
7. (Optional) Enter a comment about the error message or response.

8. For each type of error or response, under Target Database, enter


the name of the database that contains the form you want to display.
9. For each type of error or response, under Target Form, enter the
name of the form you want to display.
10. Save the Error Message Response Mapping document.
11. In the ACL for the database that contains the forms, assign Author
    access to the server that stores the database.

For information on creating forms and customizing Web server messages
for a specific database on a server, see Application Development with
Domino Designer.

Example of custom Web server messages


This Error Message & Response Mapping document uses forms stored in
the database named MESSAGES.NSF on the current server. These forms
contain custom messages for authentication and authorization failures
and for responses to document deletions. For all other general error
messages, Domino displays the default message text stored in the
Domino Configuration database.
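The following Python function, an added example that is not part of the Domino documentation, resolves which custom page applies to one request under the rules described in this section: database-level messages win over Web-site mappings, which win over server-wide mappings; custom pages apply only to requests for .NSF files; and the custom authentication and database-access pages are not used when session-based authentication is enabled. The mapping documents, host names, database and form names are constructed for the example, and the fall-back from a missing per-type mapping to the general message at the same scope is an ordering assumption, not something the documentation spells out.

```python
# Error and response types of an Error & Response Mapping document.
AUTH_FAIL = "authentication failure"
NOT_AUTHORIZED = "authorization failure"
DELETED = "document deleted"
PW_EXPIRED = "password expired"
PW_CHANGE_DENIED = "password change not allowed"
PW_CHANGED = "password changed"
GENERAL = "general error"

# Constructed Error & Response Mapping documents in DOMCFG.NSF.
# scope None stands for "All Web Sites/Entire Server"; otherwise it is the
# host name or IP address of a "Specific Web Site/Virtual Server" document.
MAPPINGS = [
    {"scope": None,
     "targets": {AUTH_FAIL: ("messages.nsf", "AuthFail"),
                 GENERAL: ("domcfg.nsf", "GenericError")}},
    {"scope": "www.acme.com",
     "targets": {AUTH_FAIL: ("acmemsgs.nsf", "AcmeLogin"),
                 DELETED: ("acmemsgs.nsf", "Deleted")}},
]

# Constructed database-level messages set up by the designer; they live in
# the database itself and apply only to that database.
DB_MESSAGES = {
    "sales.nsf": {NOT_AUTHORIZED: ("sales.nsf", "NoAccessPage")},
}


def resolve_message(error_type, site_host, database, session_auth=False):
    """Return (database, form) of the custom page to display, or None when
    Domino falls back to its built-in message."""
    # Custom messages are only produced for errors while accessing .NSF
    # files, never for files such as /icons/abstract.gif.
    if database is None or not database.lower().endswith(".nsf"):
        return None
    # With session authentication Domino shows its own login page and does
    # not use custom pages for authentication or database-access errors.
    if session_auth and error_type in (AUTH_FAIL, NOT_AUTHORIZED):
        return None
    db_specific = DB_MESSAGES.get(database.lower(), {}).get(error_type)
    if db_specific:
        return db_specific
    site_docs = [d for d in MAPPINGS
                 if d["scope"] and d["scope"].lower() == site_host.lower()]
    server_docs = [d for d in MAPPINGS if d["scope"] is None]
    # Most specific scope first; a per-type mapping before the general one
    # (the latter ordering is an assumption of this example).
    for wanted in (error_type, GENERAL):
        for doc in site_docs + server_docs:
            if wanted in doc["targets"]:
                return doc["targets"][wanted]
    return None
```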


Improving Web server performance

After you set up the Domino Web server and make sure that it runs
properly, check the server's performance and response time. To improve
server performance and response time, you can do any of the following:
- Manage the memory cache on the Web server.
- Specify network timeouts on the Web server.
- Specify the number of threads used by the Web server.
- Improve file-download performance for Web clients.
- Specify whether more than one Web application agent can run at one
  time, as well as the timeout period for all Web application agents.
- Restrict the amount of data that users can send to the server using
  the HTTP POST command.
- Set up the Domino Web server in a cluster.
For more information on improving clustered Web server performance, see
Administering Domino Clusters.

Managing the memory cache on the Web server


Mapping information about databases and authenticating users can take
time. To optimize response time, Domino uses a memory cache
(command cache) to store this information. The memory cache stores the
information for quick access.
For more information, see the chapter Monitoring the Domino System.
For more information on tuning the performance of an application, see
Application Development with Domino Designer.
To manage memory cache on a Web server
1. Open the Server document you want to edit and click Edit Server.
2. Choose Internet Protocols - Domino Web Engine. Under Memory
Caches, complete these fields:
   Field: Action

   Maximum cached designs
      Enter the number of database design elements to cache. The default
      is 128. When a user opens a database, Domino maps each design
      element name to an identification number, which takes time. Use
      this field to specify how many elements to keep in memory so that
      the next time a user accesses an element it is immediately
      available.

   Maximum cached users
      Enter the number of users to cache. The default is 64. After a user
      successfully authenticates with the server, Domino stores the
      user's name, password, and list of group memberships in memory.
      Use this field to increase the number of users for whom Domino
      keeps this information.

   Cached user expiration interval
      Enter the interval, in seconds, after which Domino removes a user's
      name, password, and group memberships from the cache. The default
      is 120. Until an entry expires, a changed password or a revoked
      group membership in the directory is not seen by the Web server;
      expiring entries forces Domino to look up the credentials in the
      directory again the next time the user accesses the server, so
      shorten the interval if directory changes must take effect sooner.
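An added example, not part of the Domino documentation and not Domino's implementation: a bounded, expiring cache of authenticated users that makes the consequence of the two settings above concrete. An administrator changes a user's password and removes a group membership in the directory, but the old credentials and the old group list keep working until the cached entry is older than the expiration interval. The directory contents, names and clock values are constructed; the clock is injected so the behaviour can be checked without waiting.

```python
from collections import OrderedDict

# Constructed stand-in for the Domino Directory: name -> (password, groups).
DIRECTORY = {
    "Jane Smith/Acme": ("winter01", ["Sales", "Managers"]),
}


class UserCache:
    """Bounded, expiring cache keyed by user name (model, not Domino's code)."""

    def __init__(self, max_users=64, expiration_interval=120):
        self.max_users = max_users
        self.ttl = expiration_interval
        self.directory_lookups = 0
        self._entries = OrderedDict()  # name -> (password, groups, cached_at)

    def authenticate(self, name, password, now):
        """Return the user's group list on success, None on failure.
        `now` is the current time in seconds since the cache was created."""
        entry = self._entries.get(name)
        if entry is not None and now - entry[2] < self.ttl and entry[0] == password:
            self._entries.move_to_end(name)      # cache hit: directory not consulted
            return list(entry[1])
        # Unknown, expired, or a different password: consult the directory.
        self.directory_lookups += 1
        record = DIRECTORY.get(name)
        if record is None or record[0] != password:
            self._entries.pop(name, None)
            return None
        self._entries[name] = (record[0], list(record[1]), now)
        self._entries.move_to_end(name)
        while len(self._entries) > self.max_users:
            self._entries.popitem(last=False)    # evict the least recently used user
        return list(record[1])

    def cached_names(self):
        return list(self._entries)


def demo():
    """Password changed and a group removed at t=0+; the old password and the
    old group list are still accepted at t=60, rejected once the 120-second
    interval has passed."""
    cache = UserCache(max_users=64, expiration_interval=120)
    first = cache.authenticate("Jane Smith/Acme", "winter01", now=0)
    DIRECTORY["Jane Smith/Acme"] = ("spring02", ["Sales"])     # administrator's change
    stale = cache.authenticate("Jane Smith/Acme", "winter01", now=60)
    old_rejected = cache.authenticate("Jane Smith/Acme", "winter01", now=121)
    new_accepted = cache.authenticate("Jane Smith/Acme", "spring02", now=122)
    return first, stale, old_rejected, new_accepted, cache.directory_lookups
```

The same window applies to a user whose Person document is removed while an entry is cached, which is the reason to lower the interval on servers where revocation must be prompt and to accept the extra directory lookups that result.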

Specifying network time-outs on the Web server


Open, inactive sessions can prevent users from accessing the server.
Specify time limits for activities between the Domino Web server and
clients or CGI programs so connections do not remain open if there is no
network activity between them.
To specify network time-outs on the Web server
1. Open the Server document you want to edit and click Edit Server.
2. Click Internet Protocols - HTTP. In the Timeouts section, complete
these fields:
   Field: Action

   HTTP persistent connection
      Specify whether to enable persistent HTTP connections on the Web
      server. A connection remains open after a response only when all
      of the following conditions hold:
      - The HTTP protocol is 1.1.
      - The server application returns an HTTP response code below 400.
        (If it returns a response code of 400 or higher, the server
        closes the connection.)
      - The HTTP request did not come through a proxy server.
      - The client did not send a "Connection: close" header.
      - The number of connections that the server can support is not
        running low, and the number of connections queued for the thread
        processing the request is not too large.
      If the connection is kept open, the following settings apply:
      - The connection is closed if the maximum number of requests per
        connection is exceeded.
      - The connection is closed if the persistent connection timeout is
        exceeded.
      - The connection is closed if the server receives no data within
        the input timeout.
      - The connection is closed if a complete request is not received
        within the request timeout.
      Note Persistent connections require more server overhead than
      connections that are limited by network activity.

   Maximum requests per persistent connection
      Specify the maximum number of HTTP requests that can be handled on
      one persistent connection. The default is 5.

   Persistent connection timeout
      Specify the length of time, in seconds, for which a persistent
      connection remains open. The default is 180 seconds.

   Request timeout
      Specify the time, in seconds, that the server waits to receive an
      entire request. The default is 60 seconds. If the server does not
      receive the entire request within this interval, it terminates the
      connection.

   Input timeout
      Enter the time, in seconds, that a client has to send a request
      after connecting to the server. The default is 15 seconds. If no
      request is sent within this interval, the server terminates the
      connection. If only a partial request is sent, the input timer is
      reset to the specified limit in anticipation of the rest of the
      data arriving.

   Output timeout
      Enter the maximum time, in seconds, that the server has to send
      output to a client. The default is 180 seconds.

   CGI timeout
      Enter the maximum time, in seconds, that a CGI program started by
      the server has to finish. The default is 180 seconds.
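An added example, not part of the Domino documentation: a model of the request-phase timers in the table, used to see which setting ends a connection for a given pattern of client behaviour. The event sequences are constructed. The timer semantics follow the table, with two modelling assumptions stated here: the request timeout counts from the first byte of a request and is not reset by further partial data, and between requests on a kept-open connection the persistent connection timeout is the only timer that applies.

```python
INPUT_TIMEOUT = 15        # seconds, default "Input timeout"
REQUEST_TIMEOUT = 60      # seconds, default "Request timeout"
PERSISTENT_TIMEOUT = 180  # seconds, default "Persistent connection timeout"
MAX_REQUESTS = 5          # default "Maximum requests per persistent connection"


def run_connection(events, input_timeout=INPUT_TIMEOUT,
                   request_timeout=REQUEST_TIMEOUT,
                   persistent_timeout=PERSISTENT_TIMEOUT,
                   max_requests=MAX_REQUESTS):
    """events: (time, kind) pairs, kind 'data' for partial request bytes or
    'end' for a completed request; the client connected at time 0.
    Returns (reason, time) for the server-side close, or
    ('client finished', t) if no timer fired before the client was done."""
    requests_done = 0
    last_data = 0.0        # time of the last byte received (0 = connect)
    request_start = None   # time of the first byte of the current request
    for t, kind in sorted(events):
        if request_start is None:
            if requests_done == 0:
                # Waiting for the first request: the input timeout applies.
                deadline, reason = last_data + input_timeout, "input timeout"
            else:
                # Idle between requests on a kept-open connection (assumption).
                deadline, reason = (last_data + persistent_timeout,
                                    "persistent connection timeout")
        else:
            # Mid-request: the input timer restarts on every partial send,
            # the request timer does not.
            deadline, reason = min(
                (last_data + input_timeout, "input timeout"),
                (request_start + request_timeout, "request timeout"))
        if t > deadline:
            return reason, deadline
        if kind == "data":
            if request_start is None:
                request_start = t
            last_data = t
        elif kind == "end":
            last_data = t
            request_start = None
            requests_done += 1
            if requests_done >= max_requests:
                return "maximum requests per connection", t
        else:
            raise ValueError("unknown event kind %r" % (kind,))
    return "client finished", last_data


def slow_drip():
    """One byte every 10 seconds for 80 seconds: the 15-second input timer
    never fires, the 60-second request timer does."""
    return run_connection([(10 * i, "data") for i in range(1, 9)])
```

Running slow_drip() shows why both timers are needed: a client that trickles data keeps resetting the input timer, so only the request timeout bounds how long a single incomplete request can occupy a thread.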

Running Web agents

You can specify whether Web application agents, that is, agents
triggered by browser clients, can run at the same time. These include
agents invoked by the WebQueryOpen and WebQuerySave form events and
agents invoked by the URL command OpenAgent. If you enable this option,
the agents run asynchronously; otherwise, the server runs one agent at a
time.
You should set an execution time limit for Web application agents. The
purpose of the time limit is to prevent Web agents from running
indefinitely and consuming server resources. However, do not rely on this
mechanism for the routine shutdown of agents: when the server shuts
down an offending agent, resources that the agent was using (such as
disk files) may be left open.
To run Web application agents
1. Open the Server document you want to edit.
2. Choose Internet Protocols - Domino Web Engine. Under Web Agents,
   complete these fields:

   Field: Enter

   Run Web agents concurrently?
      Choose one:
      - Enabled: allow more than one agent to run on the Web server at
        the same time (asynchronously)
      - Disabled (default): run only one agent at a time (serially)

   Web agent timeout
      The maximum number of seconds (elapsed clock time) for which a Web
      application agent is allowed to run. If you enter 0 (the default),
      Web application agents can run indefinitely.
      Note This setting has no effect on scheduled agents or other types
      of server or workstation agents.

Specifying the number of threads used by the Web server

An HTTP request is processed by a thread, and a thread in turn can
handle a number of network connections. You can specify the number of
threads the Web server uses. In general, the number of threads is an
indication of the number of users who can access the server
simultaneously.
When all active threads are busy, the Domino server queues new requests
until a request finishes and a thread becomes available. The more power
your machine has, the higher the number of threads you should specify.
If your machine spends too much time on overhead tasks, such as swapping
memory, specify a lower number of threads.
To specify the number of threads used by the Web server
1. Open the Server document you want to edit, and click Edit Server.
2. Click the Internet Protocols - HTTP tab.
3. Under Basics, enter a number for Number active threads. The default
   is 40.


Improving file-download performance for Web clients


Web clients can download a file that is attached to a page or that is in
a server directory that is mapped by a URL. If a client is using a
product that supports byte-range serving (available in HTTP 1.1 and
higher), the client downloads the file in sections (ranges of bytes) and
tracks the progress of each file download. If an interruption occurs,
the client can resume the download from the point where it was
interrupted. Without byte-range serving, users must repeat interrupted
downloads from the beginning.
Domino is compatible with clients that support the HTTP 1.1
specification. The clients may be implemented in a variety of ways, for
example, as browser plug-ins, applets, or stand-alone programs.
Attached files must be stored uncompressed so that clients that support
byte-range serving can access them. When you attach a file, deselect the
Compress option. To verify that an existing attachment is uncompressed,
from a Notes client choose File - Document Properties, select the $FILE
item, and verify that the Compression Type property is NONE.
Example of downloading a file from the server's file system
The file INSTALL.EXE is located in a directory that is enabled for
downloading using a URL-mapping. A GetRight 3.1 client can use the
following URL to download the file:
http://hostname/install.exe
where hostname is the name of the site.
If the download is interrupted, the client can restart the download from
the point where it was interrupted.
Example of downloading a file attachment
A user can download a PDF file one page at a time if the PDF file is
attached to a document and the user has set the configuration option in
Adobe Acrobat to download a page at a time. Downloading one page at
a time can greatly improve performance if the user is interested in only a
portion of a large file. For example, a user accesses the PROJECT.PDF file
using the following URL:
http://hostname/dbname/viewUNID/docUNID/$FILE/project.pdf
where hostname is the name of the site, dbname is the name of the
database that stores the attachment, viewUNID is the Universal ID of the
view for the attachment, and docUNID is the Universal ID of the
document to which the file is attached.
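The byte-range exchange behind both examples above, as an added example that is not part of the Domino documentation: the server side of an HTTP/1.1 Range request over an in-memory file, and the client-side resume step that requests only the bytes it is missing. The file contents are constructed (a 1024-byte stand-in for INSTALL.EXE); the handling of malformed and unsatisfiable ranges follows HTTP/1.1, which says to ignore a syntactically invalid Range header and to answer an unsatisfiable one with 416.

```python
import re

FILE = bytes(range(256)) * 4   # constructed 1024-byte "INSTALL.EXE"


def parse_range(header, size):
    """Parse 'bytes=first-last', 'bytes=first-' or 'bytes=-suffix'.
    Returns an inclusive (first, last) pair, None if the range cannot be
    satisfied for a file of `size` bytes, and raises ValueError if the
    header is malformed (the server then ignores it)."""
    m = re.fullmatch(r"\s*bytes=(\d*)-(\d*)\s*", header or "")
    if not m or m.group(1) == m.group(2) == "":
        raise ValueError("malformed Range header")
    first, last = m.group(1), m.group(2)
    if first == "":                          # suffix range: the last N bytes
        n = int(last)
        if n == 0:
            return None
        return max(size - n, 0), size - 1
    first = int(first)
    if last != "" and int(last) < first:
        raise ValueError("last-byte-pos before first-byte-pos")
    if first >= size:
        return None
    last = size - 1 if last == "" else min(int(last), size - 1)
    return first, last


def serve(data, range_header=None):
    """Return (status, headers, body) for a GET with an optional Range."""
    size = len(data)
    base = {"Accept-Ranges": "bytes"}        # advertises byte-range support
    if range_header is None:
        return 200, {**base, "Content-Length": str(size)}, data
    try:
        rng = parse_range(range_header, size)
    except ValueError:
        return 200, {**base, "Content-Length": str(size)}, data
    if rng is None:
        # 416 with the file's extent lets the client restart cleanly.
        return 416, {**base, "Content-Range": "bytes */%d" % size}, b""
    first, last = rng
    body = data[first:last + 1]
    headers = {**base,
               "Content-Range": "bytes %d-%d/%d" % (first, last, size),
               "Content-Length": str(len(body))}
    return 206, headers, body


def resume_download(data, partial):
    """Client side after an interruption: ask for the bytes after the ones
    already held and append them; None if the server did not honour it."""
    status, headers, body = serve(data, "bytes=%d-" % len(partial))
    if status != 206:
        return None
    return partial + body
```

A client such as the PDF reader in the second example issues many small ranges against one attachment; each is an independent request, which is why the attachment must be stored uncompressed, since the offsets in a compressed copy would not correspond to positions in the file the client is reading.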

Chapter 35
Setting Up Domino to Work with Other Web Servers

This chapter describes how to set up Domino to process requests from
other types of Web servers.

Setting up Domino to work with other Web servers

Back-end Domino 6 servers can receive, and respond to, requests from
front-end IBM HTTP Servers (IHS) or from Microsoft Internet Information
Servers (IIS). For this communication to occur, the appropriate
WebSphere Application Server (WAS) 4.0.3 or later plug-in must be
installed on the front-end server. These plug-ins recognize HTTP requests
for Domino applications and pass them along to the Domino server. Other
HTTP requests will be handled by the front-end server itself.
A typical scenario is for the front-end server to be outside a firewall. The
front-end server receives requests from Web users, the plug-in relays the
requests over HTTP, through the firewall, to the HTTP task on the
back-end Domino 6 server. The Domino 6 server then processes the
request and sends the reply back to the plug-in, which relays it to the user.
A plug-in can be configured to support any number of backend servers.
Since Domino uses the same plugins as WebSphere, you can also
combine Domino and WebSphere servers. For example, a Domino server
hosting a mail application and a WebSphere server hosting a J2EE
application could both be placed behind the same IIS front-end server.
The backend Domino server can be on any supported operating system
platform. The following front-end servers are supported:
IBM HTTP Server on AIX, Windows NT 4.0, and Windows 2000 Server.
Microsoft IIS on Windows NT 4.0 and Windows 2000 Server.
The plug-in files are packaged with the Domino 6 server and their use is
covered by your Domino license. You do not need to install any other
WebSphere components to use the Microsoft IIS plug-in. However, to use
the IHS plug-in you must install the IHS components of WebSphere on
the front-end server.

The following features are supported for the Domino back-end servers:
core Domino database functionality, Lotus iNotes Web Access, Lotus
Domino Off-Line Services (DOLS), Lotus Discovery Server. Additional
Domino products may also be supported; refer to the product
documentation for details.

Setting up Domino to work with IBM HTTP servers


The IBM HTTP Server (IHS) is packaged as part of the WebSphere
server. For information on installing IHS and the WebSphere server see
the WebSphere installation documentation. Installing the plug-in is an
option during WebSphere installation. For information on installing the
plug-in during WebSphere setup, see the WebSphere installation
documentation.
The plug-in files are also packaged with the Domino 6 server. If the
plug-in was not installed during WebSphere installation, the
administrator can copy the plug-in files from the Domino 6 server.
To install the WebSphere plug-in from Domino
1. Install a Domino 6 server. The plug-in files are packaged with the
server.
2. On the IHS server, create the appropriate directory structure.
For AIX:
/usr/WebSphere/AppServer/bin
/usr/WebSphere/AppServer/config
/usr/WebSphere/AppServer/logs
For Win32 (you can use any drive):
c:\WebSphere\AppServer\bin
c:\WebSphere\AppServer\config
c:\WebSphere\AppServer\logs
Note The rest of these instructions assume you are using an AIX
server.
3. Copy the following files from the Domino server to the IHS server:
Copy <Domino data
directory>/domino/plug-ins/aix/mod_ibm_app_server_http.so to
/usr/WebSphere/AppServer/bin
Copy <Domino data directory>/domino/plug-ins/plugin-cfg.xml to
/usr/WebSphere/AppServer/config


4. On the IHS server, edit the IHS configuration file httpd.conf (on a
   default installation this file is located at
   /usr/HTTPServer/conf/httpd.conf). Add the following lines to the
   bottom of the file:
   LoadModule ibm_app_server_http_module /usr/WebSphere/AppServer/bin/mod_ibm_app_server_http.so
   WebSpherePluginConfig /usr/WebSphere/AppServer/config/plugin-cfg.xml

5. Modify the plugin-cfg.xml file according to the instructions for


configuring the WebSphere plug-in.
6. Set up the Domino server according to the instructions for IIS.
7. Restart the IHS server and test your installation.
Testing the IHS installation
To test your IHS server with plug-in:
1. Start Domino.
2. To verify that the Domino server HTTP task is functional, from a
   browser enter the URL:
   http://<domino server name:http port>/homepage.nsf
   (or any other NSF request supported by your Domino Web application).
   This request is sent directly to the Domino server, and the Domino
   HTTP task should respond with the expected page.
3. Start the front-end Web server.
4. To verify that the front-end server is functional and that the
   plug-in is working, in the browser enter:
   http://<frontend-server:http port>/homepage.nsf
   This request is sent to the front-end server; the WebSphere plug-in
   should relay it to the Domino server. The resulting page should look
   identical to the one in Step 2.

Setting up Domino to work with Microsoft IIS servers


To use a Microsoft IIS server as a front-end machine, you must install
the WebSphere Application Server 4.0.3 plug-in for IIS on the IIS server.
The plug-in files are packaged with the Domino 6 server and must be
copied from the Domino server to the IIS server. After you copy the
plug-in files, you must configure the plug-in, then configure the Domino
server to work with the IIS plug-in. You do not need to install any other
WebSphere components to use the Microsoft IIS plug-in.


See the following topics:
- To install the WebSphere plug-in on an IIS server
- To configure the WebSphere plug-in
- To configure the Domino server to work with Microsoft IIS
- Setting up security for Microsoft IIS
- Details of Microsoft IIS security options
To install the WebSphere plug-in on an IIS server


Do the following to install the WebSphere plug-in on the IIS server and
enable it for a Web site. Before beginning this procedure, you should be
familiar with the Internet Services Manager configuration tool. On
Windows NT this tool is accessed through the Microsoft Management
Console.
1. Create the following directory structure on the IIS machine (you may
use any drive);
C:\WebSphere\AppServer\bin
C:\WebSphere\AppServer\config
C:\WebSphere\AppServer\etc
C:\WebSphere\AppServer\logs
2. Copy the following files from the Domino server to the IIS server:
a. Copy data/domino/plug-ins/plugin-cfg.xml to
c:\WebSphere\AppServer\config.
b. Copy data/domino/plug-ins/w32/iisWASPlugin_http.dll to
c:\WebSphere\AppServer\bin.
c. Copy data/domino/plug-ins/w32/plug-in_common.dll to
c:\WebSphere\AppServer\bin.
3. Start the Internet Service Manager application.
4. Create a new Virtual Directory for the Web site instance you want to
work with WebSphere. To do this with a default installation, expand
the tree on the left until you see Default Web Site. Right click on
Default Web Site and select New - Virtual Directory. This opens
the wizard for adding a Virtual Directory.
5. In the Alias field, enter sePlugins.
6. In the Directory field, browse to the WebSphere bin directory
(C:\WebSphere\AppServer\bin).
7. For access permissions, check and uncheck all other permissions.
8. Click Finish. A virtual directory titled sePlugins is added to your
default Web site.

9. Right click the machine name in the tree on the left and select
Properties.
10. On the Internet Information Services tab, select WWW Service in
the Master Properties drop down box and click Edit.
11. In the WWW Service Master Properties window, click the ISAPI
    Filters tab.
12. Click Add. This opens the Filter Properties dialog.
13. In the Filter Name: field, type iisWASPlugin.
14. In the Executable: field, click Browse. Open the WebSphere bin
    directory and select iisWASPlugin_http.dll.
15. Close all open windows by clicking OK.
16. Open the Windows registry file and create the following key path:
HKEY_LOCAL_MACHINE - SOFTWARE - IBM - WebSphere
Application Server - 4.0. Select 4.0 and create a new string value
Plug-in Config. Set the value for this variable to the location of the
plugin-cfg.xml file (C:\WebSphere\AppServer\config\
plugin-cfg.xml)
17. To enable the plug-in for additional Web sites, repeat Steps 4
through 8.
To configure the WebSphere plug-in
The WebSphere configuration file WebSphere\AppServer\config\
plugin-cfg.xml controls the operation of the plug-in. In order for the
plug-in to relay requests to the target Domino server, you must add
directives to plugin-cfg.xml to define a transport route to the server, and
pattern rules for the URL namespaces that identify requests which are to
be relayed to Domino. The plug-in will only relay requests that match a
namespace rule. All other requests will be handled by the front-end Web
server.

To configure plugin-cfg.xml
1. Open plugin-cfg.xml in Notepad.
2. Modify the <Transport> element to target the appropriate Domino
   server. To do this, change the Hostname and Port parameters to the
   values the plug-in needs in order to reach your back-end server's
   HTTP task. For example:
   <!-- Server groups provide a mechanism of grouping servers
        together. -->
   <ServerGroup Name="default_group">
     <Server Name="default_server">
       <!-- The transport defines the hostname and port value that the
            web server plug-in will use to communicate with the
            application server. -->
       <Transport Hostname="mydomino.server.com" Port="81" Protocol="http"/>
     </Server>
   </ServerGroup>

3. Add these directives to the top of the <UriGroup> section. They
   specify the common URL patterns needed for accessing Domino Web
   applications:
   <UriGroup Name="default_host_URIs">
     <Uri Name="/*.nsf*"/>
     <Uri Name="/icons/*"/>
     <Uri Name="/domjava/*"/>

   If your Domino application requires additional namespaces, create
   <Uri> directives for those patterns as well.
Note All the WAS plug-ins automatically reread the configuration file
once a minute to pick up changes. If you don't want to wait that long,
you must stop and restart the front-end Web server. In the case of the
IIS plug-in, stop the World Wide Web Publishing Service from the Windows
Services control panel, then restart the Web site from the Internet
Services Manager. Stopping and restarting the Web site by itself won't
work, because the plug-in DLL won't be reloaded.
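An added example, not part of the Domino documentation: a small checker that reads a plugin-cfg.xml of the shape shown above and answers the question an administrator has after editing it, namely which requests the plug-in relays to Domino and to which host and port, and which are left to the front-end server. The XML document is constructed for the example using the element and attribute names from the steps above; the matching rule applied to the Uri patterns (shell-style wildcards, case-insensitive) is an assumption about the plug-in, not something the documentation states.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed plugin-cfg.xml fragment with the elements shown above.
PLUGIN_CFG = """<Config>
  <ServerGroup Name="default_group">
    <Server Name="default_server">
      <Transport Hostname="mydomino.server.com" Port="81" Protocol="http"/>
    </Server>
  </ServerGroup>
  <UriGroup Name="default_host_URIs">
    <Uri Name="/*.nsf*"/>
    <Uri Name="/icons/*"/>
    <Uri Name="/domjava/*"/>
  </UriGroup>
</Config>"""


def load_config(xml_text):
    """Return ([(host, port, protocol), ...], [uri pattern, ...])."""
    root = ET.fromstring(xml_text)
    transports = [(t.get("Hostname"), int(t.get("Port")), t.get("Protocol", "http"))
                  for t in root.iter("Transport")]
    uris = [u.get("Name") for u in root.iter("Uri")]
    return transports, uris


def route(path, transports, uris):
    """Return the (host, port, protocol) a request for `path` is relayed to,
    or None if the front-end Web server handles it itself.  Matching is
    assumed to be shell-style and case-insensitive."""
    p = path.lower()
    if any(fnmatch.fnmatchcase(p, pattern.lower()) for pattern in uris):
        return transports[0] if transports else None
    return None


def check_config(xml_text):
    """Sanity checks worth running before restarting the front-end server.
    Returns a list of problems; an empty list means nothing obvious is wrong."""
    transports, uris = load_config(xml_text)
    problems = []
    if not transports:
        problems.append("no <Transport> element: nothing to relay to")
    for host, port, proto in transports:
        if not host:
            problems.append("<Transport> without a Hostname")
        if proto not in ("http", "https"):
            problems.append("unknown protocol %r" % proto)
        if not 1 <= port <= 65535:
            problems.append("bad port %d" % port)
    if not any(fnmatch.fnmatchcase("/names.nsf", u.lower()) for u in uris):
        problems.append("no <Uri> pattern matches *.nsf requests")
    return problems
```

Because only matching requests reach Domino, a missing pattern shows up as the front-end server's own 404 rather than a Domino error page, so after adding an application namespace it is worth running a known URL through route() before relying on the one-minute automatic reload.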


To configure the Domino server to work with Microsoft IIS

On the back-end Domino server, add the following line to NOTES.INI:
HTTPEnableConnectorHeaders=1
This setting enables the Domino HTTP task to process the special headers
that the plug-in adds to requests. These headers carry information about
the front-end server's configuration and the user's authentication
status. As a security measure, the HTTP task ignores these headers
unless the setting is enabled; this prevents an attacker from mimicking
a plug-in. Once the setting is enabled, that protection rests on the
front-end server being the only client able to reach the back-end HTTP
port: any client that can connect to the Domino HTTP task directly could
supply the same headers itself. Restrict direct access to that port to
the front-end server, for example with the firewall described at the
beginning of this chapter.

Setting up security for Microsoft IIS


When you have set up an IIS plug-in and a Domino back-end server, Web
applications are subject to both IIS security and Domino security. After
IIS authenticates a user against the Windows NT user accounts, those
credentials, if any, are passed to Dom
ino for user authorization.
Microsoft IIS supports four methods of user authentication. The Domino
plug-in configuration supports all of them except Digest authentication.
- Anonymous access (the user does not enter a name or password)
- Basic Authentication (the user enters a name and password)
- Digest authentication (an enhanced version of Basic authentication,
  available only on Windows 2000). The Domino plug-in configuration does
  not support this authentication method.
- Integrated Windows authentication (a special protocol supported by
  Microsoft Internet Explorer; on NT, this protocol is called Windows NT
  Challenge/Response)
- SSL
IIS requires user authentication in order to control access to resources
owned by IIS, such as the file system and Active Server Pages. If a user
requests access to a Domino resource, the IIS plug-in passes the
authentication information to Domino. The information passed depends on
the combination of authentication methods enabled on IIS. After the
information is passed, Domino authenticates the user according to the
procedures discussed in Details of Microsoft IIS security options. All of
the Domino directory options are available, such as using multiple
Domino Directories and LDAP directories.
For information on setting up security options on the Domino server, see
the chapter Planning Security.


To set up security on the IIS server:


1. Start the Internet Services Manager (or Microsoft Management
Console on NT).
2. Right-click the IIS Web site and select Properties.
3. Click the Directory Security tab.
4. Click Edit in the Anonymous Access and Authentication Control
section.
5. Choose one or more of the authentication options and click OK.
Details of Microsoft IIS security options
Anonymous Access
Anonymous Access lets Web users access a Web site without a user name or
password. IIS always maps anonymous Web users to a specific NT anonymous
user account, which you can configure. If Anonymous Access is the only
IIS authentication method enabled, IIS does not use any user credentials
(that is, a user name and password sent by the browser) for
authentication, but the IIS plug-in passes the credentials to Domino,
and Domino authenticates the user according to the normal procedure for
Web users. If an anonymous user attempts to access a Domino resource
that requires authentication, Domino responds according to the security
options you have set for the Domino Web site (a Basic name-and-password
challenge, or a session authentication login page). Therefore, if you
want Domino to handle user authentication completely, enable Anonymous
Access as the only security option for the IIS Web site.
For information, see the chapter Setting Up Name-and-Password and
Anonymous Access to Domino Servers.
Anonymous Access uses the following guidelines:
- The Web user does not need to be a registered NT user.
- If you want a user to access secure resources, the Web user must be a
  registered Domino user and the user must have an Internet password.

Basic Authentication
When using Basic Authentication, IIS verifies the user credentials that the
browser sends as a valid NT user account. If Basic Authentication is the
only IIS authentication method enabled, IIS requires all browser requests
to have credentials; anonymous access is not allowed. Whenever a user
sends a Domino request, the IIS plug-in passes the user name to Domino
and informs Domino that the user has been authenticated by IIS. Such a
user is called a pre-authenticated user. The plug-in passes the
pre-authenticated name exactly as the user entered it in the browser.
Domino then attempts to look up that name in its directories. Since IIS
has already verified the user's password, Domino does not use the
Internet password stored in the user's Person document or LDAP entry.
If Domino finds the name in a Domino Directory, then Domino uses the
primary name in the Person record for authorization (ACL checking). If
Domino does not find the name, then Domino uses the pre-authenticated
name as-is for authorization.
In both cases, Domino builds the user's group list from the set of groups
in the Domino Directory which include the user as a member, and
Domino also adds the special group -WebPreAuthenticated- to the
group list. You may use -WebPreAuthenticated- as a group entry in
database ACLs and other access lists. Because the group is added even
when the name is not in the directory, any NT account that IIS accepts
receives whatever access -WebPreAuthenticated- grants.
Note If you want to list IIS users by name in database ACLs, you must
be careful to use the correct form of the name. Use the primary name if
the user is listed in the Domino Directory, or the IIS pre-authenticated
name if the user is not in the directory. Remember that if a user is listed
by name in an ACL and is also a member of a group in the ACL
(including -WebPreAuthenticated- or any other group), the name entry
takes precedence over the group entry.
In summary, Basic Authentication uses the following guidelines:
• Anonymous access is not allowed.
• The Web user must be a registered NT user.
• The Web user does not have to be a registered Domino user.
• Domino does not use the user's Internet password.
• The Web user is automatically assigned to the -WebPreAuthenticated-
  group.

Integrated Windows Authentication (called Windows NT
Challenge/Response on NT)
Integrated Windows authentication is a Microsoft-specific protocol
supported by Internet Explorer (IE). When a Web user makes a request to
the site, IE automatically sends to IIS the user's current Windows logon
account name. IIS verifies the name against the Windows registry on the
IIS server. When a user makes a Domino request, the IIS plug-in passes
to Domino the user's Windows name and Domino processes the
pre-authenticated name as described above for Basic authentication.
Windows account names use the form domain\username or
machinename\username, for example, SALES\JSmith. If Domino is
using Person documents in the Domino Directory to authenticate the
Windows users, the documents must contain the exact Windows account
names as aliases. For example, if Joe Smith has a Notes ID in the
CorpSales domain and a Windows user account in the SALES
Windows domain, the User name field in Joe Smith's Person document
needs to contain:
Joe Smith/CorpSales
SALES\JSmith
This allows Domino to authenticate the Windows user SALES\JSmith as
the Domino user Joe Smith/CorpSales.
In summary, integrated Windows authentication uses the following
guidelines:
• If this is the only authentication method enabled, only IE users can
  access the Web site.
• Anonymous access is not possible, since IE automatically sends the
  user's Windows account name on every request.
• The Web user must be a registered NT user.
• If you want to match the Windows user to a Domino Person
  document, you need to add the user's Windows account name as an
  alias to the Person document.
• Domino does not use the Internet password.
• The user is automatically assigned to the -WebPreAuthenticated- group.
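The name-resolution and ACL rules stated above for Basic and integrated Windows pre-authenticated users (primary name if found in the directory, pre-authenticated name as-is if not, -WebPreAuthenticated- added either way, a name entry overriding any group entry) are easy to get wrong in an ACL. The following model is an added example written for this edition, not Domino code: the Person documents, groups, ACL and account names are constructed, and the case-insensitive name comparison and "highest matching group level" rule are assumptions of the model.

```python
"""Model of how Domino derives the authorization name and group list for an
IIS pre-authenticated user and applies a database ACL, following the rules
in this section.  Illustration only, not Domino code: the directory, groups,
ACL and names below are constructed."""

WEB_PREAUTH_GROUP = "-WebPreAuthenticated-"

# Constructed Person documents: primary name -> values of the User name field
# (primary name first, then aliases such as the Windows account name).
PERSONS = {
    "Joe Smith/CorpSales": ["Joe Smith/CorpSales", "SALES\\JSmith"],
    "Ann Lee/CorpSales": ["Ann Lee/CorpSales", "SALES\\ALee"],
}

# Constructed Group documents: group name -> members.
GROUPS = {
    "SalesStaff": ["Joe Smith/CorpSales", "Ann Lee/CorpSales"],
}

# Constructed database ACL.  Note the two name forms: a directory user is
# listed by primary name, a non-directory IIS user by the pre-authenticated name.
SAMPLE_ACL = {
    "-Default-": "No Access",
    WEB_PREAUTH_GROUP: "Reader",
    "SalesStaff": "Editor",
    "Joe Smith/CorpSales": "Author",
    "SALES\\Contractor": "No Access",
}

LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


def _same_name(a, b):
    # Assumption of this model: name comparison is case-insensitive.
    return a.casefold() == b.casefold()


def resolve_user(preauth_name):
    """Return (authorization name, group list) for a pre-authenticated user."""
    primary = next((p for p, names in PERSONS.items()
                    if any(_same_name(n, preauth_name) for n in names)), None)
    name = primary if primary is not None else preauth_name   # as-is if not found
    groups = [g for g, members in GROUPS.items()
              if any(_same_name(m, name) for m in members)]
    groups.append(WEB_PREAUTH_GROUP)   # added whether or not the user was found
    return name, groups


def effective_access(acl, preauth_name):
    """A matching name entry wins; otherwise the highest level among matching
    group entries (assumed rule); otherwise -Default-."""
    name, groups = resolve_user(preauth_name)
    for entry, level in acl.items():
        if _same_name(entry, name):
            return level
    group_levels = [level for entry, level in acl.items() if entry in groups]
    if group_levels:
        return max(group_levels, key=LEVELS.index)
    return acl.get("-Default-", "No Access")
```

Running it against the constructed ACL shows the point of the Note: SALES\JSmith resolves to Joe Smith/CorpSales and gets Author from the name entry despite SalesStaff being Editor; an ACL entry written as SALES\JSmith would be silently ignored for him; and an NT account that is not in the directory at all still gets Reader through -WebPreAuthenticated-.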

SSL
If you enable SSL on a Web server, IIS handles the actual SSL connection.
However, if a Web user provides a client certificate, the IIS plug-in
passes the certificate to Domino and Domino uses the certificate to
authenticate the user. If Domino cannot match the certificate to a user,
it downgrades the user to Anonymous access rather than rejecting the
request.


Chapter 36
Setting Up the Web Navigator

This chapter describes how to set up the server that runs the Web
Navigator and how to manage the information retrieved from the
Internet.

The Web Navigator

The Web Navigator lets Notes workstations access the Web without
having a direct connection to the Internet. The Web Navigator server,
which has a direct connection to the Internet, retrieves pages for users.
The Web Navigator retrieves pages from Internet servers, for example,
servers that use Internet services such as HTTP, FTP, or Gopher.
When someone requests a new page, the Web Navigator server connects
to the Internet server, retrieves the requested page, and copies the page
as a document into the Web Navigator database (WEB.NSF). If the
requested page already exists in the database, Domino immediately
opens the document without requesting it again from the Internet server.
Using the Web Navigator provides many benefits, including:
• Reduced Internet connection costs. Storing all the retrieved Web
  pages in a centralized database allows users to access the page in the
  database instead of connecting to the Internet.
• Monitoring capabilities. You can monitor Web-based activity, if
  needed.
• Simplified troubleshooting for Internet connections. You
  troubleshoot only one connection instead of troubleshooting one
  connection for each workstation.
• Familiar Notes interface. The retrieved Web pages are stored as
  documents in a database where people can request, view, and
  manage them using the Notes interface.

The following diagram shows the process the Web Navigator uses to
retrieve a page that a Notes client requests from a Web site.
[Diagram: a Notes client and the Web Navigator server
Web-Navig/East/Acme, which runs the Web task]
1. The Notes client requests a page from WWW.ACME.COM.
2. The server requests the page from WWW.ACME.COM.
3. The server returns the Web page as a Notes document.
4. The Notes client displays the Web page as a Notes document.

Setting up a Web Navigator server


The first time you start the Web task, Domino creates the Web Navigator
database (WEB.NSF) and enters default settings for the Web Navigator
database.
1. Set up a Domino server.
For more information, see the chapter Installing and Setting Up
Domino Servers.
2. Start the Web task on the server.
3. Set up the connection between the server and the Internet.
For information on setting up the Internet connection, contact your
Internet Service Provider.
4. If necessary, use a proxy to connect the Web Navigator server to the
Internet.
5. Edit the Server document for the users home/mail server.
6. Set up users to use the Web Navigator.

Starting and stopping the Web Navigator program

To do this: Perform this task
Start the Web Navigator manually: Enter load web at the console.
Start the Web Navigator automatically when you start Domino: Edit the
ServerTasks setting in the NOTES.INI file to include the command web.
Stop the Web Navigator: Enter tell web quit at the console.

For more information on server commands and NOTES.INI settings, see
the appendices Server Commands and NOTES.INI File.

Using a proxy server to connect the Web Navigator to the Internet

You can set up the Web Navigator to connect to the Internet through a
proxy server instead of using an Internet Service Provider (ISP) to
connect directly to the Internet. If you don't specify a proxy, you must
use a direct Internet connection to access the Internet.
1. Make sure that:
   The proxy is set up to connect to the Internet.
   The Web task is running on the server.
2. From the Domino Administrator, click the Configuration tab.
3. Expand the Server section and click All Server Documents.
4. Open the Server document for the Web Navigator server.
5. Click the Ports - Proxies tab, complete these fields, and then save the
document:
HTTP proxy: The name or IP address of the proxy and the port to
access HTTP pages.
FTP proxy: The name or IP address of the proxy and the port to
access FTP pages.
Gopher proxy: The name or IP address of the proxy and the port to
access Gopher pages.
SSL Security proxy: The name or IP address of the proxy and the port
you want to go through for pages on Internet servers that use SSL.
HTTP Tunnel proxy: Do not enter a value. This field is used to send
Notes remote procedure calls (NRPC). NRPC is the architectural layer
of Notes and Domino that controls services such as replication and
mail. The Web Navigator does not use NRPC for communication.
SOCKs proxy: The name or IP address of the proxy and the port. If you
enter a name or IP address in both the SSL Security proxy and SOCKs
proxy fields, Domino uses the SSL Security proxy. If you enter a name
or IP address in both the HTTP proxy and SOCKs proxy fields, Domino
uses the SOCKs proxy.
No proxy for these hosts and domains: The names of the hosts and
domains you want to access without going through the proxy. You can
bypass the proxy to access certain domains on the Internet or to access
your internal intranet domain. Do not enter an IP address in this field;
you must use the name. Separate multiple entries with commas or
returns. You can use wildcard (*) characters, for example, *lotus.com
or www.*.com.
6. Complete the procedure Editing the Server document for the Web
Navigator.

Editing the Server document for the Web Navigator

1. Make sure that you already set up the connection between the server
and the Internet. If necessary, use a proxy to connect the server to the
Internet.
2. From the Domino Administrator, click the Configuration tab.
3. Expand the Server section and then click All Server Documents.
4. Open the Server document for the Web Navigator server.
5. Click the Basics tab. Open the Server Location Information section
and go to the Servers section. Complete the InterNotes server field,
and save the document:
InterNotes server: The hierarchical name of the server running the Web
task. This is the default server to use if the InterNotes server field in
the user's Location document is blank.
6. Complete the procedure Setting up users to use the Web Navigator.
7. Restart the Web task on the server.

Setting up users to use the Web Navigator

You must specify the Web Navigator as the Internet browser for each
user. You can specify the browser in a policy, or you can set it
individually for each user.

Setting up users using a policy
If you are using policies, you can specify the browser setting as the
default for all users or groups. The option is located on the Basics tab of
the Setup Policy document, under Setup Policy Options for Browsers.
Complete each field using the information described in the procedure
Setting up users individually.

Setting up users individually
1. Edit the Server document for the Web Navigator server.
2. On each user's machine, choose File - Mobile - Edit Current Location.
3. Click the Internet Browser tab and complete these fields:
Internet browser: Notes
Retrieve/open pages: From InterNotes server, to use the Web Navigator
server specified in the InterNotes server field on the Servers tab.
4. Click the Servers tab and complete this field:
InterNotes server: The hierarchical name of the server running the Web
task. The server you specify in this field takes precedence over the
server specified in the InterNotes server field on the Server document.

To allow users to access private Web pages
When users fill out forms on the Web or retrieve pages from Internet
servers to which they authenticate, the Web Navigator encrypts those
pages with the user's public key and stores them in private folders in
the Web Navigator database.
To ensure that the Web Navigator can encrypt these private pages, make
sure that users' public keys exist in the Person documents in the Domino
Directory on the server. Domino automatically adds the user's public key
to the Person document when you register the user.

Customizing the Web Navigator

After you set up the Web Navigator on a server, you can customize it as
follows:
• Allow multiple users to retrieve pages
• Control access to Web sites
• Control access to Internet services
• Set up the Web Navigator to retrieve pages from sites that are
  secured by SSL
• Send mail from Web pages to the Internet
For information, see the topics that follow.

Allowing multiple users to retrieve pages concurrently

You can specify the number of users who can use the Web Navigator to
retrieve pages concurrently. If users start more concurrent Web retrievals
than allowed, Domino queues them and starts them as soon as it can.
Increasing the number of users who can retrieve pages improves
response time, but increases the server load.
1. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
2. Click the Server Tasks - Web Retriever tab, complete this field, and
then save the document:
Concurrent retrievers: The number you enter depends on the system
configuration for your server. If user access is slow because the number
of users specified in this field is less than the number of users
attempting to retrieve pages from the Internet, increase the number.
The default is 50.

Controlling access to Web sites

You can control the Web sites that users access. For example, you might
want to prevent users from browsing sites that are not work-related.
When you specify access settings, keep these tips in mind:
• Use a DNS name rather than an IP address. Entering an IP address
  forces the Web Navigator to take extra steps to perform a Domain
  Name System (DNS) lookup, and if the DNS cannot resolve an IP
  address, access to that site is denied.
• A more specific reference overrides a less specific reference. For
  example, if you enter www.*.com in the Deny access field and
  enter www.ibm.com in the Allow access field, users can access
  www.ibm.com but cannot access sites with names such as
  www.lotus.com.
• If you enter an identical reference in both the Allow access and
  Deny access fields, the Allow access entry overrides the Deny
  access entry.
• There is an implied [*] in the Allow access field at all times. This [*]
  allows access to all sites by default, unless you enter settings in the
  Deny access field to override this default. By these rules, to permit
  only listed sites, enter * in the Deny access field and list the permitted
  sites in the Allow access field; the more specific Allow entries then
  override the deny-all entry.

To control access to Web sites

1. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
2. Click the Server Tasks - Web Retriever tab, complete these fields, and
then save the document:
Allow access to these Internet sites: One or more of the following,
separated by commas or spaces:
  A DNS name, for example, www.lotus.com
  An IP address, for example, 205.159.212.10
  A DNS name or IP address with a wildcard (*), for example,
  www.*.com. You can use only one wildcard per entry; for example,
  you cannot enter w*.*.com.
Deny access to these Internet sites: Same as above.
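The three precedence rules for the Allow and Deny fields (more specific wins, identical entries resolve to Allow, implied [*] in Allow) combine in ways that are worth checking before a list goes into production. The following evaluator is an added example for this edition, not Domino's own code: the entries and host names are constructed, it compares host names as strings without the DNS lookup the tips above describe, and it takes "more specific" to mean "more literal characters outside the wildcard", which is this example's assumption about how Domino ranks entries.

```python
"""Evaluate the Web Retriever Allow/Deny fields as described above.
Added illustration, not Domino code.  Assumptions: specificity of an entry
is the count of its non-wildcard characters; matching is by string, with no
DNS resolution of IP addresses."""

import fnmatch


def parse_entries(text):
    """Split a field on commas and whitespace; reject entries with more than
    one wildcard, which the field does not permit."""
    entries = []
    for raw in text.replace(",", " ").split():
        if raw.count("*") > 1:
            raise ValueError(f"only one wildcard allowed per entry: {raw}")
        entries.append(raw.lower())
    return entries


def specificity(entry):
    return len(entry.replace("*", ""))


def best_match(target, entries):
    """Return the most specific entry matching target (host name or IP), or None."""
    matches = [e for e in entries if fnmatch.fnmatchcase(target, e)]
    return max(matches, key=specificity) if matches else None


def site_allowed(target, allow_field, deny_field):
    """True if the Web Navigator would retrieve from target."""
    target = target.lower()
    allow = best_match(target, parse_entries(allow_field))
    deny = best_match(target, parse_entries(deny_field))
    if deny is None:
        return True                     # implied [*] in the Allow field
    if allow is None:
        return False                    # only a Deny entry matched
    if specificity(allow) == specificity(deny):
        return True                     # identical reference: Allow wins
    return specificity(allow) > specificity(deny)   # more specific wins
```

Running the chapter's own example through it, www.ibm.com is allowed while www.lotus.com is denied; a deny-all entry of * with individual Allow entries produces an allow-list, and an entry such as w*.*.com is rejected as the field rejects it.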

Controlling access to Internet services

You can control which Internet services users can access. The Web
Navigator supports HTTP, FTP, HTTPS, Gopher, and Finger.
1. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
2. Click the Server Tasks - Web Retriever tab, complete this field, and
then save the document:
Services: One or more of the Internet services provided. The default is
HTTP, FTP, and GOPHER.

Setting up the Web Navigator to retrieve pages on sites secured by SSL

If users are accessing Web sites that are secured by SSL, you must set up
the Web Navigator to retrieve pages on these sites. The Web Navigator
server does not need to use SSL in order to retrieve pages from a Web
site that uses SSL.
To set up the Web Navigator server for SSL, do the following:
• Store the Web site's SSL certificate in the Domino Directory on the
  Web Navigator server.
• Enable the HTTPS protocol on the Web Navigator server as an
  Internet service.
For more information on SSL, see the chapter Setting Up SSL on a
Domino Server.
The Web Navigator supports sites that have SSL certificates issued by the
RSA Certificate Authority (CA), so you do not need to obtain the Web
site's SSL certificate if it was issued by the RSA CA. If the Web site does
not have a certificate issued by the RSA CA, you must obtain the Web
site's certificate and add it to the Domino Directory on the Web
Navigator server. Obtaining the certificate from a secure location ensures
that the certificate you receive is valid, and restricting access to servers
whose certificates you hold gives the most secure configuration.
Although not recommended, you can set up the Web Navigator to add
the Web site's SSL certificate automatically to the Domino Directory. Set
up this way, the Web Navigator allows users to access pages on any Web
site that uses SSL, even if the Domino Directory does not already contain
the certificate. This approach allows easy access for users, but
compromises the security of the data sent by users, since the server does
not verify the identity of the remote server before allowing the user to
access it: whatever certificate is presented on first contact is accepted,
so an impostor reached first is trusted like the real site.
To add specific certificates
1. Identify the certificate required by the secured Web site by browsing
to the site and obtaining the certificate name.
2. Use a Notes workstation to merge the certificate for the CA into the
Domino Directory.
For information, see the chapter Setting Up Clients for S/MIME and
SSL.
3. On the Server Tasks - Web Retriever tab of the Server document,
select HTTPS in the Services field.

To add certificates automatically

1. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
2. Click the Ports - Internet Ports tab and complete this field:
Accept SSL site certificates: Choose Yes.
3. Click the Server Tasks - Web Retriever tab, complete this field, and
then save the document:
Services: Choose HTTPS.

To view certificates
1. From the Domino Administrator, click the Configuration tab, and
choose Miscellaneous - Certificates.
2. Look at the Internet Cross Certificates category.

Sending mail from a Web page to the Internet

When users click a mailto URL on a Web page, Domino opens a new
mail message and enters the Internet address (user@company.com) in the
To: field.
Note If you use the Lotus SMTP MTA (Domino 4.6 and earlier) as the
gateway for Internet mail, users must append the foreign domain of the
SMTP Gateway to each Internet address, for example,
user@company.com@foreigndomain. So that users don't need to specify
the foreign domain each time, you can specify the foreign domain of the
gateway in the Server document.
1. Make sure that users' Notes workstations are already set up to use
Notes mail.
For information, see the chapter Setting Up and Managing Notes
Users.
2. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
3. Click the Server Tasks - Web Retriever tab, complete this field, and
then save the document:
SMTP Domain: The name of the foreign domain of the SMTP mail
gateway.

The Web Navigator database


The Web Navigator database (WEB.NSF) resides on the Web Navigator
server and stores all pages that users retrieve from Web sites. Storing
Web pages in a central database reduces connection costs, since after one
user retrieves a page, the page is available in the database for others to
browse. The Web Navigator database contains features for Notes users
and administrators.

Database access
The default user access for the Web Navigator database is Editor, which
allows users to create HTML forms, Recommendation documents, and
Web tours. Domino adds the administrator names listed in the
Administrators field in the Server document for the Web Navigator
server to the ACL for the Web Navigator database and gives them
Manager access with the WebMaster role.

Administration document
The Administration document is stored in the Web Navigator database
and controls default settings for the database. You must have the
WebMaster role to access the document. Open WEB.NSF and access the
document from the Actions menu.


Agents
The Web Navigator database contains three agents that administrators
can use to manage documents in the database:
• The Purge agent removes documents that meet the criteria you
  specify. Regularly purging documents keeps the size of the Web
  Navigator database manageable.
• The Refresh agent updates the contents of pages stored in the Web
  Navigator database with the content of the Web sites from which they
  were originally retrieved. Pages in the database are not automatically
  updated after they are retrieved; therefore, the page content may
  quickly become outdated unless you use this agent.
• The Averaging agent creates an average rating of user-recommended
  pages. The top ten pages appear in the Recommended by Top Ratings
  view.

Web tours and Recommendation documents

Web tours and Recommendation documents allow users to collaborate
with others who use the Web Navigator database.
Using a Web tour document, users can group a set of Web pages for
others to view sequentially, for example, to create training materials or
to collect a set of pages that you previously viewed on the Web.
Using a Recommendation document, users can add useful Web sites to
the Web Navigator database.

Customizing the Web Navigator database

You can customize the Web Navigator database as follows:
• Display the names of users who retrieve pages
• Customize the default appearance of elements on retrieved Web pages
• Save and view HTML sources
• Rename and move the database
• Set preferences for the Purge, Refresh, and Averaging agents
• Use the Purge agent to manage the size of the database
• Use the Refresh agent to update pages in the database
• Use the Averaging agent to calculate page ratings in the database
For information, see the topics that follow.

Displaying who retrieved a page in the Web Navigator database


By default, the Web Navigator database uses a view named ($All) to
display information about each page that users retrieve. However, this
view does not display the name of the user who retrieved a particular
page.
To display the name of the user who retrieved a page, the Web Navigator
template provides a view titled ($All with Authors). The name displays
next to the title of the Web page. To use this as the default view, rename
it to ($All) so that the references to ($All) in the navigators work.
1. Make sure you have Designer access in the ACL of the Web
Navigator template (PUBWEB50.NTF) on the server.
2. Start the Domino Designer, open the Web Navigator template, and
select the ($All) view.
3. Choose Edit - Copy and then choose Edit - Paste to paste the Copy
of ($All) view into the template.
4. Delete the ($All) view.
5. Open the ($All with Authors) view.
6. Choose Design - View Properties and rename the view to ($All).
7. On the Options tab, select Default when database is first opened to
make this view the default.
8. Close and save your changes.
9. Replace the design of the Web Navigator database.
10. Make sure you have the WebMaster role in the ACL of the Web
Navigator database.
11. Select the Web Navigator database using a network connection to the
server.
12. Choose View - Go to and select All Documents.
13. Choose Actions - Administration, and select Save author
information.

Customizing the default appearance of pages in the Web Navigator
database

Web page authors use HTML tags to specify elements of a Web page.
The Web Navigator interprets these tags to determine how to display
these elements. You can customize the default appearance of many
elements on retrieved Web pages.
The Web Navigator supports Courier, Helvetica, and Times fonts.
1. Make sure you have the WebMaster role in the ACL of the Web
Navigator database.
2. Using the Notes client, open the Web Navigator database using a
network connection to the server.
3. Choose View - Go to and select All Documents.
4. Choose Actions - Administration, and then in the HTML Preferences
section, customize any of these settings:
Element: Field (default)
URL links: Anchors (Underline, Blue)
Font and size of elements not defined in other fields in the HTML
Preferences section: Body Text (Times 11-point)
Font for text in the <PLAINTEXT>, <PRE>, and <EXAMPLE> tags: Plain
(Courier; the font size is defined by the Body Text field)
Font for text in the <CODE>, <SAMPLE>, <KBD>, and <TT> tags: Fixed
(Courier; the font size is defined by the Body Text field)
Font for text in the <LISTING> tag: Listing (Courier; the font size is
defined by the Body Text field)
Font for text in the <ADDRESS> tag: Address (Times; the font size is
defined by the Body Text field)

Saving and viewing HTML sources in the Web Navigator database

You can save and view the HTML source for a Web page. Domino saves
the source in the Body field in the Web Navigator database.
This setting affects all pages retrieved by the Web Navigator server.
To save HTML sources
1. Make sure you have the WebMaster role in the ACL of the Web
Navigator database.
2. Using the Notes client, select the Web Navigator database using a
network connection to the server.
3. Choose View - Go to, and then select All Documents.
4. Choose Actions - Administration.
5. In the HTML Save Options field, choose one of the following:
   Save as Rich Text only, to store the rich text in the document in a
   Body field
   Save as Rich Text and HTML, to create separate Body fields for the
   rich text and the HTML tags
   Save as MIME only, to store the document in MIME format in a
   Body field
To view HTML sources
1. Open the document in the Web Navigator database.
2. Choose View - Show - HTML Source.

Renaming and moving the Web Navigator database

To rename the Web Navigator database
By default, Domino names the Web Navigator database WEB.NSF. You
can use another name if necessary.
1. Exit Domino and use the operating system to rename the database
file.
2. Start Domino.
3. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
4. Click the Server Tasks - Web Retriever tab, complete this field, and
then save the document:
Web Navigator database: The new file name of the Web Navigator
database.

To move the Web Navigator database

By default, Domino looks for the Web Navigator database in the data
directory on the Web Navigator server. You can move the Web
Navigator database to somewhere other than the data directory, for
example, to consolidate databases in a subdirectory.
1. Copy the Web Navigator database to a new subdirectory.
2. Delete the original Web Navigator database in the data directory.
3. Create a database link to the new database. You must create the
database link using the file name specified in the Web Navigator
database field in the Server document for the Web Navigator server.
4. Restart the server.

Setting agent preferences for the Web Navigator

The Web Navigator database includes three agents, Purge, Refresh,
and Averaging, that help you manage the database. Before you use the
agents, set up the preferences for them in the Server document for the
server on which the Web Navigator runs. You can specify agent security,
execution time, and schedule.

To specify agent security

1. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
2. Click the Security tab, complete these fields, and then save the
document:
Run restricted LotusScript/Java agents: Your user name, so that you can
run agents that use a subset of the LotusScript features and run agents
created with Java.
Run unrestricted LotusScript/Java agents: Your user name, so that you
can run agents with the full set of LotusScript features and run agents
created with Java.

To specify agent execution options

1. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
2. Click the Server Tasks - Agent Manager tab, complete these fields in
the Daytime Parameters and Nighttime Parameters sections, and
then save the document:
Max LotusScript/Java execution time: Maximum is 360. The default is
10 (Daytime Parameters) and 15 (Nighttime Parameters). This field
controls the time, in minutes, that a LotusScript agent has to run. It
also controls the execution time of agents created with Java.
Max % busy before delay: Maximum is 90. The default is 50 (Daytime
Parameters) and 70 (Nighttime Parameters). This field controls the
percentage of time the Agent Manager can spend running agents. The
time is a percentage of the Start and End times.

Caution The options you set in the Server document affect all agents
that run on the server, including the security fields above: a name
entered there may run restricted or unrestricted agents in every
database on the server, so grant unrestricted rights only to the names
that need them.

To specify the agent schedule


The Web Navigator agents run at default times, but you can reschedule
them. By default, the Purge agent runs at 1 AM; the Refresh agent runs at
3 AM; and the Averaging agent runs at 12 AM.
1. Start the Domino Designer and select the Web Navigator database
(WEB.NSF).
2. Open the agent that you want to reschedule.
3. Select a value in the When should this agent run field.
4. Click Schedule and then specify the starting time for the agent.
5. Save the document.

Using the Purge agent to manage the size of the Web Navigator
database
As users open Web pages, the Web Navigator database gets larger. To
manage the database, use the Purge agent.
The Purge agent uses settings in the Web Navigator Administration
document, which is in the Web Navigator database (WEB.NSF), to
determine what and how much to purge. Each night at 1 AM, the Purge
agent goes through the database three times, each time purging
documents according to the criteria you specify. As soon as the database
size you specify is reached, the Purge agent stops and queues to run the
following night.
The Purge agent purges the database in three passes:
• First pass: checks the Expires header on each Web page. If the Web
  page has expired, deletes that page.
• Second pass: checks the document creation date on each Web page
  and deletes pages older than the date you specify.
• Third pass: checks for pages that are larger than the size you specify,
  and then deletes them.

To specify purge criteria
1. Make sure that you have already set up security for Web Navigator
agents and that you have the WebMaster role in the ACL of the Web
Navigator database.
2. Using the Notes client, select the Web Navigator database
(WEB.NSF) using a network connection to the server.
3. Choose View - Go to, and then select All Documents.

36-16 Administering the Domino System, Volume 1

4. Choose Actions - Administration, edit any of the following fields,
and then save the document:

Field: Maximum database size
Enter: The maximum size of the Web Navigator database. The default is
500MB.

Field: Purge agent action
Enter: One of these methods to use when purging documents:
Delete page to delete pages permanently from the database.
Reduce page to delete the contents of the page, but save the URL so
you still see the page in the database views.
Delete page is the default.

Field: Purge to what % of maximum size
Enter: A percentage of the maximum database size setting that the
Purge agent should reach before stopping. The default is 60%.

Field: Purge documents older than
Enter: When to delete documents based on the number of days they have
been in the database. The default is 30 days.

Field: Purge documents larger than
Enter: When to delete documents based on their size. The default is
512KB.

Field: Purge Private documents
Enter: One of these that determines if the Purge agent deletes
documents stored in users' private folders:
Unselected (default) To not purge documents stored in private folders
Selected To purge documents stored in private folders
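The three passes and the stopping rule described above, as an added Python model that is not part of the Lotus documentation or product: it runs the purge over a constructed set of pages, taking the Administration document fields as parameters. The page URLs, sizes and dates, the 1 AM run time, and the assumption that the size target is checked before each candidate page are all constructed for the example.

```python
"""Model of the Web Navigator Purge agent's three-pass purge (added example)."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple


@dataclass
class WebPage:
    url: str
    size: int                            # bytes of stored page content
    created: datetime                    # document creation date in WEB.NSF
    expires: Optional[datetime] = None   # HTTP Expires header, if the page had one
    private: bool = False                # stored in a user's private folder
    reduced: bool = False                # content removed by a "Reduce page" purge


@dataclass
class PurgeSettings:
    """Fields of the Web Navigator Administration document, with the documented defaults."""
    max_db_size: int = 500 * 1024 * 1024  # Maximum database size (500MB)
    purge_to_percent: int = 60            # Purge to what % of maximum size
    older_than_days: int = 30             # Purge documents older than (days)
    larger_than: int = 512 * 1024         # Purge documents larger than (512KB)
    action: str = "Delete page"           # Purge agent action: "Delete page" or "Reduce page"
    purge_private: bool = False           # Purge Private documents


def db_size(pages: List[WebPage]) -> int:
    return sum(p.size for p in pages)


def run_purge(pages: List[WebPage], settings: PurgeSettings,
              now: datetime) -> Tuple[List[WebPage], List[str]]:
    """Run the three passes over copies of `pages`; return (remaining pages, action log).

    Assumption of this model: the size target is checked before every candidate
    page, so the agent stops mid-pass as soon as the target is reached.
    """
    target = settings.max_db_size * settings.purge_to_percent // 100
    pages = [replace(p) for p in pages]
    log: List[str] = []
    passes: List[Tuple[str, Callable[[WebPage], bool]]] = [
        ("1 (expired)",
         lambda p: p.expires is not None and p.expires <= now),
        ("2 (older than %d days)" % settings.older_than_days,
         lambda p: now - p.created > timedelta(days=settings.older_than_days)),
        ("3 (larger than %d bytes)" % settings.larger_than,
         lambda p: p.size > settings.larger_than),
    ]
    for name, matches in passes:
        for page in list(pages):
            if db_size(pages) <= target:
                log.append("target %d bytes reached, agent stops" % target)
                return pages, log
            # private-folder pages are skipped unless Purge Private documents is selected
            if page.reduced or (page.private and not settings.purge_private):
                continue
            if not matches(page):
                continue
            if settings.action == "Delete page":
                pages.remove(page)                  # gone from the database
            else:
                page.size, page.reduced = 0, True   # URL kept so the page stays in views
            log.append("pass %s: %s %s" % (name, settings.action, page.url))
    log.append("all passes done, database is %d bytes" % db_size(pages))
    return pages, log


NOW = datetime(2002, 9, 15, 1, 0)  # constructed 1 AM run time


def sample_pages(now: datetime = NOW) -> List[WebPage]:
    """Constructed sample content of WEB.NSF (1,700,000 bytes in total), not real data."""
    day = timedelta(days=1)
    return [
        WebPage("http://www.example.com/news", 300_000, now - 2 * day, expires=now - day),
        WebPage("http://www.example.com/old", 200_000, now - 45 * day),
        WebPage("http://www.example.com/older", 250_000, now - 40 * day),
        WebPage("http://www.example.com/big", 700_000, now - 5 * day),
        WebPage("http://www.example.com/mine", 150_000, now - 60 * day, private=True),
        WebPage("http://www.example.com/fresh", 100_000, now - day),
    ]


if __name__ == "__main__":
    # Small maximum size so the walk-through is readable: target = 60% of 2,000,000
    remaining, log = run_purge(sample_pages(), PurgeSettings(max_db_size=2_000_000), NOW)
    print("\n".join(log))
    print("remaining:", [p.url for p in remaining])
```

With the constructed settings the agent deletes the expired page in the first pass, one old page in the second, and then stops at the target without ever reaching the third pass, which is the behaviour the "Purge to what %" field controls.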

To enable the Purge agent
The Purge agent is set up to run at 1 AM, but it does not start this
schedule until you enable the agent.
1. Make sure you have already set up security for Web Navigator
agents and that you have the WebMaster role in the ACL of the Web
Navigator database.
2. Using a Notes client, select the Web Navigator database (WEB.NSF)
using a network connection to the server.
3. Choose View - Go to, and then select All Documents.
4. Choose Actions - Administration.
5. Click the Enable Purge agent button.
6. Select the name of the server on which the Web Navigator runs in the
Choose Server To Run On dialog box, and then save the document.
Using the Refresh agent to update pages in the Web Navigator database
Regularly refreshing pages keeps the page content up to date. You can
refresh pages using the Refresh agent or set an interval for the update
cache.
To use the Refresh agent to update pages
To keep the most up-to-date pages in the Web Navigator database, use
the Refresh agent, which compares the date of each Web page inside the
database with the date of the Web page on the server. If the Web page on
the server is newer, the Refresh agent replaces the Web page in the Web
Navigator database. By refreshing out-of-date pages, the Refresh agent
ensures that users can quickly access the latest version of a page.
The Refresh agent refreshes only HTTP pages. It does not refresh FTP
pages, Gopher pages, or private pages stored in a user's private folder in
the database.
By default, the Refresh agent is scheduled to run at 3 AM, but it does not
start this schedule until you enable the agent.
1. Make sure you have already set up security for Web Navigator
agents and that you have the WebMaster role in the ACL of the Web
Navigator database.
2. Using a Notes client, select the Web Navigator database (WEB.NSF)
using a network connection to the server.
3. Choose View - Go to, and then select All Documents.
4. Choose Actions - Administration.
5. Click the Enable Refresh agent button.
6. Select the name of the server on which the Web Navigator runs in the
Choose Server To Run On dialog box, and then save the document.
To update pages when users retrieve pages
Domino stores each retrieved Web page in the Web Navigator database.
You can specify how often you want Domino to check the Web page on
the server to determine if the page has changed.
1. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.

2. Click the Server Tasks - Web Retriever tab, complete this field, and
then save the document:
Field: Update cache
Enter: Choose one:
Every time To check each time the user opens a page that is already
in the database
Never (default) To perform no verifications
Once per session To check only the first time the user accesses the
page during a session

Using the Averaging agent to calculate page ratings in the Web
Navigator database
The Averaging agent collects ratings that users assign to Web pages and
calculates the rating of pages in the Web Navigator database (WEB.NSF).
The pages appear in the Recommended by Top Ratings view in the
database. The Averaging agent also calculates the average rating for
pages that have multiple ratings from different users.
By default, the Averaging agent is scheduled to run at 12 AM, but it does
not start this schedule until you enable the agent.
1. Start the Domino Designer and open the Web Navigator database
(WEB.NSF).
2. Select the Averaging agent, and then choose Actions - Enable.
3. Choose the Web Navigator server to run the agent.

Index
Symbols
$AdminP View
creating, 15-30
$Revisions fields
size, 61-7
$UpdatedBy fields
size, 61-7
$Users view
in Domino Directory, 27-47
@Certificate
recertification and, 5-80
@Else command
described, I-2
@EndIf command
described, I-2
@If command
described, I-2, I-12
<ECLOwner>
Administration Execution
Control List, 41-14
8-bit MIME
default character set for, 28-131
ESMTP extension, 28-96,
28-103 to 28-104

A
Abstract object classes
described, 21-2
Accelerator keys. See Shortcut keys
Access
anonymous, 38-13, 40-8,
42-25 to 42-26
denying, 28-90, 38-7, 40-6
Access control list. See ACL
Access level privileges
ACL, 40-16
database, 7-7
Access levels
ACL, 40-1, 40-15
assigning, 40-11
database, 7-5
servers, 7-6
troubleshooting, 63-19 to 63-20
Access protocols
mail, 26-5
Accessed (in this file) property
performance and, 61-5
Accessibility
Domino Off-Line Services
and, 11-23
information about, H-1
shortcut keys, H-1
Accounts
LDAP, 18-5
ACL, 40-1
access for Web users, 40-30
access level privileges, 40-1, 40-16
access levels, 40-13, 40-15
adding names to, 40-23
aliases in, 40-7
brackets in, 40-20
concurrent changes to, 40-25, 58-9
configuring, 40-11
creating, 49-4
database libraries, 51-1
database security, 40-23
default entries, 40-2
deletions, 7-7
directory, 18-7, 19-10
Domino Change Control
database, 54-51 to 54-52
enforcing on replicas, 40-28
extended, 25-1
for mail database moves, 54-53
format for entries, 40-4
group names, 40-5
in a hosted
environment, 13-5, 14-4
in mail files, 26-13
LDAP users and, 40-7
managing, 40-22
modifying for Administration
Process, 15-13
modifying multiple
ACLs, 40-11, 40-25
monitoring, 40-27
order of evaluation for
entries, 40-10
precedence of, 38-4
replica IDs, 40-10
replication and, 7-6, 63-88
Resource Reservations
database, 8-8, 8-16
roles in, 40-20
server groups in, 7-6
server names, 40-5
setting up, 40-11
setting up Administration Process
for, 40-24
terminations group, 40-6
updating with Administration
Process, 40-23
user types, 40-1, 40-19
viewing all database ACLs on a
server, 40-27
Web administrator
and, 16-20, 40-24
wildcard entries, 40-4
Acquire scripts
editing, 4-51
making a call with, 4-50
Active Content Filtering
disabling, 32-8
Activity Logging
accessing logged
information, 57-1
agents and, 57-3
analyzing logged
data, 57-1, 57-13, 57-15
Checkpoint records, 57-2
configuring, 57-12
configuring for billing in a hosted
environment, 13-23
described, 57-1
enabling, 54-18
example of records
generated, 57-11
for service providers, 12-14
HTTP and, 57-4
IMAP and, 57-4
LDAP and, 57-4, 57-13
mail and, 57-6
Notes databases and, 57-8
Notes sessions and, 57-7
passthru and, 57-9

Index-1

POP3 and, 57-10
replication and, 57-10
SMTP and, 57-10
the log file and, 57-1
types of information logged, 57-2
viewing logged
data, 13-24, 57-13, 57-15
Web servers and, 57-4
Activity Trends
data collection, 54-21
interpreting profile charts, 54-41
overview, 54-17
profiles, 54-22 to 54-25
resource balancing, 54-26 to
54-28, 54-30 to 54-43
resource balancing,
overview, 54-34
resource balancing,
setting up, 54-27
setting up, 54-18
viewing, 54-47
viewing charts, 54-25
AD DUS (Active Directory Domino
Upgrade Service), 17-25
Add command
described, I-3
Address Book
deleting groups from, F-11
deleting servers from, F-25
deleting users from, F-15
Address format
Domino domain, 26-21
Internet, 27-54
outbound mail, 27-54
Address lookup
for inbound SMTP
messages, 27-47
Addresses
Domino domain, 26-21
Internet, 27-50, 27-52, 27-57
mail routing, 26-21, 26-25, 27-42
SMTP, 27-52
using group names in, 28-32
using phrases in, 28-134
Addressing, type-ahead
disabling, 28-6
troubleshooting, 63-27
Adjacent domain document
creating, 27-23
Admin setting
described, C-2
Administration document
Web Navigator database, 36-10
Administration Execution Control
List, 41-6, 41-14
creating, 41-11
default security and, 41-7
Administration preferences
setting, 16-5, 16-7 to 16-9, 16-11,
16-24
Administration Process
ACL requirements, 15-13
and Domino Change
Manager, 54-48
creating replicas with, 7-9
customizing, 15-29
described, 15-1
error messages, 15-36
Extension Manager and, 15-30
number of threads, 15-29
password checking with, 39-9
setting up, 15-5
setting up directory assistance
with, 23-30
setting up for databases, 40-24
suspending, 15-28
Tell commands, A-46
troubleshooting, 63-8
updating the ACL with, 40-23
verifying setup of, 15-7
Administration Process requests
described, F-1
Administration Process
statistics, 15-35
Administration requests
across domains, 15-8
approving, 15-21
cross-domain, F-70
error messages, 15-36
managing, 15-25
scheduling, 15-31
suspending, 15-28
time-based, F-90
Administration Requests
database, 15-2
described, 15-19
icons, 15-23
replicating, 19-17
size, 15-26
troubleshooting with, 63-2
user access, 15-28
views in, 15-19
Administration roles
Domino Directory ACL, 19-10
Administration servers
Domino Directory, 15-2 to 15-3,
21-5
extended, 15-33
for databases, 15-6
options, 15-4
Administrator approval
administration requests, 15-21
Administrator ID-recovery
information
changing, 39-21
Administrators
allowing access to Web
Administrator, 16-20
full access, 38-8
restricted system, 38-8
restricting access, 38-8
server access, 59-1, 38-8
system, 38-8
Administrators field
Domino Directory, 19-12
AdminP Mail Notification
Agent, 5-57
ADSync
options, 17-29
Advanced controls
setting, 28-46
Advanced user registration, 5-13
Agent log
troubleshooting with, 63-13
Agent Manager
capacity, 60-8
performance, 60-6
Tell commands, A-47
troubleshooting, 63-12 to 63-13
viewing status of, 60-9
Agents
activity logging, 57-3
Averaging, 36-19
controlling on servers, 28-9
creating, 40-17
for deleting and archiving
documents, 61-27
Purge, 36-15
Refresh, 36-18
restricting, 40-18
scheduling, 60-8
Server.Load, 62-4
setting time-out for mail, 28-9
SNMP, 53-1
troubleshooting, 63-12
Web Navigator database, 36-11
Agents, uses for
in Domino Off-Line
Services, 11-19
offline applications and, 11-19
AIX
configuring partitioned
servers, 2-50
configuring SNMP Agent
for, 53-12
Alarms
for Server Health Monitor, 54-10
Alias dereferencing
Directory Assistance documents
and, 23-48
Aliases
in ACL, 40-7
in DNS, 2-18
Allow_Access setting
described, C-3
Allow_Access_portname setting
described, C-3
Allow_Passthru_Access setting
described, C-4
Allow_Passthru_Callers setting
described, C-4
Allow_Passthru_Clients setting
described, C-5
Allow_Passthru_Targets setting
described, C-5
Alternate Language Information
document
creating, 20-31
viewing, 20-31
Alternate languages
described, 5-38
LDAP service, 20-29
Alternate names
adding to a user ID, 5-40
certifier IDs and, 5-39
changing, 5-62, 5-57
deleting, 5-57
in ACL, 40-7
AMgr_DisableMailLookup setting
described, C-5
AMgr_DocUpdateAgentMinInterval
setting
described, C-6
AMgr_DocUpdateEventDelay
setting
described, C-6
AMgr_NewMailAgentMinInterval
setting
described, C-7
AMgr_NewMailEventDelay setting
described, C-7
AMgr_SchedulingInterval setting
described, C-7
AMgr_UntriggeredMailInterval
setting
described, C-8
AMgr_WeekendDays setting
described, C-8
Analysis report
for decommissioning a
server, 59-3
Anonymous access
in a hosted environment, 14-4
Internet/intranet users, 42-25
LDAP service and, 20-16 to 20-17,
20-20
setting up, 38-13, 38-16
SSL, 46-15
virtual servers, 3-42
Web users and, 40-8
Anti-relay controls
effect on message transfer, 28-85
setting, 28-81
Anti-spam controls
settings for, C-101
API
creating event notification, 52-16
AppleTalkNameServer setting
described, C-8
Application design element
security, 37-15
Application security, 37-14
Application templates
table of, D-1
Applications
for hosted environments, 12-15
Approve persons name change
request, F-5
Archive criteria
for policies, 9-28
Archive policy settings
creating, 9-25
Archives, database
accessing, 61-26
Archiving
agents for, 61-27 to 61-28
databases, 58-37
deleted documents, 61-25
documents, 61-20
policies for, 9-22
policy settings example, 9-24
transaction log files, 55-5
viewing document Archiving
Log, 61-27
Assign Policy tool
using, 9-40
Attachments
compressing, 61-6
Domain Index and, 10-12
format for sending from
Macintosh clients, 28-133
Attributes
adding to LDAP schema, E-20
adding to schema, 21-13
described, 21-1, 21-4
Authentication
described, 38-1
examples, 42-21
IMAP port, 31-5
IMAP service
and, 28-60, 31-2, 31-6,
Internet/intranet
clients, 42-3, 42-27
of hosted organizations, 14-4
overview, 38-1
password checking with, 39-4
POP3 port, 30-2 to 30-3
session-based, 42-6
SMTP AUTH
command, 28-62, 28-69
SMTP port, 28-59
SSL, 46-15
SSL client, 46-25, 47-18
SSL server, 47-3
troubleshooting, 63-104
user names, 40-7
Web Administrator, 63-109
Web clients and, 42-19, 42-23
Author access
actions, 40-14
privileges, 40-16
Authors
displaying for Server Web
Navigator, 36-12
Authors field
updating, 40-29
AutoDialer task
Network dialup connections
and, 4-40
Notes Direct Dialup and, 4-44
setting up, 4-42
AutoLogoffMinutes setting
described, C-9
Automated client installation, 5-45
Autoscale
scaling statistics, 52-37
Auxiliary object classes
adding to schema, E-17
described, 21-2
Availability threshold
setting, C-91
Averaging agent
enabling, 36-19

B
Backing up
databases, 55-2
servers, 63-7
Basic password authentication
setting up, 42-3
SSL, 46-15
Basic user registration, 5-11
Batch file installation
clients, 5-46
BatchRegFile setting
described, C-9
BeginCrit command
described, I-4
BeginLoop command
described, I-4
BeginLoop2 command
described, I-5
Benchmarks
server performance, 60-2
Billing
in a hosted environment, 12-14
BillingAddinOutput setting
described, C-9
BillingAddinRuntime setting
described, C-10
BillingAddinWakeup setting
described, C-10
BillingClass setting
described, C-10
BillingSuppressTime setting
described, C-11
Binary tree topology
replication and, 4-9
Bindery Service
Domino and, 2-30
server names and, 2-31
Binding
port-to-IP address, 2-46 to 2-47
Bookmarks
search forms and, 10-18, 10-20
Break command
described, I-5
Broadcast command
described, A-12
using before restarting the
server, A-23
using before shutting down the
server, A-14
Browsers
accessing Web server with, 34-5
using for administration, 16-17
Browsing
Web, 36-1
Build number
in Server document, F-47
BUSYTIME.NSF
purge interval, C-86
Byte-range serving
Web server and, 34-56

C
CA key ring
displaying, 45-7
exporting, 45-7
CA policy information
storing in Domino Directory, F-62
CA process
adding certifiers, 44-7
creating certifiers, 44-8
described, 44-1
Tell commands, A-48
viewing certifiers list, 44-24
Cache
setting for Server Web
Navigator, 36-18
Cal command
described, I-5
Calendar and scheduling
collecting detailed user
information, 8-20
collecting user calendar
information, 8-20
described, 8-1
example, 8-2
Holiday documents, 8-17
profile command, I-26
Server.Load script command, I-5
Call waiting
disabling, 63-49
Capacity planning
tools, 60-2
Catalog task
Domain Catalog
database, 10-2, 10-6
Catalog, Domain. See Domain
Catalog
Catalogs, database
for servers, 51-4 to 51-5
cconsole, A-8
command line switches for, A-9
commands for, A-9
CD format. See Notes rich text format
CDP_Command setting
described, C-11
CD-ROM updates
replication and, 7-17
Central Directories view
described, 19-7, 19-9
Central directory architecture
described, 19-2
Extended Directory Catalogs
and, 19-4
managing, 19-5
planning, 18-2, 19-4
primary Domino Directories
and, 19-9
Certificate
removing from Domino or LDAP
directory, F-49
Certificate Authority
CA key ring, 45-2
creating, 45-2
displaying the CA key ring
file, 45-7
exporting the CA key ring
file, 45-7
internal, 45-1
merging certificates, 46-10
recertifying, F-47
removing as trusted root, 46-21
server-based, 44-1
setting up, 45-1
setting up SSL on
server, 45-5, 44-17
third-party, 47-10, 47-21
troubleshooting, 63-101
viewing server certificates, 46-20
Certificate Authority administrator
tasks, 44-4
Certificate Authority profile
configuring, 45-4
Certificate requests
processing, 44-1
viewing, 44-24
Certificate Requests database
creating, 44-14
Certificate revocation lists
described, 44-2
CertificateExpChecked setting
described, C-12
Certificates
certifier IDs and, 1-7
defined, 39-1
deleting, 47-12
described, 39-3
displaying, 39-3
in a hosted environment, 13-5
Internet, 45-2, 47-10, F-4
managing server, 46-20
merging server, 46-12
renewing, 46-21
revoking, 44-2, 44-23
self-certified, 46-22
signing and adding to Domino
Directory, 47-7
SSL and S/MIME, 47-5
SSL server
authentication, 47-3
troubleshooting and, 63-83
trusted root, 46-9, 47-3
Certificates, SSL
adding for Server Web
Navigator, 36-8
creating a Certificate
Authority, 45-2
expired, 46-21
self-certified, 46-22
setting up, 47-3
viewing information, 46-20
viewing requests for server, 46-21
Certification
described, 39-2
Certification Log
Administration Process
requirements, 15-3
described, 3-28
Certifier documents
modifying, 44-22
Certifier IDs
migrating to CA process, 44-5
modifying, 44-21
organization, 3-34
organizational unit, 3-35
overview, 1-7
recovering, 44-25
CertifierIDFile setting
described, C-12
Change Control database
location, 54-34
Change HTTP password in Domino
Directory request, F-6
ChangeTo command
described, I-6
Channel encryption option
directory assistance, 23-43
Character encoding
LDAP service, 20-32
Character sets
aliases for, 28-131
enabling auto-detection of, 28-126
language codes and encoding
for, 28-120
specifying for MIME
messages, 28-118, 28-126
Web, 34-31, 34-33
Checkpoint records
activity logging and, 57-2
Client authentication
directory assistance
and, 23-3, 23-14
directory catalogs and, 24-9, 24-11
directory search order, 18-15
SSL, 46-1
Client information
updating in Person record, F-64
Client installation, 5-41
setting up for users, 5-41
single user, 5-43
Clients
setting up for S/MIME, 47-13
setting up for SSL client
authentication, 47-18
Clients, mail
POP3, 30-11
routing protocols and, 27-3
types of, 26-15
ClockType setting
described, C-13
Close command
described, I-8
Clrepl_Obeys_Quotas setting
described, C-13
Cluster failover
configuring for mail
routing, 28-40
directory assistance and, 23-21
Cluster Replicator
monitoring, C-86
quotas and, C-13
Tell commands, A-51
Cluster_Replicators setting
described, C-13
Clusters
Domino Off-Line Services
on, 3-12
Free Time database, 8-2
port setting, C-91
removing servers, F-49
replication topology and, 4-8
workload balancing and, 60-4
Collector task
overview, 52-1
Command line installation, 5-47
Commands
capturing output to file, A-2
Controller, A-3
custom, A-6
entering from the UNIX
command line, A-8
help for, I-12
modem command file, 63-48
shell, A-3
table of, A-10
Common Gateway Interface, 34-2
time-out setting, 34-53
Common names
Internet, 45-2
renaming, 5-57
server IP name and, 2-16, 2-22
Communication ports
options, 4-47
setting up, 4-34, 4-46
COMnumber setting
described, C-14
Compact task
archiving documents with, 61-20
IND file, 61-22
options, 61-17
renaming databases, C-74
running, 61-16
scheduling, 61-23
specifying database path, 61-22
upgrading database format, 31-28
with file reduction, 55-2
Compact_Retry_Rename_Wait
setting
described, C-14
Compacting
databases, 61-13, 61-16,
61-21 to 61-23
Companies, external
communicating with, 39-27
Compound document format. See
Notes rich text format
Compressing
attachments, 61-6
network data, 2-42
performance and, 61-6
Concurrent retrievers
Server Web Navigator, 36-6
Concurrent transfer threads
maximum, 60-11
Condensed Directory Catalogs
client authentication and, 24-10
described, 24-2
full-text indexes, 24-25
multiple, 24-33
performance settings for, 24-30
planning, 24-29
replicating, 24-32
servers using, 24-5
setting up, 24-34 to 24-35
sorting, 24-29
Soundex and, 24-30
Configuration Directories
changing to primary, 19-6
configuring remote primary
directory, 19-7
described, 19-2
directory assistance and, 23-26
Extended Directory Catalogs
and, 19-4
managing, 19-5
planning, 18-2, 19-4
showing remote primaries
for, 19-9
Configuration document
Cross-domain, 15-9 to 15-10
Configuration Settings document
creating, 27-18
editing NOTES.INI file with, C-1
host names, 27-49
LDAP settings, 20-9, 20-17
for SMTP mail routing, 27-38
Configuring
activity logging, 57-12
mail routing, 27-37
offline applications, 11-11
Connect scripts. See Login scripts
Connection documents
described, 4-1
Internet servers, 4-22
LAN, 4-15
mail routing
and, 26-20, 28-36, 28-50
Network Dialup, 4-36, 4-46
Notes Direct Dialup, 4-35
passthru server, 4-29
port order and, 2-40
for replication, 7-20
scheduling mail routing, 28-50
troubleshooting, 63-39
Connections
mail routing, 27-2
restricting SMTP inbound, 28-71
routing cost and, 28-39, 28-53
SSL, 46-18
tracing, 63-37, 63-77, A-59
troubleshooting in TCP/IP, 63-64
Console
accessing from UNIX
platforms, A-8
commands, 63-8, A-10, J-4
displaying performance
events, C-97
monitoring events with, 52-22
password protecting, A-26, C-92
running server tasks, B-1
setting attributes, 52-21
XPC, C-121
Console command
described, I-8
issuing remotely, J-4
Console_Log_Enabled setting
described, C-15
Console_Log_Max_Kbytes setting
described, C-16
Console_Loglevel setting
described, C-15
Content categories
Domain Catalog, 10-21
Content maps
Domain Search and, 10-21
Controller
commands, A-3
described, 16-28
starting and stopping, 16-29
Conversion
between message formats, 27-1
IMAP mail files, 31-2
MIME messages, 28-122
Convert task
enabling mail files for
IMAP, 31-2, 31-30
Corporate hierarchies
categorizing users by, 19-14
described, 19-13
Corruption
database, 58-25
Cost reset
for connections, 28-39
Country_Language setting
described, C-16
CPU count value
in Server document, F-64
Create IMAP delegation request, F-7
Create Mail-in database request, F-7
Create replica request, F-8
Create roaming user
administration request, F-9
Create_File_Access setting
described, C-17
Create_Replica_Access setting
described, C-17
CRL. See Certificate revocation lists
Cross-certificates, 39-29, 39-38
accessing servers with, 39-27
adding, 39-29, 39-33 to 39-34,
39-36, 47-15
creating, 39-29, 39-37 to 39-38
described, 39-27
displaying, 39-38
examples, 39-27, 39-31
in a hosted environment, 13-5
Internet, 39-28, 47-4
Person documents and, 39-37
S/MIME messages and, 39-27
Cross-domain administration
requests
described, F-70
Cross-domain Configuration
document
creating, 15-9 to 15-10
replicas and, 7-9
Cross-domain processing
administration requests, 15-8
benefits of, 15-10
setting up, 15-9
CSRV50.NTF
setting up, 46-3
CTF setting
described, C-18
Custom Welcome Page
creating, 5-87
Customer support
contacting, 63-4
Customized client installation, 5-47

D
Data
overwriting, 61-5
storing for a hosted
organization, 13-7
Data directory
certifier IDs and, 1-9
for a hosted organization, 13-5
restricting access, 49-4
Database access
for SSL clients, 46-19
troubleshooting, 63-17,
63-19 to 63-20
Database activity
monitoring, 58-11
reporting, 58-13
statistics, 58-12
Database Administrator, 38-8
Database analysis
described, 58-37
of replication events, 58-6
running, 58-39
troubleshooting with, 63-2
Database cache
disabling, 61-12, C-74
monitoring, 61-10
overview, 61-9
performance and, 63-19
size, C-74
Database catalogs
administering, 51-4
assigning categories in, 51-6
categories in, 10-10
creating, 51-5
excluding databases from, 51-6
uses for, 51-4
Database creator
access level, 40-3
Database design
replicating, 63-86
tasks, 48-1
Database event generator
creating, 52-5
Database fields
increasing number of, 61-29
Database files
displaying, 58-2
opening, 58-2
Database format
determining, 61-17
upgrading, 31-28
Database instance ID
overview, 55-2
Database libraries
ACL, 51-1
adding databases, 51-3
creating, 51-2
defined, 51-1
deleting databases, 51-4
local, 51-2
location, 51-1
Database links
creating, 49-3
creating on the Web, 34-27
deleting, 49-4
described, 49-2
managing, 32-7, 58-5
Database maintenance
NOTES.INI settings, 58-41
Database management
for mail journaling, 28-107
maintenance tasks, 58-1
tasks, 48-1
tools, 58-4
Database organization
NOTES.INI settings, 49-6
Database performance
improving, 60-9, 61-1, 61-3, 61-12
NOTES.INI settings, 61-29
troubleshooting, 63-16
Database quotas
obeying for message
delivery, 28-10 to 28-11
setting, 61-24
Database replicas
creating, I-19
described, 7-1
Database view indexes
purging, 58-23
Databases
access level privileges, 7-7
access levels, 7-5
access problems, 63-17
adding documents, I-3,
I-20 to I-21
administration servers and, 40-24
analyzing, 58-37
archiving, 58-37, 61-26,
Archiving Log, 61-27
backing up, 55-2
categories in, 10-10
compacting, 61-13, 61-16,
61-21 to 61-23
controlling access to, 40-1
controlling creation of, 38-14
copying to servers, 48-2, 48-4
corrupted, 58-25, 63-43
creating, J-2 to J-3
deleting, 58-36, I-8
deleting documents from, I-9
deleting inactive
documents, 61-25
excluding from Domain
Index, 10-17
file format of, 61-17
forcing replication, 7-33
forcing SSL connections, 46-18
indexing, 10-7, 50-1 to 50-2
monitoring, 40-27, 58-1
moving, 54-32, 54-53, 54-62,
58-33, 58-35, F-36, F-39
organizing, 49-1
performance problems, 58-11
pinning and
unpinning, 54-32, 54-45
replicating, 7-32, 58-6, I-19
replicating specific, 7-27
replication history, 58-6
replication log, 58-8
rolling out, 48-1
security, 40-19
server crashes and, 63-99
Server Web Navigator, 36-16
setting up to receive mail, 48-5
shortcut keys, H-4
signing, 48-7
size, 58-12
size, controlling, 28-112, 61-1,
61-13, 61-23
size, monitoring, 61-13
statistics, 58-11
synchronizing, 58-24
tools, 58-4
transaction logging, 58-25
troubleshooting, 58-26,
63-16, 63-84
updating, I-27
Databases, shared mail
using multiple, 29-2
Dates
on Web pages, 36-18
Daylight saving time settings
described, C-29 to C-30
Dbcache flush
described, A-13
DbDelete command
described, I-8
DBIID, 55-2
DDE_Timeout setting
described, C-18
Dead mail
described, 28-41, A-39
holding, 28-40
releasing, 28-44
Debug_Outfile setting
described, C-18
Debug_SSL_Cert setting
described, C-19
Decommission Server Analysis tool
running, 59-3
Default database security
Web Administrator, 16-19
Default Global Domain document
designating a, 27-55, 27-57
Default group
access level, 40-2
Default subject
extended ACL, 25-11
Default_Index_Lifetime_Days setting
described, C-19
Delay notifications
generating for low-priority
mail, 28-30
Delegate mail file on administration
server
administration request, F-10
Delete command
described, I-9
Delete database
administration requests, F-10
Delete hosted organization
administration requests, F-14
Delete Person administration
requests
described, F-78
Delete resource
administration request, F-21
Delete Server administration
requests
described, F-25, F-78
hierarchical server names, F-81
Deletion stubs
described, 63-90
purging, 7-12
Deletions
replication and, 7-7
Deletions, soft
defined, 61-8
effect on quotas, 28-11
performance and, 61-8
Delivery
configuring for mail, 28-8
Delivery controls
setting, 28-9
Delivery Failure Reports
troubleshooting, 63-36
Delivery failures
customizing message for, 28-46
quotas and, 28-16
Delivery status notification
enabling, 28-96, 28-103 to 28-104
Delivery threads
setting maximum
number, 28-9, 60-11
Demand sets
and database moves, 54-55
Deny_Access setting
described, C-19
Deny_Access_portname setting
described, C-20
Deployment
certifier IDs, 1-7
Domino domains, 1-5
Domino environment, 1-14
guidepost, 1-1
naming conventions, 1-12
server functions, 1-2
server names, 1-3
server services, 1-11
Depositor access
actions, 40-14
privileges, 40-16
Design menu
hiding, C-71
Designer access
actions, 40-14
privileges, 40-16
Designer task
updating databases with, 58-24
Desktop policy settings
creating, 9-14
Desktop setting
described, C-20
Destination servers
passthru, 4-28
Dialog boxes
shortcut keys, H-5
Dialup connections
described, 4-34
mail routing and, 27-59
number of modems for, 4-33
troubleshooting, 63-48
DIIOP server task
starting, 34-10
DIIOP_Debug_Invoke
described, C-22
DIIOPConfigUpdateInterval setting
described, C-21
DIIOPCookieCheckAddress setting
described, C-21
DIIOPCookieTimeout setting
described, C-22
DIIOPDNSLookup setting
described, C-22
DIIOPIgnorePortLimits setting
described, C-23
DIIOPIORHost setting
described, C-23
DIIOPLogLevel setting
described, C-24
Dircat server
described, 24-14, 24-8
Dircat task
described, 24-8, 24-45
pausing, 24-48
planning, 24-14
restricting to one server, 24-15
running, 24-47
Tell commands, A-53
troubleshooting, 63-25
Dircat_Include_Readerslist_Notes
setting
described, C-24
Directories
Domino server, 3-2
LDAP alternate languages
searches, 20-30
search order of multiple, 18-15
troubleshooting, 63-21
Directories, secondary
directory services for, 18-12
LDAP service, 18-3
Directory assistance
authenticating, 42-23
client authentication, 23-3
compared to directory
catalogs, 18-14, 24-4
concepts, 23-12
Configuration Directories
and, 23-26
described, 23-1, 23-2
directory replicas, 23-36
domain names, 23-18
examples, 23-51 to 23-53, 23-55
Extended Directory Catalogs
and, 23-22, 24-26
failover, 23-20, 23-22
group lookups for database
authorization, 23-6
LDAP directories, 23-5
LDAP service and, 20-6, 23-17
monitoring, 23-60
naming rules, 23-12
Notes mail addressing and, 23-8
planning, 18-13
preventing LDAP searches of
primary Domino
Directory, 23-27
primary Domino Directory
and, 23-26
remote primary directories
and, 19-7
replicas, 23-20
search orders, 23-16
services, 23-3
setting up, 23-29, 23-33, 23-37
setting up servers to use, 23-30
statistics, 23-60
troubleshooting, 63-21, 63-40
updating name, F-60
Directory assistance database
creating and replicating, 23-30
number of, 23-29
setting up servers to use, 23-30
Directory Assistance documents
alias dereferencing, 23-48
Channel encryption option, 23-43
creating, 23-33, 23-37
described, 23-2
local directory replicas, 23-36
Notes distinguished name
attribute in, 23-49
password in, 23-44
search filters in, 23-46
Directory Catalog Configuration
document
additional fields to
include, 24-22
creating, 24-36, 24-43
directories to include, 24-15
documents to aggregate, 24-17
groups in, 24-19
performance settings, 24-30
Remove duplicate users, 24-18
selection formula, 24-20
sort order for, 24-29
Soundex option, 24-30
viewing, 24-48
Directory Catalog Status Report
described, 24-49
Directory Cataloger. See Dircat task
Directory catalogs
client authentication
and, 24-9, 24-11
compared to directory
assistance, 18-14
controlling what
aggregates, 24-16
described, 24-1
directories to include in, 24-15
documents aggregated, 24-17
fields to include, 24-22
groups in, 24-19
improving performance
of, 24-18, 24-20, 24-27, 24-30
monitoring, 24-49
multiple, 24-33
Notes mail encryption, 24-14
offline, 11-21
offline applications and, 11-21
planning, 18-12, 24-9, 24-26, 24-29
removing duplicate users, 24-18
replicating, 24-32, 24-45
reports for, 24-49
selection formulas, 24-20
servers and, 24-4
setting up, 24-8, 24-34 to 24-35,
24-41 to 24-42
sorting, 24-29
Soundex and, 24-30
troubleshooting, 63-25, 63-40
Directory file name
setting, F-60
Directory folders
creating, 49-2
deleting, 49-2
Directory indexer
described, 58-15
Directory links
creating, 49-3
database corruption and, 2-9
deleting, 49-4
described, 49-1
network security and, 2-9
Directory Profile document
described, 19-16
directory catalogs
and, 24-35, 24-42
Directory searches
order of, 18-15, 23-16
Directory servers
described, 18-2
Notes clients and, 19-15
Directory services
directory customization, 18-19
directory search
order, 18-15 to 18-17
international, 18-18
Notes client, 18-10
overview, 18-1
secondary directories, 18-12
terminology, 18-20
Directory setting
described, C-25
Directory tree
verifying for LDAP service, 20-4
Directory type
storing in Server record, F-63
Disable_Cluster_Replicator setting
described, C-25
Disable_View_Rebuild_Opt setting
described, C-25
DisabledPorts setting
described, C-26
DisableLDAPOnAdmin setting
described, C-26
Disclaimers
adding to messages, 32-9
Disk I/O tuning
performance, 60-15
Disk space
displaying information on, 58-5
monitoring, 28-10
saving, 40-17 to 40-18
troubleshooting, 63-86
Disposition-Notification-To header
configuring for return
receipts, 28-116
Distinguished names
Domino Directory and, 18-8
Internet certificates, 45-2
LDAP service
and, 20-3, 20-25 to 20-26, 20-31
DNS
defined, 2-11
described, 26-25
domains, 2-11
examples of MX records, 26-27
mail routing and, 27-49
multiple domains, 2-16, 2-19, 2-22
name resolution in NRPC and,
2-11, 2-15 to 2-17, 2-19, 2-22
outages in a hosted
environment, 14-11
preventing problems with, 2-56
verifying connecting hosts
in, 28-71
verifying sending domain
in, 28-90
DNS Blacklist filters, 28-86
DNS lookups
use in controlling inbound SMTP
sessions, 28-71
Document tables
forms and, 61-4
Documents
adding, I-20 to I-21
archiving, 61-20
archiving from server, 61-27
archiving with
agents, 61-27 to 61-28
categorizing for Domain
Search, 10-21
concurrent editing of, 58-8
Configuration Settings, 27-18
deleting, I-9
deleting inactive, 61-25
finding by Note ID, 63-20
Foreign domain, 27-30
Foreign SMTP domain, 27-32
Global domain, 27-55
Non-adjacent domain, 27-26
Index-9
DOLS. See Domino Off-Line Services
Domain Catalog
backing up, 10-18
categories in, 10-10, 10-21
creating, 10-6
described, 10-5
setting up, 10-2
updating, F-65
views in, 10-6
Domain Catalog server
decommissioning, 59-12
Domain documents
adjacent domains, 27-23
foreign domains, 27-30
global, 27-55
non-adjacent domains, 27-26
using multiple Internet domain
names, 27-44
Domain Index
adding databases, 10-7
adding file systems, 10-9
backing up, 10-18
creating, 10-14
deleting databases, 10-17
LDAP searches of, 20-36
location, 10-17
planning, 10-3 to 10-4
size, 10-11 to 10-12
updating, 10-14
Domain Indexer task
performance, 10-16
setting up, 10-14
Domain Search
described, 10-1
Notes users and, 10-19
NOTES.INI settings, 10-23
performance, 10-16
policy settings and, 10-19
security, 10-12
server requirements, 10-2
WANs and, 10-3
Web clients and, 10-20
Domain Search forms
adding categories to, 10-10
customizing, 10-18
Domain Search results
access to, 10-12
Domain Search server
decommissioning, 59-12
Domain servers
denying access, 38-7
Domain setting
described, C-27
Domains
communication between, 39-27
directory assistance, 23-18
DNS, 2-11
finding user names in, 5-85
mail routing
and, 26-19, 26-21, 27-20
multiple DNS, 2-16, 2-19, 2-22
planning, 1-5
restricting mail in, 28-36, 28-55
verifying in DNS, 28-90
Domains, external
connecting to, 4-18
DOMCFG.NSF, 34-48
creating, 34-49
Domino 5 certificate authority
setting up, 45-1
setting up SSL on the CA
server, 45-5
signing server certificates, 45-7
Domino 5 IMAP Initialization
Workload script
sample, J-5
Domino 5 IMAP Workload script
sample, J-6
Domino Administrator
Broadcast command, A-12
Configuration tab, 16-15
configuring mail routing, 27-18
creating groups with, 6-2
creating replicas, 7-9
disk space information, 58-5
displaying directory
contents, 58-3
displaying files, 58-2
Domino Console, Domino
Controller and, 16-28
Drop command, A-14
entering server commands, A-1
file information, 58-3
Files tab, 16-13, 58-2
installing, 16-1
Load command, A-15
managing databases with, 58-4
managing files with, 58-2
managing folders with, 58-5
Messaging tabs, 16-15
monitoring events with, 52-22
monitoring statistics with, 52-31
overview, 16-1
password protecting the
console, A-26
People and Groups tab, 16-13
quitting a task from, A-46
remote console, A-5 to A-7
Replicate command, A-18
Replication tab, 16-15
Route command, A-24
running Server Setup program
with, 3-18
server list, 16-4
Server tabs, 16-14
setting local attributes, 52-21
setting preferences, 16-5, 16-7 to
16-9, 16-11
setting up, 16-2
shortcut keys, H-3
Show Directory command, A-30
Show Diskspace command, A-31
Show Port command, A-33
Show Server command, A-36
Show Stat command, A-37
Show Tasks command, A-39
shutting down the server
from, A-14
starting, 16-2
tabs, 16-13
Tell command, A-46
tools, 16-16
troubleshooting, 63-1
user interface, 16-3, 16-13
viewing hosted
organizations, 14-14
viewing replication
topology, 7-34
Web Administrator and, 16-23
Domino CA
configuring application profile
for, 45-4
creating, 45-2
in a hosted
environment, 12-4, 13-3
server-based certification
authority, 45-1
Domino CA server
Domino 5, 45-1
setting up, 45-1 to 45-2
Domino Change Control database
ACLs for, 54-51 to 54-52
database moves, 54-56
location, 54-34
Domino Change Manager
and database moves, 54-55
and resource
balancing, 54-47 to 54-48
maximum current tasks, 54-49
setting up, 54-48
Tell ChangeMan command, 54-50
Domino Character Console, A-8
Domino Configuration database
creating, 34-49
Domino Console
starting and stopping, 16-30
Web Administrator and, 16-28
Domino Controller
default TCP port, 2-56
Domino Data folder
displaying contents, 58-3
managing files in, 58-2
Domino Directory
ACL, 19-10
adding Internet/intranet users
to, 42-3
address lookup and, 27-47
administration server, 15-2
Administrators field, 19-12
authenticating Web clients
with, 42-23
changing passwords, F-6
changing type, 19-5
Configuration Settings
document, 27-18
creating Internet
certificates, 47-10
creating subforms in, E-17
cross-certificates, 39-27
customizing, E-1 to E-2,
E-4 to E-5
deleting groups from, F-11
deleting policy record from, F-20
deleting servers from, F-25, F-78
deleting users from, F-15
described, 19-1
distinguished names, 18-8
domain documents, 27-23, 27-26
global domain documents, 27-44
in a hosted environment, 12-2
lookup command, I-17
mail routing and, 26-9
mapping fields with Active
Directory, 17-31
offline, 11-21
offline use, 32-8
performance settings, 19-1, 60-9
replicating, 19-17
restoring, 14-11
restricting name
lookups, 27-47, 28-40
roles, 19-10
scheduled replication and, 7-20
secondary, 15-7, 23-1, 23-3, 23-8,
23-10, 23-33, C-68
server access and, 63-93
server registration and, 3-29
setting access to, 19-9, 20-16,
20-22 to 20-23
setting up primary, 19-2
synchronizing with Active
Directory, 17-38
tools for adding entries, 18-7
tools for managing entries, 18-9
troubleshooting, 63-38
updating, I-18
upgrading to new default
template, E-22
views in access control lists, 38-4
Domino Directory template
copying, E-4
customizing, 18-19, E-22
Domino domains
in Internet reply addresses, 27-54
mail routing and, 26-19
planning, 1-5
planning directory
architecture, 18-2, 19-4
restricting mail, 28-36, 28-55
Domino environment
building, 1-14
Domino LDAP Schema database. See
Schema database
Domino Management Information
Base (MIB)
overview, 53-7
using with SNMP, 53-21
Domino named network
defined, 27-20
mail routing and, 26-19, 27-39
Domino Off-Line Services
accessibility and, 11-23
administrator tasks, 11-2
agents and, 11-19
creating a security policy, 11-7
described, 11-1
in a hosted
environment, 12-4, 13-20
overview, 11-1
security, 11-10
setting up the server
for, 3-11, 32-2
troubleshooting, 11-23
Domino ORB
setting up, 34-26, 34-29, 34-31
Domino Performance Zone
Web site for, 60-1
Domino security
application, 37-14
application design element, 37-15
overview, 37-1
planning, 37-11
Domino server
access, 38-2
anonymous access for Notes
users, 38-13
configuring for NDS, G-6
controlling browser client
access, 38-22
customizing access to, 38-7
Indic language support, 3-17
installing, 3-1, 3-3
monitoring databases for, 52-1
NDS objects, G-2
planning services and tasks, 1-11
setting console attributes, 52-21
Setup program, 3-8,
3-17 to 3-18, 3-34
starting and shutting down, 3-46
Domino server event generator
creating, 52-6
Domino server monitor
adding a task, 52-43
adding servers, 52-44
described, 52-40
profiles, 52-43, 52-44
starting, 52-41
using, 52-44
views, 52-41
Domino SNMP Agent
architecture, 53-5
completing configuration
of, 53-18
configuring for AIX, 53-12
configuring for Linux, 53-13
configuring for Solaris, 53-14
configuring for Windows, 53-11
configuring for zOS, 53-17
manual start and stop, 53-20
overview, 53-1
system requirements, 53-7
troubleshooting, 53-24
Domino statistics
Windows NT Performance
Monitor and, 17-23
Domino system administration
tasks, 48-1
Domino Web Engine
configuring for Web Site
documents, 34-23
Domino Web server, 34-1
configuring, 34-12
Internet port and protocol settings, 34-6, 34-8 to 34-9
log file, 56-8 to 56-10
logging server requests, 56-8
logging to text files, 56-10
running, 34-5
search results, 34-26
security, 34-8, 34-9
setting to work with other Web
servers, 35-1
setting up, 34-4
Domino Web server log file
setting up, 56-12
troubleshooting with, 63-2
DominoNoBanner setting
described, C-27
DominoNoDirLinks setting
described, C-28
DominoR5IntlURLDecoding setting
described, C-28
DominoXURLProcess setting
described, C-28
DOMLOG.NSF
described, 56-8
viewing, 56-10
Downgrade user from roaming to
non-roaming user, F-28
Downloading files
improving performance for Web
clients, 34-56
Drop command
described, A-13, I-9
DSAPI
values, 11-11
DSN
enabling, 28-96, 28-103 to 28-104
DST setting
described, C-29
DST_Begin_Date setting
described, C-30
DST_End_Date setting
described, C-30
DSTlaw setting
described, C-29
Duplicate names, 24-18
during client authentication, 23-5
Duplicate Person documents
directory catalogs and, 24-18
Dynamic cost reset interval
resetting, 28-39
Dynamic lookup
of host names, 27-49
E
ECL
administration, 41-6, 41-11
creating a workstation, 41-12
described, 41-1
guidelines for creating, 41-6
Java applets and, 41-4
JavaScript and, 41-4
security access options, 41-3
updating a workstation, 41-13
workstation security and, 41-3
EditExpnumber setting
described, C-31
EditImpnumber setting
described, C-32
Editing
concurrent, 58-8, 63-91
shortcut keys, H-6 to H-8
Editor access
actions, 40-14
privileges, 40-16
EDNI document
creating, 4-18
updating, F-65
Effective access
extended ACLs and, 25-30
Effective policies
described, 9-3
determining, 9-36
viewing, 9-37 to 9-38
EmptyTrash setting
described, C-32
Enable_ACL_Files setting
described, C-33
EnableBiDiNotes setting
described, C-33
Encrypted fields
indexing, 50-2
Encryption, 43-1
certificates, 2-41
defined, 43-4
dual Internet certificates
and, 47-17
Internet transactions and, 40-31
mail, 43-4, 43-7
mail journaling and, 28-111
network data, 46-1
outbound mail routing, 24-14,
C-90, C-100 to C-101
performance and, 43-4
SSL settings, C-108
EndCrit command
described, I-10
End-to-end topology
replication and, 4-8
End-user installations
with Transform files, 5-50
Entries command
described, I-10
Error messages
Administration
Process, 15-36, 63-8
Agent Manager and agents, 63-13
Domino Off-Line Services, 11-24
IPX/SPX network, 63-73
mail, 28-46
mail routing, 63-38
meetings and resources, 63-45
modems and remote
connections, 63-50
network dialup
connections, 63-74
OS/2, 63-100
partitioned servers, 63-78
replication, 63-82
server access, 63-91 to 63-93, 63-95
server crashes, 63-98
TCP/IP, 63-57, 63-61
Web Administrator, 63-108
Web Navigator, 63-107
Web server, 63-104
ErrorDelay command
described, I-10
Escrow agent
troubleshooting, 63-16
ESMTP
supporting inbound
extensions, 28-96
supporting outbound
extensions, 28-103
ETRN extension
enabling for inbound SMTP
connections, 27-61, 28-96
Event filters
creating, 52-19
viewing, 52-20
Event generators
creating, 52-13
database, 52-5
defined, 52-3
disabling, 52-12
Domino server, 52-6
mail routing, 33-3, 52-7
statistic, 52-9
task status, 52-10
TCP server, 52-11
viewing, 52-14
Event handlers
creating, 52-13, 52-17, 52-23
defined, 52-3, 52-14
disabling, 52-18
notification
methods, 52-15 to 52-16
viewing, 52-20
Event messages
viewing, 52-20
Event Monitor server task
overview, 52-1, 52-3
Event task
monitoring replication, 63-80
Events
filtering, 52-19
from SNMP traps, 53-4
logging, 52-21
monitoring, 52-2, 52-22
notification methods, 52-15
severity levels, 52-4
types of, 52-16
viewing, 52-20
Examples
directory assistance, 23-51 to
23-53, 23-55
extended ACL, 25-19
Extended Directory
Catalogs, 23-53, 23-55
LDAP service write
operations, 20-26
ldapsearch utility, 22-6
registering a hosted
organization, 13-8
replication, 7-19
xSP server in a hosted
environment, 12-16
Execution Control List. See ECL
Execution Security Alert dialog
box, 41-2
trusting signatures, 41-2, 41-13
Exit command
described, A-14
Expired certificates
renewing, 46-21
Explicit policies
adding, 9-40
assigning, 9-40
changing, 9-40
described, 9-2
removing, 9-40
Extended accelerator keys. See
Shortcut keys
Extended access
disabling, 25-31
enabling, 25-23
Extended ACLs
activity log for, 25-31
changing, 25-28
described, 25-1, 25-3
directory, 18-7
disabling, 25-31
effective access and, 25-30
enabling, 25-23
examples of, 25-19
Extended Directory Catalogs
and, 24-7
in a hosted environment, 13-6
LDAP and, 20-20, 25-6
other database security and, 25-2
planning, 25-22
privileges for, 25-2 to 25-3, 25-5
restoring, 14-11
schema database and, 25-7
setting up, 25-22, 25-24
subjects in, 25-9, 25-17
target scope, 25-14, 25-17
targets in, 25-12 to 25-13
troubleshooting, 25-30, 63-34
Extended administration servers
removing, 15-34
setting up, 15-33
Extended Directory Catalogs
benefits of, 24-5
central directory architecture
and, 19-4
client authentication
and, 23-3, 24-10
directory assistance and, 23-6,
23-8, 23-22, 23-33, 24-26
examples, 23-53, 23-55
full-text indexes, 24-26
groups for database
authorization, 24-27
integrated into primary
directory, 24-28
LDAP service, 23-10
multiple, 24-33
native documents, 24-7
planning, 24-26
replicating, 24-45
setting up, 24-41 to 24-42
size of, 24-26
Extended key usage
public keys, 44-13
Extension manager
Administration Process
and, 15-30
in a hosted
environment, 12-5
External companies
communicating with, 39-27
External Domain Network
Information document. See
EDNI document
External Internet mail
preventing relaying, 28-75
External servers
access levels for, 7-7
ExtMgr_AddIns setting
described, C-34

F
Failover
directory assistance, 23-20, 23-22
for mail routing, 28-40
Fault recovery, 55-10
cleanup script, 55-11
enabling, 55-11
operating systems and, 55-10
Fields
customizing in Domino
Directory, E-2
directory catalogs and, 24-22
LDAP attributes and, 21-4
Fields, database
increasing number of, 61-29
performance and, 61-6
File format
database, 61-17
mail, 31-28
File names
key ring, 45-2
File protection, 34-42
File Protection documents, 34-41
described, 34-44
example, 34-42
File systems
searching, 10-9
FileDlgDirectory setting
described, C-34
Files
compressing when uploading to
Web, 34-29
displaying, 58-2
displaying information
about, 58-3
downloading from Web
server, 34-56
managing, 58-2
preferences, 16-7
protecting from Web access, 34-41, 34-44
replicating specific, 7-27
Files/Directories to Replicate
field, 7-27
Filtering
message, 28-20
Find name in domain request, F-29
FindbyKey command
described, I-11
FindByName command
described, I-12
Finger Internet service
controlling access to, 36-7
Firewalls
troubleshooting, 63-105
using a relay host, 27-58
Fixup task
BRP files, C-115
options, 58-28
running, 58-26, 58-30
transaction logging and, 55-2
troubleshooting and, 63-99
use in preparing mail files for
IMAP use, 31-29
Fixup_Tasks setting
described, C-34
Flat names
converting to
hierarchical, 5-67, F-68, F-84
Folder prefixes
IMAP, 31-15, 31-17
Folders
creating, 40-17, 49-2
deleting, 49-2
managing, 58-5
Fonts
mapping, C-117
Windows system, C-121
Foreign domains
configuring, 27-30
scheduling and, 8-6
Foreign SMTP domain documents
creating, 27-32
Internet mail configuration
and, 27-58
Format preference for incoming mail
setting for IMAP
users, 31-3, 31-23, 31-35
setting for POP3 users, 30-7
Forms
and document tables, 61-4
and object classes, 21-3
customizing in Domino
Directory, E-2
HTML, 36-5
performance and, 61-3
Forwarding address
in Person document, 27-42
Forwarding rules
enabling and disabling support
for, 28-9
FQDN
as server's common name, 2-19
specifying in Connection
document, 2-17
specifying in Server
document, 2-16, 2-22
Frame types
IPX, 63-70
TCP/IP, 63-68
Free Time database
described, 8-1
troubleshooting, 63-45
Free-time lookups, 8-5
in non-adjacent domains, 8-6
FT_DOMAIN_DIRECTORY_NAME
setting
described, C-35
FT_DOMAIN_IDXTHDS setting
described, C-35
FT_Index_Attachments setting
described, C-36
FT_Intl_Setting setting
described, C-36
FT_Max_Search_Results setting
described, C-36
FT_No_Compwintitle setting
described, C-37
FT_Summ_Default_Language setting
described, C-38
FTG_No_Summary setting
described, C-37
Full-text indexes
creating, 50-2
deleting, 50-7
described, 50-1
directory catalogs and, 24-7, 24-25
disabling, C-115
Domain Search and, 10-2
LDAP service and, 20-15
security and, 50-2
size, 50-3
updating, 50-3, 50-5 to 50-6

G
Gateways
routing mail to, 27-30
GetAll command
described, I-12
GIF files
Web server and, 34-24
Global Domain documents
default, 27-55
in a hosted organization, 13-5
LDAP service and, 20-5
Global domains
configuring, 27-44
defining multiple, 27-55
Global Web settings document, 34-40
creating, 13-21, 34-40
described, 13-19, 34-34
editing, 13-22
Gopher Internet service
controlling access to, 36-7
Graphics
Web server format, 34-24
Group documents
editing, 6-10
object classes for, 21-5
Group members
registering in Notes, 17-18
Group names
finding, 6-15, F-29
in Internet message
headers, 28-131
Groups
adding and deleting
members, 6-6
adding to Notes, 17-20
Administrator, 13-7
assigning a policy to, 6-9
creating and modifying, 6-2
creating with Domino
Administrator, 6-2
creating with Web
Administrator, 6-4
database authorization, 18-16,
23-6, 24-27
deleting, 6-14, 17-42
Deny List Only, 6-8
described, 6-1
directory catalogs and, 24-19 to
24-20, 24-35, 24-42
editing, 6-10
finding members, 6-18
mail, 28-32
managing, 6-8, 6-16

registering, 17-39
renaming, 6-10, 17-41, F-50
renaming immediately
throughout domain, 6-13
troubleshooting, 63-20
Windows NT, 17-16

H
Headers
resent, 28-131
Headline monitoring
controlling, 38-16
performance and, 61-6
Health reports
for servers, 54-11 to 54-12,
54-14 to 54-15
for servers, purging, 54-12
Health_Report_Purge_After_N_Days
setting
described, C-38
Help
customer support, 63-4
Help command
described, A-15, I-12
Hierarchical IDs
cross-certification by phone, 39-33
cross-certification through Notes
mail, 39-36
cross-certification through postal
service, 39-34
Hierarchical names
converting flat names
to, 59-10, F-84
creating scheme for, 1-3
deleting servers with, F-81
Domino Directory and, 18-8
server registration and, 3-29
Hierarchical organizations
certification and, 39-27
communication between, 39-27
Holding undeliverable mail
in MAIL.BOX, 28-40
Holiday documents
creating, 8-17
modifying, 8-20
Home pages
for virtual servers, 3-42
Web server, 63-106
Host names
DNS and, 26-25
mail routing and, 26-12, 27-49
restricting inbound connections
by, 28-71
specifying in Server
document, 2-16, 2-22
Hosted environments
Domino features in, 12-4
example, 12-16
server options, 12-2
Hosted organizations
access to Web sites, 14-12
anonymous access to
databases, 14-4
deleting, 14-3, F-14
disabling services, 14-4
distribution of data, 12-9
Internet Site documents
for, 13-18, 13-20
loopback addresses, 13-17
mail addressing to, 14-16
maintaining, 14-1
managing users, 14-14
managing users and
groups, 14-16
moving to other servers, 14-5
on multiple servers, 14-2
policies for, 9-7, 13-4
registering, 13-5, 13-8, 13-11
registration, F-48
removing from an additional
server, 14-10
security and, 12-3
server crash recovery in, 14-11
server environments for, 12-1
setting up Domino Certificate
Authority for, 13-3
setup checklist, 13-3
using the Resource Reservations
database, 14-12
using the Web
Administrator, 14-15
viewing, 14-14
viewing Web Site and Internet
Site documents, 13-20
Web Site documents for, 13-18,
13-20 to 13-21
HostedOrganizationAdmin
group, 13-7
Hosting
Java applets, 34-10
Hosts files
system settings for, 2-13
HP OpenView
and SNMP traps, 53-21
HTML
displaying source for Server Web
Navigator, 36-13
passthru, 34-2
HTML login form
customizing, 42-10
HTML preferences
in Server Web Navigator, 36-12
HTTP
activity logging, 57-4
HTTP proxy
connecting Server Web Navigator
through, 36-3
HTTP server task
running, 34-5
HTTP servers
Domino working with the IBM
HTTP Server, 35-2
setup mode setting, C-99
HTTP service
binding to an IP address, 2-49
controlling access to, 36-7
in a hosted environment, 12-13
HTTP sessions
tracking, 34-13
HTTPEnableConnectorHeaders
setting
described, C-39
HTTPLogUnauthorized setting
described, C-39
HTTPS
controlling access to, 36-7
SSL and, 46-18
Hub-and-spoke topology
example of, 4-10
limitations of, 4-8
replication and, 4-6
Hunt group connection document
creating, 4-31
Hunt groups
described, 4-23, 4-31

I
IBM HTTP Server
setting Domino to work with,
35-2
IBM Office Vision
scheduling and, 8-6
IBM Tivoli Analyzer
Activity Trends, 54-17
installing, 54-6
overview, 54-1
ICL. See Issued Certificate Lists
ICMNotesPort setting
described, C-40
Icons
Administration Requests
database, 15-23
ID recovery
administration request, F-30
ID table
Note IDs, I-12
Idle Workload script
described, 62-14
running, 62-14
sample, J-4
IDs
defined, 39-1
displaying certificates, 39-3
IMAP users and, 31-23
multiple-password, 39-6
password protection, 39-4
passwords for, 39-13
recovering, 39-14,
39-17 to 39-18, 39-20
security and, 37-16
server, recertifying, 59-9
IDs, certifier, 1-7, 3-34 to 3-35
Ignore message priority
setting for mail routing, 28-39
IIOP
in a hosted environment, 12-13
setting up, 34-10
Image display
performance and, 61-3
Web server and, 34-24
ImailCheckForNewMail command
described, I-13
ImailCloseMailbox command
described, I-13
IMAILExactSize setting
described, C-40
ImailFetchEntry command
described, I-13
ImailFetchOld command
described, I-14
ImailGetLastEntries command
described, I-14
ImailGetNewMail command
described, I-14
ImailHelp command
described, I-14
ImailListMailboxes command
described, I-14
ImailLogin command
described, I-15
ImailLogout command
described, I-15
ImailOpenMailbox command
described, I-15
ImailPostMessage command
described, I-15
ImailSetSeen command
described, I-16
IMAP
activity logging, 57-4
IMAP attributes
adding to IMAP-enabled mail
files, 31-3
IMAP delegation
administration request, F-7
IMAP Initialization Workload script
sample, J-5
IMAP protocol
Domino mail server
and, 26-5, 31-1
in a hosted environment, 12-13
IMAP public folders
designating, 31-15
IMAP service
and shared mail files, 31-12
authenticating options, 31-5
binding to an IP address, 2-47
changing default port
information for, 31-6
configuring internal thread
use, 31-19
customizing, 31-5
greetings, 31-21
limiting sessions, 31-9
logging in to server, I-15
logging out of server, I-15
mail commands, I-13 to I-16
NAMESPACE
command, 31-12 to 31-13
setting up, 31-4
starting, 31-5
time-out setting, 60-12
IMAP users
allowing SMTP relays from, 28-82
creating mail files for, 31-26
enabling mail files for, 31-2, 31-10,
31-27, 31-30
setting acceptable login names
for, 31-24
setting up, 31-22
setting up Person documents
for, 31-23
IMAP_Config_Update_Interval
setting
described, C-40
IMAP_Convert_Nodisable_Folder_Refs setting
described, C-41
IMAP_Session_Timeout setting
described, C-43
IMAPDisableFTIImmedUpdate
setting
described, C-42
IMAPDisableMsgCache setting
described, C-42
IMAPGreeting setting
described, C-42
IMAPNotesPort setting
described, C-43
IMAPRedirectSSLGreeting setting
described, C-43
IMAPShowIdleStatus setting
described, C-44
IMAPSSLGreeting setting
described, C-44
Inactive documents
deleting, 61-25
Inbound connections
restricting for SMTP, 28-71, 28-86
Inbound mail routing
restricting, 28-70, 28-75, 28-90
Inbound relay controls
enforcement of, 28-81
and message transfer, 28-85
Inbox folder
adding documents to, J-2
Incoming Mail Sound setting
described, C-44
Index command
described, I-16
Index entries
searching, I-11 to I-12
Index, Domain. See Domain Index
Indexes
creating, 50-2
deleting, 50-7, 58-23
described, 50-1
Domain Search and, 10-2, 48-7
encrypted fields, 50-2
replicating, 50-1
security and, 50-2
size, 50-3
troubleshooting and, 63-99
updating, 50-3, 50-5 to 50-6, 58-14
Indic languages
support for, 3-17
INET_Authenticate_with_Secondary
setting
described, C-45
Informational logging, 28-7
iNotes Web Access
active content filtering for, 32-8
adding disclaimers, 32-9
alternate name support in, 32-10
configuring, 32-4
creating a portal for, 32-3
customizing, 32-4, 32-7 to 32-9
overview, 32-1
registering users, 32-2 to 32-3
Sametime and, 3-14
setting up a server for, 3-13
Install directories
customizing location of, 5-49
Installation
automating client, 5-45
batch file, 5-46
client, 5-41
command line, 5-47
customizing client, 5-47
End-user with Transform
files, 5-50
interactive mode, 3-5
multi-user client, 5-46
by scriptable setup, 5-52
script mode, 3-7
setting to multi-user by
default, 5-49
setting up, 5-42
shared network directory, 5-43
silent, 3-7
single user, 5-43
on UNIX systems, 3-4
on Windows systems, 3-3
Installation options
using Transform files, 5-49
InstallShield Tuner for Lotus
Notes, 5-47
InstallType setting
described, C-45
Interlaced rendering
Web images and, 34-24
International characters
LDAP service and, 20-32
International settings
specifying for Web, 34-31
Internet
anonymous
access, 42-25 to 42-26
connecting Server Web Navigator
through, 36-3
connecting to, 4-21 to 4-22, 4-40
creating a key ring and certificate
request, 45-2
cross-certification, 39-37
enforcing encrypted
transactions, 40-31
name-and-password
authentication, 42-1, 42-6
security, 38-2, 38-4
Internet address
changing, 5-73
Internet addresses
adding senders in outbound
mail, 27-50
formats for, 28-134
LDAP service and, 20-5
outbound mail, 27-54
as reply addresses, 27-52
Internet addresses, inbound
looking up in the Domino
Directory, 27-47
Internet certificates
adding, F-4
adding to Domino Directory, 47-7
creating, 47-14
creating with Domino
Directory, 47-10
deleting, 47-12
dual, 47-17
in a hosted environment, 12-4
signing, 47-7
SSL and S/MIME, 47-5
Internet clients
name variations accepted for
login, 31-24
Internet cross-certificates
creating, 47-4
described, 39-28
Internet domains
primary vs. aliases, 27-55
Internet mail, 27-38
restricting inbound, 28-90
restricting
outbound, 28-98 to 28-99
restricting relays, 28-75
restricting who can receive, 28-92
routing, 26-23, 27-6, 27-34,
27-37 to 27-38, 36-9
troubleshooting, 63-107
Internet passwords, 42-24
security and, 42-24
user registration and, 42-3
Web Administrator, 16-19
Internet protocols
setting up passwords for, 42-3
Internet services
accessing, 36-7
binding to IP addresses, 2-47
controlling access to, 36-7
default TCP ports, 2-56
proxies for, 2-7
Internet Site documents
configuring for hosted
organization, 3-40, 13-20
creating, 3-40
and DNS outages, 14-11
in a hosted environment, 13-18
IMAP configuration
and, 28-60, 31-6
overview, 3-37
POP3 configuration and, 30-3
SMTP configuration and, 28-59
Internet users
renaming, 5-66
InterNotes server
described, 36-1
saving HTML source, 36-13
setting up, 36-2
Intranets
name-and-password
authentication, 42-1
Invitations
responding to, I-24
IP address configurations
in a hosted environment, 12-5
IP addresses
binding ports to, 2-46 to 2-47
binding to xSP servers, 13-16
DNS and, 26-25
multiple, 2-19, 2-22
partitioned servers
and, 2-21, 2-50
resolving, 12-14
restricting inbound connections
by, 28-71
using in Connection
documents, 2-18
using in Server documents, 2-12
IP names
specifying in Server
document, 2-16, 2-22
IPv6 standard
described, 2-25
enabling support for, 2-45, C-110
IPX/SPX
assigning sockets, 2-62, C-70
frame types, 63-70
integrating Domino
with, 2-29, G-1
name resolution in, 2-30, 63-72
Notes port for, 2-34 to 2-36, 2-38 to 2-42, 2-61
NOTES.INI settings, 2-64
security, 2-9
setting up servers on, 2-32, 2-61
Token-Ring and, 63-71
troubleshooting, 63-70
ISpy database
creating mail-in database record
for, F-7
ISpy task
mail routing event generator
and, 52-7
starting and stopping, 52-13
TCP server event generators
and, 52-11
troubleshooting with, 63-2
Issued Certificate Lists
described, 44-2

J
Java agents
restricting, 40-18
Java applets
hosting, 34-10
on Web server, 34-2
Java servlets
managing, 34-13
JavaEnableJIT setting
described, C-46
JavaJITName setting
described, C-46
JavaMaxHeapSize setting
described, C-46
JavaMinHeapSize setting
described, C-47
JavaNoAsyncGC setting
described, C-47
JavaNoClassGC setting
described, C-47
JavaScript
on Web server, 34-2
JavaStackSize setting
described, C-48
JavaUserClasses setting
described, C-48
JavaVerbose setting
described, C-48
JavaVerboseGC setting
described, C-49
Journaling
mail, 28-105
methods, 28-109
retrieving journaled
messages, 28-113
setting up, 28-106
JPEG files
Web server and, 34-24

K
Keep alive headers
sending to Web server, 34-53
Key ring files
changing the password for, 46-22
creating a test version, 46-22
creating for internal CA, 45-2
displaying, 45-7
entering for server, 46-15
exporting, 45-7
merging a certificate from an
external CA, 46-9
merging server certificates
into, 46-12
naming, 45-2
viewing certificates, 46-20
Key usage extensions
public keys, 44-12
Keyboard shortcuts. See Shortcut
keys
KeyFileName setting
described, C-49
Keys
private, 43-1
public, 43-1
KitType setting
described, C-50

L
LAN Connection document
creating, 4-15
LANA numbers
NetBIOS ports and, 2-58
Language codes
specifying for a character set
group, 28-120
Language groups
configuring font options
for, 28-126
Languages
choosing default for Web, 34-31
Domain Search and, 10-1
LDAP service tags, 20-29
LANnumber setting
described, C-50
LANs
connecting servers on, 4-15
integrating Domino with, 2-2
network compression and, 2-42
setting up servers on, 2-32
troubleshooting, 63-55
LDAP accounts
compared to directory
assistance, 23-9
planning, 18-5
LDAP activity logging
information logged, 57-4
limiting information
logged, 57-13
LDAP directories
alias dereferencing and, 23-48
authenticating SSL clients, 46-25
authenticating Web clients
with, 42-23
authenticating Web users
with, 40-7
connecting using SSL, 47-23
described, 23-1
directory assistance, 23-3, 23-6,
23-9, 23-11, 23-37, 23-43
failover, 23-22
LDAP service referrals to, 20-33
lookup command, I-17
Notes distinguished names
in, 23-49
search filters and, 23-46
server passwords for
connecting, 23-44
LDAP features
overview, 18-3
LDAP migration tool, 20-2
LDAP operations
extended ACLs and, 25-6
LDAP schema
checking, 21-18 to 21-19
described, 21-1
Domino, 21-2
Domino LDAP Schema
database, 63-34
extending, 18-19, 21-10, 21-16 to
21-17, E-3, E-7 to E-9,
E-16 to E-17, E-20
retrieving, 21-20
root DSE searches, 21-20
viewing, 21-9
LDAP service
anonymous search
access, 20-16 to 20-17, 20-20
binding to an IP address, 2-47
client setup, 20-34
condensed Directory Catalogs
and, 20-6
configuration, 20-9, 20-37
described, 20-1 to 20-2
directory assistance and, 20-6,
23-10 to 23-11, 23-17 to 23-18
directory search order, 18-16
directory tree verification, 20-4
disabling, 20-8
distinguished names
and, 20-3
Domain Index searches, 20-36
Extended Directory Catalogs
and, 20-6
full-text indexes and, 20-15
in a hosted environment, 12-13
Internet address
formation, 20-5
Internet Draft supported, 20-42
language tags, 20-29
monitoring, 20-37
name and password
authentication failure, 63-31
name-and-password
security, 20-31
NOTES.INI settings, 20-41
performance settings, 20-28
planning, 18-4
ports and port security, 20-12
preventing use of primary
Domino Directory, 23-27
referrals, 20-33
RFCs supported, 20-42
schema daemon, 21-5,
C-88 to C-89
schema database, 21-7
search, 20-28
secondary directories, 18-4
setting up, 20-7
starting and stopping, 20-8
statistics, 20-38
Tell commands, A-53
time-out setting, 20-28
troubleshooting, 63-31
Unicode and, 20-3
UTF-8 encoding, 20-32
write operations, 20-22 to 20-23,
20-25 to 20-26
LDAP_MailOnlyGroupOption
setting
LDAPGroupMembership
setting, C-53

LDAPBatchAdds setting
described, C-51
LDAPConfigUpdateInterval setting
described, C-51
LDAPGroupMembership setting
described, C-52
LDAPLookup command
described, I-17
LDAPNotesPort setting
described, C-53
LDAPPre55Outlook setting
described, C-54
ldapsearch utility
described, 22-1
examples, 22-6
operational attributes and, 22-5
parameters, 22-2
planning, 18-6
search filter operators, 22-5
search filters, 22-4
ldapsearch.exe
retrieving schema with, 21-20
Leased-line connections
connecting to the Internet by, 4-21
Librarians
assigning, 51-3
database libraries, 51-2
Libraries. See Database libraries
License tracking
described, 5-85
License tracking information
updating in Domino
Directory, F-65
Linux
configuring partitioned
servers, 2-50
configuring SNMP Agent
for, 53-13
Listener task
Server document, 27-41
SMTP, 27-41
Live console
Web Administrator and, 16-26
LNSNMP service
removing, 53-11
LNSNMP.INI file
configuring, 53-9
Load command
described, A-15
Load server command
running server tasks, B-1
troubleshooting, 63-91
LocalDomainAdmins group
described, 6-2

LocalDomainServers group
access level, 7-6, 40-3
described, 6-1
directory catalogs and, 24-20
Location documents
Internet addresses in, 27-53
Location setting
described, C-54
Log file
accessing, 56-5
activity logging
information, 57-1, 57-13
Agent Manager and agents, 63-12
analyzing, 56-5
compacting, 56-1
Domino server, 56-1
Domino Web server, 56-12
extended ACL, 25-31
logging modem I/O in, 63-48
NOTES.INI settings, 56-2
NSD, 63-96, 63-101
passthru connections and, 63-79
replication events, 58-8
replication views, 63-80
Results database, 56-5
Schedule Manager errors in, 63-47
searching, 56-5
selecting level of
logging, 28-7, 56-3
troubleshooting with, 63-2
using commands to record
information, 56-3
viewing the Domino server, 56-3
Log filters
for events, 52-15
Log setting
described, C-55
for log file size, 56-1
LOG.NSF, 28-7
introduced, 56-1
monitoring servers and, 52-3
Log_AgentManager setting
described, C-55
Log_Authentication setting
described, C-56
Log_Connections setting
described, C-57
Log_Console setting
described, C-57
Log_DirCat setting
described, C-58
Log_Replication setting
described, C-59
troubleshooting and, 63-80
Log_Sessions setting
described, C-59
Log_Tasks setting
described, C-60
Log_Update setting
described, C-60
Log_View_Events setting
described, C-61
LogFile_Dir setting
described, C-58
Logging
configuring for Domino Web
server, 56-12
to the console, 52-21
informational, 28-7
internal server errors, 56-10
phone calls, C-76
replication, 63-80
Web server requests, 56-8
Logging level
selecting, 28-7
Login names
authentication for Internet
clients, 31-24
Login scripts
editing, 4-51
making a call with, 4-50
Lookup command
described, I-17
Loopback addresses
creating, 13-17
Lotus NDS Manager
administering Windows clients
with, G-3
for IPX/SPX setup, G-1
Lotus Organizer
scheduling and, 8-6
Lotus Support Services
contacting, 63-4
Web site, 63-4
LotusScript agents
restricting, 40-18
Low-priority mail
generating delay notifications
for, 28-30
LSCHEMA.LDIF
described, 21-2, 21-5

M
Mail
blocking, 28-20
encrypting, 28-9, 43-4, 43-7, 47-13,
47-15, C-90
error messages, 28-46
held, 28-16
limiting the size of
messages, 28-28
pending, 28-16
polling, I-19
restricting, 28-70, 28-90
routing from Web page, 36-9
security, 29-4
shortcut keys, H-7 to H-8
signing, 43-9, 43-11, C-90
tracing connections, 63-37
virus protection, C-71
Mail activity logging
information logged, 57-6
Mail addresses
formats for Internet, 28-134
Mail addressing
directory assistance and, 23-8
directory catalogs and, 24-4, 24-29
domain names and, 63-40
format for sending to another
Domino domain, 26-21
and groups, 28-32
for hosted environments, 14-16
Mobile Directory Catalogs
and, 24-3
type-ahead, 28-6
Mail agents
controlling, 28-9
Mail clients
POP3, 30-11
supported, 26-15
Mail connections
routing and, 27-2
Mail conversion utility
enabling mail files for IMAP, 31-2
Mail databases
archive criteria, 9-28
archive log, 9-24
archiving, 9-22, 9-25
IMAP service and, 31-2
moving, 54-53
overview, 26-12
sharing IMAP, 31-13
Mail delivery
configuring, 28-8
shared mail and, 29-8
Mail encryption administration
request, F-31
Mail file quotas
enforcing, 28-14, 28-28
shared mail and, 29-4
soft deletions and, 28-14
Mail file size
calculating, 28-14
Mail files
converting for IMAP, 31-2, 31-10,
31-29 to 31-30
creating, J-4, 31-26
delegating access
to, F-9 to F-10, 31-13
deleting during Delete user, 5-73
encrypting, 31-24, 43-8
for hosted organizations, 13-5
initializing, J-4
move request, F-31
moving, 5-77, 29-21
overview, 26-12
POP3 user and, 30-10
quotas, 28-10 to 28-11, 28-15 to
28-16, 28-28
replication and shared mail, 29-19
shared, 31-13
troubleshooting, 63-36
Mail files, storage format, 26-13
setting for IMAP users, 31-3,
31-23, 31-35
setting for POP3 users, 30-7
Mail journaling
defined, 28-105
retrieving journaled
messages, 28-113
specifying messages to
journal, 28-113
Mail Journaling database
managing, 28-109
setting up, 28-106
Mail menu
hiding, C-72
Mail Notification Agent, 5-57
Mail priority level, 28-27
disregarding during
routing, 28-39
Mail protocols
in a hosted environment, 12-13
supported, 26-2
Mail recipients
looking up in the Domino
Directory, 27-47
restricting, 28-92
Mail relays
and outbound mail routing, 27-33
restricting, 28-75
Mail reports
generating, 33-12
setting up a Reports
database, 33-4
troubleshooting with, 63-2
Mail routing
configuring, 27-37
configuring delivery, 28-8
connection costs and, 28-53
controlling message
transfer, 28-26
customizing Notes routing, 28-50
described, 26-1, 26-8
DNS and, 26-25
domain documents
and, 27-23, 27-26
Domino Directory and, 26-9
examples, 27-9
forwarding addresses, 27-42
improving
performance, 28-2 to 28-3
IP addresses and, 26-10, 26-12
in local Internet
domain, 27-4, 27-39
logging and, 28-7
mail clients and, 27-3
for mail outside the local Internet
domain, 27-6, 27-38, 28-85
MAIL.BOX databases
and, 28-3 to 28-4
message priority and, 28-27
Notes protocols and, 26-17, 26-19
to 27-20, 28-36
obeying database quotas, 28-11
over dialup connections, 27-59
over SMTP, 26-23, 27-32, 27-34,
27-37, 28-57
relay hosts and, 27-33
requirements, 28-2
resolving addresses, 27-42
restricting for Notes, 27-28,
27-31, 28-55
restricting inbound Internet
mail, 28-71, 28-90
restricting inbound mail, 28-70
restricting inbound relays, 28-75
restricting message size, 28-28
restricting outbound messages,
28-98 to 28-99
restricting recipients, 28-92
Route command, A-24
routing table and, 26-10
scheduling Notes routing, 28-50
SMTP, 27-41
SMTP protocol and, 26-21
stopping, 27-5
topology, 27-2
troubleshooting, 63-36
using a firewall, 27-58
using a smart host, 27-43
using multiple Internet domain
names, 27-44
using multiple mailboxes, 28-4
workstation setup, 63-42
Mail routing event generators
creating, 52-7
Mail rules
forwarding, 28-9
journaling, 28-113
reloading, 28-21
setting server, 28-20
Mail servers
described, 26-1, 26-5
Mail storage
formats, 26-13
Mail templates
MAIL6EX.NTF, 32-11
Mail trace
troubleshooting with, 63-2
Mail tracking
configuring servers for, 33-8
from the Domino
Administrator, 33-10
overview, 33-1
troubleshooting with, 63-2
Mail Tracking Collector task
controlling, 33-5
Mail usage reports
described, 33-2
generating, 33-12
viewing, 33-16
Mail, dead
described, 28-41, A-39
Mail, undeliverable
releasing from server, A-39
returning, 28-37
MAIL.BOX databases
compacting, 63-43
corrupt, 63-43
described, 27-1
setting up multiple, 28-3 to 28-4
troubleshooting with, 63-2
undeliverable mail, 28-41
Mail/ID registration options
Windows NT and Notes, 17-11
Mail_Disable_Implicit_Sender_Key
setting
described, C-64
Mail_Log_To_MiscEvents setting
described, C-64
Mail_Skip_NoKey_Dialog setting
described, C-65

MAIL6EX.NTF
using, 32-11
Mailboxes
setting number of, 60-12
setting up multiple, 28-3 to 28-4
MailCharSet setting
described, C-61
MailCompactDisabled setting
described, C-63
MailCompactHour setting
described, C-63
MailConvertMIMEonTransfer setting
described, C-63
Mail-in Database document
creating, 48-5
statistics, 52-35
Mail-in statistics
using, 52-35
MailServer setting
described, C-64
MailSystem setting
described, C-65
MailTimeout setting, 28-37
described, C-66
MailTimeoutMinutes setting
described, C-66
Mailto
setting up, 36-9
Maintain Trends database record
request, F-30
Manage Groups tool
using, 6-16
Manager access
actions, 40-14
privileges, 40-16
Map_Retry_Delay setting
described, C-66
Maps
replication topology, 7-34
Master Address Book. See Directory
assistance
Maximum concurrent transfer
threads
setting, 28-33
Maximum delivery threads, 28-9
Maximum hops
setting, 28-33
Maximum message size
setting, 28-28
Maximum transfer threads
setting, 28-33, 60-11
Maximum Transmission Unit.
See MTU setting
Meetings
troubleshooting, 63-45
Memory
displaying, A-32
Memory requirements
for servers, 60-3
Memory_Quota setting
described, C-67
Message caching
disabling, C-73
Message conversion
mail routing and, 27-1
Message delivery
configuring, 28-8, 60-11
Message filtering
using mail rules for, 28-20
Message headers
MIME, 28-131, 28-134
Message journaling. See Mail
journaling
Message priority level, 28-27
disregarding during
routing, 28-39
Message size
restricting, 28-28
Message tracking
configuring servers for, 33-8
controlling, 33-5
from the Domino
Administrator, 33-10
overview, 33-1
in Web Administrator, 16-27
Message transfer
controlling, 28-26, 28-33
Message validation
SSL, 46-1
Messages
disabling, A-22, A-44
encrypting for delivery, 28-9
MIB
overview, 53-7
using with SNMP, 53-21
Microsoft Active Directory
deleting users and groups, 17-42
directory assistance search
filters, 23-46
mapping containers to Notes
certifiers and policies, 17-32
mapping fields with Domino
Directory, 17-31
registering existing users, 17-35
registering new groups, 17-39
registering new users, 17-33
renaming users and groups, 17-41
synchronizing with Domino
Directory, 17-25, 17-38
Microsoft IIS
setting Domino to work
with, 35-3
Microsoft Management Console
Notes registration and, 17-29
MIME messages
8-bit and ESMTP, 28-96,
28-103 to 28-104
converting, 28-122
converting addresses in, 27-50
converting to Notes format, 27-1
Domino mail server and, 26-3
encrypting, C-100, C-101
setting character set options
for, 28-118
setting options for
processing, 28-115
Minimal logging, 28-7
MinNewMailPoll setting
described, C-67
Miscellaneous Events view
corruption messages, 58-25
Mixed-release environments
log file analysis, 56-7
MMC
Notes registration and, 17-29
Mobile directory catalogs
described, 24-3
multiple, 24-33
setting up, 24-34 to 24-35
Modem command files
described, 4-34
modifying, 4-49
troubleshooting, 63-48
Modems
displaying input/output, C-121
logging modem I/O, 63-48
number to use, 4-33
troubleshooting, 63-48
Modify CA Configuration in Domino
Directory request, F-30
Modify ID recovery information in
Domino Directory
request, F-30
Modify room/resource in Domino
Directory request, F-31
Modify user information stored in
Domino Directory
administration request, F-31
Monitoring
checklist for, 63-6
database cache, 61-10
database size, 61-13
events, 52-22, 52-24
events and statistics, 52-2
headline, 38-16
mail, 26-17
overview, 52-1
performance, 52-36
server activity, 54-17
server connections, 52-6
server tasks for, 52-1
Server.Load metrics, 62-10
setting preferences for, 16-8, 52-25
statistics, 52-9, 52-31
threshold values, in Server Health
Monitor, 54-10
tools, 52-1 to 54-2
Monitoring Configuration database
described, 52-1
document types, 52-2
location, C-83
viewing statistics in, 52-32
wizards for, 52-13
Monitoring Results database
described, 52-1
performance statistics and, 52-36
Move mail file
administration requests, F-31
Move roaming user
administration requests, F-42
Move_Mail_File_Expiration_Days
setting
described, C-67
MT Collector task
controlling, 33-5
described, 33-1
MTA servers
and interoperability with other
mail systems, 26-14
MTC task
controlling, 33-5
described, 33-1
MTCDailyTasksHour setting
described, C-68
MTMaxResponses setting
described, C-68
MTU setting
troubleshooting, 63-68
Multilingual applications
setting up Web for, 34-32
Multiple replicators
and scheduled replication, 7-30
Multiple-password IDs
described, 39-6
Multi-user client installation, 5-46
MX records
described, 26-25
examples, 26-27

N
NABRetrievalPOP3Mail command
described, I-18
NABUpdate command
described, I-18
NAMAGENT.NSF
Server.Load agents, 62-4
Name and Address Book. See
Domino Directory
Name change
refusing, F-56
Name lookups
restricting, 27-47
restricting to primary
directory, 28-40
Name resolution in IPX
troubleshooting, 63-72
Name resolution in NRPC
described, 2-4
ensuring DNS resolves, 2-16 to
2-17, 2-19, 2-22
over IPX/SPX, 2-30
over NetBIOS, 2-28
over TCP/IP, 2-11, 2-15, 2-44
troubleshooting, 63-66
Name services
Microsoft, 2-13
NetWare, 2-30 to 2-32,
2-61 to 2-62
Notes, 2-4
Name-and-password
authentication, 42-8, 46-15
customizing, 42-3
directory assistance and, 23-3
Internet/intranet clients
and, 28-60, 31-2, 42-1
LDAP service and, 20-12, 20-31
level, 42-19
session-based, 42-6, 42-8, 42-10
setting up users, 42-3
virtual servers, 3-42
Names
changing, 5-56 to 5-57
for Policy documents, 9-32
for servers, 2-15, 2-17, 2-19,
2-22, 59-10
Internet authentication and, 31-24
NDS, 2-62
server, deleting, 59-8
server, finding, 59-11
Names setting
described, C-68
NAMES.NSF, 19-1
customizing, E-22
NAMESPACE command
enabling support
for, 31-12 to 31-13
Naming contexts. See Naming rules
Naming conventions
ACL, 40-4
Domino system, 1-12
hierarchical, 1-3
Notes named networks, 2-33
ports, 2-38
Program documents, B-2
servers, 2-14, 2-29, 2-31 to 2-32
Naming rules
directory assistance, 23-12
LDAP service and, 23-17
trusted, 23-14
NAT
using, 2-18
Navigate command
described, I-18
NDS
Domino server and, G-1
Notes workstations and, G-5
NOTES.INI setting, G-7
passwords, C-75
server names and, 2-32
specifying distinguished
names, 2-62
user IDs, C-75
NDS objects
Domino server, G-1 to G-2
managing, G-4
Nested groups
database authorization, 23-7
NetBIOS
integrating Domino with, 2-26
name resolution in, 2-28
Notes port for, 2-34 to 2-36,
2-38 to 2-42, 2-58, 2-60
setting up servers for, 2-32, 2-58
Netscape
trusted root, 46-11
Web Administrator and, 16-23
NetWare
name services, 2-30 to 2-32,
2-61 to 2-62
NetWare Administrator
Domino and, G-2, G-4

NetWareSocket setting
described, C-70
NetWareSpxSettings setting
described, C-70
Network Address Translation.
See NAT
Network connections
dropping, I-9
testing, 63-77
tracing, 63-77, A-59, C-76
Network Dialup
encrypting Connection
documents, 4-46
setting up servers to use, 4-36
troubleshooting, 63-74
Network ports
adding, 2-36, 2-60
binding to IP
addresses, 2-46 to 2-47
compressing data on, 2-42
configuring, 2-35, 2-58
deleting, 2-40
disabling, 2-34
encrypting, 2-41
fine-tuning, 2-34
renaming, 2-38
reordering, 2-39, 2-45
Server Setup program and, 2-2
TCP/IP, 2-12, 2-22
Network protocols
compatible with Domino, 2-2
defined, 2-1
specifying, 4-16
Networks
integrating Domino
with, 2-1, 2-10, 2-26, 2-29
name resolution, 2-4, 2-11
NOTES.INI settings, 2-64
security, 2-6 to 2-7
NewMail command
described, I-19
NewMailInterval setting
described, C-70
NewMailTune setting
Incoming Mail Sound
setting, C-44
NewReplicateDB command
described, I-19
NewUserServer setting
described, C-71
NIS
preventing problems with, 2-56
NNN. See Notes named networks
No access
assigning, 40-14
privileges, 40-16
No_Force_Activity_Logging setting
described, C-72
NoDesignMenu setting
described, C-71
NoExternalApps setting
described, C-71
NoMailMenu setting
described, C-72
NoMsgCache setting
described, C-73
Nonroaming users
change to roaming, 5-70
Normal logging, 28-7
Note ID
finding documents by, 63-20
table of, I-12
NoteAdd command
described, I-20
Notes
registering Windows NT users,
17-1, 17-8, 17-12, 17-14
synchronizing with
Windows NT, 17-2 to 17-3
Notes client
authentication with directory
assistance, 23-6
authentication with directory
catalogs, 24-11
connecting to servers, 4-55
directory servers, 19-15
directory services, 18-10
installation in a shared
directory, 5-43
LDAP service and, 20-34
Notes Direct Dialup
Connection documents, 4-35
described, 4-34
setting up, 4-44
Notes domains. See Domino domains
Notes IDs
about, 39-1 to 39-2
Notes items
sending in Internet message
headers, 28-134
Notes mail
condensed Directory Catalogs
and, 24-29
directory assistance and, 23-8
directory catalogs and, 24-1,
24-3 to 24-4, 24-14
Notes name lookups
directory search order, 18-17
Notes Name Service
described, 2-4
Notes named networks
defined, 2-3
mail routing and, 26-18
setting up, 2-33
Notes names
LDAP directories and, 23-49
Notes network ports. See Network
ports
Notes protocols
mail routing and, 26-3, 26-19,
27-4, 27-20, 27-32, 28-50
Notes Remote Procedure Call
service. See NRPC service
Notes rich text format
in mail messages, 26-13, 27-1
Notes RPC. See NRPC service
Notes templates
table of, D-1
Notes workstations
configuring for NDS, G-5
NOTES.INI file
adding settings, A-25
editing, 16-27, C-1
NOTES.INI settings
Agent Manager, 60-6
database maintenance, 58-41
database organization, 49-6
database performance, 60-9, 61-29
Domain Search, 10-23
iNotes Web
Access, 32-8 to 32-9
LDAP service, 20-41
log files, 56-2
mail, 63-43
NDS, G-7
networks, 2-64
scheduling server tasks, B-2
schema daemon, 21-21
server performance and, 60-4
UNIX server, 60-14
NotesBench
described, 60-2
Novell Directory Service. See NDS
NRPC
mail routing and, 26-3, 26-17
troubleshooting, 63-55
NRPC Mail Initialization Workload
script
sample, J-8

NRPC service
binding to an IP address, 2-46
default TCP port, 2-55
described, 2-2
encrypting, 2-41
name resolution in, 2-4, 2-11, 2-15
to 2-17, 2-19, 2-22, 2-28, 2-30
NSD log file
troubleshooting
and, 63-96, 63-101
NSF_Buffer_Pool_Size setting
described, C-73
NSF_DbCache_Disable setting
described, C-74
NSF_DbCache_Maxentries setting
described, C-74
Null modems
troubleshooting, 63-51
Num_Compact_Rename_Retries
setting
described, C-74
NWNDSPassword setting
described, C-75
NWNDSUserID setting
described, C-75

O
Object class hierarchy
described, 21-1
Object classes
adding to schema, 21-14
described, 21-1, 21-3
extending, 21-11
for Group documents, 21-5
for Person documents, 21-4
Object collect task
use in generating shared mail
statistics, 29-13
use in resynchronizing mail
files, 29-22
Object Link command
use in managing shared mail, 29-15
Object Request Broker. See Domino
ORB
Object store
defined, 29-1
managing growth
of, 29-10 to 29-11
Offline Security Policy document
creating, 11-7
Offline Subscription Configuration
profile document
creating, 11-11
editing, 11-11
Offline subscriptions
overview, 11-1
Offline users
security, 11-7
tracking, 11-22
OID for LDAP
described, 21-12
On-demand cross-certificates, 39-32
Online Meeting Place
in the Resource Reservations
database, 8-9
Open command
described, I-20
Open relays
defined, 28-76
preventing, 28-76
OpenView for Windows
and SNMP traps, 53-21
ORB. See Domino ORB
Organization certifier IDs, 1-8
creating, 3-34
Organization hierarchy
moving user names in, 5-61
Organizational policies
described, 9-2
Organizational unit
certifier IDs, 1-8
creating, 3-35
Organizational units
Internet, 45-2
restricting mail based
on, 28-55
Organizations
restricting mail based
on, 28-55
OS/2
error codes, 63-100
troubleshooting, 63-100
OS/390. See zOS
OtherDomainServers group
access level, 7-6, 40-3
described, 6-1
directory catalogs and, 24-20
Over quota enforcement
configuring, 28-17

P
Packing density
condensed Directory
Catalogs, 24-31
Partitioned servers
described, 1-6
in a hosted environment, 12-2
IP addresses and, 2-21, 2-50, 2-53
multiple Web sites
and, 2-49, 34-20
performance, 60-5
port mapping, 2-53
removing, 59-13
SNMP and, 53-9
troubleshooting, 63-78
Passthru connections
activity logging through, 57-9
hangup delay setting, C-76
troubleshooting, 2-12, 63-79
Passthru HTML, 34-2
Passthru servers
as application proxies for
NRPC, 2-8
configuring, 4-27
Connection documents, 4-29
controlling access to, 38-17
creating a topology, 4-25
described, 4-23
destination servers and, 4-28
topology example, 4-26
using with hunt groups, 4-24
Passthru_Hangup_Delay setting
described, C-76
Passthru_LogLevel setting
described, C-76
Password quality scale
described, 39-7
levels, 39-4
Password recovery. See IDs,
recovering
Passwords
assigning, 39-4, 39-8, 42-3
change intervals for, 39-10
changing, F-6
checking during authentication,
39-8, 39-12, F-60
console, A-26
Directory Assistance
documents, 23-44
IDs and, 39-4
Internet, 42-24
for key ring file, 45-2, 46-22
multiple, 39-6, 39-13
NDS, C-75
recovering. See IDs, recovering
server console, C-92
troubleshooting, 63-104
verifying, 39-8, 39-11
Pause command
described, I-21

PC-Pine client
configuring, 31-39
PEER Agent
and SNMP Agent, 53-14
Peer-to-peer topology
example of, 4-11
replication and, 4-8
People
registering Internet/intranet, 42-3
Performance
database cache and, 61-9
directory catalogs, 24-18, 24-20,
24-27, 24-30
Domino Directory, 19-1
Domino Performance Zone Web
site, 60-1
encryption and, 43-4
improving, 60-1, 60-3, 61-12
LDAP service, 20-28
mail, 26-17, 28-3, 28-6
mail routing, 28-2
monitoring, 52-36
networks, 2-42
optimizing, 61-1, 61-3
Server Health Monitor, 54-12
sources for improving, 60-15
tools, 60-2
troubleshooting, 63-16
tuning disk I/O, 60-15
UNIX server, 60-14
view indexes and, 58-23
Web server, 34-52
Windows server, 60-13
Person documents
changing during
synchronization, 17-5
IMAP users and, 31-23
Internet Address
field, 27-50, 27-53
mail routing and, 26-10
object classes for, 21-4
password checking, F-60
POP3 users and, 30-7
SSL clients, 47-20
Personal Address Book
missing views and, 63-42
PhoneLog setting
described, C-76
PHP
configuring a Web site for, 34-40
Pin lists
creating, 54-32
Ping, 27-38
troubleshooting and, 63-77
Pipelining commands
supporting via ESMTP, 28-96,
28-103 to 28-104
PKCS11_Library setting
described, C-77
Platform command
described, A-16
using, 52-28
Platform statistics
disabling, 52-30, C-77
displaying, 52-27
evaluating, 52-28
overview, 52-26
troubleshooting, 63-52
viewing, 52-30
Platform_Statistics_Disabled setting
described, C-77
Policies
assigning, 9-6, 9-40
child policy, 9-4, 9-34
creating, 9-7
examples, 9-4
exceptions, 9-3
for hosted organizations, 9-7, 12-4
with Notes synchronization, 17-6
overview, 9-1
planning, 9-6
troubleshooting, 63-109
types of, 9-2
viewing, 9-37 to 9-38
Policy documents
child policy, 9-34
creating, 9-32
deleting, 9-35
in a hosted environment, 13-4
names in, 9-32
Policy hierarchy
effective policy, 9-36
examples, 9-4
Policy settings
deleting, 9-35
described, 9-1
desktop, 9-14
editing, 9-35
groups, 6-9
inheritance, 9-4
registration, 9-7
security, 9-19
setup, 9-12
viewing, 9-38
in Web Administrator, 16-25
Policy Synopsis tool
using, 9-36
Policy viewer
described, 9-37
using, 9-38
Policy-based registration
with Notes synchronization, 17-6
POP3 Initialization Workload script
running, 62-27
sample, J-14
POP3 protocol
Domino mail server and, 26-5
in a hosted environment, 12-13
POP3 service
authentication and, 30-2
binding to an IP address, 2-47
changing default port
information for, 30-3
clients, 30-11
described, 30-1
DNS lookups, C-78
Internet domain names, C-79
mail commands, I-18, I-23
marking messages as read, C-79
message caching, C-78 to C-80
Notes port for TCP/IP, C-80
setting up, 30-2
starting, 30-3
updating configuration, C-78
POP3 users
activity logging, 57-10
allowing SMTP relays from, 28-82
creating mail files for, 30-10
enabling to send mail, 30-1
setting up, 30-7
POP3 Workload script
described, 62-26
running, 62-28
sample, J-14
POP3_Disable_Cache setting
described, C-78
POP3_Enable_Cache_Stats setting
described, C-79
POP3_Message_Stat_Cache_NumPer
User setting
described, C-80
POP3ConfigUpdateInterval setting
described, C-78
POP3DNSLookup setting
described, C-78
POP3Domain setting
described, C-79
POP3MarkRead setting
described, C-79
POP3NotesPort setting
described, C-80

Populate command
described, I-21
Port mapping
on partitioned servers, 2-53
Portals
creating for iNotes Web
Access, 32-3
portname_MaxSessions setting
described, C-80
troubleshooting
and, 63-59 to 63-60
Ports
adding, 2-36, 2-60
binding to IP
addresses, 2-46 to 2-47
cluster servers and, C-91
compressing data on, 2-42
configuring, 2-35, 28-66, 30-3, 31-5
controlling access to, 38-14
deleting, 2-40
disabling, 2-34
dropping connections, I-9
enabling, C-81
encrypting, 2-41
for LDAP service, 20-12
maximum sessions, C-80
names, 2-38
renaming, 2-38
reordering, 2-39, 2-45
Server Setup program
and, 2-2
SMTP, C-104
specifying, 4-16
SSL, 46-15, 2-55
starting and stopping, A-22
TCP, 2-55, C-110 to C-111
Ports setting
described, C-81
Ports, communication
options, 4-47
setting up, 4-34
POST command
restricting, 34-29
Pre-delivery agents
controlling, 28-9
Preferences
Domino Administrator, 16-5, 16-7
to 16-9, 16-11
Web Administrator, 16-24
Primary Domino Directory
changing to Configuration
Directory, 19-5
directory assistance
for, 23-26, 23-33
excluding from LDAP
searches, 23-27
Extended Directory Catalog
in, 24-28
preventing use as remote
primary, 19-8
Priority
mail routing and, 28-27
Private design elements
notifying user of change to, 5-57
Private keys
encryption and, 43-1
Notes certification, 39-2
Privileges
access level, 40-16
extended ACL, 25-3, 25-5
Probes. See Event generators
Profiles
Activity Trends, 54-22 to 54-25
Server Health Monitor, 54-13
Server monitor, 52-43, 54-13
statistic, 52-39
Program document
to compact ADMIN4.NSF, 15-27
naming conventions for, B-1
for scheduling Updall, 50-5
ProgramMode setting
described, C-81
Progressive rendering
Web images and, 34-24
Properties boxes
shortcut keys, H-5
Proxies
defined, 2-7
Domino passthru servers as, 2-8
HTTP, 2-7
Internet connections and, 4-22
specifying for Server Web
Navigator, 36-3
PTR records
in DNS, 28-71
Public access, 40-18
assigning, 40-18
Public Address Book, 19-1
passthru access, 38-17
server access, 38-4
Server documents, 39-25
Public documents, 40-18
access to, 40-18
Public folders
IMAP, 31-13, 31-15
Public keys
copying, 58-26, 63-96, F-6
creating, 39-23 to 39-24
cross-certification and, 39-33
described, 38-1, 39-2
encryption and, 43-1, 43-4
lost or stolen, 39-22
mailing, 39-25
replacing in address book, 39-23
restricting, 44-12
verifying, 39-25
Publishing
to database libraries, 51-3
LDAP schema, 21-20
PUBNAMES.NTF
copying, E-4
customizing, E-1
upgrading, E-22
Pull routing
configuring for dialup
connections, 27-60
Pull server command, 7-31
described, A-17
Pull-only replication
specifying, 7-23, C-95
Purge agent
enabling, 36-17
Server Web Navigator, 36-15
Purge interval
deletion stubs and, 7-12
setting, 28-33
Purge/Compact
method for managing size of Mail
Journaling database, 28-112
Push server command
described, A-19
Push-only replication
specifying, 7-23, C-95

Q
Quick console
Web Administrator and, 16-26
Quit command
described, A-20, I-22
Quotas
database, 61-23 to 61-24
enforcing, 28-16
mail, 28-10 to 28-11, 28-15
memory, C-67
replication and, C-13, C-83
setting Router controls for, 28-17
soft deletions and, 28-14
Quotas, mail
shared mail and, 29-4

R
R5 IMAP Initialization Workload
running, 62-17
R5 IMAP Workload script
described, 62-15
running, 62-18
sample, J-6
R5 NRPC Mail Initialization script
running, 62-21
R5 Shared Database script
described, 62-24
running, 62-25
sample, J-12
R5 Simple Mail Routing script
described, 62-20
running, 62-23
sample, J-9
RA. See Registration Authority
Ratings
Server Health Monitor, 54-5
Read command
described, I-22
Reader access
actions, 40-14
privileges, 40-16
Readers field
updating, 40-29
Realms
authentication and, 63-104
Receipts
configuring Internet, 28-116
Recertify Certificate Authority in
Domino Directory
administration request, F-47
Recommendation documents
Web Navigator
database, 36-11
Recovery. See IDs, recovering
Redirect URL command
finding links with, 34-27
Referrals
LDAP service and, 20-33, 23-11
Refresh agent
enabling, 36-18
using, 36-18
Register hosted organization
administration requests, F-48
Registration
customizing options, 17-8
existing Active Directory
users, 17-35
group member in Notes, 17-18
hosted organizations, 13-5,
13-8, 13-11
IMAP users, 31-23
Internet/intranet users, 42-3
Microsoft Management Console
and, 17-29
new Active Directory
groups, 17-39
new Active Directory
members, 17-33
setting preferences, 16-9
from a text file, 5-22
Windows NT
users, 17-1, 17-8, 17-12, 17-14
Registration Authority
tasks, 44-4
Registration policy settings
creating, 9-7
Registration settings documents
with Notes synchronization, 17-6
Relay hosts, 28-85
configuring, 27-58
defined, 27-8
restricting, 28-75 to 28-76, 28-81
using multiple, 27-33
Remote connections
setting up, 4-36
troubleshooting, 63-48
types of, 4-34
Remote console
Web Administrator and, 16-26
Remote primary directories
described, 18-2 to 18-3
preventing as, 19-8
how servers locate, 19-7
Remote server console
entering server commands, A-1
Remote servers
number of modems for, 4-33
topology, 4-3
topology example, 4-14
Remove certificate from Domino or
LDAP Directory request, F-49
Rename person
refusing name change, F-56
Rename Web user administration
requests, F-57
Repl_Error_Tolerance setting
described, C-82
troubleshooting and, 63-80
Repl_Obeys_Quotas setting
described, C-83
Replica IDs
assigning access by, 40-10
Replica stubs
described, 63-88
troubleshooting, 63-89
Replicas
access levels, 7-6
concurrent changes to, 58-8
controlling changes, 40-5
controlling creation of, 38-14
copying to servers, 48-2
creating, 7-9, F-8, I-19
creating for multiple
domains, F-77
deleting, 58-36
deleting documents from, 7-12
deletions, 63-89, 63-90
described, 7-1
limiting content, 7-12, 7-16
size of, 63-87
Replicas, directory
directory assistance
and, 23-20, 23-36
Replicate command
described, A-20, I-22
Replicate server command, 7-31
Replication
access levels, 7-6
activity logging, 57-10
CD-ROM updates, 7-17
customizing, 7-11, 7-22
database design and, 63-86
deleted documents, 7-7
described, 7-1, 7-3
direction, 7-23
directory catalogs, 24-32
disabling, 7-16, 7-32, 63-89
document size and, 7-14
from Domino
Administrator, A-19
Domino Directory, 19-17
editing conflicts, 63-91
enabling, 7-32
end-to-end topology, 4-8
enforcing consistent ACL, 40-28
error tolerance setting, C-82
examples, 7-19
forcing, 7-33
full-text indexes, 50-1
graphical display of
topology, 7-34
history, 58-6, 58-7
limiting time for, 7-29
log file, 58-8
manual, 7-31
monitoring, 58-6
multiple replicators, 7-30
NewReplicateDB
command, I-19
non-document elements, 7-15
one-way, A-17, A-19
preventing, 7-31, C-94
priority, 7-26, 7-28
Replicate command, A-20
scheduling, 7-24
selective, 7-12, 11-22, 15-27
server, I-22
setting up, 7-20
settings, 7-17 to 7-18
specific databases and, 7-27
specifying a group of
servers, 7-20
specifying dates, 7-13
statistics, 63-80
strategies, 4-6, 4-8
time limits, C-82
troubleshooting, 63-80
Web applications, 11-22
Replication conflicts
consolidating, 58-10
described, 58-8
Replication events
troubleshooting with, 63-2
Replication formulas
using, 7-14
Replication history
directory catalogs, 24-39, 24-45
specifying dates, 7-13
troubleshooting
with, 63-2, 63-80, 63-85
Replication priority
assigning, 7-16
Replication topology
binary tree, 4-9
clusters, 4-8
end-to-end, 4-8
hub-and-spoke, 4-6
peer-to-peer, 4-8
ring, 4-8
troubleshooting and, 63-80
viewing, 7-34
ReplicationTimeLimit setting
described, C-82
Replicator task
running concurrently, C-82
Replicators setting
described, C-82
Reply addresses
in Internet mail, 27-52
Report_DB setting
described, C-83
Reporter task
sending statistics, C-83
Reports
directory catalog, 24-49
mail usage, 33-2
REPORTS.NSF (Reports database)
creating, 33-4
ReportUseMail setting
described, C-83
Requests
managing certificate, 46-20
Web server, 34-55
Resent headers
using, 28-131
Reservations
deleting, 8-17
editing, 8-17
Resource balancing
in Activity Trends, 54-26
in Activity Trends,
setting up, 54-27
additional statistics, 54-46
analyzing distributions, 54-37
approval profile for, 54-59
charting options, 54-28
comparing, 54-39
creating plan constraints, 54-62
customizing, 54-36
database and server
locations, 54-27
database
moves, 54-32, 54-53, 54-55
and decommissioning a
server, 54-43
and Domino Change
Manager, 54-48 to 54-49
editing server properties, 54-43
evaluating server activity, 54-39
filtering servers, 54-45
goals, 54-30, 54-31
interpreting profile charts, 54-41
overview, 54-34
plan constraints explained, 54-61
plan documents for, 54-53, 54-57,
54-60 to 54-64
plan variables, 54-63
proposals for, 54-38, 54-47
viewing, 54-47
Resource document
creating, 8-9
editing and deleting, 8-13
plan notification messages, 54-64
Resource Reservations database
access rights, 8-8, 8-16
creating, 8-7
in a hosted environment, 14-12
synchronizing with Domino
Directory, F-5
troubleshooting, 63-46
using with a Web browser, 8-16
Resources
modify in directory request, F-31
troubleshooting, 63-45
types of, 8-9
Response hierarchy
performance and, 61-5
Response Log documents, 15-36
Response time
server, 60-3
Restart port command
described, A-22
Restart server command
described, A-23
Restart Task
described, A-23
Results database
database analysis, 58-38
from decommissioning a
server, 59-3
log events, 56-5, 56-7
RetrievePOP3Mail command
described, I-23
Retry interval
setting, 28-33
Return receipts
configuring, 28-116
Return-Receipt-To header
configuring for return
receipts, 28-116
Reverse DNS lookups
use in controlling inbound SMTP
sessions, 28-71
Rewind command
described, I-23
Rewind2 command
described, I-24
RFCs
LDAP service, 20-42
Ring topology
replication and, 4-8
Roaming files
moving, 5-77
Roaming users, 5-9
change from nonroaming, 5-70
change to nonroaming, 5-69
deleting, F-21
move request, F-42
registering, 5-13
updating from non-roaming, F-66
Roles, 40-20
creating, 40-21
Domino Directory, 19-10
troubleshooting, 63-20
Web Administrator
and, 16-20 to 16-21
Room resources
in the Resource Reservations
database, 8-9
modify in directory request, F-31
setting up, 8-9
Root DSE
searching, 21-20
Roots
default trusted, 46-11
Route command
unscheduled mail and, A-24
Router task
described, 26-6
reloading configuration of, 27-22
server crashes and, 63-100
stopping and starting, 27-4
RouterAllowConcurrentXFERToALL
setting
described, C-84
transfer threads and, 28-36
RouterDisableMailToGroups setting
described, C-84
RouterDSNForNULLReversePath
setting
described, C-85
RouterEnableMailByDest setting
described, C-85
Routers
configuring delivery
by, 28-8 to 28-9
connection costs and, 28-53
described, 26-8, 26-21, 27-1
mail file quotas
and, 28-16 to 28-17
MAIL.BOX databases and, 28-3
obeying database quotas, 28-10
shutting down, 27-5
SMTP, 27-37
Tell commands, A-54
TRACERT command and, 63-67
updating configuration, 27-22
Routing costs
setting, 28-39, 28-53
Routing table
described, 26-10
recalculating, 27-22
Routing task
described, 27-1
Routing. See Mail routing
RSA
trusted root, 46-11
RSVP
command for, I-24
RSVPInvitation command
described, I-24
RTR_Logging setting
described, C-86
Rules
mail, 28-113

S
S/MIME
encrypted, 47-13 to 47-15
setting up clients for, 47-1, 47-13
Sametime
setting up for iNotes Web
Access, 3-14
Save conflicts
consolidating, 58-10
described, 58-8
Sched_Dialing_Enabled setting
described, C-86
Sched_Purge_Interval setting
described, C-86
Schedule Manager
statistics, C-87
Tell commands, A-55
troubleshooting, 63-47
validation settings, C-87
Schedule_Check_Entries_When_
Validating setting
described, C-87
Schedule_No_CalcStats setting
described, C-87
Schedule_No_Validate setting
described, C-87
Scheduled replication
troubleshooting, 63-80, 63-84
Scheduled reports
mail, 33-15
Schedules
replication, 7-24
viewing for replication, 7-34
Scheduling
example, 8-2
server programs, B-2
setting up, 8-5
troubleshooting, 63-45
Scheduling Notes routing, 28-50
Schema
adding attributes, 21-13 to 21-14
adding syntaxes, 21-15
checking, 21-18 to 21-19
described, 21-1
Domino, 21-2
extending, 21-10, 21-17, E-3, E-7
to E-9, E-14, E-16, E-20
publishing, 21-20
root DSE searches, 21-20
viewing, 21-9
Schema daemon
described, 21-5
NOTES.INI settings, 21-21
Schema database
deleting documents, 21-17
described, 21-7
extended ACLs and, 25-7
extending schema
with, 21-13 to 21-17
views, 21-8 to 21-9
Schema entry
searching, 21-20
Schema_Daemon_Breaktime setting
described, C-88
Schema_Daemon_Idletime setting
described, C-88
Schema_Daemon_Reloadtime setting
described, C-88
Schema_Daemon_Resynctime setting
described, C-89
SCOS. See Shared mail
SCRIPT.DAT file
UNIX installation, 3-7
Scriptable setup
setting up Notes with, 5-52
Scripts
commands, 4-53
editing acquire and login, 4-51
keywords in, 4-52
making a call with, 4-50
Server.Load, I-1
Search filters
Directory Assistance
documents, 23-46
Search forms
adding categories to, 10-10
bookmarks and, 10-18, 10-20
customizing, 10-18
Web clients and, 10-20
Search order
directories, 18-15 to 18-17
directory assistance, 23-16
Search results
access to, 10-12
filtering, 10-13
titles in, 10-19
Web server, 34-26
Searching
domains, 10-1
encrypted fields, 50-2
file systems, 10-9
SearchMax
number of documents to
display, 34-26
Secondary directories
directory services for, 18-12
LDAP service, 18-4
Secondary Domino Directory
Administration Process
support, 15-7
described, 23-1
directory assistance
and, 23-3, 23-8, 23-33
LDAP service, 23-10
name lookups, C-68
Secondary name servers
adding in Notes, 2-44
Secure_Disable_FullAdmin setting
described, C-90
SecureMail setting
described, C-90
Security
adding cross-certificates on
demand, 39-32
anonymous access, 42-25
application, 37-14
application design element, 37-15
authenticating
clients, 31-24, 46-25
certificates, 39-2
certifier IDs and, 1-9
database, 10-12, 40-19
database access for SSL
clients, 46-19
databases, 38-14
directory links, 49-1
Domino Directory and, 18-7, 19-9,
20-16, 20-22 to 20-23
Domino Off-Line Services, 11-7
encryption, 2-6, 43-1
encryption defined, 43-4
full-text indexes and, 50-2
ID recovery, 39-14, 39-17
IDs and, 37-16, 39-1
for Internet/intranet clients, 31-24
in a hosted environment, 12-3
iNotes Web Access, 32-1, 32-8
Internet passwords and, 42-24
Internet transactions and, 40-31
Internet/intranet clients, 42-27
keys, 39-2, 43-1
mail, 21-5, 28-68, 29-4
mail encryption, 43-7
mail journaling and, 28-110
name-and-password access, 42-19
name-and-password
authentication for Web
clients, 42-6
network, 2-6 to 2-7, 2-9
Notes IDs and, 39-1 to 39-2, 39-25
offline users, 11-7, 11-10
overview, 37-1
passwords, 39-4
planning, 2-6, 37-11
port access, 38-14
public and private keys, 39-2
public keys, 39-22, 43-4
renewing an expired
certificate, 46-21
server, 38-23
server key ring file, 46-3
Server Web Navigator, 36-8
setting up, 37-1
setting up a Domino 5 certificate
authority, 45-1
setting up a Domino CA
server, 45-1
setting up anonymous
access, 42-26
setting up clients for
S/MIME, 47-13
setting up clients for SSL client
authentication, 47-18
setting up clients for SSL server
authentication, 47-3
setting up Person documents for
Internet clients using SSL
client authentication, 47-20
setting up SSL server
authentication using
SMTP, 47-22
signatures and, 43-11
SNMP, 53-5
SSL, 46-1
SSL server certificate, 46-5
trusted root certificates, 47-3
verifying passwords, 39-8
verifying public keys, 39-25
virtual Web servers, 3-42
Web Administrator, 16-18
workstation, 41-1
Security policy settings
creating, 9-19
Selection formulas
directory catalogs and, 24-20
Selective replication
setting up, 11-22
Selective replication formulas
preventing replication of
ADMIN4.NSF, 15-27
Self subject
extended ACL, 25-11
Self-certified certificate, 46-22
Send copy to mail rule
disabling, 28-9
SendMessage command
described, I-24
SendSMTPMessage command
described, I-25
Server access
anonymous, 38-13
customizing, 38-7
data directory, 49-4
denying, 38-4, 38-7
passthru, 38-17
troubleshooting, 63-91
Server administrators
changing name of, 59-1
Server certificates
changing expiration date, 3-32
merging into key ring file, 46-12
Server Certificate Administration
requesting certificate, 46-5
setting up, 46-3
Server commands
Agent Manager and agents, 63-12
entering from the UNIX
command line, A-8
redirecting command
output to, A-2
table of, A-10
troubleshooting with, 63-2
Server comparisons
when decommissioning a
server, 59-5
Server console
commands, I-8
described, A-1
using at server, A-2
Server Console Configuration
document
settings in, 52-21
Server crashes
database indexes and, 63-99
fault recovery, 55-10
hosted organizations and, 14-11
troubleshooting, 63-96
Server documents
access lists, 38-2
build number in, F-47
CPU count field, F-64
creating for NDS, G-7
database creation, 38-14
directory catalogs and, 24-8
DNS resolves in NRPC and, 2-12
network settings in, 2-36
protocol field, F-66
specifying international
settings, 34-31
time-out settings for Web, 34-53
troubleshooting, 63-39
verifying public keys, 39-25
Server failures
customizing message for, 28-46
Server files
controlling Web browser access
to, 38-23
Server Health Monitor
configuring, 54-6
excluding servers, 54-15
overview, 54-2
performance of, 54-12
profiles, 54-13
ratings, 54-5
reports, 54-11 to 54-12
selecting server components, 54-9
setting up, 54-7
starting, 54-8
statistics, 54-3, 54-13, 54-16
threshold values, 54-10
using, 54-8
viewing in Domino server
monitor, 54-14
Server IDs
defined, 39-1
overview, 39-1
recertifying, 59-9
replacing, 63-96
security and, 39-25
server access and, 63-95
specifying, C-92
Server key ring files
creating, 46-3
Server monitor
adding a task, 52-43
adding servers, 52-44
changing default settings, 16-8
overview, 52-40
profiles, 41-13, 52-44, 54-13
Server Health monitor, 54-2
starting, 52-41
using, 52-44
views, 52-41
Server names
deleting, 59-8
finding in domain, 59-11
IP names and, 2-14, 2-22
upgrading to hierarchical, 59-10
Server ports
access to, 38-14
Server programs
SSL and, 46-1
Server protocol information
updating, F-66
Server registration
administration requests, F-59
Server security, 38-23
Server setup profiles
creating, 3-21
silent, 3-25
using, 3-22
Server Statistic Collection
document
creating, 52-25
Server tasks
adding, 52-43
monitoring, 52-1, 52-44
running, B-1
scheduling, B-2
settings for, C-97 to C-98
SSL and, 46-1
status level, 52-42
table of, B-3
Server topology
planning, 1-2
Server Web Navigator
about the Averaging agent, 36-19
access to Internet services, 36-7
changing appearance of
pages, 36-12
controlling access to sites, 36-6
customizing, 36-6
described, 36-1
displaying authors, 36-12
displaying HTML source, 36-13
managing size of database, 36-16
moving out of data
directory, 36-14
private page access, 36-5
proxies, 36-3
renaming database, 36-14
retrieval settings, 36-6
setting cache options, 36-18
setting up, 36-2
starting and stopping, 36-3
Server.Load
agents, 62-4
capacity planning with, 60-2
changing script variables, 62-10
described, 62-1
metrics, 62-7, 62-10
modifying built-in scripts, 62-11
setting stop condition, 62-10
setting up, 62-12
test parameters, 62-6
testing commands, 62-11
troubleshooting, 63-110
Server.Load scripts
built-in, 62-2, 62-11, 62-14 to
62-15, 62-20, 62-24, 62-26,
62-30 to 62-31
commands, 62-11, I-1
critical region, I-4, I-10
custom, 62-3, 62-11
list of, 62-2, J-1
loops, I-4 to I-5
pausing, I-21
restarting, I-23 to I-24
running, 62-3, 62-11, 62-14, 62-17
to 62-18, 62-21, 62-23, 62-25,
62-27 to 62-28, 62-30, 62-34
samples, J-1
stop conditions, 62-10
variables, 62-10
Server_Availability_Threshold
setting
described, C-91
Server_Cluster_Default_Port setting
described, C-91
Server_Console_Password setting
described, C-92
Server_Max_Concurrent_Trans
setting
described, C-93
Server_MaxSessions setting
described, C-93
troubleshooting
and, 63-59 to 63-60
Server_Restart_Delay setting
described, C-96
Server_Restricted setting
described, C-96
Server_Session_Timeout setting
described, C-96
Server_Show_Performance setting
described, C-97
Server-based certification authority
creating an Internet CA, 44-8
ServerKeyFileName setting
described, C-92
ServerName setting
described, C-94
ServerNoReplRequests setting
described, C-94
preventing replication with, 7-31
ServerPullReplication setting
described, C-95
ServerPushReplication setting
described, C-95
Servers
access, 38-2, 38-4
access levels for, 7-6, 40-13
access to databases, 7-5
adding hosted organizations
to, 14-2
adding to clusters, F-5
administering, 16-4
backing up, 63-7
capacity, 60-3
changing administrator of, 59-1
configuring for LANs, 2-19, 2-32,
2-43, 2-58, 2-61
configuring for NDS, G-6
connecting, 4-1, 4-4
database creation, 38-14
decommissioning, 54-43, 59-3,
59-12
delete requests
for, F-25, F-78, F-81
deleting hosted organizations
from, 14-3
Domain Search requirements,
10-2
editing properties for resource
balancing, 54-43
encrypting mail files, 43-8
environment for service
providers, 12-1
evaluating for resource
balancing, 54-39
filtering for resource
balancing, 54-45
functions, 1-2
Health reports, 54-11 to 54-12
hierarchical names, C-94
installing, for hosted
environments, 13-2
limiting replication time, 7-29
limiting transactions, C-93
managing, 59-1
maximum sessions, C-93
naming, 1-3, 2-14 to 2-17, 2-19,
2-29, 2-31 to 2-32
partitioned, 1-6, 2-21, 2-53, 59-13
passthru, 2-8, 4-23, 38-17
password checking on, 39-12
performance, 60-3
performance tools for, 54-2
proxy, 2-7
recertifying, F-47
registering, 3-29
remote connections, 4-3, 4-34
removing from cluster, F-49
renaming, F-68, F-87
replicating groups of, 7-20
restarting, A-23, C-96
secondary name, 2-44
setup address, C-99
setup name, C-99
SSL connections, 46-18
swap file, C-109
time-out setting, C-96
topology, 4-6, 4-9
tracing connections, 63-77
troubleshooting mail
routing, 63-43
UNIX performance, 60-14
verifying public keys, 39-25
viewing health of, 54-14
Windows, performance, 60-13
Servers, external
access levels for, 7-7
Servers, partitioned
SNMP and, 53-9
ServerTasks setting
described, B-2, C-97
ServerTasksAt setting, B-2
ServerTasksAt2 setting, 50-4
ServerTasksAthour setting
described, C-98
Service providers
Activity Logging
for, 13-23 to 13-24
and DNS outages, 14-11
Domino features for, 12-4
environment example, 12-16
Global Web Settings documents
for, 13-21
mail and directory protocols
for, 12-13
managing users, 14-14
security for hosted
organizations, 12-3
server environment for, 12-1
server options, 12-2
setting up environment for, 13-1
using the Resource Reservations
database, 14-12
Web Administrator and, 16-26
Servlets
managing on Web server, 34-13
Sessions
closing, I-25
IMAP, 31-9, 31-19
opening, I-26
SessionsClose command
described, I-25
SessionsOpen command
described, I-26
Set Configuration command
described, A-25
troubleshooting, 63-91
Set directory filename request, F-60
Set Rules command
described, A-25
Set SCOS command
described, A-25
Set Secure command
described, A-26
Set Statistics command
described, A-27
Set user name and enable schedule
agent request, F-61
Set Web admin fields
request, F-61
Set Web user name and enable
scheduled agent, F-61
SetCalProfile command
described, I-26
SetContextStatus command
described, I-26
Setup policy settings
creating, 9-12
Setup profiles
creating, 3-21
silent, 3-25
using, 3-22
Setup program. See Domino server
Setup setting
described, C-98
Setup=AT command
troubleshooting and, 63-48, 63-51
SetupDB setting
described, C-99
SetupServerAddress setting
described, C-99
SetupServerName setting
described, C-99
Shared installation, 5-43
Shared mail
clusters and, 29-20
described, 29-1, 29-5
disabling, 29-25
excluding mail files, 29-17
including mail files, 29-17
linking mail files to, 29-15
managing, 29-11, 29-21
moving mail files and, 29-21
object store, 29-1
replicated mail files and, 29-19
restoring, 29-23
security, 29-4
settings, C-100
statistics, 29-13
troubleshooting, 63-39
using for transfer and
delivery, 29-8
Shared mail databases
deleting, 29-24
inactive, 29-2
purging obsolete messages
from, 29-22
setting up, 29-5, 29-9 to 29-11
using multiple, 29-2
Shared_Mail setting
described, C-100
Shell commands
using, A-3
Shortcut keys
for accessibility, H-1
for cursor, H-8
database, H-4
dialog box, H-5
document, H-6, H-7, H-8
Domino Administrator, H-3
properties box, H-5
views, 58-21, H-10
Show Allports command
described, A-27 to A-28
Show Cluster command
described, A-29
Show Configuration command
described, A-29
Show Directory command
described, A-30
Show Diskspace command
described, A-30
Show Heartbeat command
described, A-32
Show Memory command
described, A-32
Show Opendatabases command
described, A-32
Show Performance command
described, A-33
Show Port command
described, A-33
Show Schedule command
described, A-34
Show SCOS command
described, A-35
Show Server command
described, A-36
Show Stat command
described, A-37
using, 52-28, J-4
Show Stat Platform command
described, A-38
using, 52-27
Show Tasks command
described, A-39
Show Transactions command
described, A-39
Show Users command
described, A-41
Show Xdir command
described, A-41
directory assistance and, 23-60
Signatures
described, 43-9
sent mail and, 43-11
Signing
databases and templates, 48-7
defined, 43-9
documents and mail, 43-9
dual Internet certificates
and, 47-17
Silent install
UNIX, 3-7
Single sign-on
configuring, 42-13 to 42-14, 42-18
configuring for a Web Site, 42-17
Domino and WebSphere, 42-12
troubleshooting, 63-106
Single-copy object store. See Shared
mail
Site documents. See Internet Site
documents
Site Profile document
creating, 8-9
Size
attachments, 7-14
Console Log file, C-16
database, 61-12 to 61-13
database cache, 61-9, C-74
Extended Directory
Catalog, 24-26
increasing database, 61-23
index, 50-3
Java heap, C-46 to C-47
Java stack, C-48
mail file, 28-11
MIME message, C-40
NSF buffer pool, C-73
replica, 7-12, 63-87
Server Web Navigator
database, 36-16
transaction log, C-113
SIZE extension
enabling, 28-96, 28-103 to 28-104
Size quotas
database, 61-23 to 61-24
mail, 29-4, 28-10, 28-15 to 28-16,
28-28, 28-55
Smart hosts
for mail routing, 27-5, 27-43
SMIME_Strong_Algorithm setting
described, C-100
SMIME_Weak_Algorithm setting
described, C-101
SMTP
activity logging, 57-10
binding to an IP address, 2-47
changing default port
information
for, 28-58, 28-60, 28-66
IMAP clients and, 31-1
in local Internet domain, 27-39
mail commands, I-25
requirements for routing, 28-2
restricting inbound connections,
28-71, 28-75
setting up SSL server
authentication, 47-22
setting up SSL server
authentication for Notes and
Domino using, 28-68
using inside the local Internet
domain, 26-23
using outside the local Internet
domain, 26-24, 27-38
SMTP addresses
inbound lookup, 27-47
SMTP configuration
updating, 27-65
SMTP connection documents
creating, 27-34
SMTP Initialization Workload script
running, 62-27
sample, J-14
SMTP Listener task
enabling or disabling, 27-41
starting and stopping, 28-57
SMTP protocol
DNS and, 26-25
Domino mail server and, 26-3
mail routing and, 26-21, 27-37
SMTP routing
configuring multiple relay
hosts, 27-58
customizing, 28-57
relay hosts and, 27-33
SMTP Workload script
described, 62-26
running, 62-28
sample, J-14
SMTP_Config_Update_Interval
setting
described, C-102
SMTPAllHostsExternal setting
described, C-101
SMTPDebug setting
described, C-102
SMTPDebugIO setting
described, C-103
SMTPExpandDNSBLStats setting
described, C-103
SMTPGreeting setting
described, C-104
SMTPMaxForRecipients setting
described, C-105
SMTPMTA_Space_Repl_Char setting
described, C-105
SMTPNotesPort setting
described, C-104
SMTPNoVersionInRcvdHdr setting
described, C-104
SMTPRelayAllowHostsandDomains
setting
described, C-106
SMTPSaveImportErrors setting
described, C-106
SMTPStrict821AddressSyntax setting
described, C-107
SMTPStrict821LineSyntax setting
described, C-107
SMTPTimeoutMultiplier setting
described, C-108
SMUX protocol
and SNMP Agent, 53-14
Snap-in registry values
configuring, G-3
SNMP
Domino events, 53-4
floating-point support, 53-7
INI file configuration, 53-9
MIB, 53-5
on partitioned servers, 53-9
overview, 53-1
security, 53-5
traps, 53-21 to 53-23
troubleshooting, 53-10
using Domino MIB with, 53-21
SNMP Agent
alerts, 53-2
Sockets
IPX/SPX addresses and, 2-62
SOCKS proxy
connecting Server Web Navigator
through, 36-3
Soft deletions
defined, 61-8
effect on quotas, 28-14
expiration time, 61-8, F-70
Solaris
configuring partitioned
servers, 2-51
configuring SNMP Agent
for, 53-14
Soundex
directory catalogs and, 24-30
Space Saver settings
in Administration Requests
database, 15-27
Spamming
preventing, 28-20, 28-70, 28-75,
28-90, C-101
Spoofing
preventing, 28-71
SPX. See IPX/SPX
SSL
authenticating clients, 9-37, 28-60,
31-2, 31-6, 46-25
Certificate Authority server
and, 45-5
client authentication, 47-18
creating a self-certified key
ring, 46-22
database access for clients, 46-19
default Domino trusted
roots, 46-11
features, 46-1
forcing connections, 46-18
in a hosted
environment, 12-4 to 12-13
Internet security and, 40-31
LDAP directories and, 23-43
LDAP lookups, 47-23
LDAP service and, 20-12
merging certificates, 46-9
merging server certificates, 46-12
NOTES.INI settings, 46-19
overview, 46-1
passwords, 42-3, 42-24
Person documents for client
authentication, 47-20
resuming sessions, 46-19
server authentication and, 47-3
server authentication using
SMTP, 47-22
server certificate request, 46-5
server tasks, 46-1
setting up clients for, 47-1
setting up for Web
Navigator, 36-8
setting up test site, 46-22
virtual servers and, 3-42
SSL certificates
client, 47-3, 47-21
creating a Certificate
Authority, 45-2
marking as trusted root, 46-21
publishing in Person
records, 47-21
removing trusted roots, 46-21
renewing, 46-21
viewing information, 46-20
SSL ciphers
restricting, 46-23
SSL key rings
creating a key ring and certificate
request, 45-2
creating a self-certified key
ring, 46-22
SSL server authentication
setting up clients for, 47-3
SMTP, 28-96, 34-23, 47-22
trusted root certificate for, 47-3
SSL servers
protocol version, 46-15
setting up application, 46-3
setting up on server, 46-2
setting up test site, 46-22
SSL_Resumable_Sessions setting
described, C-109
SSL_Trace_KeyFileRead setting
described, C-109
SSLCipherSpec setting
described, C-108
Stamp command
described, I-26
Start Consolelog command
described, A-43
Start Port command
described, A-44
STARTTLS extension
enabling for SMTP, 28-68
enabling for SMTP
inbound, 28-96
Stash files
setting up for SSL, 46-5
Statistic alarms
reporting, 52-9
for Server Health Monitor, 54-10
Statistic Collector
Tell commands, A-57
Statistic Collector task
described, 52-24
Statistic documents
creating, 52-32
Statistic event generator
creating, 52-9
Statistic profiles
charting, 52-37
creating, 52-31, 52-36
modifying, 52-39
Statistic thresholds
viewing, 52-32
Statistics
Activity Trends, 54-22
Administration Process, 15-35
charting, 54-16, 54-25, 52-36
creating documents for, 52-32
database activity, 58-12
database archives and, 61-26
database cache, 61-10
default thresholds, 52-32
directory assistance, 23-60
exporting to spreadsheet, 52-34
LDAP service ports, 20-38
mail-in, 52-35
modifying, 52-32
monitoring, 52-24, 52-31
platform, 52-26, 52-28, 52-30
for resource balancing, 54-46
Server Health
Monitor, 54-3, 54-13
Server.Load, 62-7
Set Statistics command, A-27
setting preferences
for, 16-11, 52-25
shared mail, 29-13
viewing, 52-28, 52-30, 52-32
Windows NT Performance
Monitor, 17-23
Statistics Collector
overview, 52-1
Statistics reports
viewing, 52-31
Statlog task
database activity
reporting, 58-11, C-72
statistics, 58-12
user activity reporting, 58-13
STH files
setting up for SSL, 46-5
Stop Consolelog command
described, A-44
Stop Port command
described, A-44
Stop triggers
setting, 52-22
Storage format, mail file
setting for IMAP
users, 31-3, 31-23, 31-35
setting for POP3 users, 30-7
Store CA policy information in
Domino Directory
request, F-62
Store certificate in Domino or LDAP
directory request, F-62
Store Certificate Revocation List in
Domino or LDAP directory
request, F-63
Store directory type in server record
request, F-63
Store server's DNS host name in
Server record request, F-64
Structural object classes
described, 21-2
Subjects
extended ACL, 25-9, 25-17
Subscriptions, offline
overview, 11-1
SwapPath setting
described, C-109
Synchronization
enabling, 17-27
Notes and Windows 2000
users, 17-25, 17-38
Notes and Windows NT
users, 17-1 to 17-3, 17-5
Syntaxes
adding to schema, 21-15
LDAP, 21-2, 21-4
System administrators, 38-8
System and application templates
table of, D-1
System mail rules
setting, 28-20

T
Tables
forms and, 61-4
Targets
extended ACL, 25-12 to 25-14,
25-17, 25-30
Task status event generator
creating, 52-10
TCP server event generator
creating, 52-11
TCP/IP
Domino Internet services
and, 2-47
frame types, 63-68
importance of Notes port
order, 2-45
IPv6 standard, 2-25, 2-45
multiple IP addresses for
servers, 2-12, 2-19, 2-22
name resolution in, 2-15
name resolution in NRPC, 2-11,
2-16 to 2-17, 2-19, 2-22
Notes port for, 2-34 to 2-36, 2-38,
2-39 to 2-42, 2-46
NOTES.INI settings, 2-64
partitioned servers and, 2-21
passwords, 42-3, 42-24
planning server
configurations, 2-10
port mapping, 2-53, 63-78
port numbers, 2-55
redirect to SSL, 31-7, 46-18
Secondary name servers, 2-44
security, 2-9
setting up servers
on, 2-19, 2-32, 2-43
testing, 2-56
time-out setting, 2-45
troubleshooting, 63-56, 63-107
TCP/IPportname_PortMappingNN
setting
described, C-110
TCP/IPportname_TCPIPAddress
setting
described, C-111
TCP_EnableIPV6 setting
described, C-110
Tell commands
Administrator Process, A-46
Agent Manager, 63-12, A-47
CA process, A-48
Change Manager, A-50
Cluster Replicator, A-51
described, A-45
Directory Cataloger, A-53
LDAP service, A-53
Router, 27-5, 27-22, A-54
Schedule Manager, A-55
SMTP, 27-65, A-56
Statistic Collector, A-57
troubleshooting, 63-91
Web Navigator, A-57
Web Server, A-57
Telnet
and UNIX installation, 3-5
Temp_Index_Max_Doc setting
described, C-111
Templates
Domino Off-Line Services, 3-11
signing, 48-7
system and application, D-1
updating databases with, 58-24
Temporary directory
changing for view
rebuilding, 58-22
Terminated users
deleting from system, 40-23
Terminations group
adding names to, 40-6
creating, 6-8
Text
in Server Web Navigator, 36-12
Text files
for Domino Web server log, 56-10
redirecting command output
to, A-2
setting up for registration, 5-23
Third-party relays
defined, 28-76
Threads
DIIOP and, 34-11
IMAP service, 31-19
transfer, 28-33, 28-36
Web server, 34-55
Threads, Administration Process
changing number of, 15-29
Time zones
and replication, 7-24
Time-out settings
IMAP service, 31-9
LDAP service, 20-28
message, 28-37
server, C-96
SMTP, C-108
specifying for Web, 34-53
TCP/IP, 2-45
TimeZone setting
described, C-112
Titles
replication and, 63-87
window, C-120
TLS (Transport Layer Security)
for SSL, 28-68
Tools
Active Directory Domino
Upgrade Service, 17-25
administration, 16-16 to 16-17
Agent log, 63-13
for troubleshooting, 63-2
monitoring servers and, 52-1
server performance, 60-2
Topology
creating a passthru, 4-25
replication and, 4-8
Topology maps task
starting, 7-34
update frequency, C-112
Topology_WorkInterval setting
described, C-112
Trace command
described, A-59
TRACERT command
using for TCP/IP, 63-67
Tracing
mail, 63-2
network connections, 63-77
passthru connections, 63-79
Tracking messages
configuring the server for, 33-8
from the Domino
Administrator, 33-10
Mail Tracking Collector task, 33-5
overview, 33-1
Transaction logging
database changes, 58-25
disabling, 55-8
disk space and, C-115, 55-8
enabling, C-114
log location, C-113
log size, C-113
logging style, C-114
overview, 55-1
performance, C-113
planning for, 55-4
recovery, 14-11, 55-9
setting up, 55-5
settings, 55-7
shared mail and, 29-3
troubleshooting, 63-102
using, 55-3
Transactions
disabling, A-22, A-44
Transfer failures
non-delivery reports and, 28-37
Transfer threads
setting maximum number
between servers, 60-11
specifying messages to
journal, 28-36
Transferring messages
controlling, 28-26
using shared mail, 29-8
Transform file
creating, 5-47
Transform files
applying, 5-50
for end-user installations, 5-50
installation options with, 5-49
TRANSLOG_MaxSize setting
described, C-113
TRANSLOG_Path setting
described, C-113
TRANSLOG_Performance setting
described, C-113
TRANSLOG_Status setting
described, C-114
TRANSLOG_Style setting
described, C-114
TRANSLOG_UseAll setting
described, C-115
Troubleshooting
Administration
Process, 63-8, 63-11
Agent Manager and agents, 63-12
Certificate Authority, 63-101
database corruption, 58-26
database performance, 63-16
Directories, 63-21
Directory assistance, 63-21
Directory catalogs, 63-25
disk space problems, 63-86
Domino, 63-1
Domino SNMP Agent, 53-24
extended ACLs, 25-30, 63-34
Fixup task, 58-26
IPX/SPX, 63-70
LDAP service, 63-31
Location documents, 63-42
Lotus Support Services and, 63-4
mail routing, 63-36
meeting and resource
scheduling, 63-45
modems, 63-48
Network dialup
connections, 63-74
NOTES.INI, 63-43
NRPC, 63-55
NSD log files and, 63-101
partitioned servers, 63-78
Passthru connections, 63-79
Personal Address Book, 63-42
platform statistics, 63-52
remote connections, 63-48
replication, 63-80
server access, 63-91
server crashes, 63-96
Server.Load, 63-110
shared mail, 63-44
SNMP, 53-10
tools, 63-2, 63-57
transaction logging, 63-102
Web Administrator, 63-104
Web client authentication, 63-21
Web Navigator, 63-104
Web servers, 63-104
workstation setup, 63-42
Trusted naming rules
directory assistance and, 23-14
Trusted root certificates
accepting server CAs
certificate, 46-9
default Domino SSL, 46-11
removing, 46-21
SSL authentication and, 47-3
viewing information, 46-20
Type-ahead addressing
condensed directory catalogs
and, 24-29
disabling, 28-6
troubleshooting, 63-27

U
Undeliverable mail
generating non-delivery reports
for, 28-37
holding in
MAIL.BOX, 28-40 to 28-41
Unicode
LDAP service and, 20-3
Unit numbers
NetBIOS ports and, 2-58
UNIX
accessing the server console, A-8
directory for entering
commands, 3-2
installation on, 3-4
server performance, 60-14
Unread command
described, I-27
Unread marks
allowing IMAP users to change
other users, 31-17
performance and, 61-3, 63-18
setting, I-27
Unwanted commercial e-mail
preventing, 28-20, 28-70,
28-75, 28-90
Updall task
commands, 58-16
indexes, 58-15
options, 58-16
running, 58-19
scheduling, 50-4 to 50-5
Update client information in Person
record, F-64
Update command
described, I-27
Update Config command, 27-65
described, 27-22
Update task
directory indexer, 58-15
indexes, 58-14
running, 58-21
Update user from non-roaming to
roaming user
administration requests, F-66
Update_No_BRP_Files setting
described, C-115
Update_No_Fulltext setting
described, C-115
Update_Suppression_Limit setting
described, C-116
Update_Suppression_Time setting
described, C-116
Updaters setting
described, C-116
UpgradeApps setting
described, C-117
URLs, 34-3
categorizing for Domain
Search, 10-21
in Server Web Navigator, 36-12
mailed to SSL server
administrators, 45-4
redirecting, 34-27
retrieving information from, I-28
troubleshooting, 63-108
UseFontMapper setting
described, C-117
User accounts
creating in Windows NT, 17-12
deleting, 17-22
User activity
reporting, 58-13
statistics, 58-11
User authentication
registering Internet/intranet
users, 42-3
User IDs
adding alternate name, 5-40
defined, 39-1
passwords, 39-4
recertifying, 5-82
security and, 39-25
User information
synchronizing in Notes and
Windows NT, 17-1
User Management, 5-54
User name failures
customizing message for, 28-46
User names
aliases, 40-7
categorizing by corporate
hierarchy, 19-13 to 19-14
changing, 5-56
deleting, 5-73, 17-42
deleting with Web
Administrator, 5-75
editing, 40-23
finding in domains, 5-85, F-29
moving in the organization name
hierarchy, 5-61
renaming, 5-57, 5-61
upgrading from flat to
hierarchical, 5-67
Web, 40-30
wildcards in, 40-4
User Preferences
troubleshooting, 63-42
User registration
Advanced, 5-13
Advanced from the Web
Administrator, 5-31
alternate names, 5-41
Basic, 5-11
Basic from the Web
Administrator, 5-28
customizing, 5-4
default settings, 5-9
explained, 5-2
from a text file, 5-22
Internet-only users, 5-37
non-Notes users, 5-37
roaming, 5-13
types of, 5-7
Web, 5-8, 5-27, 5-31
User rules mail forwarding
disabling, 28-9
User types
assigning to ACL, 40-19
Users
access levels, 40-1, 40-11
anonymous, 40-8
configuring for TCP/IP, 2-44
managing, 5-54
migrating from external mail
system or directory, 5-8
recertifying, F-48
registering, 5-2, 16-25,
17-33, 17-35
renaming, 17-41, F-51, F-84
restricting in clusters, 60-6
terminated, 40-6
UTF-8
LDAP service and, 20-32
UTF-8 locale
in a hosted environment, 13-8

V
Validation, 38-1
Internet/intranet
clients, 42-27
Verbose logging
mail, 28-7
Web servers, C-119 to C-120
VeriSign
trusted root, 46-11
Version numbers
identifying, C-98
View indexes
updating, 58-14
View_Rebuild_Dir setting
described, C-119
ViewExp<number> setting
described, C-118
ViewImp<number> setting
described, C-118
Views
adding documents, J-1
Administration Requests
database, 15-19
Close command, I-8
creating, 40-17
customizing in Domino
Directory, E-2, E-5
in Server Web Navigator
database, 36-12
keyboard shortcuts for, 58-21
logging, 55-9
navigating, I-10
opening, I-20
performance and, 63-18
purging database, 58-23
rebuilding, 58-22, C-119
searching in, I-11
shortcut keys, H-10
troubleshooting, 63-42, 63-99
updating, J-3, I-16
Virtual servers
Web site hosting, 34-17
Virtual Web servers
partitioned servers and, 2-49
security, 3-42
Viruses
protection against, C-71

W
WANs
integrating Domino with, 2-2
network compression
and, 2-42
Web
access levels, 40-13
anonymous users, 40-8
restricting amount of data
sent, 34-29
Web access
improving, 60-10
Web Administrator
access, 16-18, 16-20
configuring, 16-17
creating groups with, 6-4
Domino Console, Domino
Controller and, 16-28
entering server commands, A-1
in a hosted
environment, 14-15 to 14-16
managing policies, 16-25
managing the ACL with, 40-24
message tracking, 16-27
re-creating database, 63-109
registering users, 16-25, 5-27, 5-31
remote console, 16-26, A-7
resizing and, 63-109
roles, 16-20 to 16-21
service providers and, 16-26
setting preferences, 16-24
signing out, 16-27
starting, 16-22
troubleshooting, 63-108
using, 16-17, 16-23
Web applications
enabling for offline
use, 11-1 to 11-2
replicating, 11-22
Web browsers
controlling access from, 38-23
restricting access to links, 49-4
Web client authentication
restricting, 42-19
troubleshooting, 63-21
Web Idle Workload script
described, 62-30
running, 62-30
sample, J-15
Web mail files
delegating access to, F-10
Web Mail Initialization Workload
script
sample, J-15
Web Mail Workload script
described, 62-31
running, 62-34
sample, J-16
Web Navigator
changing appearance of
pages, 36-12
customizing, 36-6, 36-11
described, 36-1, 36-10
displaying authors, 36-12
managing size of, 36-16
moving out of data
directory, 36-14
renaming, 36-14
setting cache options, 36-18
starting and stopping, 36-3
Tell commands, A-57
troubleshooting, 63-107
Web Navigator SSL
setting up, 36-8
Web pages
mailto, 36-9
rated, 36-19
retrieving with Web
Navigator, 36-1
updating for Server Web
Navigator, 36-18
Web server messages, 34-48
customizing, 34-48, 34-50 to 34-51
Web servers, 34-1, 34-26
activity logging, 57-4
creating links on, 49-1
creating secure Web
applications, 34-3
features, 34-2
interactive Web applications, 34-3
listing files on, 63-105
logging, 56-8
performance, 34-52 to 34-56
processing requests, 34-55
running Web agents on, 34-54
security, 34-9
setting Domino to work
with, 35-1
setting up logging, 56-9
Tell commands, A-57
troubleshooting, 63-104
Web application
development, 34-3
Web set soft deletion expire time
request, F-70
Web Site authentication realm
creating, 34-45
described, 34-45
Web Site Authentication Realm
document
defined, 34-45
Web Site documents
configuring for hosted
organization, 13-20
creating, 34-17
DOLS and, 3-12
file protection and, 34-42
in a hosted environment, 13-18
language preferences, 34-31
setting up session authentication
for, 34-23
Web Site Rule documents
creating, 34-38
described, 13-19, 34-34
in a hosted environment, 13-21
Web sites, 34-38, 34-42
authentication
and, 34-23, 34-45
controlling access to, 36-6
hosting, 34-17
Lotus Support Services, 63-4
multiple, on a server
partition, 2-49, 34-20
Web task
Server Web Navigator
and, 36-3
troubleshooting, 63-108
Web tours
Web Navigator
database, 36-11
Web user
registering, 5-8
Web user preferences, 34-30
cookies, 34-30
regional settings, 34-30
Web users
authenticating, 40-7
controlling access, 40-30
renaming, 5-66
WEB.NSF
renaming, 36-14
WEBADMIN.NSF
configuring, 16-17
securing, 16-18
WebAuth_Verbose_Trace setting
described, C-119
WebDAV, 34-15, 34-22
setting up, 34-15, 34-17
WebGet command
described, I-28
WebSess_Verbose_Trace setting
described, C-120
troubleshooting with, 63-106
WebSphere plug-ins
installing on IIS servers, 35-4
Welcome Page
creating, 5-87
Wide-area networks. See WANs
Wildcard searches
LDAP service, 20-28
Window_Title setting
described, C-120
Windows
configuring SNMP Agent
for, 53-11
directory for entering
commands, 3-2
installation on, 3-3
running Server Setup program
on, 3-18
system fonts, C-121
Windows 2000
configuring partitioned
servers, 2-52
ensuring name resolves on, 2-29
improving server
performance, 60-13
name resolution, 2-15, 2-22
registering existing users, 17-35
registering new users, 17-33
synchronizing with Notes
users, 17-25
Unit/LANA numbers for
NetBIOS ports, 2-59
Windows NT
adding groups to
Notes, 17-16, 17-20
configuring partitioned
servers, 2-52
ensuring name resolves on, 2-29
improving server
performance, 60-13
name resolution, 2-15, 2-22
registering users in
Notes, 17-1, 17-8, 17-12, 17-14
renaming user accounts with
Domino, 5-57
synchronizing with
Notes, 17-2, 17-3
synchronizing with Notes
users, 5-62, 17-5
Unit/LANA numbers for
NetBIOS ports, 2-59
Windows NT Performance Monitor
viewing statistics with, 17-23
Windows NT User Manager
deleting user accounts with, 17-22
setting up, 17-1, 17-3
WinInfoboxPos setting
described, C-120
WinSysFont<number> setting
described, C-121
Workload balancing
clusters and, 60-4
servers and, 60-2
Workstations
ECL, 41-1
mail routing errors and, 63-42
troubleshooting, 63-92
www.lotus.com/support
searching, 63-4

X
X.PC network
compression and, 2-42
XACLs. See Extended ACLs
x-headers
adding to outbound Internet
mail, 28-134
XPC_Console setting
described, C-121

xSP servers
Activity Logging
for, 13-23 to 13-24
applications on, 12-15
binding IP addresses to, 13-16
configuring, 12-5, 12-9
Domino features for, 12-4
example, 12-16
for hosted environments, 12-1
installation options, 12-2
installing, 13-2
mail protocols on, 12-13
opening databases on, 13-8
securing, 12-3
setting up environment for, 13-1

Z
zOS
configuring SNMP Agent
for, 53-17
